ISAE stands for International Standard on Assurance Engagements. ISAE reports are issued by an independent certified auditor who audits relevant and agreed-upon processes and procedures at a service provider.
A service provider that has obtained an ISAE report can demonstrate the trustworthiness of its services. This is because the report is a quality stamp that proves and indicates that an independent auditor has reviewed whether the processed data is treated with confidentiality and a high level of security, and whether any potential risks are documented and controlled accordingly.
At TimeLog, we believe that as a service provider, we need to assure our customers that they do not run additional risks by trusting part of their business and data to us. Therefore, we have committed to working with a certified auditor to obtain both an ISAE 3000 GDPR report and an ISAE 3402 report as an ongoing annual target in our compliance and information security work.
The scope of an ISAE 3000 report can be any control agreed upon between the service provider and an independent auditor.
At TimeLog, we have voluntarily chosen to have an external auditor review our work involving our customers’ data. Creating transparency and demonstrating compliance with the General Data Protection Regulation is crucial to us as a data processor.
With our ISAE 3000 GDPR report, we can document the operating effectiveness of our internal processes and controls, since an independent auditor has confirmed GDPR compliance both internally and in external relations.
As a data controller, you have the assurance of an auditor who has assessed our processes that your data is processed in compliance with applicable law.
An ISAE 3402 is an internationally recognised auditing standard verifying the security and effectiveness of a service organisation’s control system related to all business processes concerning its IT landscape.
The control areas of an ISAE 3402 audit may cover, but are not limited to, the following areas:
Organisation and management
IT security policy
Risk assessment and management
User access management
Network security management
Development and maintenance of systems
Emergency and contingency management
At TimeLog, we want to ensure that our IT infrastructure meets the highest level of security, confidentiality and availability. Therefore, we have voluntarily committed to working with an independent auditor who has assessed our policies, procedures and documentation. The result illustrates quality and reliability to our customers, and it demonstrates that we continuously evaluate our work to improve and ensure the highest quality for our customers.
An ISAE 3402 report on the internal control framework can be issued as a Type I or a Type II report.
Type I covers controls at a specific “point in time”, where the auditor reports on whether the service organisation's description of its controls is fairly presented and whether the controls are suitably designed to achieve the control objectives.
Type II describes the controls placed in operation and includes detailed testing of their effectiveness, with the corresponding results. The tests cover a period of between six and twelve months.
ISO 2700X certifications were historically a benchmark for information security. However, since the threat landscape is continuously changing, it is becoming more important for companies to have a greater level of assurance in broader areas.
ISO 27001 focuses only on the design of controls and ISO 27002 provides guidelines on the process of implementation.
ISAE reports, on the other hand, are based on the ISO controls, and they further allow for testing the operating effectiveness of the controls over a period.
An ISAE report provides a formal attestation and therefore offers a greater level of assurance to customers who want to know about their service provider’s internal procedures covering broader areas.
One of TimeLog's most valuable assets is the data of our customers, business partners and employees. Therefore, we have chosen to provide our customers with an independent auditor’s report on how we deal with personal data and showing that we are compliant with GDPR (ISAE 3000 report).
Finally, our customers should know whether our IT landscape is mature enough to support the high demands that a service provider faces, which we can document in ISAE 3402.
We take responsibility for always protecting your data. This is documented in our ISAE 3000 and ISAE 3402 reports.
We believe that our customers need transparency when it comes to quality and reliability.
Our customers will be able to share the ISAE report with their own auditors, which will eliminate or reduce the requirement for our customers’ auditors to do additional testing of our controls.