17 April 2024

What is a TPM assurance report?

A Third Party Memorandum (TPM) is a assurance report prepared by an independent audit party. The assyrance report contains information about security and/or privacy risks associated with a service organization's IT systems. The purpose of this report is to provide (potential) users of the IT system with an objective assessment of the security and/or privacy risks.

What does a it look like?

A TPM assurance report can be prepared according to several applicable manuals and guidelines. IT auditors often use guidelines 3000 and 3402 (known from the ISAE3402 statement) or handbook SOC 2.

A TPM assurance report typically contains information about the following:

  1. The security and/or privacy risks associated with the service organization's ICT systems;
  2. The measures taken by the service organization to manage these risks;
  3. An assessment of the effectiveness of the measures taken and the extent to which they meet required standards;
  4. Recommendations for the user with measures the user should take to ensure that the service organization's measures are effective.


Why is it important?

A TPM assurance report from an IT auditor (RE) is of particular importance in the IT sector, where the importance of information security and privacy is increasing. It is a report that guarantees (with reasonable assurance) that the service organization of the IT system meets the required norms which can help improve the reputation of the organization. It also allows the service organization to show that it is aware of the risks and is committed to managing them.


What are the benefits?

  • As a service organization, you save on your users' audit costs, because then you do not have to perform the same audit for every customer with the same ICT systems;
  • With a TPM report, you can demonstrate the quality of your organization's control measures and services, to both existing and potential customers;
  • You may communicate a TPM report externally for communication and commercial purposes. See our requirements for a SOC 2 statement here;
  • As a service organization, such a statement allows you to demonstrate to your users that you comply with certain laws & regulations;
  • It is often mandatory for public companies to have a TPM assurance report for ICT services they purchase and procure.


Who sets it up? 

Setting up a TPM assruance report requires specific IT security and privacy expertise. Our IT auditors have very extensive experience in issuing TPM statements. We can support you with a variety of audits on all known standards frameworks. These include DigiD, ENSIA, SOC 2, ISAE 3402, NEN 7510, ISO27001, PCF and support with the annual audit of auditors.


+31 (0) 76-5019470

Please contact us

Do you have any questions or comments about our IT audit services? We are happy to hear from you. Please enter your details in the form below and we will get back to you as soon as possible. You can also contact us directly at the phone number on the left.

Our dedicated team is ready to assist you with any questions or concerns. We strive to provide you with the best service possible.

Fill in our contact form