ISAE3000


Assurance for IT Services

ISAE3000: IT Assurance for IT Service Providers.

IT organizations and IT departments increasingly outsource IT services to specialized suppliers, including SaaS suppliers, data centers and IT service providers. External regulators increasingly require that suppliers provide certainty about the IT services provided, including all subcontractors. This can be done by carrying out an ISAE3000 audit at the service provider, after which an IT assurance is issued in the form of an ISAE3000 statement. At Cyberus, we have certified IT auditors and consultants, and we understand how to relieve the burden on organizations in obtaining and maintaining an ISAE3000 statement. The Cyberus consultants guide organizations, from SMEs to corporates, in achieving ISAE3000 assurance as an IT audit and compliance partner. In addition, the Cyberus IT auditors are able to perform ISAE3000 audits and issue assurance statements. For more information, please feel free to contact us!

Achieve an ISAE 3000 Statement



At Cyberus, we take care of achieving an ISAE 3000 statement.


When carrying out the actual ISAE 3000 IT audit, Cyberus offers transparency and efficiency.


Cyberus uses 4 phases for both ISAE 3000 audit and advisory work.


Phase 1

Scoping & Planning

The first step is to inventory the scope of the ISAE3000 report; based on this, a schedule for the audit process is drawn up.


The aim here is to establish the schedule for the 'ISAE3000 audit' or the 'ISAE3000 implementation process'.


A choice must be made whether it concerns consultancy work or the actual audit.

Phase 2

Risk profile & goal

After the scope and planning determination, a risk analysis is carried out and the management objectives are drawn up.


The purpose of this is to further specify the audit objective of the actual execution or implementation.




Phase 3

Pre-audit & Mitigation

During the third phase, the pre-audit will be carried out on the implemented control mechanisms. Through the pre-audit, possible findings can be mitigated.


The aim is to identify possible findings and mitigate them before the actual audit takes place.

Phase 4

Audit & Assurance

During the fourth and final phase, the audit will be carried out or support will be provided for carrying out the audit, in order to relieve the organization of the burden.


The aim is to carry out the audit, or to provide support in obtaining an ISAE3000 assurance report, as Type 1 or Type 2.

Importance: Third-Party Assurance for IT Services

In recent years, the outsourcing of parts of activities by (user) organizations to service organizations has increased dramatically. Examples of this include outsourcing IT services to third parties, including SaaS providers, data centers and cloud providers. Disruptions to these outsourced services can have a major impact on the user organizations and the proper functioning of these processes is therefore important for the user organizations. Precisely for this reason, user organizations want periodic reports on the quality of outsourced services. These reports must be drawn up by independent auditors and are called ISAE reports. An ISAE3000 (International Standard on Assurance Engagements) report is relevant for IT service organizations that want to provide assurance about control measures in the areas of security, availability, integrity and reliability of processes and data and privacy.

Additional information: ISAE3000 Type 1/2

An ISAE 3000 report is an assurance report drawn up by the independent auditor that provides certainty about control measures included in the report in question. An ISAE 3000 report is characterized by the following features:

- Standard structure of Service Organization Control reports.
- Judgment with a reasonable degree of certainty and with a limited degree of certainty are both possible (ISAE 3402 allows only a reasonable degree of certainty).
- Possibility of Type I and Type II variants (explained below).
- No minimum review period (NOREA advises that a Type II report covers at least a period of three months).
- Intended for an audience who can understand the content and objective of the report (management of the service organization itself, management of the user organization, users selecting a potential service organization, accountants, auditors and supervisory authorities).

The final scope of an ISAE 3000 audit is drawn up in consultation with you by our specialists. The following areas may be part of the scope: change management, acquisition, development and maintenance of information systems, software development, service level management, management of information security incidents, vendor management, access security, physical security, environmental security, asset management, personnel security requirements, continuity management, privacy management and compliance.

In the case of a Type I Service Organization Control report, the auditor tests the adequacy of the described control measures to achieve the stated control objective and determines their implementation. The control measures are determined as they have been implemented at a specific time. A Type II report describes the process and control measures as they have operated during a certain defined period (often 6 months to a year).

In the specific case of the ISAE 3000 report, it should be stated that no minimum period is prescribed to which the report (and the audit) must at least relate (but NOREA advises that an ISAE 3000 Type II report must at least relate to a period of three months).

Introduction

To get acquainted with Cyberus and its consultants and IT auditors regarding SOC2, please feel free to contact us.


This can be done via a virtual appointment or simply at our office over a cup of coffee.


Our office is located at the HSD (the Hague Security Delta) in The Hague next to The Hague Laan van NOI station. Parking is available under the building.


Get in touch with Cyberus
