Control Assurance Audit and Accreditation for Software Provider
Xcina Case Study

Control Assurance Audit (ISAE3402 Type 1) and Accreditation to ISO/IEC 27001 for Software Provider

The client

A leading provider of strategic management software for End User Computing (EUC) who is committed to ensuring the integrity of business operations. Trusted by world leading institutions in 20 countries on five continents their solutions help firms balance their governance, risk and regulatory compliance (GRC) obligations with the need for revenue generation, staff efficiency and productivity.

The work

Having developed a new Software as a Service (SaaS) platform for clients, customer demand for external accreditations, and the importance of services supporting customer regulatory compliance, the client wanted to provide buyers with assurance over the rigour they apply in the design, control and ongoing development and operation of their services.

How we helped

We worked with the UK board, and investors, to agree that the assurances that would most likely be demanded by purchasers would be the International Standard on Assurance Engagements (ISAE 3402) Assurance Report on Controls at a Service Organization and the International Information Security Standard (ISO/IEC 27001). Our Information Security consultants undertook a gap analysis of the client control environment against both ISAE3402 and ISO/IEC 27001 to prepare a comprehensive gap analysis and required remediation plan. We then worked with operational management to enhance their Information Security Management System (ISMS) to establish a common control framework that could be operated to meet the requirement of both Standards. By working collaboratively we helped the client successfully obtain a Type 1 ISAE3402 attestation and to gain certification to ISO/ IEC 27001 via both Stage 1 and Stage 2 audits on the first attempt.

Value added

By focussing on the reporting requirements of both Standards, and control overlap between them, we were able to design a single control framework that could be operated as part of their Business As Usual (BAU) operations which was operationally efficient and reduced the overall cost of compliance.

Industry and sector:


Solutions and service area:

What our clients say

"Xcina is always responsive to any question we have during the time we are implementing data protection remediation activities, they keep us informed and understand what we need and what we’re trying to do. "

Getac Technology Corp, Legal Affairs Center

"Xcina is always responsive to any question we have during the time we are implementing data protection remediation activities, they keep us informed and understand what we need and what we’re trying to do."

ParkMobileUK, Managing Director

"Xcina Consulting performed an annual review of our card data environment, and ensured that we are compliant with the PCI-DSS. We continue to work with their experienced QSAs, leveraging their guidance and best practices so we have the highest possible level of security controls in place."

DKB Brands, Data Protection Officer

"Xcina really helped us to kick start our data protection compliance process. They took the time to speak to all departments of the business and outlined our highest risk to lowest risk areas. The insight and guidance they provided was essential for our business to become GDPR compliant."

Portman Settled Estates Limited, Estate Secretary

"Xcina’s ongoing support has ensured that our employees feel confident when dealing with data protection matters, with best practice knowledge and expertise from consultants who have taken the time to get to know our business and our industry."

National Bank of Kuwait, Compliance Officer

"Xcina worked with us on a number of data protection matters, including subject access requests and gave helpful, practical advice which reflected their understanding of technology issues as well as legal matters."

Your World Recruitment, Group IT Director

"We have worked with with Xcina successfully for two years, initially on internal GDPR GAP analysis. We now have them engaged as our ‘Virtual DPO’ provider and regularly receive useful, pragmatic and, more importantly, actionable advice on all areas of Data Protection."

Quadrangle Research, Group Chief Operating Officer

Discover how we have supported businesses like yours >>

Subscribe to Updates

Receive regular updates from our expert consultants as they provide clarification and guidance on issues impacting your organisation.

Subscribe >>