In this post, we’ll explore the differences between assurance vs attestation vs audit. Use this simple guide to shed light on these somewhat similar terms and prevent errors in preparation.
It’s been said before by Compliance purists and linguistic pedants alike, but it bears repeating: there is no such thing as SOC 2 Certification. Technically speaking, organizations don't get SOC 2 certification, nor is there any such thing as being SOC 2 certified. And though there is an official report handover at the end of the audit, there’s no official certificate given out.
If SOC 2 isn't certification... what is it?!
While this all may sound like little more than an exercise in InfoSec-word-nerdery, there is actually a good reason that some people get more than a bit touchy about the topic. The truth is that assessments, audits, attestations and certifications are not the same, and each one has its own requirements and implications. Not understanding the ramifications of assurance vs attestation vs audit can cause confusion and may lead to mistakes.
In an audit, an organization compares itself to a standard. Whether done internally or externally, there must be a chosen standard to be compared to. The level for audits can be further segmented based on the agreed-upon procedures that are involved in the scope. Internal audits, for instance, are comparisons with the organization’s own standards, that is, its set of policies, standards, procedures, etc. ISO 27001 is an example of a Compliance audit with a certification at the end.
What is the difference between assessment and audit? Think of an assessment as an “audit plus”, which means comparison with both a standard and industry practices, the auditor’s knowledge and experience, etc. PCI-DSS is an audit, though as part of PCI-DSS, organizations are required to go through a penetration test as well, which is an assessment. In this light, PCI-DSS can also be called an assessment, and the QSA (Qualified Security Assessor) can use their own judgement to determine what else is needed and what's in scope.
The difference between an attestation and an audit is that an attestation is a type of audit in which the auditor reviews the practices of the organization being audited and provides a statement about the organization’s posture. SOC 2 is a pure attestation, which is an assessment as well. The auditor goes through the Trust Services Criteria and also uses their own knowledge and experience to determine whether the organization meets requirements. At the end there's no certification; instead, the process finishes with an attestation stating that the organization has been assessed, plus a description of the control environment.
A certification is essentially a result of one of the above options. Organizations can go through an audit or an assessment or even an attestation, and besides getting the report at the end, they can get a certification if there is an official one. For example, ISO 27001 can include a review of an organization’s own Information Security Management System (ISMS) or something based on ISO 27002 (Code of Practice). In both cases, the auditor will review the ISMS and compare it with ISO 27001 Chapters and Appendix.
Security questionnaires are another tool used by organizations to assess the security posture of potential vendors/third parties. They can contain hundreds, if not thousands, of questions pertaining to the organization’s security posture and may cover controls addressed in the more common frameworks. Many organizations opt to use questionnaires based on industry-approved standards like NIST Special Publication 800-53 and the Center for Internet Security (CIS) Critical Security Controls (CSC) to make things easier for themselves. Organizations may ask for these questionnaires in addition to seeing the above-mentioned attestations and certificates. Such questionnaires can also be called self-assessments or self-audits, since organizations use questionnaires as the standard (and sometimes, those are actually based on known standards, like the Cloud Security Alliance Cloud Control Matrix (aka CSA CCM)), but instead of being audited by someone else, they are requested to respond to the questionnaire on their own.
Though these reports can get pretty confusing, and even overwhelming, they all share the same vision: that of reducing security-related friction when solidifying deals and partnerships with other businesses. Jargon aside, the objective of any audit, attestation, certification, and all the rest is to reflect an organization’s security posture to the world via established and mutually agreed-upon frameworks. Whether the chosen framework provides a certificate like ISO 27001 or is purely attestation like SOC 2, what really matters is the control environment and the organization’s ability to continually meet and maintain requirements.
But truthfully, spending time establishing controls, collecting Compliance evidence, and dealing with auditors may lead InfoSec professionals to believe that Compliance is the main point of all these activities. It’s super important to remember that meeting frameworks and accumulating new certificates/audits/etc. should never be seen as the ultimate destination; Compliance, the accompanying reports and certifications, and meeting frameworks are simply all means to an end.
The real goal of understanding the difference between assurance vs attestation vs audit and carrying out these activities should be to reduce risk and help ensure best practices are baked into every step of an organization’s journey to optimal security posture.