Skip to main content

ISAE 3000 | SOC 2

Organizations which provide services that do not affect their customers' financial statements can have these activities "certified" according to ISAE 3000. The general IT controls or (GITCs) are described by the organization and provided with an assurance statement by an external auditor. Such an audit is carried out in accordance with ISAE 3000. The standard framework for this audit can be the Trust Service Principles or a more generic standard framework, such as COBIT. If your customers are located in the United States, it is recommended to have a SOC 2 report drawn up in accordance with the Trust Service Principles.

What is ISAE 3000 | SOC2

The Global standard for IT outsourcing

SOC 2 is part of the AICPA Service Organization Control Reporting platform. The AICPA distinguishes between two types of reports; SOC 1 (an ISAE 3402 report), a SOC2 report in accordance with AT 101 (trust service principles).

The five mandatory parts of the Trust Service Principles are:

  • Security: Systems are protected, by logical protection and physical protection against unauthorized access.
  • Availability: The system is available for use as agreed.
  • Processing integrity: Process processing is complete, correct, and authorized.
  • Confidentiality: Information identified as "confidential" is secured as agreed.
  • Privacy: Personal information is collected, used, stored, and made available in accordance with the agreements in the privacy agreement and with the privacy principles.


Datacentre Compliance


ISAE 3402 compliance is tailored to service organizations that process financial information for customers. ISAE 3000 is designed for the growing number of technology companies and cloud computing entities that are increasingly common in the world of service organizations. For example, if an organization only does workplace management for its customers or only manages web servers, an ISAE 3402 statement may not be necessary.

ISAE 3402 SOC 1

ISAE 3402

Initially, ISAE 3000 compliance was largely "overshadowed" by ISAE 3402 compliance. There is a gradual shift in this. Technology and Cloud computing organizations are increasingly realizing the value of ISAE 3000. It is expected that many organizations that only provide IT services will ask for an ISAE 3000 report more often than an ISAE 3402 report in the future.

ISAE 3000 requires that understandable security procedures and policies are described and followed. Policy forms the basis for a strong internal control environment. Certicus can support your organization in the development of this policy with her sister company Risklane.