Scoping a SOC 2 means drawing a system boundary around the five system components defined in AICPA DC section 200 — infrastructure, software, people, procedures, and data — that store, process, or transmit customer data or support your service commitments. You include those systems, carve out cloud providers such as AWS, GCP, and Azure as subservice organizations, and exclude unrelated internal tools and staging environments. Scope also means choosing which Trust Services Categories to test.
Key takeaways
- Scope = the system boundary around five components (DC 200, DC3): infrastructure, software, people, procedures, and data — not a list of controls.
- Only Security is mandatory. Availability, Processing Integrity, Confidentiality, and Privacy are optional categories selected from your service commitments — each one expands testing.
- Cloud providers are carved out, not tested. AWS, GCP, and Azure are subservice organizations; you disclose them and the complementary controls (CSOCs) you assume, but their controls stay outside your audit.
- Right-size, don't over-audit. A vendor is only a subservice organization if its controls are necessary to meet a criterion; ordinary vendors stay out of scope entirely.
What "scope" actually means in SOC 2 — the system boundary and five components
In a SOC 2 examination, "scope" is not a list of controls — it is the system boundary: the specific set of things your report describes and your auditor tests. That boundary is defined in the AICPA's DC section 200 (2018 Description Criteria, with revised implementation guidance — 2022), the criteria your Section 3 system description must satisfy. Get the boundary right and everything downstream — control selection, evidence requests, cost — follows cleanly. Get it wrong and every phase inherits the error.
DC section 200 frames the description around required disclosures: the types of services provided, the principal service commitments and system requirements, the components of the system, and the period covered. Two of those disclosures do the heavy lifting during scoping. The system components (criterion DC3) tell you what is in the boundary; the service commitments and system requirements tell you which Trust Services Categories the boundary must satisfy. Naming both explicitly is what separates a defensible scope from a guess.
The five system components: infrastructure, software, people, procedures, data
DC3 defines a system as five interacting components. Scoping means drawing the boundary around specific instances of each one — this production database, that identity provider, these on-call engineers — rather than around the abstract category. The table maps each component to a concrete SaaS example.
| Component (DC3) | Definition | In-scope example (SaaS) | Common out-of-scope example |
|---|---|---|---|
| Infrastructure | The physical and virtual resources that support the system | Production compute, networking, and databases in AWS us-east-1 | The corporate office Wi-Fi and printers |
| Software | The programs and operating software that run the system | The production application, container images, and CI/CD pipeline | Marketing website CMS with no customer data |
| People | The personnel involved in operating and using the system | Engineering, SRE/security, and support staff with production access | Sales and finance staff with no production access |
| Procedures | The automated and manual procedures that operate the system | Access reviews, change management, incident response runbooks | Internal expense-approval workflow |
| Data | The information used, processed, or produced by the system | Customer data in the application database and backups | Internal HR records unrelated to the service |
The pattern is consistent: a component instance is in scope when it touches customer data or supports a service commitment, and out of scope when it does neither.
Production environment vs corporate environment — where founders draw the line
The most common founder question is whether laptops, HR tools, and the marketing site are "in scope." The clean line is your production environment — the systems that deliver the service and hold customer data — plus the corporate systems that govern access to production (identity, code, and endpoint management). Your Okta or Google Workspace tenant, your GitHub organization, and your MDM are in scope because they control who reaches production. A corporate finance tool that never touches production or customer data usually is not. Scope also has boundary dimensions beyond production-versus-corporate: which product lines, regions, legal entities, and data centers are inside the boundary. A multi-product company can scope one product now and expand later, but the report must say exactly which.
Step-by-step: how to define your SOC 2 scope
The workflow below is the seven-step method we run in a scoping session — the same sequence reflected in our audit methodology. Each step produces an artifact that feeds the next.
Step 1 — Inventory what stores, processes, or transmits customer data
Start with data, not systems. List every place customer data lives or moves: application databases, object storage, message queues, data warehouses, backups, and logs. Add the systems that operate on that data — the application itself, batch jobs, and integrations. This inventory is the raw material for the boundary; anything that stores, processes, or transmits customer data is a candidate for in-scope.
Step 2 — Map the data flow, then map each asset to the five components
Before you assign components, draw the data-flow diagram — the single most useful scoping artifact. Trace customer data through four stages: how it enters (APIs, web app, file uploads), where it is stored (primary database, caches, backups), how it is processed (application services, pipelines, analytics), and how it exits (exports, webhooks, third-party integrations). The trust boundary is the line around everything in that flow plus the systems that govern access to it. Once the flow is clear, tag each asset against the five DC3 components (infrastructure, software, people, procedures, data). Any asset that appears in the flow but you intend to exclude needs a documented reason.
Step 3 — Classify every vendor: subservice organization or ordinary vendor?
