How To Define Your SOC 2 Scope

Payal Wadhwa


Mar 02, 2024

Defining the SOC 2 scope is a practical constraint when preparing for SOC 2 assessments. Some organizations err by selectively including only the elements that showcase their strengths, which creates challenges for the recipients who rely on SOC 2 reports to make key decisions.

Others find it difficult to balance assessment initiatives with the time and resources at hand. It is therefore important to narrow down the scope intelligently so that it meets the compliance requirements and the expectations of stakeholders and customers, while still excluding unnecessary items.

Evolving standards and a well-informed market demand strategic scoping for SOC 2 audits. This blog aims to help you prepare the SOC 2 scope rationally and responsibly, so that it establishes clarity, manages risks, and meets regulatory requirements.

What is SOC 2 scope?

SOC 2 scope refers to the parameters defined for the assessment of internal controls performed under a SOC 2 audit. It brings clarity on which of the service provider's controls and systems need to be evaluated to ensure the protection of customer data.

What does SOC 2 scope include?

SOC 2 scope includes the services, systems, policies, processes, and people that must be evaluated for effectiveness against the five trust principles: security, availability, processing integrity, confidentiality, and privacy.

How to prepare SOC 2 scope?

The accuracy and relevance of a SOC 2 report rest on a well-defined SOC 2 scope. It lays the foundation of the audit and is often the most challenging and perplexing step for most organizations. Although the scope of SOC 2 varies with the type of services and the nature of the organization, the basic idea remains the same.

With that in mind, here’s how you can prepare the SOC 2 scope for your organization:

1. Choose relevant Trust Service Criteria

The starting point for defining the scope should be deciding which Trust Service Criteria must be included in the SOC 2 audit. These criteria then serve as the basis for evaluation.

Here’s how you can make a choice from among the 5 Trust Service Criteria:

Security: This criterion is mandatory for every SOC 2 audit and is known as the common criteria.

Availability: If the availability of your systems and services is critical for your customers, then this criterion applies to the business. Ask the following questions to get clarity:

  • Does my business provide services that must be available 24×7 to the customer, for example, financial transaction processing?
  • Do our service level agreements specify any level of availability?
  • Are there any risks in my business environment that can impact the availability of systems and impact the customer?
  • Are clients asking for availability TSC?

Processing integrity: When ensuring the accuracy, completeness and authorization of data processing is key to the business, processing integrity must be included in the SOC 2 audit scope. The following will help with the decision:

  • If the nature of the business involves processing sensitive data, such as financial or health-related data
  • If critical business decisions rely on accurate data processing
  • If the business processes large volumes of data with complex systems, like an e-commerce platform
  • If the business is prone to risks that can compromise the integrity of data
  • If the clients are demanding processing integrity TSC

Confidentiality: If the business deals with sensitive or personally identifiable information that needs to be protected from unauthorized access, the confidentiality criterion must be included in the scope. Ask the following questions to check applicability:

  • Does my business deal with sensitive information like financial records, health information, intellectual property, passwords etc.?
  • Is my business subject to regulatory requirements like HIPAA or GDPR that mandate ensuring confidentiality of information?
  • Have we signed non-disclosure agreements with clients?
  • Are there cyber risks to confidentiality of information?

Privacy: Privacy relates to personal data. Any business collecting, processing or transmitting personal information that needs to be kept safe must meet the privacy criterion. Consider the following:

  • Certain data regulations mandate protection of personal information.
  • Businesses like e-commerce companies, healthcare providers, SaaS businesses etc. need to ensure the privacy of customer data.
  • If there are significant risks of data breaches that could impact data privacy, then this criterion must be considered.

2. Specify the services that fall within scope

Based on the organization’s operations, the service offerings that must be included in the SOC 2 audit should be specified in the scope. Any service that involves collecting, storing, processing or transmitting sensitive data has to be included in the scope in accordance with the relevant TSC.

Examples of such services are cloud computing, managed IT services, data hosting etc.

