Complementing Your ISO Certification - AT 101

December 9, 2013 Ryan Mackie

Undoubtedly, the ISO 27001 Certification is recognized globally and revered as one of the highest and most comprehensive certifications an organization can attain. The high esteem in which the certification is held is substantiated by the effort and dedication an organization must invest to attain ISO 27001 certification. As an internationally accepted certification, ISO 27001 represents an organization's ability to effectively manage information security risks with a certified information security management system (ISMS).

While the actual certification process entails a suite of rigorous activities concerning information security, the end result is a consolidated one-page certificate. This single-page certificate is held in very high regard, but it does not document the actual procedures and processes that were included in the ISMS certification. In conversations with our clients, they have told us that providing their customers with a document that answers the questions below, alongside their ISO certificate, would be a “home run”:

  • What controls were included within the organization's statement of applicability?
  • What was the process the organization took to implement these controls?
  • What gaps were identified and which steps were taken for remediation?

As a solution, the BrightLine team offers an accompanying supplemental publication to the ISO 27001 certificate that effectively provides both the organization and customer with the explanation and assurance that is simply necessary.

AT 101 Enhancement

The attestation standard (AT) 101 is the common baseline for service organization controls (SOC) reports performed by a licensed CPA firm. The AT 101 examination can be conducted against specific processes, procedures, control sets, and/or standards. The AT 101 examination can be either a Type 1, which is considered a point-in-time examination, or a Type 2, which is an examination covering a review period of at least six months.

For organizations that have recently been certified or have effectively maintained their annual certification, a Type 1 AT 101 examination accompanying the ISO 27001 certificate provides their customers with the additional processes performed as well as the procedural information. Because this information is not included in the actual certificate, it is provided with minimal or no additional performance of control testing.

During the Stage 2 review of an initial ISO certification, procedures related to the requirements of the ISMS and the identified applicable controls are performed by the certification body. The certification body is required to report on the Stage 2 review and provide the report to the entity being audited. Both the control testing results from the Stage 2 review and the content from the report can be used to fulfill the reporting requirements and content for the Type 1 AT 101 report.

The Type 1 AT 101 report is structured to include the following:

  • The organization's background information
  • A description of the services provided
  • Details of the management system
  • The entity's statement of applicability and control matrix

An organization can offer their ISO 27001 certificate accompanied by the Type 1 AT 101 report to prospects or customers as a value-added service. This will offer the customer or prospect a more complete picture that further explains the significance of achieving the ISO certification. Additionally, the report will communicate the details of the management system and the controls in place that were integral in making the achievement possible. 

About the Author

Ryan Mackie

Ryan Mackie is a Principal and ISO Certification Services Practice Director at Schellman & Company, LLC. Ryan manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery and also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000, and ISO 22301 as well as CSA STAR certification services. He has over 18 years of experience. Ryan is also an active member of the CSA and sits on the Open Control Framework committee, which is responsible for the CSA STAR Program methodology and execution.
