What is an Attestation Letter?
Simply put, an attestation letter (often called an Executive Summary Report) is a statement or declaration from an independent third party that lends credibility to the part of the organization undergoing review. These attestations are often required as part of an ongoing audit, which is in and of itself a type of attestation. Still, audits are much more detailed and typically encompasses the entire organization. We at Secure Ideas are definitely not auditors, but our services are often necessary to successfully complete an organization's audit, and thus the attestation letter.
Penetration testing or security assessments might be performed to uncover certain information concerning compliance requirements, policies, and procedures, security posture, etc. that might not have been recognized within the company before the testing. An attestation letter is provided to publicly validate that the organization performed well during said testing or review process.
In our case, the explicit purpose for having an attestation letter is to confirm that after evaluating the security posture of the organization's infrastructure, network, applications, etc., the organization was adequately protected, with the appropriate controls and based on industry information security standards and regulations.
Organizations should understand that the attestation is there to prove the assessment was performed and how it resulted. This attestation is either undermined or enhanced by how the client handles the results.
