I'll never forget the panicked email I received from a CTO at 11 PM on a Sunday. His company was three weeks away from their SOC 2 Type II audit, and his auditor had just informed him that half of their infrastructure needed to be included in scope—systems they'd never documented, never tested, and frankly, weren't even sure they could secure in time.
"Why didn't anyone tell us this six months ago?" he wrote. The short answer? Because they'd gotten scope wrong from day one.
That audit got delayed by four months. They lost two major deals worth a combined $3.2 million. And the CEO nearly fired the entire security team.
After fifteen years in cybersecurity and guiding over 60 companies through SOC 2 audits, I can tell you with absolute certainty: getting scope right is the single most important decision you'll make in your SOC 2 journey. Get it right, and your audit is manageable, focused, and actually valuable. Get it wrong, and you're in for a world of pain.
Let me show you how to get it right.
Why Scope Matters More Than You Think
Here's a truth that most consultants won't tell you upfront: scope determines everything—your timeline, your budget, your workload, your success probability, and ultimately, the value of your SOC 2 report.
I worked with two SaaS companies in 2022, both roughly the same size (around 80 employees, $15M ARR). Let me show you what happened:
Aspect | Company A (Smart Scope) | Company B (Everything Scope) |
|---|---|---|
Systems in Scope | 12 core systems | 47 systems (including dev, test, staging) |
Time to Certification | 7 months | 14 months |
Implementation Cost | $127,000 | $340,000 |
Ongoing Compliance Effort | 15 hours/week | 45 hours/week |
Audit Cost | $28,000 | $67,000 |
Result | Clean report, closed 3 enterprise deals | Report with exceptions, delayed 2 deals |
Company A got strategic about scope. Company B tried to boil the ocean. Both got SOC 2 reports, but only one got business value.
"SOC 2 scope isn't about including everything you possibly can. It's about including exactly what your customers need to trust—nothing more, nothing less."
The Fundamental Principle: Service Commitments Drive Scope
Let me start with the most important concept in SOC 2 scoping, one that too many organizations miss:
Your scope should be determined by the services you provide to customers, not by everything you own.
I can't tell you how many times I've walked into a company and found them trying to include:
Internal HR systems
Employee expense management tools
Marketing automation platforms
Development and testing environments
Personal laptops that never touch customer data
None of these typically need to be in scope for a SOC 2 audit focused on your customer-facing service.
Here's the litmus test I use: "If this system disappeared tomorrow, would it directly impact your ability to deliver your service to customers or affect the security of their data?"
If the answer is no, it probably doesn't belong in scope.
My Three-Circle Scoping Framework
Over the years, I've developed a simple visual framework that helps organizations think about scope correctly:
Circle 1: MUST BE IN SCOPE (Core Service Delivery)
- Production systems customers directly interact with
- Databases storing customer data
- Authentication and authorization systems
- Production infrastructure and networks
- Systems processing customer transactionsThe mistake most companies make? They start with Circle 3 and work backward. Smart companies start with Circle 1, add Circle 2 selectively, and leave Circle 3 alone.
The Anatomy of a Well-Defined Scope
Let me show you what a properly scoped SOC 2 engagement looks like. This is based on a real SaaS company I worked with in 2023:
System Components Table
Component Category | In Scope | Out of Scope | Rationale |
|---|---|---|---|
Application Layer | Production web application, Customer API, Admin portal | Development/staging environments, Internal tools, Marketing website | Dev/staging don't serve customers; marketing site doesn't process customer data |
Data Storage | Production database (PostgreSQL), Redis cache, Customer file storage (S3) | Analytics database, Employee document storage, Marketing data warehouse | Only customer operational data in scope |
Infrastructure | Production AWS account, Load balancers, CDN (CloudFront) | Development AWS account, Testing environments, Demo environments | Production infrastructure only |
Security Systems | SIEM, IDS/IPS, Production firewalls, MFA system | Endpoint protection on dev machines, Internal network scanners | Customer data protection focus |
Support Systems | Production monitoring (DataDog), Backup system, Incident management (PagerDuty) | Project management (Jira), Knowledge base (Confluence), Internal wiki | Direct operational support only |
People/Processes | Engineering (production access), IT operations, Security team, Customer support | Marketing team, Sales team, HR, Finance | Direct service delivery personnel |
This company had 112 total systems. They scoped 23. Their audit went smoothly, they got certified, and they closed $4.8M in enterprise deals within six months.
