ISAE 3402 Assurance Reports on Controls at a Service Organisation
International assurance engagement standard for reporting on controls at service organisations relevant to user entities' financial reporting. Defines Type I (design suitability) and Type II (design and operating effectiveness) report structures covering management assertions, control objectives, control activities, subservice organisation management, and complementary user entity controls (CUECs). Widely used by cloud providers, data centres, payment processors, and outsourcing firms. Equivalent to SSAE 18 / SOC 1 in the US.
Controls: 96
Total Mappings: 131
Publisher: IAASB (International Auditing and Assurance Standards Board)
Version: 2011 (revised 2022)
Control families (mapped controls per family): AC (9), AU (7), CA (8), CM (10), CP (4), IA (4), IR (2), PE (10), PL (4), PM (8), PS (2), RA (4), SA (7), SC (5), SI (6), SR (6)
AC Access Control
| Control | Name | ISAE 3402 References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | Clause 4 |
| AC-02 | Account Management | Clause 4 |
| AC-03 | Access Enforcement | Clause 4 |
| AC-04 | Information Flow Enforcement | Clause 4 |
| AC-05 | Separation Of Duties | Clause 4 |
| AC-06 | Least Privilege | Clause 4 |
| AC-17 | Remote Access | Clause 4 |
| AC-20 | Use Of External Information Systems | Clause 7, Clause 8 |
| AC-21 | Information Sharing | Clause 8 |
AU Audit and Accountability
| Control | Name | ISAE 3402 References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | Clause 4 |
| AU-02 | Auditable Events | Clause 4 |
| AU-03 | Content Of Audit Records | Clause 4 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | Clause 4, Clause 6, Clause 10 |
| AU-07 | Audit Reduction And Report Generation | Clause 10 |
| AU-12 | Audit Record Generation | Clause 4 |
| AU-16 | Cross-Organizational Audit Logging | Clause 6 |
CA Security Assessment and Authorization
| Control | Name | ISAE 3402 References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | Clause 1, Clause 3 |
| CA-02 | Security Assessments | Clause 2, Clause 3, Clause 5, Clause 6, Clause 10 |
| CA-03 | Information System Connections | Clause 7, Clause 8 |
| CA-04 | Security Certification | Clause 6 |
| CA-05 | Plan Of Action And Milestones | Clause 2, Clause 5, Clause 10 |
| CA-06 | Security Accreditation | Clause 1, Clause 2, Clause 3 |
| CA-07 | Continuous Monitoring | Clause 2, Clause 5, Clause 6, Clause 10 |
| CA-08 | Penetration Testing | Clause 6 |
CM Configuration Management
| Control | Name | ISAE 3402 References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | Clause 4 |
| CM-02 | Baseline Configuration | Clause 4, Clause 9 |
| CM-03 | Configuration Change Control | Clause 4 |
| CM-04 | Monitoring Configuration Changes | Clause 4 |
| CM-05 | Access Restrictions For Change | Clause 4 |
| CM-06 | Configuration Settings | Clause 4 |
| CM-07 | Least Functionality | Clause 4 |
| CM-08 | Information System Component Inventory | Clause 9 |
| CM-12 | Information Location | Clause 9 |
| CM-13 | Data Action Mapping | Clause 9 |
CP Contingency Planning
IA Identification and Authentication
IR Incident Response
PE Physical and Environmental Protection
| Control | Name | ISAE 3402 References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | Clause 4 |
| PE-02 | Physical Access Authorizations | Clause 4 |
| PE-03 | Physical Access Control | Clause 4 |
| PE-06 | Monitoring Physical Access | Clause 4 |
| PE-09 | Power Equipment And Power Cabling | Clause 4 |
| PE-10 | Emergency Shutoff | Clause 4 |
| PE-11 | Emergency Power | Clause 4 |
| PE-12 | Emergency Lighting | Clause 4 |
| PE-13 | Fire Protection | Clause 4 |
| PE-14 | Temperature And Humidity Controls | Clause 4 |
PL Planning
PM Program Management
| Control | Name | ISAE 3402 References |
|---|---|---|
| PM-01 | Information Security Program Plan | Clause 1, Clause 2, Clause 3 |
| PM-05 | System Inventory | Clause 1, Clause 9 |
| PM-06 | Measures of Performance | Clause 5, Clause 6, Clause 10 |
| PM-07 | Enterprise Architecture | Clause 9 |
| PM-09 | Risk Management Strategy | Clause 1, Clause 2, Clause 3, Clause 8 |
| PM-11 | Mission and Business Process Definition | Clause 1, Clause 3 |
| PM-14 | Testing, Training, and Monitoring | Clause 5 |
| PM-30 | Supply Chain Risk Management Strategy | Clause 7 |
PS Personnel Security
RA Risk Assessment
SA System and Services Acquisition
| Control | Name | ISAE 3402 References |
|---|---|---|
| SA-03 | Life Cycle Support | Clause 4 |
| SA-04 | Acquisitions | Clause 7 |
| SA-05 | Information System Documentation | Clause 9 |
| SA-09 | External Information System Services | Clause 7, Clause 8 |
| SA-10 | Developer Configuration Management | Clause 4 |
| SA-11 | Developer Security Testing | Clause 4 |
| SA-17 | Developer Security and Privacy Architecture and Design | Clause 9 |
SC System and Communications Protection
SI System and Information Integrity
| Control | Name | ISAE 3402 References |
|---|---|---|
| SI-02 | Flaw Remediation | Clause 4 |
| SI-03 | Malicious Code Protection | Clause 4 |
| SI-04 | Information System Monitoring Tools And Techniques | Clause 4 |
| SI-07 | Software And Information Integrity | Clause 4 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | Clause 4 |
| SI-12 | Information Output Handling And Retention | Clause 4 |
SR Supply Chain Risk Management
| Control | Name | ISAE 3402 References |
|---|---|---|
| SR-01 | Policy and Procedures | Clause 7, Clause 8 |
| SR-02 | Supply Chain Risk Management Plan | Clause 7 |
| SR-03 | Supply Chain Controls and Processes | Clause 7 |
| SR-05 | Acquisition Strategies, Tools, and Methods | Clause 7 |
| SR-06 | Supplier Assessments and Reviews | Clause 7 |
| SR-07 | Supply Chain Operations Security | Clause 8 |