What is ISAE 3402 for OT environments?
ISAE 3402 is an international assurance standard for demonstrating control over outsourced processes. Suppliers whose services affect a customer's internal control, such as IT or OT service providers, can use an ISAE 3402 report to show that they operate reliable processes and adequate control measures.
In an OT context, ISAE 3402 is an essential link in IT/OT convergence: suppliers often have access to business-critical production systems, and that access exposes the customer to direct operational and security risks.
🧠 Core functions of ISAE 3402 reports
- Audit opinion – An independent auditor assesses the design and operation of processes
- Type I vs Type II – Type I assesses the design of controls at a point in time; Type II assesses both design and operating effectiveness over a defined period
- SOC reporting – Often compared with SOC 1 reports, which cover controls relevant to financial reporting
- Control objectives – For example access control, change management, incident management
- Assurance for clients – Customers can rely on the risk management of their suppliers
- Repeatability – Annual review, typically aligned with ISO 27001 or other frameworks
🔐 Relevance for OT and IT/OT convergence
| Risk area | Application in an OT context |
|---|---|
| Supplier control | ISAE 3402 substantiates that an OT service provider has its processes under control |
| Patch management | Demonstrable process for safe and controlled updates |
| Remote Access | Documentation of controlled external access to systems |
| Incident Management | Insight into how a supplier logs, classifies and handles incidents |
| Change Management | Description of release policy and change control on OT assets |
ISAE 3402 can enrich supplier dossiers in the context of Third Party Risk Management and Supplier Security.
✅ How Obsidian applies ISAE 3402
| Measure within Obsidian | Relevance for IT/OT convergence |
|---|---|
| Jump Server architecture | Demonstrable control over access to OT networks via logical separation |
| Access Control with logging | Who, when, why – full traceability of user activity |
| OT patch process with validation | Coordinated updates to PLCs, HMIs and SCADA systems with a rollback option |
| Monitoring & detection | Continuous monitoring of OT infrastructure for anomalous behaviour |
| Asset Inventory | Full registration of critical OT components, including firmware versions |
🔁 ISAE 3402 and other standards
| Standard | Linkage to ISAE 3402 for OT |
|---|---|
| ISO 27001 | Often used as the framework for ISAE 3402 Type II reports |
| IEC 62443-2-4 | Supplier standard for OT security – complementary |
| NIS2 | Obligation to verify suppliers – ISAE 3402 helps demonstrate this |
| SOC 2 | Complementary assurance for privacy and information security |
📦 IT/OT supply chain control via ISAE 3402
| IT components | OT components |
|---|---|
| Authentication, logging, cloud access | PLC updates, fieldbus communication, physical access |
| Service management and CMDB | Firmware management, asset lifecycle |
| IAM and RBAC | HMI/SCADA user management and zone segmentation |
By applying ISAE 3402 to both IT and OT processes, you create a single integrated view of risk management in converged environments.
📌 In summary
ISAE 3402 is a powerful tool for managing supplier risks across IT and OT. In environments where production continuity and cybersecurity meet, ISAE 3402 provides demonstrable assurance over processes such as access, updates, incident management and the integrity of OT assets.