Common Scoping Mistakes (And How I've Seen Them Backfire)
Let me share the costly mistakes I've witnessed:
Mistake #1: The "Include Everything" Approach
Real Story: A fintech startup in 2021 decided to include every single system in their SOC 2 scope because they thought it would "look more impressive" to customers.
They included:
Their marketing WordPress site
Their recruiting ATS system
Their HR management system
All development and testing environments
Employee expense management
Internal chat and collaboration tools
The result? Their scope included 83 systems. The audit took 11 months. The cost exceeded $400,000. And here's the kicker: not a single customer cared about those extra systems. When prospects reviewed the report, they only asked about the production systems anyway.
The CEO told me later: "We spent an extra $250,000 and six months to impress nobody. It was the most expensive vanity project we ever ran."
Mistake #2: The "Exclude Too Much" Approach
On the flip side, I've seen companies try to scope too narrowly and get burned.
Real Story: A healthcare SaaS company in 2020 scoped only their web application, explicitly excluding their database server "because it's infrastructure, not application."
Their auditor rightfully pushed back: "Your application is useless without the database. If the database is compromised, customer data is compromised. It must be in scope."
They had to restart the audit, redocument everything, and implement controls they'd skipped. Cost them three months and $85,000 in additional work.
"Scoping isn't about minimizing work—it's about accurately representing the systems necessary to deliver your service securely."
Mistake #3: Ignoring the Supply Chain
This one catches people constantly. They scope their own systems but forget about critical third-party services.
Your System | Third-Party Dependency | Should It Be In Scope? |
|---|---|---|
Web Application | AWS (Infrastructure) | No - use SOC 2 report |
Authentication | Auth0/Okta | No - use SOC 2 report |
Payment Processing | Stripe | No - use SOC 2 report |
Email Delivery | SendGrid | Maybe - depends on data sensitivity |
Customer Support | Zendesk | Yes - handles customer data |
Analytics | Google Analytics | No - aggregated data only |
Data Warehouse | Snowflake | Yes - if customer data present |
Monitoring | DataDog | No - metadata only |
Key Principle: If a third-party provider already has SOC 2 certification and handles the security of their platform, you typically reference their report rather than including their systems in your scope. This is called "carve-out" or "complementary controls" approach.
I worked with a company that tried to audit AWS controls as part of their scope. Their auditor laughed and said, "You're going to audit Amazon? Just reference their SOC 2 report and move on."
The Scoping Process: How to Actually Do This
Here's my battle-tested process for defining scope correctly:
Step 1: Map Your Service Delivery (Week 1-2)
Start by documenting how your service actually works from a customer's perspective.
Exercise I use with clients: Draw the customer journey from signup to active usage:
Customer signs up → Authentication system → User database
Customer logs in → Web application → Application servers → Database
Customer uploads data → API gateway → Processing queue → Storage system
Customer views reports → Application servers → Database → Cache layer
Customer gets support → Support portal → Ticketing system → Knowledge base
Every system in this flow is a candidate for scope. Everything else is questionable.
Step 2: Identify Trust Services Criteria (Week 2)
Not every SOC 2 audit includes all five Trust Services Criteria. You need to decide which ones apply:
Trust Services Criteria | When It's Required | Example Commitment |
|---|---|---|
Security (Required) | Always - this is mandatory | "We protect customer data from unauthorized access" |
Availability | If you promise uptime/SLAs | "Our service is available 99.9% of the time" |
Processing Integrity | If data accuracy matters | "We process transactions accurately and completely" |
Confidentiality | If you handle proprietary data | "We protect confidential business information" |
Privacy | If you handle personal information | "We collect, use, and dispose of personal data responsibly" |
Real Example: I worked with a SaaS company that provided data analytics. They initially thought they needed all five criteria. After reviewing their service commitments:
Security: YES (required)
Availability: YES (they promised 99.9% uptime)
Processing Integrity: YES (data accuracy was core to their value)
Confidentiality: NO (they didn't handle proprietary business secrets)
Privacy: YES (they processed personal information)
Removing Confidentiality reduced their scope by about 15% and saved them roughly $30,000 in audit costs.
