ISMS audit results for ISAE 3402 Type II Audit/Report
Do you think it is possible to use the output of ISO27001 controls/monitoring/records in an appropriate ISAE3402 Type II Audit/Report?
In ISAE3402, the auditor checks results/KPIs of a predefined set of controls against control objectives for a given time period in the past and produces an "Assurance Report".
It sounds to me as if ISAE3402 is just the "Check" part of the PDCA cycle of the ISMS?
It would be great to combine the 2 standards (provided the ISAE3402 scope is information security related, of course) and simply use the controls which have been documented by the ISMS, and use the monitoring output and internal audit output for the auditor.
Is that common practice?
We're not experts in this field, but in general an ISAE3402 Type II Audit/Report (SOC 2) reports on various organizational controls related to security, availability, processing integrity, confidentiality or privacy, and considering the ISMS scope is related to the scope of the ISAE3402 report, it seems perfectly possible to use ISMS outputs for your ISAE3402 report.
The ISMS provides a framework for the implementation, operation, and improvement of information security, while ISAE3402 is a verification that the implemented measures are working as expected.
This information (from the official site of American Institute of CPAs) about SOC 2 and ISO 27001 can be interesting for you: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/othermapping/trust-services-map-to-iso-27001.xlsx
Feb 24, 2020