ISAE 3402

ISAE 3402 is a global standard for auditing an organization's IT conditions. This standard acts as documentation that the organization practices what it preaches in terms of what’s outlined in the IT Security Policy.

An external auditor must carry out the evaluation of the organization’s IT conditions, resulting in an assurance report. Conducted annually, this audit provides the organization with official verification that it meets all legal requirements for IT security and consistently follows best IT practices.

When is an ISAE 3402 statement necessary?

There are several motivations for obtaining an ISAE 3402 certification. Some organizations pursue it to meet the demands of customers or partners, while others use it to demonstrate their credibility and security to current and potential clients. Additionally, certain industries and services may have legal requirements that mandate an ISAE 3402 certification.

It's crucial to ensure that IT providers regularly secure an ISAE 3402, as it will serve as an assurance that the provider's IT security operations are well-designed and operating effectively, maintaining the necessary level of security.

Advantages of having a ISAE 3402 standard

The primary benefit of an ISAE 3402 report is that it provides documentation of the organization's well-established and maintained IT conditions. This report serves as official proof that the organization complies with relevant legal requirements for IT security and follows best IT practices.

Additionally, the report offers customers and partners valuable insight into how the organization manages IT functions such as operations, development, preparedness, documentation, and more. It also highlights the organization's security framework, ensuring that data is handled according to current legal standards—two factors that significantly enhance customer confidence.

When an auditor prepares an ISAE 3402 assurance report, all the organization's IT-related work processes are thoroughly examined, including operations, development, preparedness, documentation, and more. This includes evaluating functions such as backup security, along with the securing and storage of data.

Being certified and reviewed following the ISAE 3402 standard is a strategic goal for Adapt Group. The work towards this certification began in 2018 with a reworked IT Security Policy for Adapt Group - one that has since been revised, refined and updated yearly to meet the legal IT security requirements and best practices. It uses the structure of the main section of ISO 27001 and covers everything from risk management, access control, physical security, cryptography, operational security, breach management, contingency plans, compliance and more. 

We see having a high level of security as not only a requirement for fulfilling statutory and regulatory requirements, but also as an element of quality in relation to offering a secure service to our partners, authorities, professionals, and private customers in general.

An annual audit helps us validate our security level and quality both internally and externally – are we actually doing what we claim? It serves as an official accredit. We consider ourselves obligated to continuously educate our employees on security as technology, services and data management evolve at a fast pace in our industry. Our approach is that each employee should have access to as little as possible but as much as necessary – a shift in mindset from full access for all, which is no longer suitable in the present day where we must be extra compliant with data of various sensitive nature. 

Our latest ISAE 3402 Type 2 certification was achieved in 2023, and preparations for 2024 are already underway.