
How to Define Your Compliance Scope

Define boundaries, systems, and ownership clearly so implementation and audits stay focused.

Task: Define the boundaries of your compliance program.

This guide provides specific steps to define your compliance scope for ISO 27001 or SOC 2. Follow these steps to create a clear, defensible scope that meets your business needs and audit requirements.

Before You Start

What you need:

  • Understanding of your organization's structure
  • Access to key stakeholders
  • Knowledge of your systems and processes
  • 1-2 hours for scope definition

What you'll get:

  • Clear scope statement
  • System boundaries defined
  • Stakeholder alignment
  • Audit-ready documentation

Step 1: Understand Scope Requirements (15 minutes)

ISO 27001 Scope Requirements

ISO 27001 requires you to define:

  • Organizational Scope: Which parts of your organization are included
  • System Scope: Which systems, processes, and data are included
  • Geographic Scope: Which locations are included
  • Temporal Scope: The time period for implementation

SOC 2 Scope Requirements

SOC 2 requires you to define:

  • System Description: What your system does and includes
  • System Boundaries: What's in and out of scope
  • Subservice Organizations: Third-party services you use
  • Trust Services Criteria: Which criteria you're addressing

Action: Review the scope requirements for your chosen standard.

Step 2: Map Your Organization (30 minutes)

Identify Organizational Units

Create an organizational map:

# Organizational Scope Template

**In Scope**:

- [ ] IT Department
- [ ] Security Team
- [ ] Development Team
- [ ] Customer Support
- [ ] Finance (for customer data processing)

**Out of Scope**:

- [ ] Marketing (no access to customer data)
- [ ] Sales (limited system access)
- [ ] Legal (separate systems)
- [ ] HR (separate systems)

**Rationale**: [Explain why each unit is in or out of scope]

Action: Complete your organizational scope mapping.

Identify Systems and Applications

Create a system inventory:

# System Scope Template

**In Scope Systems**:
| System | Purpose | Data Types | Criticality |
|--------|---------|------------|-------------|
| Customer Database | Store customer data | PII, Business | High |
| Payment System | Process payments | Financial | High |
| User Portal | Customer access | PII, Business | Medium |
| Admin Tools | System management | Configuration | Medium |

**Out of Scope Systems**:
| System | Purpose | Reason for Exclusion |
|--------|---------|---------------------|
| Marketing CRM | Lead management | No customer data |
| Internal Wiki | Documentation | No sensitive data |
| Development Tools | Code management | Separate environment |

Action: Complete your system scope mapping.

Step 3: Define Geographic Boundaries (15 minutes)

Identify Locations

Map your geographic scope:

# Geographic Scope Template

**In Scope Locations**:

- [ ] Primary office (San Francisco, CA)
- [ ] Secondary office (New York, NY)
- [ ] Cloud data centers (AWS US-East-1, US-West-2)
- [ ] Remote workers (US-based only)

**Out of Scope Locations**:

- [ ] International offices (separate legal entities)
- [ ] Partner locations (not under our control)
- [ ] Employee home offices (personal equipment)

**Rationale**: [Explain geographic boundaries]

Action: Complete your geographic scope mapping.

Step 4: Document Your Scope Statement (30 minutes)

Create Scope Statement

Write a clear, concise scope statement:

# Scope Statement Template

**Organization**: [Your Company Name]

**Scope**: The [ISO 27001 ISMS / SOC 2 System] covers [specific systems, processes, and data] that support [business function] for [customer types].

**In Scope**:

- [List key systems and processes]
- [List organizational units]
- [List data types]

**Out of Scope**:

- [List excluded systems and processes]
- [List excluded organizational units]
- [List excluded data types]

**Rationale**: [Explain the business justification for scope boundaries]

**Effective Date**: [Date]
**Review Date**: [Date - typically annual]

Action: Draft your scope statement.

Step 5: Validate with Stakeholders (15 minutes)

Review with Key Stakeholders

Present your scope to:

  • Leadership: Ensure business alignment
  • IT Team: Verify technical accuracy
  • Legal Team: Confirm regulatory compliance
  • Audit Team: Validate audit readiness

Document Feedback

Record stakeholder input:

# Stakeholder Review Template

**Stakeholder**: [Name/Role]
**Feedback**: [Specific comments]
**Action Required**: [Changes needed]
**Status**: [Open/Closed]

Action: Conduct stakeholder review and document feedback.

Common Scope Definition Mistakes

Too Broad Scope

Problem: Including everything makes compliance unmanageable.
Solution: Focus on customer-facing systems and critical data.

Too Narrow Scope

Problem: Excluding important systems creates gaps.
Solution: Include all systems that process customer data.

Unclear Boundaries

Problem: Vague scope statements create audit issues.
Solution: Be specific about what's in and out of scope.

Missing Rationale

Problem: No justification for scope decisions.
Solution: Document business reasons for scope boundaries.

Scope Examples

Example 1: SaaS Company

Scope: Customer-facing web application and supporting infrastructure
In Scope: Web app, database, payment processing, customer support tools
Out of Scope: Internal HR systems, marketing tools, development environments

Example 2: Financial Services

Scope: Core banking systems and customer data processing
In Scope: Core banking platform, customer portal, payment systems
Out of Scope: Employee benefits systems, marketing databases

Example 3: Healthcare Provider

Scope: Patient care systems and protected health information
In Scope: EMR system, patient portal, billing systems
Out of Scope: Administrative systems, research databases

Next Steps

Once you have defined your scope:

  1. Get approval: Secure leadership sign-off on scope
  2. Document controls: Map controls to your scope
  3. Implement monitoring: Set up scope monitoring processes
  4. Plan reviews: Schedule regular scope reviews

Troubleshooting

"Our scope keeps changing"

  • Document scope change process
  • Require formal approval for changes
  • Update scope statement regularly

"Auditors question our scope"

  • Ensure scope aligns with business objectives
  • Document clear rationale for boundaries
  • Be prepared to defend scope decisions

"Scope is too complex"

  • Simplify by focusing on customer data
  • Start with core systems only
  • Expand scope gradually over time