What Is an ISAE 3000 Assurance Report and Why Should You Get It?

Published on: July 17, 2025 | Reading time: 6 minutes

Written by Emil Galletta Rene, Assistant attorney, ComplyCloud

Are you an IT company that is a data processor?

Then you probably find that customers often ask for documentation of your GDPR compliance.

You can provide that documentation with an ISAE 3000 assurance report.

It also saves a lot of time, because you no longer have to answer the same questions separately for each customer.

It's what you might call a true win-win situation.

That's why in this blog post, I want to help you understand what an ISAE 3000 statement is and whether it can be an advantage for your company to work towards.

What is an ISAE 3000 assurance report?

In general, ISAE assurance reports are used to document a company's processes, controls or reporting in areas such as compliance, sustainability, GDPR, IT security and corporate social responsibility.

In other words, it is a broad framework for providing independent assurance on information other than historical financial statements.

An ISAE 3000 assurance report (International Standard on Assurance Engagements 3000) is an independent auditor's report on whether a company has complied with a defined set of requirements or control objectives. In the GDPR variant discussed here, those requirements concern information security and the obligations in the data processing agreement.

In Denmark, FSR - Danish Auditors in collaboration with the Danish Data Protection Agency has launched a GDPR assurance report - ISAE 3000 - for use by suppliers who are data processors.

So, it’s the FSR's GDPR assurance report that I refer to when I talk about ISAE 3000 in this blog post.

Why did the need for an assurance report arise?

The focus of the ISAE 3000 is "on information security and measures pursuant to the data processing agreement with a data controller."

When the statement was launched in 2019, the then head of supervision at the Danish DPA, Jesper Husmer Vang, stated that the assurance report (my translation):

"... will help data controllers to audit their data processors adequately. As the statement has the right focus, it will also facilitate the DPA's enforcement when we check whether a controller has audited its data processors."

In other words, there was an unmet need for a common audit standard.

So, ever since the auditor's assurance report saw the light of day, controllers have been able to use it as part of their GDPR audit of their data processors. It gives the data controller assurance that the data processor complies with the GDPR requirements it has committed to in the data processing agreement.

The assurance report covers both the procedures for processing personal data and the level of security linked with the processing.

The ISAE 3000 assurance report intends to help the controller comply with the regulations and its responsibility to ensure that personal data is processed correctly, even if another party processes the data.

If the data processor doesn't have an ISAE 3000 assurance report, the report's control objectives can still be used as a guide for the questions the controller sends to the data processor during the GDPR audit.

But as you may have guessed, an ISAE 3000 not only examines and documents whether a company's overall security level meets the requirements of a customer or partner.

It also helps the company in its role as a data processor to meet the requirements set out in a data processing agreement.

For a data processor, the ISAE 3000 is therefore a recognized way to both meet these requirements and, not least, to document that they are met.

And this is especially the case for IT companies.

Why is an ISAE 3000 statement particularly relevant for IT companies?

If you work in an IT company that processes personal data on behalf of its customers (and is therefore a data processor), you have probably experienced that a customer (as the data controller) has asked you for an assurance report, often in connection with their audit of you.

Or at the very least, they’ve asked you to answer a series of questions about your GDPR compliance and the data processing agreement.

The reason can be found in Article 28(3)(h) of the GDPR.

This states that the data processor (the IT company) must make available to the data controller (the customer) all information necessary to demonstrate compliance with the processor obligations in Article 28, which the data processing agreement sets out. The processor must also allow for and contribute to audits, including inspections, conducted by the controller or an auditor mandated by the controller.

If your company has gotten such requests from customers, you probably know how much work it can be to respond to them one by one.

This is where the ISAE 3000 assurance report comes in:

By investing focused and targeted time in preparing an assurance report, you end up with a single document that you can send directly to customers. The total effort naturally depends on how mature your company already is in relation to the ISAE 3000 control objectives.

After that, you won't have to spend time answering individual questions from each customer.

ISAE 3000: Assurance report or self-assessment report?

You can use the ISAE 3000 to show customers, authorities and business partners that an independent party (the auditor) has scrutinized your company's work and has concluded that, within the agreed scope of the report, you meet the GDPR requirements in the data processing agreement.

In practice, you first need to agree the scope of the ISAE 3000 statement with the auditor.

Next, you need to schedule meetings with the auditor, where they then start collecting documentation, conducting interviews, reviewing documents, performing sample tests, etc.

Finally, the auditor prepares the final auditor's report with the auditor's conclusion based on their observations.

This work includes an in-depth check of the individual control objectives.

Both the audit work and the ISAE 3000 assurance report itself can be a significant cost, which can be disproportionate for small companies, for example because they have small budgets to work with or because they process only little personal data when providing their services to customers.

An alternative to the assurance report is to make a self-assessment report based on ISAE 3000.

Of course, with a self-assessment report, you don't get an auditor's report with all the benefits that come with it.

Instead, you'll effectively describe and document your company's processes in line with ISAE 3000 control objectives. Without having to spend time and money on the collaboration with an auditor.

Before you start the ISAE 3000 process, we recommend that your company first decides whether you’re aiming for an auditor's assurance report or a self-assessment report.

For example, a self-assessment report isn't enough if your data processing agreement with a customer obliges you to provide an auditor's report for the customer's audit of you.

Therefore, it's important that the data processing agreement clearly states that your company prepares a self-assessment report based on the ISAE 3000 control objectives, rather than an auditor's assurance report.

If your company uses the Danish DPA's standard data processing agreement, you must state this in Appendix C, point 7.

Whether you use an auditor or take on the ISAE 3000 work yourself, the process generally follows the same steps and control objectives.

If you're curious about how ComplyCloud can help your organization work towards an ISAE 3000 assurance report, feel free to reach out.

Category: GDPR, Compliance