When I download and open either the Attestation or Certification, it doesn’t have any details of the individual controls. Can I assume that all controls listed in the self-assessment were found to be present and effective based on either the Attestation or Certification?
Possibly, but not necessarily.
STAR Certification and STAR Attestation are respectively "extensions" of ISO/IEC 27001 and SOC2. Essentiallyadditional controls to the CCM are added to the statement of applicability for ISO/IEC 27001 or the declaration of applicable controls to SOC2.
According to the ISO and SOC2 auditing rules, a company can exclude some of the controls (of ISO/IEC 27001 or of SOC2 or STAR Cert/Attestation) from SoA if those are out of scope and proper justification is validated.
So in general you can assume that all the CCM controls are verified, and if they are not it is because they are not relevant in the scope of the audit (because not relevant in that specific implementation, or because other compensating controls are in place, or...).
Please sign in to leave a comment.