866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Complementing Your ISO Certification With The Attestation Standard (AT) 101 Blog Feature
RYAN MACKIE

By: RYAN MACKIE

Print/Save as PDF

Complementing Your ISO Certification With The Attestation Standard (AT) 101

Education | ISO Certifications

Undoubtedly, the ISO 27001 Certification is recognized globally and revered as one of the highest and most comprehensive certifications an organization can attain. The high esteem that the certification is held is substantiated by the effort and dedication that is required by an organization to attain ISO 27001 certification. As an internationally accepted certification, ISO 27001 represents an organization's ability to effectively manage information security risks with a certified information security management system (ISMS).

While the actual certification process entails a suite of rigorous activities concerning information security, the end result is a consolidated one-page certificate. This single page certificate is held in very high regard, but does not document the actual procedures and processes that were included in the ISMS certification. Through conversations with our clients, they have mentioned that providing their customers with a document that describes the below along with their ISO certificate would be a “homerun”:

  • What controls were included within the organization's statement of applicability?
  • What was the process the organization took to implement these controls?
  • What gaps were identified and which steps were taken for remediation?

As a solution, the BrightLine team offers an accompanying supplemental publication to the ISO 27001 certificate that effectively provides both the organization and customer with the explanation and assurance that is simply necessary.

AT 101 Enhancement

The attestation standard (AT) 101 is the common baseline for service organization controls (SOC) reports performed by a licensed CPA firm. The AT 101 examination can be conducted against specific processes, procedures, control sets, and/or standards. The AT 101 examination can be either a Type 1, which is considered a point-in-time examination, or a Type 2, which is an examination covering a minimum of six months review period.

For organizations that have been recently certified or have effectively maintained its annual certification, the Type 1 AT 101 examination with the ISO 27001 certificate provides its customers with the additional processes performed as well as the procedural information. Considering this information isn't included in the actual certificate, it is provided with minimal or no additional performance of control testing.

During the Stage 2 review of an initial ISO certification, procedures related to the requirements of the ISMS and the identified applicable controls are performed by the certification body. The certification body is required to report on the Stage 2 review and provide the report to the entity being audited. Both the control testing results from the Stage 2 review and the content from the report can be used to fulfill the reporting requirements and content for the Type 1 AT 101 report.

The Type 1 AT 101 report is structured to include the following:

  • The organizations background information
  • A description of the services provided
  • Details of the management system
  • The entity's statement of applicability and control matrix

An organization can offer their ISO 27001 certificate accompanied by the Type 1 AT 101 report to prospects or customers as a value-added service. This will offer the customer or prospect a more complete picture that further explains the significance of achieving the ISO certification. Additionally, the report will communicate the details of the management system and the controls in place that were integral in making the achievement possible. 

About RYAN MACKIE

Ryan Mackie is a Managing Principal at Schellman, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.