Office hours · 09:00–18:00 IST info@abscerts.com
+91 96257 76771 +91 97925 86202 EN · 40+ countries

Cyber Security

ISAE 3402 — Assurance on Service Organisation Controls

Independent ISAE 3402 Type I and Type II assurance reports — the international standard for controls at a service organisation.

Book a consultation
ISAE 3402 assurance report on service organisation controls
10-14 weeks Typical timeline to certificate
IAASB Governing body / standard owner
AICPA Accredited & globally recognised
What this covers
ISAE 3402IAASBService OrganizationAssurance

What ISAE 3402 is and why buyers ask for it

ISAE 3402 — the International Standard on Assurance Engagements 3402 — is a well-known global auditing framework, issued by the International Auditing and Assurance Standards Board (IAASB), for reporting on the controls at a service organisation. It is most often used for controls tied to clients’ IT systems and financial information. In effect, it is the international counterpart to the US SOC 1 report.

If your organisation performs an outsourced function that feeds into another company’s financial reporting — and that company or its auditors are outside the United States — they will frequently ask for an ISAE 3402 report rather than SOC 1. A single independent report lets you give that assurance to many clients at once, instead of being audited repeatedly. ISAE 3402 is part of the Cyber Security and assurance work ABS delivers for service organisations.

What the assessment covers

An ISAE 3402 engagement is structured around the control objectives relevant to the services you provide. It is reported in two forms:

  • Type I — an opinion on the fairness of the control description and the suitability of control design as at a specific date.
  • Type II — the above plus a test of operating effectiveness over a period, typically six months to a year.

ABS supports the full path: readiness assessments to map your controls against the objectives, help with control design and implementation, the Type I and Type II reports themselves, and ongoing monitoring and training to keep the controls effective between cycles.

Typical timeline

A Type I report is usually achievable in around 10–14 weeks, depending on the maturity of your control environment. A Type II report then adds the observation period over which the controls are tested in operation. Each engagement begins with a fixed-price scoping call, and we send a proposal within 24 hours.

Common questions

What is the difference between ISAE 3402 and SOC 1?

They are the same kind of report on a service organisation’s controls, issued under different standards. ISAE 3402 is the international standard from the IAASB; SOC 1 is the US report governed by the AICPA’s SSAE 18. Which one you need depends on where your clients and their auditors are based.

What is the difference between a Type I and a Type II report?

A Type I report gives an opinion on the fairness of your control description and the suitability of control design as at a specific date. A Type II report adds an assessment of operating effectiveness over a period, usually six months to a year. Most clients ultimately want a Type II.

Who needs an ISAE 3402 report?

Service providers that handle financial information or perform key outsourced functions for their clients — payroll bureaus, data centres, fund administrators, investment managers and similar — are most often asked for one. It is especially common among vendors to financial services organisations.

How does ISAE 3402 relate to SSAE 18?

SSAE 18 is the AICPA attestation standard that governs SOC 1 engagements in the United States. ISAE 3402 is its international equivalent. The two describe substantially the same controls report for service organisations, differing mainly in the standard-setting body and the audiences that expect each.

More services

Related certifications

agile-transformation / 01 Agile coaching with a delivery team

Agile Coaching

Experienced coaches working alongside your teams and leaders to adopt agile ways of working — and to sustain them across the organisation.

Agile CoachingAgile TransformationScrumKanban
Get a quote
cmmi / 02 CMMi for Development process maturity improvement

CMMi for Development (CMMi-DEV)

Process maturity improvement for organisations that design and build products, software and systems — benchmarked against the CMMI Development view.

CMMiCMMi-DEVProcess ImprovementSoftware Development
Get a quote
industry-food-certifications / 03 HACCP food safety hazard analysis certification

HACCP Certification

Certification of a HACCP food safety system — the internationally recognised approach to identifying and controlling hazards across the food chain.

HACCPFood SafetyHazard AnalysisIndustry & Food
Get a quote

Get started

Ready to get certified?

Get a free, fixed-price quote within one business day. No obligation, no sales pressure, no follow-up spam — just a clear path to certification.

Book a 30-min consultation
24-hour response time Fixed price, multi-currency IAS / IAF accredited 40+ countries served

Before you go — let us help

Drop your details and we'll send a free certification roadmap tailored to your business. No spam, ever.

By submitting, you agree to ABS's privacy policy. We never share your details.