-
1. What does ISAE stand for?
ISAE stands for International Standard on Assurance Engagements. ISAE reports are issued by an independent certified auditor who audits relevant and agreed-upon processes and procedures at a service provider.
-
2. What is an ISAE report?
The reports document how the service provider's systems and organisational controls work and how effective they are.
-
3. Is ISAE 3402 or 3000 mandatory?
The reports are not mandatory. An ISAE report is designed to provide the safety a customer seeks in a service provider. The report is the result of the audit.
-
4. What is ISAE 3000 used for?
A service provider that has obtained an ISAE report can demonstrate the trustworthiness of its services. This is because the report is a quality stamp that proves and indicates that an independent auditor has confirmed that the processed data is treated with confidentiality and a high level of security, and that any potential risks are documented and controlled accordingly.
-
5. Why should you choose a service provider who obtained one?
At TimeLog, we believe that as a service provider, we need to assure our customers that they do not run additional risks by trusting part of their business and data to us. Therefore, we have committed to working with a certified auditor in obtaining both an ISAE 3000 GDPR report and an ISAE 3402 report as an ongoing annual target in our compliance and information security work.
-
6. Download the reports as PDF
-
7. What is an ISAE 3000 report on GDPR and Data Processing?
The scope of an ISAE 3000 report can be any control agreed upon between the service provider and an independent auditor.
At TimeLog, we have voluntarily chosen to have an external auditor review our work involving our customers’ data. Creating transparency and demonstrating compliance with the General Data Protection Regulation is crucial to us as a data processor.
With our ISAE 3000 GDPR report, we can document the operating effectiveness of our internal processes and controls, since an independent auditor has confirmed GDPR compliance both internally and in external relations.
As a data controller, you have the assurance of an auditor, who has assessed our processes, that your data is processed in compliance with applicable law.
-
8. What is ISAE 3402?
An ISAE 3402 is an internationally recognised auditing standard verifying the security and effectiveness of a service organisation’s control system related to all business processes concerning its IT landscape.
The control areas of an ISAE 3402 audit may cover, but are not limited to, the following areas:
- Organisation and management
- IT security policy
- IT strategy
- Risk assessment and management
- User access management
- Network security management
- Development and maintenance of systems
- Emergency and contingency management
At TimeLog, we want to ensure that our IT infrastructure meets the highest level of security, confidentiality and availability. Therefore, we have committed to voluntarily working with an independent auditor who has assessed our policies, procedures, and documentation. The result illustrates quality and reliability to our customers, and it demonstrates that we continuously evaluate our work to improve and ensure the highest quality for our customers.
TimeLog has obtained ISAE 3402 type II.
-
9. The difference between an ISAE 3402 Type I and Type II
When referring to an ISAE 3402, the internal control framework can be issued in a Type I or a Type II report.
- Type I covers controls at a specific “point in time”, where the auditor will report on whether the service organisation's description of its controls is fairly presented and whether the controls are suitably designed to achieve control objectives.
- Type II describes the controls placed in operation and includes detailed testing of the effectiveness of the corresponding results. The tests cover a period of six to twelve months.
TimeLog has obtained ISAE 3402 type II.
-
10. ISO 2700X certification vs ISAE
- ISO 2700X certifications were historically a benchmark for information security. However, since the threat landscape is in continuous change, it becomes more important for companies to have a greater level of assurance in broader areas.
- ISO 27001 focuses only on the design of controls and ISO 27002 provides guidelines on the process of implementation.
- ISAE reports, on the other hand, are based on the ISO controls, and they further allow for testing the operating effectiveness of the controls over a period.
- An ISAE report provides a formal attestation and therefore offers a greater level of assurance to customers who want to know about their service provider’s internal procedures covering broader areas.
-
11. How can you, as a TimeLog customer, benefit from our ISAE reports?
One of the most valuable assets to TimeLog is the data of our customers, business partners and employees. Therefore, we have chosen to provide our customers with an independent auditor’s report on how we deal with personal data and on our compliance with GDPR (ISAE 3000 report).
Finally, our customers should know whether our IT landscape is mature enough to support the high demands that a service provider faces, which we can document in ISAE 3402.
- We take responsibility for always protecting your data. This is documented in our ISAE 3000 and ISAE 3402 reports.
- We believe that our customers need transparency when it comes to quality and reliability.
- Our customers will be able to share the ISAE report with their own auditors, which will eliminate or reduce the requirement for our customers’ auditors to do additional testing of our controls.