Simply put, an attestation letter is a statement or declaration from an independent third party that lends credibility to the part of the organization undergoing review. Often these attestations are required as part of an ongoing audit, which is in and of itself a type of attestation, but audits are much more detailed and typically encompass the entire organization. We at Secure Ideas are definitely not auditors, but our services are oftentimes necessary for the successful completion of an organization's audit, and thus for the attestation letter.
Penetration testing or security assessments might be performed to uncover certain information with regard to compliance requirements, policies and procedures, security posture, etc. that might not have been recognized within the company prior to the testing. An attestation letter is provided as a way to publicly validate that the organization performed well during said testing or review process.
In our case, the explicit purpose of an attestation letter is to confirm, after evaluating the security posture of the organization's infrastructure, network, applications, etc., that the organization was in fact adequately protected, with appropriate controls in place, based on industry information security standards and regulations.
Organizations should understand that the attestation is there to prove that the assessment was performed and what its result was. This attestation is either undermined or enhanced by how the client handles the results.