Author: securance

Axians | ISAE 3402 | SOC 2

"My relationship with Conclude Accountants / Risklane goes back some time. Both now and in previous projects, I have experienced the expertise, pragmatism and cooperation as very pleasant. Because we planned to achieve both the ISAE 3402 and the ISAE 3000 within one year, it was essential that we as partners could count on each other. The fact that Risklane / Conclude Accountants has established itself as a sparring partner during the implementation has helped us a lot. This partnership, in combination with the willingness to change, commitment, and motivation of all Axians employees involved, has ensured that we have been able to achieve this result within time and the budget.

A result that both Risklane / Conclude Accountants and Axians can be proud of!"

- Dennis van Hoof, Quality & Risk manager Axians


Axians is a dedicated ICT brand of VINCI Energies, specialized in IT solutions and services. They support a broad range of clients consisting out of private businesses, public organizations, government agencies, operators, and service providers. Axians offers a broad portfolio of IT solutions and services: business applications and data analytics, enterprise networks and digital workplaces, datacentre and cloud services, telecommunications infrastructure, and cybersecurity.

Axians uses the best technology for their clients to grow and compete in a constantly fluctuating market. People are more important than technology; the human touch is key for Axians.


Organizations are increasingly outsourcing services and processes to service providers. Besides, the complexity of laws and regulations has increased. The outsourcing organizations remain responsible for their data and services. This caused a significant rise in the popularity of assurance reports that can provide reasonable assurance that service organizations are in control of their risks. Due to the fact that Axians is constantly striving to supply their clients with qualitative reliable services with the lowest possible risks, it is even more important to implement the ISAE 3402 | SOC 2 Type II report.

The biggest challenge Risklane faced at Axians was to separate the structures performed on a European or global scale, and which processes were performed within Axians Netherlands. The location of the supportive activities performed by Axians, such as the logical access management and the security of external links, have a major impact on the scope of the Axians Netherlands report.

In the end, our goal was not only to provide Axians with a state-of-the-art ISAE 3402 | SOC 2 Type II report but also to support them in taking the step towards risk leadership. Risk leadership is what we define as a critical shift in thinking, where risks are opportunities for improvement which should be met head-on instead of being worked around. As it turned out, this way of thinking matched perfectly with the agile and innovative thinking Axians is known for by their clients.


Knowing that more organizations are outsourcing their services Axians partnered with Risklane to achieve ISAE 3402 Type II | SOC 2 Type II which are complementary to ISO-certification as ISO 9001, ISO 20000, and ISO 27001. Risklane’s projects always aim to combine the highest standard of reporting in the market with descriptions and processes that are both recognizable for Axians as well as their clients. This required us to get to know Axians' processes as if they were our own. Through intensive interviews with their employees, we not only succeeded in getting to know the Axians processes but also pinpoint the risks. Knowing the risks we can efficiently describe the control objectives and define effective controls. Our extensive knowledge of the outsourcing services market often allows us to advise our clients about efficiency drives in operations, registration processes, and risk management.


The cooperation between Axians and Risklane resulted in achieving ISAE 3402 Type II and SOC 2 Type II. The result is a direct effect on the business for Axians as it will offer client organizations more certainty that processes are optimized and demonstrable setup and controlled including potential risks. In the end, the reports are successfully audit by Conclude Accountants.

Conclusion | ISAE 3402

“Conclude Accountants / Risklane helped us extremely well with the implementation. This was a tough job since later on in the process a fourth Conclusion company joined the already participating three Conclusion companies. The companies provided more or less the same type of services, but with quite a few differences between them. The young and enthusiastic consultants thought along with us and developed, in close cooperation and pragmatically, a one-size-fits-all control framework. Every year, we are tested in two test periods to see if we are doing what is described in the control framework. These intensive periods can only be passed successfully by working well together and Risklane succeeded to do this.”

- Stefan Hendriks, Manager Quality at Conclusion Future IT


Conclusion is an ecosystem which consist of independently operating businesses with each their own unique knowledge and expertise, customers, delivery partners, technology vendors and ventures. Without any exceptions the businesses are focused on technology driven solutions, but also on organization and people. On continuous basis Conclusion initiates, facilitates, develops, maintains and innovates because the demands and needs of the customers and the world are changing constantly.

Conclusion wants to be the best IT service provider in the Netherlands; to be seen as partner, service provider and innovator and positively known for their services.


During the process of the ISAE 3402 implementation, multiple operating businesses were included in the scope of the ISAE 3402 report. The biggest challenge of this extensive scope was that processes and procedures had to be aligned and all employees from the multiple operating businesses had to work in accordance with these processes and procedures. Due to the nature of the business, Conclusion employees are used to work with both internal applications as client applications. This created a challenge during the audit process, performed by Conclude Accountants, because extensive audit activities had to be performed in order to verify whether processes were performed in accordance with the internal control framework.


The ISAE 3402 was ultimately realised by effective cooperation between Conclusion staff and Risklane Consultant and efficient project management. Several workshops and meetings with multiple teams of the operating businesses are held to identify risks, determine the impact and the existing working method, and accordingly align individual processes to a Conclusion control system.