Vendors or third-party service providers engaged by the organization to perform certain services and functions are known as sub-service organizations. These must be included and detailed in the SOC 2 scope, as they may have access to the organization’s data, networks or other resources. During the audit, the auditor assesses the risks associated with these sub-service organizations and checks whether appropriate controls are in place.

3. Identify policies, procedures, systems and people

The data that is collected, processed or transmitted in the course of the specified services is included in the scope, along with the following:

Policies

Policies are the guidelines that govern the security practices and processes followed in the organization. It is important to decide which of these policies are crucial for the SOC 2 audit. Some examples of policies are vendor management, training and awareness, data privacy, etc.

Procedures

Standard Operating Procedures (SOPs) are step-by-step guidance for carrying out specific operations. SOPs that describe how to carry out a security task must be included in the SOC 2 scope.

An example is the protocol for handling security incidents. In case of a security incident, there may be protocols for incident identification, communication, staff responsibilities, remediation actions and post-incident steps. The auditor reviews such protocols, compares them with actual practice and assesses the level of adherence.

Systems

Technical and physical information systems relevant to the chosen criteria are an important component of the SOC 2 scope. The devices, software and network components that collect or process data are evaluated in particular for how they manage information security risks. Examples of systems and controls that must be included in the SOC 2 scope are access controls, firewalls, intrusion detection systems etc.

Personnel

Personnel are directly accountable for designing and implementing controls. It is important to clearly define the roles and responsibilities of every employee involved in the process to ensure that the organization meets the TSC.

People managing access controls, detecting incidents, running security training programs etc. all come under the SOC 2 scope.

4. Choose between SOC 2 Type 1 and Type 2

While both SOC 2 report types aim to identify areas of improvement and tighten the security environment of the organization, they differ in scope. Type 2 is broader in scope and provides a higher level of assurance to clients, partners and stakeholders.

The SOC 2 Type 1 scope covers reporting on the design of security controls that address one or more of the chosen trust principles (security, availability etc.) at a specific point in time. It is a succinct review of policies, procedures and technologies, and is chosen when a quick snapshot of the controls is to be demonstrated to clients or stakeholders.

This is generally the case when the organization is new to SOC 2 audits and needs to identify areas of improvement first.

The SOC 2 Type 2 scope covers reporting on both the design and the operating effectiveness of security controls that address one or more of the chosen TSC over a specified period of at least 6 months. This report not only includes a detailed review of policies, procedures and technologies, but also tests the effectiveness of the controls across the organization over the designated period.

It is therefore chosen when the organization wants to demonstrate the effectiveness of its security controls over a period of 6 to 12 months.

Organizations looking to stay SOC 2 compliant must conduct a type 2 audit every 12 months.


Get SOC 2 ready with Sprinto

The SOC 2 scope is the starting point of the SOC 2 audit, and it is crucial to define it with precision. A well-defined audit scope keeps the organization and the auditor aligned with the compliance requirements and expedites the process by bringing clarity.

Sprinto, as a compliance automation solution, helps you speed up the SOC 2 compliance process. From streamlined workflows and automated checks for risk assessment to ready-made policy templates and continuous evidence collection, Sprinto ensures everything is done in an audit-friendly manner.

The entire compliance program runs on autopilot and ensures you don’t drift from SOC 2 compliance. Talk to our compliance expert and get a personalized demo today.

FAQs

What are the consequences of not including the relevant items in the SOC 2 scope?

Not including the relevant systems, controls, processes and people in the SOC 2 scope results in incomplete assessments, a disclaimer of opinion by the auditor or audit failure, and the consequence of increased risk exposure.

Can SOC 2 scope change every year?

Yes. If an organization undergoes a change in its systems, processes or controls, or a new trust criterion becomes applicable to the organization, the SOC 2 scope will change.

What are some challenges organizations face in defining SOC 2 scope?

Some challenges that organizations face in defining the SOC 2 scope are identifying the systems, controls and processes that must be included, understanding the applicability of the criteria, choosing the report type, updating the scope when required, and including too much or too little in the scope.

Payal Wadhwa


Payal is your friendly neighborhood compliance whiz! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!
