How It WorksPricingBlogStart Free Trial
All answers

How do I scope my SOC 2 audit to keep it manageable?

March 6, 20262 min readSOC 2 Basics for Founders

How Do I Keep SOC 2 Scope Small?

SOC 2 scope determines how much work you do. A larger scope means more controls, more evidence, and a longer audit. The key is including only what matters — the systems and criteria that your customers and auditor actually need to see.

Scoping Decisions

DecisionSmaller ScopeLarger Scope
Trust Services CriteriaSecurity onlySecurity + Availability + Confidentiality
Systems includedProduction environment onlyProduction + staging + internal tools
Cloud accountsOne AWS/GCP accountMultiple accounts across regions
ApplicationsCustomer-facing app onlyAll internal applications
PeopleEngineering + leadershipEntire company

Three Rules for Scoping

  1. Include only systems that touch customer data. Your internal Slack, HR tools, and marketing stack are typically out of scope. Focus on your production infrastructure, application, and the SaaS tools that access customer data.

  2. Start with Security only. Do not add Availability, Processing Integrity, Confidentiality, or Privacy unless a specific customer requires it in writing.

  3. Draw your boundary at the infrastructure level. If you use Vercel or AWS, your boundary starts at your configuration layer — not at the physical data center. Reference your cloud provider's SOC 2 report for infrastructure controls below your boundary.

Common Scoping Mistakes

  • Including staging and development environments (rarely needed)
  • Adding every SaaS tool the company uses (only include those that touch customer data)
  • Scoping to all five Trust Services Criteria on the first audit
  • Including employee personal devices beyond basic MDM requirements

How to Document Your Scope

Create a simple system description that lists:

  • Which cloud accounts are in scope
  • Which applications process customer data
  • Which third-party tools are included
  • Which Trust Services Criteria you are auditing against
  • Which teams and roles are in scope

Screenata helps define your scope by analyzing your codebase and infrastructure to identify which systems process customer data and which controls apply.

Related Questions

SOC 2 Basics for Founders

How do I explain SOC 2 to my CEO or board?

Frame SOC 2 as a sales enablement investment, not a compliance burden. Enterprise buyers require it before signing contracts. The cost is $5,000–$25,000 all-in for Type I, and it removes the biggest friction point in enterprise sales cycles.

SOC 2 Basics for Founders

How do I know if my startup actually needs SOC 2?

Your startup needs SOC 2 when enterprise prospects require it during vendor review. If you sell to companies with 200+ employees, operate in regulated industries, or handle sensitive customer data, SOC 2 will come up. If you only sell to SMBs, you likely do not need it yet.

SOC 2 Basics for Founders

How do I run a SOC 2 readiness assessment myself?

Run a DIY readiness assessment by walking through each Trust Services Criterion, documenting your existing controls, identifying gaps, and prioritizing remediation. Use the AICPA's published criteria as your checklist and focus on the Security category first.

Ready to Automate Your Compliance?

Join 50+ companies automating their compliance evidence with Screenata.

Start Free Trial →

© 2025 Screenata. All rights reserved.