Skip to main content

ISAE 3000 | SOC2

Organizations that provide services that have no effect on their customers' financial statements can have these activities "certified" according to ISAE 3000. The general IT controls or (GITCs) are described by the organization and provided with an assurance statement by an external auditor. Such an audit is then carried out in accordance with ISAE 3000. The standard framework for this audit can in such a case be the Trust Service Principles or a more generic standard framework, such as COBiT. If your customers are also located in the United States, it is recommended to have a SOC2 report drawn up in accordance with the Trust Service Principles.

What is ISAE 3000 | SOC2

The Global standard for IT outsourcing

SOC2 is part of the AICPA Service Organization Control Reporting platform. The AICPA distinguishes between three types of reports; SOC1 (an ISAE 3402 report), a SOC2 a report in accordance with AT 101 (trust service principles). The five mandatory parts of the Trust Service Principles are:

  • Security. Systems are protected, both logical protection and physical protection against unauthorized access.
  • Availabilty. The system is available for use as agreed
  • Processing integrity. Process processing is complete, correct and authorized.
  • Confidentiality. Information identified as "confidential" is secured as agreed.
  • Privacy. Personal information is collected, used, stored and made available in accordance with the agreements in the privacy agreement and with the privacy principles.
Datacentre Compliance


ISAE 3402  compliance is tailored to service organizations that process financial information for customers. ISAE 3000 is designed for the growing number of technology companies and cloud computing entities that are increasingly common in the world of service organizations. For example, if an organization only does workplace management for its customers or only manages web servers, an ISAE 3402 statement may not be necessary.

ISAE 3402 SOC1

ISAE 3402

Initially, ISAE 3000 compliance was largely "overshadowed" by ISAE 3402 compliance. There is a gradual shift in this. Technology and Cloud computing organizations are increasingly realizing the value of ISAE 3000. It is expected that many organizations that only provide IT services will ask for an ISAE 3000 more often than an ISAE 3402 report in the future.

ISAE 3000 requires that understandable security procedures and policies are described and followed. Policy forms the basis for a strong internal control environment. Conclude can support your organization in the development of this policy from its group company SASconsult.

1 Step

2 Step

3 Step


Certicus is an international audit firm providing services to the top tier IT and financial services firms worldwide. We continuously explore the latest technology and adapt to follow world’s new trends to deliver the best assurance services to the market.