ISAE 3402 Declaration

What is an ISAE 3402 declaration and what does it mean that we as an IT company have received an ISAE 3402 declaration? You will find answers to that and much more in this post.

What is an ISAE 3402 declaration?

ISAE is an abbreviation of "International Standard for Assurance Engagements". An ISAE 3402 declaration is given on the basis of an annual IT audit, and it documents that a company has good and proper IT conditions. It is therefore official proof that the company meets all applicable legal requirements within IT security and generally demonstrates good IT practice.

Therefore, an ISAE 3402 declaration provides an insight into how a company generally handles IT in the organization. The auditor examines all the company's work processes around IT functions, including operation, development, preparedness, documentation etc.

In addition, the audit investigates how things function in practice, such as backup security, how data is secured on servers and in data centers, who has access to data, etc. The audit company reviews documentation and procedures for this and carries out random checks of the company's entire security setup.

When the audit company has gone through all procedures, documentation, workflows, etc., a report and an ISAE 3402 declaration are prepared based on the checks and observations made at the company.

The ISAE 3402 declaration is part of the international management standard for information security, ISO 27001, and the statement is only given to companies that, among other things, follow the control objectives of ISO 27001. ISO 27001 is continuously updated so that the company is always able to handle the challenges of a business world that is constantly changing.

Read more about ISO 27001 and information security here.

Two types of certifications

The ISAE standard has two types of statements:

  • Type 1, which is prepared in relation to a given date
  • Type 2, which is drawn up over a period of time, typically a minimum of six months

Common to both types is that they include the audit company's conclusion on whether the IT company acts fairly in relation to the controls, documentation and work processes that are imposed by the standard.

In addition, the declaration consists of three parts:

  1. The company's description of the system
  2. The company's own statement on description and controls
  3. The auditor's statement on the company's statement with reference to the description 

Here it is important that the company's descriptions are detailed and contain control objectives and control processes, so that the auditor can gain an understanding of the procedures, as well as verify that the description is accurate and check that the controls have been carried out according to purpose and intent.

The declaration therefore consists of several different elements, all of which are reviewed in depth by the auditor and the IT security officer in the company.  

Read more about ISAE 3402 at The Board for IT and Learning.

Why is it important that your IT supplier is ISAE 3402 certified?

It is important to make sure that your IT supplier is ISAE 3402 certified if you want to be absolutely sure that there is 100% control over good IT practice, control and IT security with your IT collaboration partner. In some cases, it may even be a requirement on the part of the customer that the supplier company has the declaration before a collaboration can be entered into.

At itpilot, certification is particularly important to us because we want to assure our customers that the handling of their IT software solutions is sound and that they get the solution they need.

"We attach great importance to being a professional and trustworthy partner to our customers - in other words, we deliver what we say we deliver. We handle your IT solutions correctly and we have a high IT quality, which the statement also supports."

Kenneth Damgaard Løwe • CEO of itpilot

Read more about our certifications here.

itpilot is your ISAE 3402-certified software supplier

At itpilot, we are proud to be ISAE 3402 certified, as this means that we are an IT software supplier and business partner that you can rely on.

With the certification, it is possible for us to develop solutions for public authorities as well as large organizations and companies, where you as a customer can have full confidence and feel secure in choosing itpilot. We can thus help you develop the systems you need within the right framework.

If you have any questions about the declaration, or if you want to hear more about how we at itpilot can help you with your digital solution, you are welcome to contact us.