ISAE 3402 | SOC1

ISAE 3402 is a guarantee that processes that are outsourced are demonstrably 'in control'. 'In control' means that processes are executed properly, that information security is adequately organized and that sufficient measures are taken to prevent fraud. ISAE 3402 is increasingly demanded by financial institutions, listed organizations and professional companies. To become ISAE 3402 certified you need a Service Organization Control report 'certified' by an accountant. ISAE 3402 should not be confused with ISAE 3000.

A Service Organization Control (SOC) report is a term from the United States for reporting on the internal control of a service organization. A SOC report contains a description of the risk management organization, the internal control system and the information security measures. Usually, a general description of the internal control system and a control matrix (CM) is included in an ISAE 3402 report, which includes detailed internal control measures

Almost all processes can be outsourced. For example, the IT organization as well as the processing of financial processes or the credit management process can be outsourced. Organizations increasingly outsource (parts of) important processes. As a result, important control measures (controls) can disappear out of sight of the management of the user organization. Resulting in less influence that can be exerted on the implementation of the processes that are outsourced.

The ISAE 3402 standard was created because organizations and regulators had a greater need for insight into and control of outsourcing. As a result, supervisory authorities such as the Dutch Bank (DNB), the Netherlands Authority for the Financial Markets (AFM), the government in general and possibly your customers also ask questions or requirements with regard to reporting on the (control of) outsourced processes. Relevant parties arties require a solid risk management framework, sound information security and transparency about this.