Our FAQ on ISAE 

TimeLog has obtained the ISAE 3000 as well as the ISAE 3402 report. Learn in this FAQ exactly what the two reports cover and how we keep your data safe.

If you have any further questions, please do not hesitate to contact our Support.

1. What does ISAE stand for?

ISAE stands for International Standard on Assurance Engagements, and ISAE reports are issued by an independent certified auditor, who audits relevant and agreed upon processes and procedures at a service provider.

2. What is an ISAE report?

 The ISAE reports documents how the service provider’s systems and organisation control operate and their effectiveness.

3. Is ISAE 3402 or 3000 mandatory?

The reports are not mandatory. An ISAE report is designed to provide the safety a customer is seeking in a service provider. The report is the result of the audit.

4. What is ISAE 3000 used for?

A service provider who has obtained an ISAE report is able to demonstrate the trustworthiness of its services. The reason for this is that the report is a quality stamp that proves and indicates that an independent auditor has reviewed that the processed data is treated with confidentiality, a high level of security and any potential risks are documented and controlled accordingly. 

5. Why should you choose a service provider who obtained one?

At TimeLog, we believe that as a service provider, we need to assure our customers that they do not run additional risks by trusting part of their business and data to us. Therefore, we have committed to working with a certified auditor in obtaining both an ISAE 3000 GDPR report and an ISAE 3402 report as an ongoing annual target in our compliance and information security work.

6. Download the reports in pdf

• Assurance report ISAE 3000
• Assurance report ISAE 3402 type II

7. What is an ISAE 3000 report on GDPR and Data Processing?

The scope of an ISAE 3000 report can be any type of control that has been agreed upon between the service provider and an independent auditor.

At TimeLog we have voluntarily chosen to have an external auditor review our efforts pertaining to the work involving our customers’ data. Creating transparency and demonstrating that we are compliant with the General Data Protection Regulations is crucial to us as a data processor.

With our ISAE 3000 GDPR report, we can document the operating effectiveness of our internal processes and controls since an independent auditor has confirmed GDPR compliance both within the organisation and in external relations.

As a data controller, you have the assurance of the auditor who has assessed our processes when it comes to the notion that your data is processed in compliance with applicable law.

Please view our full assurance report ISAE 3000

8. What is ISAE 3402?

An ISAE 3402 is an internationally recognised auditing standard verifying the security and effectiveness of a service organisation’s control system related to all business processes concerning the organisation’s IT landscape.

The control areas of ISAE 3402 audit may cover, and are not limited to, the following areas:

• Organisation and management
• IT security policy
• IT strategy
• Risk assessment and management
• User access management
• Network security management
• Development and maintenance of systems
• Emergency and contingency management

At TimeLog, we want to make sure that our IT infrastructure responds to the highest level of security, confidentiality and availability. Therefore, we have committed to voluntarily work with an independent auditor who has assessed our policies, procedures and documentation. The result illustrates quality and reliability to our customers, and furthermore it demonstrates that we continuously evaluate our work to improve and ensure the highest quality for our customers.

9. The difference between and ISAE 3402 Type I and Type II

When referring to an ISAE 3402, the internal control framework can be issued in Type I or a Type II report.

• Type I covers controls at a specific “point in time”, where the auditor will report on whether the service organisation's description of its controls presents fairly and is suitably designed to achieve control objectives.
• Type II covers the description of the controls placed in operation and includes detailed testing of the effectiveness of the corresponding results. The tests cover a period between six to twelve months.

10. ISO 2700X certification vs ISAE 

• ISO 2700X certifications were historically a benchmark for information security. However, since the threat landscape is in continuous change, it becomes more important for companies to have a greater level of assurance in broader areas.
• ISO 27001 focuses only on the design of controls and ISO 27002 provides guidelines on the process of implementation.
• ISAE reports, on the other hand, are based on the ISO controls, and they further allow for testing the operating effectiveness of the controls over a period.
• An ISAE provides a formal attestation and therefore, it is a greater level of assurance to customers who want to know about their service provider’s internal procedures covering broader areas.

11. How can you, as a TimeLog customer, benefit from our ISAE reports?

One of the most valuable properties to TimeLog is the data of our customers, business partners and employees. Therefore, we have chosen that our customer will receive an independent auditor’s report on how we deal with personal data and that we are compliant with GDPR (ISAE 3000 report).

Finally, our customers should know whether our IT landscape is mature enough to support the high demands that a service provider faces, which we can document in ISAE 3402.

• We take responsibility in always protecting your data. This is documented in our ISAE 3000 and ISAE 3402 reports.
• We believe that our customers need transparency when it comes to quality and reliability.
• Our customers will be able to share the ISAE report with their own auditors, which will eliminate or reduce the requirement for our customers’ auditor to do additional testing of our controls.