IT Assurance audits
- A well-known ISO auditor for your IT assurance audits
- Quickly get your ISAE 3402 - ISAE 3000 - SOC 2 statement
- Personal support throughout the entire process
- Clear reports and competitive prices
DigiTrust is happy to help your organisation carry out your IT assurance audits. Combine this with your ISO audit.
More than 500 organisations have already gone before you.
![Certification process - DigiTrust - ISO 27001 Certification - NEN 7510 Certification - ISO 9001 certification - ISO 14001 Certification](https://www.digitrust.nl/wp-content/uploads/2022/05/IMG_4921-scaled-1-2048x1536.jpeg)
Why IT assurance audits
Due to higher requirements in laws and regulations and the need to demonstrate quality and control of outsourced services, we expect the demand for certification in combination with an IT assurance statement to increase in the coming years. The demand for greater assurance on the quality and control of outsourced services is therefore increasing. The approach is shifting towards certification/ISO as the basis (PDCA), supplemented by demonstrating the operation of control measures with an IT assurance statement.
What does this mean for you?
In a combination audit (ISO 27001 and IT audit), the same or a fellow DigiTrust auditor looks at the ISMS and at the processes and associated IT assurance controls. Clients benefit from this efficiency gain, which saves considerable time and cost.
What types of IT assurance audits are there?
There are different types of IT assurance reports. Ultimately, it is often the demand of the client (the user organisation) that determines which report is chosen. In other words, together with your client, you determine which type of assurance report should be delivered. What does the client (user organisation) ask for and what does the client want assurance on and for what purpose? An IT assurance statement can lead to better cooperation and more trust between service organisation and user organisation. We distinguish the following types of IT assurance reports:
ISAE 3402:
An ISAE 3402 statement is an independent assessment by an IT auditor of the reliability of financial and underlying processes outsourced to a service organisation. Organisations increasingly outsource processes to service organisations (outsourcing), making them dependent on the quality and control of these outsourced services and processes. The scope of ISAE 3402 is not limited to the control measures for the financial processes, but issues such as reliability of the primary process, information security, availability and integrity can also be included in an ISAE 3402 report.
ISAE 3000:
An ISAE 3000 statement is an independent assessment by an IT auditor of general non-financial management processes, including processes such as change management, incident management, service level management, security management, continuity management, software development and other processes belonging to the primary service. With an ISAE 3000 report, the client can demonstrate that the internal management processes are actually performed as described and provide assurance that they are adequately set up.
SOC 2:
To demonstrate as a service organisation that the processes outsourced to it are performed reliably, a Service Organisation Control standard (SOC 2) provides an independent opinion on security, availability, confidentiality, integrity and/or privacy. A SOC 2 assurance report is based on the trust services criteria (objectives), a generic US standards framework, which are divided into 5 categories: security, availability, confidentiality, integrity and/or privacy. SOC 2 gives a service organisation the opportunity to provide customers with insight into the control measures and processes applicable to the service. In a SOC 2 audit, DigiTrust assesses the service organisation's management objectives and measures.
Type 1 or 2 reporting?
ISAE/SOC distinguishes two types of reporting.
The Type 1 report assesses:
- the extent to which the description of the IT service organisation's system, including internal controls, gives a true and fair view of reality; and
- the extent to which the design of the internal control measures is adequate.
The Type 2 report adds:
- the extent to which the internal control measures operated effectively over a given period (6 months to 1 year).
DigiD audit
Many governments and healthcare institutions offer users the possibility to log in with DigiD via a portal and view data or, for example, report a change of address using a form. Fortunately, in the Netherlands a DigiD connection is not simply handed out.
A very specific assurance engagement that is common in the Netherlands is the DigiD TPM. The DigiD ICT Security Assessment is an annual assessment that all Dutch municipalities and other organisations with a DigiD connection (user organisations), application suppliers and hosting parties have to carry out on behalf of the Ministry of the Interior and Kingdom Relations. The ICT security assessment consists of an audit and a technical penetration test.
The DigiD standards framework is based on the National Cyber Security Centre (NCSC) web application design guideline.
The DigiD assessment report contains an overview of all factual findings per standard/measure. The report is intended for the user organisation and service organisation (application supplier and hosting party). The connection holder of the DigiD link must share this report with Logius annually.
DigiTrust can also conduct a pre-audit to determine your compliance with the requirements of the DigiD standards framework.
ENSIA
Residents of a municipality expect a reliable municipality that handles information securely. Municipalities account for information security through the Single Information Audit with uniform standards (ENSIA). ENSIA is an initiative of the Ministry of the Interior and Kingdom Relations, the Ministry of Social Affairs and the municipalities.
The focus of ENSIA is on accountability towards the municipal council, the highest political body of the municipality. In parallel, municipalities are accountable to the central government where the use of national facilities is concerned.
Through ENSIA, the municipal government is accountable to the municipal council for a) information security based on the BIO, and b) Digital Person Identification (DigiD), Basic Registration of Persons (BRP) and Travel Documents, Basic Registration of Addresses and Buildings (BAG), Basic Registration of Large-scale Topography (BGT), Basic Registration of Subsoil (BRO), Valuation of Immovable Property (WOZ) and the Work and Income Implementation Structure (SUWI) towards central government.
DigiTrust performs the audit on the municipal executive's declaration for Suwinet and DigiD. We can also do a pre-audit, so you will not face any surprises during the audit.
Need advice on IT assurance?
Our specialists will be happy to tell you more about it. Call us on 088-224 56 00, email us at sales@digitrust.nl or use our online contact form. We will be happy to visit you for a no-obligation introduction.
More than 300 organisations have already gone before you.