Strike Graph security compliance blog

What compliance attestation means for your business

Written by Kenneth Webb, CISSP, GWAPT, CSSLP, CISA, CIS LA | Jan 25, 2023 8:00:00 AM

Are you ready to take your business’s security compliance to the next level? Then compliance attestation may be in the cards for you.

In this post, we’ll take a look at what exactly compliance attestation is, how it’s different from certification, and how it relates to cybersecurity frameworks like PCI DSS, HIPAA, and SOC 2.

According to the Association of International Certified Professional Accountants (AICPA), compliance attestation refers to “an entity's compliance with requirements of specified laws, regulations, rules, contracts, or grants or the effectiveness of an entity's internal control over compliance with specified requirements.”

During a compliance attestation engagement, an organization’s compliance with specified requirements is examined. An Attestation of Compliance (AoC) is then delivered once the appropriate Report on Compliance or Self-Assessment Questionnaire has been completed. The AoC is verifiable proof of your organization’s full compliance.

Certification is a term that's used broadly when discussing security compliance to indicate documentation proving compliance (in fact, you'll notice us talking about security certifications in this general way). But when you start talking about specific frameworks, it's important to understand that each has its own terminology. With SOC 2, for example, a SOC report is not a certification but rather an independent attestation confirming certain elements about the control environment of a service organization — but more on that in the next section.

Compliance attestations are used for many compliance frameworks, including PCI DSS, SOC 2, HIPAA, ISO, and more. Let’s take a closer look at each.

PCI DSS

A PCI AoC is a declaration of an organization's compliance with PCI DSS, serving as documented evidence that the company's security practices effectively protect against threats to cardholder data.

HIPAA

A compliance assessment evaluates your operation against HIPAA regulations, looking at how your organization collects, stores, processes, and transmits electronic protected health information (ePHI) to ensure data security and patient privacy. From there, your auditor will provide an attestation that your organization complies with HIPAA regulations.

SOC 2

While commonly referred to as a SOC 2 certification, a SOC 2 is technically an attestation report that provides detailed information and assurance about an organization's security, availability, processing integrity, confidentiality, and privacy controls.

AICPA-specific attestation (AT Section 601)

SOC 2 isn’t a mandatory compliance framework, but rather a voluntary attestation provided by a third-party auditor in the form of a SOC 2 report. While the AICPA designs the SOC 2 standards, it doesn’t award certifications.

This means that there’s no certifying body, and any CPA can attest to an organization’s compliance with SOC 2 controls. However, in order to receive an attestation, an organization should comply with the AICPA's trust services criteria (TSC), with the examination performed in accordance with SSAE 18, the AICPA’s attestation standard for reporting on service organizations’ controls.

SOC 3

According to the AICPA, similar to the SOC 2 attestation, the SOC 3 attestation includes “reports [that] are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2® Report.”

SOX

The Sarbanes-Oxley Act (SOX) is a US federal law administered by the Securities and Exchange Commission (SEC) that requires publicly traded companies to have proper internal control structures in place to validate that their financial statements reflect their financial results accurately. Companies subject to SOX compliance can use the SOC 1 Type 2 attestation for reporting on internal controls over financial reporting.

C5

C5, the Cloud Computing Compliance Criteria Catalogue, is a baseline of security controls developed by the Federal Office for Information Security (BSI) in Germany, and a C5 attestation reports on a provider’s conformance with that catalogue. It allows cloud service providers (CSPs) to build transparent and trusted relationships with their cloud customers. There are attestations for Type 1 and Type 2.

CSA

The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. Similar to the AICPA, it's dedicated to defining best practices. The CSA helps ensure a more secure cloud computing environment and allows potential cloud customers to make informed decisions when transitioning their IT operations to the cloud. The CSA STAR program provides two levels of assurance: a self-assessment based on the Consensus Assessments Initiative Questionnaire (Level 1) and independent third-party assessments such as CSA STAR Attestation and CSA STAR Certification (Level 2). The CSA STAR Attestation involves a rigorous independent third-party audit of a cloud provider's security posture based on a SOC 2 Type 2 audit that incorporates the criteria of the CSA Cloud Controls Matrix (CCM).

ISO

ISO and IEC, through the ISO Committee on Conformity Assessment (CASCO), develop International Standards that enable suppliers, regulators, and consumers to have confidence that a service, process, product, or system meets specified requirements. In ISO/IEC terminology, “attestation” is the issue of a “statement” based on a decision that specified requirements have been met. There are first-party, second-party, and third-party attestations of conformity.

So what are some of the benefits of compliance attestation?

Receiving an AoC can help you prove compliance with a particular regulatory requirement, benchmark your organization’s operations (or a segment of your business) against control frameworks mandated by regulatory requirements, and provide your customers with third-party-reviewed proof that you meet the requirements of specific laws, regulations, or governing bodies’ rules.

In addition, successful compliance management can help you gather necessary data, refine your processes, provide a centralized source of information, manage your company’s policies with internal stakeholders, reduce your business risk, and ultimately speed up business decisions.

How Strike Graph can help with compliance attestation

Strike Graph’s security certification means you don't have to hire an old-fashioned audit firm to get to certification. We take you from step one to certification faster and for a lower cost.

That’s because our compliance platform reduces the burden of security compliance while building trust with enterprise prospects and clients and increasing sales opportunities with service providers.

We do more than just simplify the initial acquisition of security attestations such as SOC 2 Type I/II or ISO 27001: we support your ongoing compliance efforts and make it easy to branch out to other security frameworks.