How to Define Your Compliance Scope

Task: Define the boundaries of your compliance program.

This guide provides specific steps to define your compliance scope for ISO 27001 or SOC 2. Follow these steps to create a clear, defensible scope that meets your business needs and audit requirements.

Before You Start

What you need:

  • Understanding of your organization's structure
  • Access to key stakeholders
  • Knowledge of your systems and processes
  • 1-2 hours for scope definition

What you'll get:

  • Clear scope statement
  • System boundaries defined
  • Stakeholder alignment
  • Audit-ready documentation

Step 1: Understand Scope Requirements (15 minutes)

ISO 27001 Scope Requirements

ISO 27001 requires you to define:

  • Organizational Scope: Which parts of your organization are included
  • System Scope: Which systems, processes, and data are included
  • Geographic Scope: Which locations are included
  • Temporal Scope: The time period for implementation

SOC 2 Scope Requirements

SOC 2 requires you to define:

  • System Description: What your system does and includes
  • System Boundaries: What's in and out of scope
  • Subservice Organizations: Third-party services you use
  • Trust Services Criteria: Which criteria you're addressing

Action: Review the scope requirements for your chosen standard.

Step 2: Map Your Organization (30 minutes)

Identify Organizational Units

Create an organizational map:

# Organizational Scope Template

**In Scope**:

- [ ] IT Department
- [ ] Security Team
- [ ] Development Team
- [ ] Customer Support
- [ ] Finance (for customer data processing)

**Out of Scope**:

- [ ] Marketing (no access to customer data)
- [ ] Sales (limited system access)
- [ ] Legal (separate systems)
- [ ] HR (separate systems)

**Rationale**: [Explain why each unit is in or out of scope]

Action: Complete your organizational scope mapping.

Identify Systems and Applications

Create a system inventory:

# System Scope Template

**In Scope Systems**:
| System | Purpose | Data Types | Criticality |
|--------|---------|------------|-------------|
| Customer Database | Store customer data | PII, Business | High |
| Payment System | Process payments | Financial | High |
| User Portal | Customer access | PII, Business | Medium |
| Admin Tools | System management | Configuration | Medium |

**Out of Scope Systems**:
| System | Purpose | Reason for Exclusion |
|--------|---------|---------------------|
| Marketing CRM | Lead management | No customer data |
| Internal Wiki | Documentation | No sensitive data |
| Development Tools | Code management | Separate environment |

Action: Complete your system scope mapping.

Step 3: Define Geographic Boundaries (15 minutes)

Identify Locations

Map your geographic scope:

# Geographic Scope Template

**In Scope Locations**:

- [ ] Primary office (San Francisco, CA)
- [ ] Secondary office (New York, NY)
- [ ] Cloud data centers (AWS US-East-1, US-West-2)
- [ ] Remote workers (US-based only)

**Out of Scope Locations**:

- [ ] International offices (separate legal entities)
- [ ] Partner locations (not under our control)
- [ ] Employee home offices (personal equipment)

**Rationale**: [Explain geographic boundaries]

Action: Complete your geographic scope mapping.

Step 4: Document Your Scope Statement (30 minutes)

Create Scope Statement

Write a clear, concise scope statement:

# Scope Statement Template

**Organization**: [Your Company Name]

**Scope**: The [ISO 27001 ISMS / SOC 2 System] covers [specific systems, processes, and data] that support [business function] for [customer types].

**In Scope**:

- [List key systems and processes]
- [List organizational units]
- [List data types]

**Out of Scope**:

- [List excluded systems and processes]
- [List excluded organizational units]
- [List excluded data types]

**Rationale**: [Explain the business justification for scope boundaries]

**Effective Date**: [Date]
**Review Date**: [Date - typically annual]

Action: Draft your scope statement.

Step 5: Validate with Stakeholders (15 minutes)

Review with Key Stakeholders

Present your scope to:

  • Leadership: Ensure business alignment
  • IT Team: Verify technical accuracy
  • Legal Team: Confirm regulatory compliance
  • Audit Team: Validate audit readiness

Document Feedback

Record stakeholder input:

# Stakeholder Review Template

**Stakeholder**: [Name/Role]
**Feedback**: [Specific comments]
**Action Required**: [Changes needed]
**Status**: [Open/Closed]

Action: Conduct stakeholder review and document feedback.

Common Scope Definition Mistakes

Too Broad Scope

Problem: Including everything makes compliance unmanageable
Solution: Focus on customer-facing systems and critical data

Too Narrow Scope

Problem: Excluding important systems creates gaps
Solution: Include all systems that process customer data

Unclear Boundaries

Problem: Vague scope statements create audit issues
Solution: Be specific about what's in and out of scope

Missing Rationale

Problem: No justification for scope decisions
Solution: Document business reasons for scope boundaries

Scope Examples

Example 1: SaaS Company

Scope: Customer-facing web application and supporting infrastructure
In Scope: Web app, database, payment processing, customer support tools
Out of Scope: Internal HR systems, marketing tools, development environments

Example 2: Financial Services

Scope: Core banking systems and customer data processing
In Scope: Core banking platform, customer portal, payment systems
Out of Scope: Employee benefits systems, marketing databases

Example 3: Healthcare Provider

Scope: Patient care systems and protected health information
In Scope: EMR system, patient portal, billing systems
Out of Scope: Administrative systems, research databases

Next Steps

Once you have defined your scope:

  1. Get approval: Secure leadership sign-off on scope
  2. Document controls: Map controls to your scope
  3. Implement monitoring: Set up scope monitoring processes
  4. Plan reviews: Schedule regular scope reviews

Troubleshooting

"Our scope keeps changing"

  • Document scope change process
  • Require formal approval for changes
  • Update scope statement regularly

"Auditors question our scope"

  • Ensure scope aligns with business objectives
  • Document clear rationale for boundaries
  • Be prepared to defend scope decisions

"Scope is too complex"

  • Simplify by focusing on customer data
  • Start with core systems only
  • Expand scope gradually over time