What is Certification vs Attestation?

Certification is when an accredited third party confirms an organization conforms to a standard and issues a certificate (for example, ISO/IEC 27001). Attestation is when a licensed practitioner, typically a CPA, examines controls and issues a report expressing an opinion (for example, a SOC 2 report). They are different deliverables from different parties.

The distinction matters because buyers ask for the wrong thing all the time. There is no such thing as being "SOC 2 certified": SOC 2 is an AICPA attestation engagement performed under SSAE 18, and the output is an independent CPA's report and opinion, not a certificate. ISO 27001, by contrast, is a certification: an accredited certification body audits your ISMS and, if it conforms, issues a certificate valid for three years with annual surveillance audits.

A practical example: a prospect's security questionnaire asks for your "certification." If you run SOC 2, you provide the SOC 2 report (often Type II) under NDA; if you run ISO 27001, you provide the certificate plus, on request, the Statement of Applicability. Knowing which word applies prevents you from over-promising and helps sales answer questionnaires accurately.

Documentation work underpins both routes, and much of it overlaps, which is why a dual ISO 27001 plus SOC 2 toolkit can serve both. ComplianceDocs templates give you the mapped policies and evidence structures both an ISO certification body and a SOC 2 CPA will expect to see, but neither the certificate nor the attestation report is something a template can grant; only the accredited body or the CPA can, after testing your real controls.

Related terms: Compliance Audit · Trust Services Criteria (TSC) · SOC 2 Type I vs Type II · Stage 1 and Stage 2 Audit

Frequently asked questions

Is SOC 2 a certification?
No. SOC 2 is an attestation engagement performed by a licensed CPA firm under AICPA standards (SSAE 18). The result is an independent auditor's report and opinion on your controls, not a certificate, so "SOC 2 certified" is technically incorrect.
Is ISO 27001 a certification or an attestation?
ISO/IEC 27001 is a certification. An accredited certification body audits your information security management system and, if it conforms, issues a certificate (typically valid three years with annual surveillance audits).
Which should I get, ISO 27001 or SOC 2?
It depends on your buyers and markets: SOC 2 reports are commonly requested by US enterprise customers, while ISO 27001 certification is widely recognized internationally. Many companies pursue both because the underlying controls and documentation largely overlap.

Toolkits that cover Certification vs Attestation

ISO 27001:2022 + SOC 2

ISO 27001 + SOC 2 Dual Toolkit

47 documents covering both frameworks plus a control crosswalk, risk register, Statement of Applicability and TSC mapping — run one security program, pass two audits.

$149, 30% off with code

ISO/IEC 27001:2022

ISO 27001 Complete Toolkit

All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.

$99, 30% off with code

SOC 2 Trust Services Criteria

SOC 2 Complete Toolkit

22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.

$99, 30% off with code

Learn more in our ISO/IEC 27001 guide, explore the editable policy templates, or browse the full compliance glossary.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.