ELI5: What is Attestation?
It’s like a doctor signing a note saying you’re healthy enough to play sports. An official expert checks everything and then puts their name on a document saying “yes, this company’s security is working properly.”
Definition
Attestation is a formal, written statement by an independent auditor, examiner, or assessor, based on evidence gathered during an assessment, that security controls, processes, or compliance requirements are in place and operating as intended. It is issued against an assertion made by the responsible party (for example, management's description of its controls), and it is the auditor's evaluation of that assertion, not the assertion itself, that gives stakeholders third-party assurance. It is commonly associated with SOC 2 reports (attestation engagements under the AICPA's attestation standards), PCI DSS assessments (the Attestation of Compliance, or AOC), and regulatory compliance sign-offs.
Key Details
- Attestation is a key output of both internal and external audits
- For PCI DSS, a Qualified Security Assessor (QSA) performs the assessment, documents it in a Report on Compliance (ROC), and signs the Attestation of Compliance (AOC) together with the assessed entity
- SOC 2 Type II attestation covers a period of time (typically 6–12 months), demonstrating sustained control effectiveness
- Self-attestation (vendor self-certification, e.g. a PCI DSS Self-Assessment Questionnaire completed without a QSA) carries less assurance than third-party attestation, because the same party that operates the controls is the one vouching for them
- Exam tip: attestation ≠ certification. A certification (e.g. ISO/IEC 27001) is issued by an accredited certification body against a published standard; an attestation is an auditor's professional opinion on the controls as described and tested, scoped to a defined system and period, and it is not a guarantee that no vulnerabilities exist
- Do not confuse this auditing sense with attestation in hardware and platform security (a TPM quote or TEE report cryptographically proving a device's software state); this entry covers the auditing sense only
Connections
- Parent: audits-and-assessments — attestation is the formal output of the audit and assessment process
- See also: soc-reports
- See also: external-audit