The audit was performed focusing on minimizing business processes and optimizing the process as much as possible. By effective project management by Conclusion and guidance from Conclude, all identified challenged were mitigated in an effective way.


Because of the cooperation between Conclusion and Risklane all operating businesses are currently working in accordance with the Conclusion Internal Control Framework. The ISAE 3402 reports serves as a guidelines for performing processes, the associated ISAE 3402 statement provides assurance over these processes to customers of Conclusion.

Spring Real Estate | ISAE 3402

“Although we were under the assumption that processes had been properly and completely arranged, points still emerged that needed to be added in the context of ISAE 3402. Risklane has made several suggestions that could be directly implemented in existing processes, with which the ISAE 3402 statement could still be obtained. The practical approach and the extent to which they can make suggestions by all the companies they supervise have resulted in us being able to add extra value to our processes quickly and easily.”
- Lennard Hoekstra, Partner Valuations

“Through the implementation of ISAE 3402, Spring Real Estate has further professionalised internal procedures, so that valuations are demonstrably carried out by the highest quality requirements. Improvement initiatives identified by the Risklane team during the implementation have been followed up by Spring Real Estate in a pragmatic and adequate manner ”
- Koen van der Aa, Associate Manager Risklane


Spring Real Estate has grown into a national real estate consultancy organization since its foundation in 2011. Spring Real Estate advises tenants and investors of commercial real estate on transactions and valuations. The services consist of Agency (offices, industrial spaces, retail), Capital Markets (commercial and residential), Management, MidCap Investments, Valuations, Media, and Online Lead Generation. Research and knowledge form the basis of their advice. In the coming years, they will focus on expanding their services to all important economic regions in the Netherlands to provide their clients with optimal advice.

Together with Risklane, Spring Real Estate took up the challenge to implement ISAE 3402 in the organization to identify and minimize risks.


Implementing the control framework allows Spring Real Estate the opportunity to demonstrate that they carry out valuations based on the applicable requirements according to the NRVT guidelines. The NRVT guidelines provide a formal framework with rules that cannot be deviated from by registered appraisers. Practical guidelines with practical recommendations were also provided which formed the basis of the implementation.

The biggest challenge was not so much implementing the control framework but making all control actions that were already taken within the organization measurable. In the interviews conducted by the Risklane team, it soon became clear that valuation procedures had already been set up in accordance with the NRVT guidelines but were insufficiently demonstrable. Spring has managed to realize this demonstrability in short term through a targeted implementation plan.

The cooperation between Risklane and Spring Real Estate went well and has led to a professional result: a successful implementation of ISAE 3402. Recently, Conclude Accountants has conducted the ISAE 3402 Type I audit which will be followed by an ISAE 3402 Type II audit in the second half of this year.

Solution & results

The ISAE 3402 implementation gives Spring Real Estate the ability to demonstrate that valuations are carried out in accordance with the NRVT guidelines and that risks within this process are minimized by using an effective and professional control framework.

Planday – ISAE 3000 | SOC 2


Planday is a technology company that helps businesses move away from cumbersome, manual scheduling processes, and into ways of working that make the interaction between hourly employees and their workplaces real-time and collaborative. Operating across the UK, Europe, and the USA, with over 200 employees and driven by a growth-centric business model, it was important to look at obtaining the ISAE 3000 assurance report. This report is a demonstrable commitment from Planday to its customers and other stakeholders about the importance of data privacy and the value of information and cybersecurity in their strategy, governance, and their day-to-day operations.

For example, many of Planday’s customers are Kommunes, the political jurisdictions in Denmark. Kommunes require that their third-party suppliers are able to demonstrate that independent controls are in place for IT security and validate the integrity of systems to ensure the confidentiality and privacy of the information processed by that system.

Risklane offers services in the field of information security, risk management, and governance. In addition to advisory services and risk sourcing, Risklane offers software (SaaS) solutions that enable organizations to implement complex standards independently. Both solutions are focused on managing risk and improving performance. Risklane provides solutions for the management of risks and the implementation of ISAE 3402 (SOC 1), ISAE 3000 (SOC 2), ISO 27001, and ISO 9001.


Planday has been engaging with Risklane since 2018, with the introduction of GDPR. Planday acknowledged the professional skill set that Risklane brought to the table and in early September 2020, Planday engaged with the team at Risklane to identify the existing processes and review all requirements against the SOC 2 control framework. Risklane’s team – Koen van der Aa, Vincent Man, and Bart van Wijck – were engaged and committed to helping Planday through every step of the process. They helped Planday understand how to align processes to the control framework effectively, and how to evidence their risk management framework and strategy accordingly.

Solution & results

Through an extensive series of interviews and workshops with the Risklane team, Planday was in a good place and ready for the full audit to commence on November 4, 2020. Planday has successfully implemented SOC 2 which helps them to demonstrate continuous improvement by iterating over their processes, strengthening their risk management, and informing their information and cybersecurity strategy and roadmap for 2021. In May 2021, Certicus Ltd. performed the SOC 2 Type II audit successfully.