
SOC 2 Scoping. Get it right from the start.
Scope creep is the most common reason SOC 2 programmes overrun on time and cost. We define the right system boundary and select only the Trust Services Criteria your clients actually require, so you achieve a credible report without unnecessary work.
Six scoping deliverables. One defensible foundation.
System Boundary Definition
We define the precise boundary of your SOC 2 system, identifying which infrastructure, applications, people, and processes fall within scope and which can be excluded without weakening your report.
Trust Services Criteria Selection
We assess which of the five Trust Services Criteria apply to your business model and what your clients actually require, avoiding unnecessary criteria that add cost and audit burden.
Subservice Organisation Review
We identify all subservice organisations within your system boundary, including cloud providers, data processors, and third-party services, and determine how to handle them in your report.
System Description Drafting
We draft the system description that forms the foundation of your SOC 2 report, covering infrastructure, software, people, procedures, and data in the format auditors expect.
Scope Optimisation
We identify opportunities to reduce scope without compromising report quality, minimising the number of controls required and the evidence burden during the observation period.
Criteria Mapping
We map your existing controls and processes to the selected Trust Services Criteria, giving you an early view of coverage and gaps before the formal gap analysis begins.
From business model review to agreed scope. Six structured steps.
Business Model Review
We review your products, services, and client contracts to understand what data you process, how you process it, and what security assurances your clients require.
Infrastructure Mapping
We map your technical infrastructure, including cloud environments, on-premise systems, SaaS tools, and data flows, to establish a clear picture of what needs to be in scope.
Criteria Assessment
We assess each of the five Trust Services Criteria against your business model and client requirements, recommending which to include and providing clear rationale for exclusions.
Boundary Workshop
A structured workshop with your technical and compliance teams to agree the system boundary, resolve any ambiguities, and document decisions for the auditor.
System Description Draft
We produce the first draft of your system description, covering all required elements in the format expected by SOC 2 auditors.
Scope Sign-Off
We present the agreed scope and criteria selection to your leadership team, confirm alignment with client requirements, and hand over to the gap analysis phase.
Organisations that scoped correctly. And saved time and cost.
UK SaaS platform entering US market
A UK SaaS business received a procurement questionnaire from a US enterprise client requiring SOC 2 Type II. We defined a scope covering their core platform and selected the Security and Availability criteria, excluding Processing Integrity, which was not relevant to their service model. The focused scope reduced their audit cost by an estimated 30 percent.
Managed service provider scoping
A UK MSP handling infrastructure for financial services clients needed SOC 2 to satisfy a new client requirement. We scoped the engagement to cover their monitoring, patching, and incident response services, excluding their internal HR and finance systems. The result was a clean, defensible scope that satisfied the client without over-engineering the programme.
Cloud infrastructure provider
A cloud hosting provider needed to scope SOC 2 across a complex multi-tenant environment with multiple subservice organisations. We mapped all data flows, identified the relevant subservice organisations, and produced a system description that accurately reflected their architecture without exposing unnecessary detail.
Define your SOC 2 scope correctly. Before you spend a penny on controls.
Getting scope wrong at the start is the most expensive mistake in a SOC 2 programme. Our scoping engagement gives you a defensible system boundary, the right Trust Services Criteria, and a system description ready for your auditor.