<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Can a business unit get a SOC-2 report? in Tech Talk</title>
    <link>https://community.isc2.org/t5/Tech-Talk/Can-a-business-unit-get-a-SOC-2-report/m-p/27757#M1782</link>
    <description>Sorry for the late response. I just joined the community. I do many SOC 2 audits and run into this issue. For this requirement, you can replace board of directors with those charged with security governance. In small organizations, it usually makes sense to have a security steering committee that meets on at least a quarterly basis that discusses policies, issues, new security risks, projects, etc. The committee should be made up of appropriate personnel that can make decisions as a group regarding security. As long as the steering committee is not made up of all security personnel, then the independence requirement is met.</description>
    <pubDate>Sat, 07 Sep 2019 16:20:50 GMT</pubDate>
    <dc:creator>Troy_Fine</dc:creator>
    <dc:date>2019-09-07T16:20:50Z</dc:date>
    <item>
      <title>Can a business unit get a SOC-2 report?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Can-a-business-unit-get-a-SOC-2-report/m-p/16907#M694</link>
      <description>&lt;P&gt;I know an ISO-27K Audit can be scoped to only include certain portions of a business, but is the same true of SOC-2? Reviewing the TSC, the first part of the governance section is all about the Board of Directors vs. Management. We are a small, internally incubated part of a much larger corporation, and I'm not sure if we can pursue SOC-2 prior to spinning out into a separate legal entity, since we are the tail that can't wag the dog in this case. Any information or pointers on reference material would be awesome; I can't seem to find the answer.&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2023 09:02:11 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Can-a-business-unit-get-a-SOC-2-report/m-p/16907#M694</guid>
      <dc:creator>mgorman</dc:creator>
      <dc:date>2023-10-09T09:02:11Z</dc:date>
    </item>
    <item>
      <title>Re: Can a business unit get a SOC-2 report?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Can-a-business-unit-get-a-SOC-2-report/m-p/17112#M710</link>
      <description>&lt;P&gt;I don't see any reason why not. Determine your trust principles, develop control objectives and activities, and ask a SOC attestation firm for a consult.&lt;/P&gt;&lt;P&gt;My company publishes dozens of SOC1 and SOC2 reports every year, each for a different business (ok - a few have a SOC1 and a SOC2, but that's probably more of a left-over from the old SAS70 days (yeah, I still get clients asking for a SAS-70 report)).&lt;/P&gt;</description>
      <pubDate>Tue, 18 Dec 2018 20:41:48 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Can-a-business-unit-get-a-SOC-2-report/m-p/17112#M710</guid>
      <dc:creator>DHerrmann</dc:creator>
      <dc:date>2018-12-18T20:41:48Z</dc:date>
    </item>
    <item>
      <title>Re: Can a business unit get a SOC-2 report?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Can-a-business-unit-get-a-SOC-2-report/m-p/17501#M753</link>
      <description>&lt;P&gt;My concern (and eventually I will consult an auditing firm, just so far back from the line it isn't worth the money yet) is the governance section of the principles. There is a lot of discussion on board makeup, board independence and skills, etc. We are a small, internally incubated startup of a much larger firm, and can't really expect to wag the dog. We should be spinning out sometime soon to a separate entity, which would resolve a lot of this (if we do it properly), but that schedule has moved around a lot, so it might not line up.&lt;/P&gt;</description>
      <pubDate>Thu, 03 Jan 2019 20:42:10 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Can-a-business-unit-get-a-SOC-2-report/m-p/17501#M753</guid>
      <dc:creator>mgorman</dc:creator>
      <dc:date>2019-01-03T20:42:10Z</dc:date>
    </item>
    <item>
      <title>Re: Can a business unit get a SOC-2 report?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Can-a-business-unit-get-a-SOC-2-report/m-p/27757#M1782</link>
      <description>Sorry for the late response. I just joined the community. I do many SOC 2 audits and run into this issue. For this requirement, you can replace board of directors with those charged with security governance. In small organizations, it usually makes sense to have a security steering committee that meets on at least a quarterly basis that discusses policies, issues, new security risks, projects, etc. The committee should be made up of appropriate personnel that can make decisions as a group regarding security. As long as the steering committee is not made up of all security personnel, then the independence requirement is met.</description>
      <pubDate>Sat, 07 Sep 2019 16:20:50 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Can-a-business-unit-get-a-SOC-2-report/m-p/27757#M1782</guid>
      <dc:creator>Troy_Fine</dc:creator>
      <dc:date>2019-09-07T16:20:50Z</dc:date>
    </item>
  </channel>
</rss>

