Solita services: ISAE 3402 type II and ISAE 3000 GDPR audit statements

ISAE 3402 Type II and ISAE 3000 GDPR audit statements

ISAE 3402 Type II and ISAE 3000 GDPR audit statements

International standard for assurance engagements

ISAE 3402 Type II

Solita Denmark is ISAE 3402 Type II certified. An ISAE 3402 audit statement provides a picture of the general state of the IT organisation, documents proper IT conditions and serves as proof that we comply with legal requirements and sustainable IT practice. The statement is prepared by an independent, government-approved auditing company, which ensures a review of documentation and random checks of the various areas based on ISO 27001/2.

Description of ISAE 3402 Type II

ISAE stands for “International Standard for Assurance Engagements” and ISAE 3402 is an international standard used for audit and assurance engagements to provide a high level of assurance on the internal controls of service providers, including IT service providers. The assurance opinions are used by user organisations (the service provider’s customers) and their auditors. ISAE 3402 is also a SOC1 report within Service Organisation Control (SOC) reports.

The standard provides a framework for how the service provider’s auditor should perform his or her work and issue opinions, including how the auditor obtains reasonable assurance that the service provider’s description of its system is fairly stated, that the service provider’s controls are suitably designed, and that the controls have operated effectively. There must be a relationship between the controls that the auditor tests and the purpose of the controls (control objectives), including the risks that the controls are designed to address.

The certification standard provides for two types of statements: one (type 1) is for a given date and the other (type 2) is for a period, usually at least six months. A Type 2 statement includes the auditor’s opinion on whether the service provider’s description of the controls, designed and implemented for a particular period, is true and on point for the period in question. It also includes comments on whether the controls were suitably designed for the period, and whether the controls operated effectively throughout the period. 

The statement consists of three parts:

  • The service provider’s description of the system
  • The service provider’s statement on the description and controls
  • The auditor’s opinion on the service provider’s assertions in relation to the description.

The statement should describe the service provider’s services in general terms and, moreover, address the objectives of the controls and the related controls in detail. This makes it easy for any user organisation’s appointed auditor to gain an understanding of the services and controls. The statement should include confirmation that the description is accurate and a statement that the controls were appropriately designed and operated effectively throughout the period. Finally, the service provider must describe the policies and procedures. The control objectives, identified risks and controls must also be well documented. 

ISAE 3402 logo


Solita A/S is certified to ISAE 3000 GDPR – High Security

The auditor’s opinion provides a picture of Solita’s compliance with the General Data Protection Regulation (GDPR) and has been issued by an independent, government-approved accounting firm. ISAE 3000 GDPR – High Assurance is a statement that ensures a review of documentation and random checks, based on the framework defined by FSR – Danish Auditors and the Danish Data Protection Agency. The auditor’s statement contains no observations.

Description of ISAE 3000 GDPR – High Security

On 25 May 2018, data protection legislation based on the EU GDPR replaced the Personal Data Act and related security regulations. This meant significant changes to existing security standards and increased penalties, specific requirements for the assessment of a Data Protection Officer (DPO), data subject rights and reporting duties were introduced. All companies in the EU are obligated to comply with the GDPR. Companies outside the EU are also obligated to comply with the GDPR if they process data about EU citizens.

In general, the law covers the following types of processing:

  • The service provider’s system description
  • Collection of data
  • Registration of data
  • Classification of data
  • Storage of data
  • Use of data
  • Disclosure of data
  • Deletion of data

Documentation and sampling

The statement itself comes in two forms: high assurance and limited assurance. Solita A/S holds the High Assurance Statement, which is based on an in-depth review of documentation and samples, whereas the Limited Assurance Statement is based on enquiries and interviews and is generally easier to obtain.

The assurance statement consists of 4 sections:

  1. Solita’s description of processing activities
  2. Solita’s statement
  3. An independent auditor’s high-assurance statement
  4. Control objectives, controls performed, tests and results
ISAE 3000

More about our other deliveries

Solita develops business-critical applications for Denmark’s largest companies. We are dedicated to quickly creating solutions and value. This is based on effective technology selection and responsible delivery.

Read also about SKI, the Danish State and Municipal Procurement Agreement, which consolidates procurement in the public sector and simplifies the obligation to tender.

The auditor is ISAE 3000 GDPR – high security certified

The auditor’s statement provides an overview of Solita’s compliance with the General Data Protection Regulation (GDPR), and has been prepared by an independent, government-approved accounting firm. ISAE 3000 GDPR – High Assurance. Our audit statement has a clean opinion.  

Whether your system integration is in a design phase, under development or already in production, we can help you. We make sure that the solution meets your needs and runs continuously with high reliability. To ensure that any unforeseen incidents are resolved as quickly and efficiently as possible, we stay in constant contact with you along the way.

Then you can consider IT done. 

Want to hear more? Contact us!