DEKRA Audit Netherlands

As a service organization, how do you demonstrate that customer data is safe when you oursource serv

ISAE 3402 and ISAE 3000 certification

The standard for service organizations focused on information security in outsourcing

With an ISAE 3402 and 3000 assurance statement you demonstrate that you have set up sufficient control in relation to your IT security and privacy measures. Due to increasing competition, cost savings and technological developments, more and more organizations are outsourcing important and crucial processes to service organizations. But how do you, as a service organization, demonstrate that customer data is safe with you?

What is ISAE 3402 and ISAE 3000?

ISAE 3402 and ISAE 3000 is a standard that stands for International Standard on Assurance Engagements. An ISAE audit results in an assurance statement that includes risk management of the controllable processes. The final report shows that the organization has properly organized the relevant processes in design, existence and operation. This guarantees information security.

When do you need an ISAE 3402 and ISAE 3000 statement?

You use the ISAE 3402 statement if your services have an effect on the financial processing of your customer. For example, your services are part of your customer's invoice processing. In addition, there is also the ISAE 3000 statement. This statement relates to the control of security and privacy measures (and does not consist out of a financial component).

The advantages of ISAE 3402 and ISAE 3000

An ISAE 3402 and ISAE 3000 audit gives you and your customers insight into IT processes related to internal control, risk management, information security and privacy;
With an ISAE 3402 and ISAE 3000 statement you are demonstrably able to respond to manageable processes and take the right measures in response to valuable information;
With the assurance statement you meet the requirements as set out in the Financial Supervision Act (Wft), the Pensions Act (PW) and the Alternative Investment Fund Managers Directive (AIFMD). These laws lay down financial obligations with regard to the outsourcing of activities.

Why DEKRA?

Extensive experience

Our experienced auditors, who carry out the assessment, are affiliated with the Dutch professional organization NOREA. We've tested hundreds of organizations for information security standards and our knowledge is always up-to-date, ensuring your reporting meets the latest requirements.

Short communication lines

You have one point of contact for all audits related to ISAE 3402. Our account managers and auditors are always ready to determine the best route for your organization

Broad portfolio

Save time and money by combining different certifications.

ISAE 3402 or ISAE 3000 and ISO 27001

An ISAE assurance assessment and the audits in the context of the ISO 27001 certificate can be easily combined. It gives your client more certainty about the total service. This is because your client's auditor or accountant uses the ISAE 3402 report for its own assurance statement. Your customer can rely on the services you provide. DEKRA offers the unique possibility to perform the ISAE 3402 assessment and ISO 27001 audits in combination. It is then discussed in advance which findings from the ISO 27001 audit relate to the ISAE 3402 assessment. This prevents measures from being (unnecessarily) additionally assessed.

What components does ISAE 3402 and ISAE 3000 consist of?

An ISAE 3402 and ISAE 3000 audit is performed by our auditors (register EDP auditors). DEKRA then prepares the full report based on the findings. When the pre-agreed framework is met, DEKRA issues the official ISAE 3402 and ISAE 3000 statement.

The ISAE report consists of at least the following parts:

Description of the control framework;
Confirmation of the service organization;
Service auditor assurance report.

During the execution of an audit, the DEKRA audit team checks whether all measures that fall within the agreed framework are actually complied with (in design, existence and operation). After an audit has been carried out, the report is provided with the so-called 'assurance' statement in accordance with standard ISAE 3402.

The investigation for an ISAE statement can be carried out in two ways, namely as an 'Attestation' or as 'Direct Reporting'.

At an 'attestation' you have an internal auditor who prepares, carries out and delivers the investigation. For this 'attestation', use can be made of the management system in accordance with ISO 27001. DEKRA performs reperformance for the investigation of the internal auditor.

With direct reporting, DEKRA carries out the entire investigation.

Request a quote