Step 3: Document System Boundaries (Week 3-4)
This is where most companies get fuzzy. You need crystal-clear boundaries.
I use a table like this with every client:
System Name | Purpose | Customer Data? | In Scope? | Boundary Definition |
|---|---|---|---|---|
Production API | Serve customer requests | Yes | Yes | AWS Production VPC, specific subnets and security groups |
Production DB | Store customer data | Yes | Yes | RDS instance prod-db-primary and read replicas |
Redis Cache | Performance optimization | Yes (cached queries) | Yes | ElastiCache cluster prod-cache |
Auth Service | User authentication | Yes (credentials) | Yes | Auth0 tenant - production only |
Monitoring | System observability | No (metrics only) | Yes | DataDog - production monitors only |
Dev Environment | Development/testing | No | No | Explicitly excluded |
Marketing Site | Public website | No | No | No customer data, no access to systems |
Critical Detail: Notice the "Boundary Definition" column. This is where companies screw up. "Production environment" is too vague. "AWS Production VPC, subnet-prod-a through subnet-prod-d, security groups SG-prod-web and SG-prod-db" is specific enough for an auditor.
Step 4: Map Data Flows (Week 4-5)
I make every client create a data flow diagram showing:
Where customer data enters the system
How it moves through the system
Where it's stored
How it exits the system
Who has access at each point
This visual map becomes your scoping bible. Every system that touches customer data in this flow must be in scope. Systems that don't touch it probably shouldn't be.
Pro Tip: Use different colors for different data types:
Red: Authentication credentials
Orange: Personally Identifiable Information (PII)
Yellow: Customer business data
Green: Metadata and logs
Blue: Public information
This color-coding helps you have productive conversations with auditors about what's truly sensitive.
Step 5: Define Personnel Scope (Week 5-6)
Systems aren't the only thing in scope—people are too.
Here's how I categorize personnel:
Role Type | Typical Inclusion | Example Roles |
|---|---|---|
Production Access (Always In) | Anyone who can access production systems or customer data | DevOps engineers, SREs, Database administrators, Security team |
Development Teams (Depends) | Developers with production deployment rights | Senior engineers with production access |
Support Teams (Usually In) | Personnel handling customer inquiries with data access | Customer success, Technical support |
Administrative (Usually In) | IT and security management | CISO, IT Director, System administrators |
Business Operations (Usually Out) | No access to production or customer data | Sales, Marketing, HR, Finance |
Critical Mistake I See: Companies exclude developers because "they don't access production." Then the auditor discovers developers have read access to production databases for troubleshooting. Now those developers are in scope, but you haven't trained them, documented their access, or audited their activities. Instant finding.
The Scoping Document: What Your Auditor Needs
After defining scope, you need to document it formally. Here's the structure I use:
1. Service Description
A clear description of what you provide to customers.
Bad Example: "We provide cloud-based software solutions."
Good Example: "We provide a cloud-based project management platform that allows customers to create projects, assign tasks, track time, and generate reports. The platform is delivered via web application and mobile apps, with data stored in our secure cloud infrastructure."
2. System Components Table
I showed this earlier, but it's worth repeating: create a comprehensive table of every system, clearly marked in/out of scope with rationale.
3. Infrastructure Diagram
A visual representation showing:
Network boundaries
System components
Data flows
Trust boundaries
External integrations
Reality Check: I've never seen an organization regret making their infrastructure diagram too detailed. I've seen dozens regret making it too simple.
4. Trust Services Criteria Mapping
Criteria | Applicable? | Relevant Service Commitments |
|---|---|---|
Security | Yes | "We implement controls to protect customer data from unauthorized access, disclosure, and destruction" |
Availability | Yes | "We maintain system availability of 99.9% during business hours" |
Processing Integrity | No | We don't make specific commitments about data processing accuracy |
Confidentiality | Yes | "We protect the confidentiality of customer proprietary information" |
Privacy | Yes | "We collect, use, retain, and dispose of personal information in accordance with our privacy policy" |
5. Boundaries and Exclusions
Explicitly state what's out of scope and why.
