mgorman
Contributor II

Can a business unit get a SOC-2 report?

I know an ISO-27K audit can be scoped to only include certain portions of a business, but is the same true of SOC-2?  Reviewing the TSC, the first part of the governance section is all about the Board of Directors vs. Management.  We are a small, internally incubated part of a much larger corporation, and I'm not sure if we can pursue SOC-2 prior to spinning out into a separate legal entity, since we are the tail that can't wag the dog in this case.  Any information or pointers on reference material would be awesome; I can't seem to find the answer.

3 Replies
DHerrmann
Contributor II

I don't see any reason why not. Determine your trust principles, develop control objectives and activities, and ask a SOC attestation firm for a consult.
My company publishes dozens of SOC 1 and SOC 2 reports every year, each for a different business (OK, a few have both a SOC 1 and a SOC 2, but that's probably more of a leftover from the old SAS 70 days; yeah, I still get clients asking for a SAS 70 report).

mgorman
Contributor II

My concern (and eventually I will consult an auditing firm, but we're so far back from the line that it isn't worth the money yet) is the governance section of the principles.  There is a lot of discussion on board makeup, board independence and skills, etc.  We are a small, internally incubated startup of a much larger firm, and can't really expect to wag the dog.  We should be spinning out sometime soon to a separate entity, which would resolve a lot of this (if we do it properly), but that schedule has moved around a lot, so it might not line up.

Troy_Fine
Newcomer I

Sorry for the late response. I just joined the community. I do many SOC 2 audits and run into this issue. For this requirement, you can replace "board of directors" with "those charged with security governance." In small organizations, it usually makes sense to have a security steering committee that meets on at least a quarterly basis and discusses policies, issues, new security risks, projects, etc. The committee should be made up of appropriate personnel who can make decisions as a group regarding security. As long as the steering committee is not made up entirely of security personnel, the independence requirement is met.