Newcomer III

Can a business unit get a SOC-2 report?

I know an ISO-27K Audit can be scoped to only include certain portions of a business, but is the same true of SOC-2? Reviewing the TSC, the first part of the governance section is all about the Board of Directors vs. Management. We are a small, internally incubated part of a much larger corporation, and I'm not sure if we can pursue SOC-2 prior to spinning out into a separate legal entity, since we are the tail that can't wag the dog in this case. Any information or pointers on reference material would be awesome; I can't seem to find the answer.

2 Replies
Newcomer III

Re: Can a business unit get a SOC-2 report?

I don't see any reason why not. Determine your trust principles, develop control objectives and activities, and ask a SOC attestation firm for a consult.

My company publishes dozens of SOC1 and SOC2 reports every year, each for a different business (ok - a few have a SOC1 and a SOC2, but that's probably more of a left-over from the old SAS70 days (yeah, I still get clients asking for a SAS-70 report)).

Newcomer III

Re: Can a business unit get a SOC-2 report?

My concern (and eventually I will consult an auditing firm, just so far back from the line it isn't worth the money yet) is the governance section of the principles. There is a lot of discussion on board makeup, board independence and skills, etc. We are a small, internally incubated startup of a much larger firm, and can't really expect to wag the dog. We should be spinning out sometime soon to a separate entity, which would resolve a lot of this (if we do it properly), but that schedule has moved around a lot, so it might not line up.