Example from a real scoping document:
OUT OF SCOPE:
- Development and testing environments: These do not process customer data and do not affect production service delivery
- Marketing website (www.company.com): Public-facing only, no customer data or system access
- Employee productivity tools (Slack, Google Workspace): Internal communications only, no customer data
- Sales CRM (Salesforce): Pre-sales data only, no active customer data
Scope Changes: When and How to Modify
Here's something nobody tells you: your scope will probably change during the audit.
I've guided 60+ companies through SOC 2, and I'd estimate 70% made scope modifications during the process.
Valid Reasons to Expand Scope
Story Time: I worked with a company that initially excluded their logging system from scope. During the audit kickoff, their auditor pointed out: "Your incident response procedures rely on these logs. If the logging system is compromised, you can't detect or respond to incidents. It needs to be in scope."
They were right. We added it.
Other valid expansions:
Auditor identifies system dependencies you missed
Customer requirements change during audit period
New critical system deployed mid-audit
Third-party vendor loses certification (must replace or include)
Valid Reasons to Reduce Scope
Story Time: A SaaS company included their customer training platform in scope because "customers use it." During the audit, we realized:
No customer data in the training system
Separate authentication (no SSO with main app)
No impact on service delivery
Training platform had its own SOC 2 report
We removed it from scope, saving about 40 hours of work and $15,000 in audit costs.
The Scope Change Process
If you need to modify scope mid-audit:
Document the rationale (in writing, with detail)
Get auditor agreement (before doing any work)
Update scoping document (formal revision)
Adjust timeline and budget (be realistic)
Communicate to stakeholders (transparency matters)
Critical Rule: Never, ever surprise your auditor with scope changes in the final two weeks of the audit. That's how you turn a 6-month audit into a 9-month nightmare.
Industry-Specific Scoping Considerations
Different industries have different scoping realities:
SaaS Companies
Typical In-Scope | Typical Out-of-Scope |
|---|---|
Web application (production) | Development environments |
Customer database | Staging/testing environments |
API servers | Marketing website |
Authentication system | Internal tools |
File storage | Sales/marketing platforms |
Monitoring and logging | HR systems |
Customer support portal | Employee productivity tools |
Key Focus: Data storage, application security, API protection
Healthcare Technology
Typical In-Scope | Typical Out-of-Scope |
|---|---|
Electronic Health Record (EHR) system | Research and development systems |
Patient portal | Internal scheduling (if separate) |
Telemedicine platform | Marketing and public websites |
Medical device integration | HR and payroll systems |
HL7/FHIR interfaces | Training and education platforms |
Backup and disaster recovery | Internal communications |
Key Focus: PHI protection, HIPAA alignment, audit logging
FinTech Companies
Typical In-Scope | Typical Out-of-Scope |
|---|---|
Payment processing system | Marketing and lead generation |
Transaction database | Sales CRM |
Banking integrations | Product development tools |
Fraud detection system | Internal dashboards (if separate) |
Customer account management | HR and operations systems |
Compliance reporting | Social media management |
Key Focus: Financial data security, transaction integrity, fraud prevention
Real-World Scoping Template
Let me give you an actual scoping document structure I've used successfully:
COMPANY NAME SOC 2 TYPE [I/II] SCOPE DEFINITION
Version X.X | DateMy Scoping Checklist: Don't Start Without This
Here's the checklist I give every client before we define scope:
Business Understanding
[ ] Service commitments documented
[ ] Customer expectations clarified
[ ] Regulatory requirements identified
[ ] Industry standards reviewed
[ ] Competitive positioning understood
Technical Documentation
[ ] System inventory completed
[ ] Architecture diagrams current
[ ] Data flows mapped
[ ] Network boundaries defined
[ ] Third-party services identified
Organizational Readiness
[ ] Personnel roles documented
[ ] Access controls inventoried
[ ] Change management process defined
[ ] Incident response procedures documented
[ ] Existing security controls catalogued
Auditor Communication
[ ] Trust Services Criteria selected
[ ] System boundaries clearly defined
[ ] Exclusions justified
[ ] Complementary controls identified
[ ] Timeline and budget aligned
The Cost of Getting Scope Wrong (Real Numbers)
Let me show you the financial impact of scoping decisions using real data from companies I've worked with:
Scope Decision | Initial Audit Cost | Ongoing Compliance | Total 3-Year Cost | Business Impact |
|---|---|---|---|---|
Optimal Scope (23 systems) | $32,000 | $24,000/year | $104,000 | Closed $4.8M in deals |
Moderate Over-Scope (45 systems) | $58,000 | $45,000/year | $193,000 | Same deals, 3 months delay |
Severe Over-Scope (83 systems) | $94,000 | $78,000/year | $328,000 | 6-month delay, lost 1 deal |
Under-Scoped (12 systems) | $28,000 initial + $42,000 re-audit | $30,000/year | $160,000 | 4-month delay, reputation damage |
The difference between optimal scope and severe over-scope? $224,000 over three years for the exact same business outcome.
