Newcomer II

Can a business unit get a SOC-2 report?

I know an ISO-27K audit can be scoped to only include certain portions of a business, but is the same true of SOC-2? Reviewing the TSC, the first part of the governance section is all about the Board of Directors vs. Management. We are a small, internally incubated part of a much larger corporation, and I'm not sure if we can pursue SOC-2 prior to spinning out into a separate legal entity, since we are the tail that can't wag the dog in this case. Any information or pointers on reference material would be awesome; I can't seem to find the answer.

2 Replies
Newcomer III

Re: Can a business unit get a SOC-2 report?

I don't see any reason why not. Determine your trust principles, develop control objectives and activities, and ask a SOC attestation firm for a consult.

 

My company publishes dozens of SOC1 and SOC2 reports every year, each for a different business (ok - a few have a SOC1 and a SOC2, but that's probably more of a left-over from the old SAS70 days (yeah, I still get clients asking for a SAS-70 report)).

Newcomer II

Re: Can a business unit get a SOC-2 report?

My concern (and eventually I will consult an auditing firm, just so far back from the line it isn't worth the money yet) is the governance section of the principles. There is a lot of discussion on board makeup, board independence and skills, etc. We are a small, internally incubated startup of a much larger firm, and can't really expect to wag the dog. We should be spinning out sometime soon to a separate entity, which would resolve a lot of this (if we do it properly), but that schedule has moved around a lot, so it might not line up.