ISAE 3402
Audit standard for outsourcing service providers
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
ISAE 3402 (International Standard on Assurance Engagements 3402) is the report clients ask outsourcing service providers for when assessing their security and control maturity. SOC 1/2 are the US counterparts.
What is ISAE 3402?
Type I (snapshot) vs. Type II (12-month observation):
- Type I: description of the service organisation's system plus the design of its control framework at a point in time
- Type II: additionally covers the operating effectiveness of those controls over a 12-month period
ISAE 3402 is suitable for NIS2 supplier audits.
Practical example
SaaS provider X offers an ISAE 3402 Type II report. As the customer, you request the current report every year as part of your supplier audit.
Frequently asked questions
Is ISAE 3402 mandatory?
No, but it is recommended for critical service providers.
Who performs the audit?
Statutory auditors (Big 4 plus mid-tier firms).