"Every system you add to scope costs you about $3,000-$5,000 in initial audit costs and $2,000-$3,000 per year in ongoing compliance. Make each one count."
Advanced Scoping Strategies for Complex Organizations
For larger or more complex organizations, here are advanced techniques I use:
Multi-Service Scoping
If you offer multiple distinct services, consider separate SOC 2 reports for each:
Example: A company offering both:
SaaS project management tool
Professional services consulting
These are completely separate services with separate systems. Creating two focused SOC 2 reports (one for SaaS, one for professional services) can be more valuable to customers than one bloated report covering everything.
Phased Scoping Approach
For companies with complex environments:
Phase 1: Core service delivery (months 1-6) Phase 2: Add enhanced security controls (months 7-12) Phase 3: Expand to additional services (year 2)
I worked with an enterprise SaaS company that took this approach. They got their first SOC 2 report covering core services in 7 months. Then they expanded scope annually as they added capabilities. By year 3, they had comprehensive coverage without the overwhelming "boil the ocean" approach.
Geographic Scoping
For global companies with data centers in multiple regions:
Option A: Scope all regions (comprehensive but expensive) Option B: Scope primary region, reference others (efficient) Option C: Regional SOC 2 reports (customer-specific)
Real Decision: A company with data centers in US, EU, and Asia scoped only their US operations initially because 85% of customers were US-based. They added EU scope in year 2 when they landed large European customers. Smart sequencing saved them about $120,000 in year 1.
Working With Your Auditor on Scope
Your relationship with your auditor starts with scoping. Here's how to make it productive:
Questions to Ask Your Auditor During Scoping
"What scope have you seen work well for companies like us?"
Auditors have pattern recognition from dozens of similar audits
"What are common scope mistakes in our industry?"
Learn from others' failures
"How does our proposed scope compare to your other clients?"
Benchmark against reality
"What scope would meet our customers' typical requirements?"
They see many RFPs and customer requirements
"If we had to prioritize scope elements, what's most important?"
Helps with phasing decisions
Red Flags That Your Auditor Will Raise
Based on 15 years of experience, here are scope issues that will trigger pushback:
Immediate Red Flags:
Excluding databases that store customer data
Excluding authentication systems
Excluding backup systems for in-scope data
Excluding production infrastructure
Excluding personnel with production access
Likely Challenges:
Too-narrow network boundaries
Vague system descriptions
Missing data flow documentation
Unclear personnel scope
No complementary control documentation
Auditor Pet Peeves:
Changing scope last-minute
Undocumented scope rationale
"Trust me" instead of evidence
Scope document that's just a system list
No diagram or visual representation
Final Thoughts: Scope Is Strategy
After guiding 60+ companies through SOC 2 audits, here's what I know for certain:
Scope definition is not a technical exercise—it's a strategic business decision.
Your scope communicates:
What you consider critical to your service
How you understand your customer commitments
Where you're willing to invest in security
What you want to be accountable for
I've seen companies use smart scoping to:
Close enterprise deals 3 months faster than competitors
Reduce compliance costs by 40% while maintaining customer trust
Build focused, effective security programs
Create defensible, auditable documentation
Scale their compliance program as they grow
And I've seen companies with poor scoping:
Waste hundreds of thousands of dollars
Delay certifications for months
Lose customer deals to better-prepared competitors
Burn out their security teams
Create compliance programs that don't actually improve security
The difference isn't luck. It's understanding that scope done right is scope done strategically.
Start with your service commitments. Focus on what customers need to trust. Include what's necessary and exclude what's not. Document clearly. Communicate transparently.
Do this well, and SOC 2 becomes a competitive advantage. Do it poorly, and it becomes an expensive checkbox that doesn't actually make you more secure.
Choose wisely.