I know an ISO-27K Audit can be scoped to only include certain portions of a business, but is the same true of SOC-2? Reviewing the TSC, the first part of the governance section is all about the Board of Directors vs. Management. We are a small, internally incubated part of a much larger corporation, and I'm not sure if we can pursue SOC-2 prior to spinning out into a separate legal entity, since we are the tail that can't wag the dog in this case. Any information or pointers on reference material would be awesome; I can't seem to find the answer.
I don't see any reason why not. Determine your trust principles, develop control objectives and activities, and ask a SOC attestation firm for a consult.
My company publishes dozens of SOC1 and SOC2 reports every year, each for a different business (ok, a few have a SOC1 and a SOC2, but that's probably more of a left-over from the old SAS70 days (yeah, I still get clients asking for a SAS-70 report)).
My concern (and eventually I will consult an auditing firm, but we are just so far back from the line that it isn't worth the money yet) is the governance section of the principles. There is a lot of discussion on board makeup, board independence and skills, etc. We are a small, internally incubated startup of a much larger firm, and can't really expect to wag the dog. We should be spinning out sometime soon to a separate entity, which would resolve a lot of this (if we do it properly), but that schedule has moved around a lot, so it might not line up.
Sorry for the late response. I just joined the community. I do many SOC 2 audits and run into this issue. For this requirement, you can replace the board of directors with those charged with security governance. In small organizations, it usually makes sense to have a security steering committee that meets on at least a quarterly basis and discusses policies, issues, new security risks, projects, etc. The committee should be made up of appropriate personnel that can make decisions as a group regarding security. As long as the steering committee is not made up of all security personnel, then the independence requirement is met.