Not every third party belongs in scope. The test from the AICPA guidance is whether the vendor's controls are necessary, in combination with your own controls, to meet one or more applicable trust services criteria. If yes, it is a subservice organization (e.g., your cloud host). If no, it is an ordinary vendor that can stay out of scope entirely. This single question prevents both over-scoping (auditing your CRM) and under-scoping (ignoring your hosting provider). It sits at the heart of good vendor management and third-party risk.
| Example vendor | Controls necessary to meet a TSC? | Classification | Scope treatment |
|---|---|---|---|
| AWS / GCP / Azure (hosting) | Yes — physical and infrastructure security | Subservice organization | Carve out; disclose and rely on their SOC 2 |
| Stripe (payment processing) | Often yes if in the service flow | Usually a subservice organization | Carve out; document CSOCs |
| Datadog (monitoring/logging) | Sometimes — if it processes in-scope data | Judgment call; often subservice org | Assess data exposure, then treat accordingly |
| HR / payroll SaaS | No — does not touch the service or customer data | Ordinary vendor | Out of scope entirely |
The takeaway: classification is driven by necessity to a criterion, not by how "important" a vendor feels.
Step 4 — Choose carve-out vs inclusive for each subservice organization
For every subservice organization, pick a method (detailed in the comparison below). In nearly all cases you will use the carve-out method: the provider's controls are excluded from your description and testing, but you name the provider, describe its services, and list the complementary controls you assume. The inclusive method — describing and testing the provider's controls inside your report — is technically available but requires the provider's cooperation and written assertion, which cloud providers do not offer.
Step 5 — Select your Trust Services Categories
Scope is not only which systems but which categories. Under TSP section 100, Security (the Common Criteria, CC1–CC9) is mandatory; Availability, Processing Integrity, Confidentiality, and Privacy are optional and selected from your service commitments and system requirements. Each added category brings its own criteria and expands the controls mapped to each Trust Services Criterion, along with the evidence you must produce.
Step 6 — Document CUECs and CSOCs
A complete scope names the controls you do not operate but rely on. Complementary user entity controls (CUECs) are controls you assume your customers implement — configuring SSO, managing their own admin accounts — for your controls to meet the criteria. Complementary subservice organization controls (CSOCs) are the equivalent for carved-out providers. Both are disclosures your Section 3 description must include, and defining them during scoping draws the responsibility line cleanly.
Step 7 — Write the scope statement and lock it before fieldwork
Finally, write a scope statement that names the in-scope services, the system boundary and its components, the subservice organizations and method for each, the selected categories, the CUECs and CSOCs, and the period covered. This becomes the scope paragraph of your report and the boundary in Section 3 — the exact text a buyer reads. Lock it before the observation period begins. Because a Type II tests operating effectiveness across a defined window, mid-period scope changes create testing gaps: add a system or acquire a company mid-period and that change may not be fully testable until the next cycle (which is why scope interacts closely with your choice of Type I vs Type II and observation period). With scope locked, move to a SOC 2 readiness checklist.
“Scoping is the single most impactful decision in a SOC 2 engagement. Over-scope and you burn budget auditing systems no buyer cares about; under-scope and you leave a gap that fails enterprise diligence. The right boundary covers exactly what your customers rely on — nothing more.”
— Sébastien Ruosch, CPA, Director of Audits at Auditsuisse
In-scope vs out-of-scope: a decision matrix
The two questions that settle almost every scope decision are: does it touch customer data, and does it support a service commitment? The matrix below applies them to common assets.
| System / component | Example asset | Touches customer data? | Supports a service commitment? | Decision |
|---|---|---|---|---|
| Production application | Customer-facing SaaS app | Yes | Yes | In scope |
| Application database | Primary DB + backups | Yes | Yes | In scope |
| Identity provider | Okta / Google Workspace | Governs access | Yes | In scope |
| Source control | GitHub organization | Governs prod code | Yes | In scope |
| Staging / dev environment | Non-prod with synthetic data | No (no real customer data) | No | Out of scope |
| Marketing website | Static CMS, no customer data | No | No | Out of scope |
| Internal analytics | Third-party product analytics | Depends on data sent | No | Assess, usually out |
When staging genuinely holds no production data, excluding it is both correct and defensible — but document that it uses synthetic data, or an auditor will ask.
Carve-out vs inclusive method explained
Once a vendor is a subservice organization, DC section 200 (criterion DC7) gives you two ways to treat it in the report. The choice affects report length, cost, and who has to cooperate.
| Dimension | Carve-out method | Inclusive method |
|---|---|---|
| Whose controls are described | Only yours; the subservice org is named and its services described | Yours and the subservice org's controls |
| Whose controls are tested | Only yours | Yours and the subservice org's |
| Subservice cooperation required | None | Yes — including a written assertion |
| Disclosure required (DC7) | Name the org, its services, and the CSOCs you assume | Full description of the org's system and controls |
| Effect on report length / cost | Shorter, lower cost | Longer, higher cost |
| When to choose | Almost always — especially for cloud providers | Rare — when you control the subservice org and want it inside one report |
Why AWS, GCP, and Azure are always carved out in practice
Major cloud providers are, as a matter of near-universal practitioner practice, treated as carved-out subservice organizations. This is not an AICPA rule — the inclusive method is technically permitted for any subservice organization — but it is what happens in reality: hyperscalers will not participate in a customer's audit, provide a written assertion, or open their controls to your auditor. Instead they publish their own SOC 2 report, which you obtain and rely on. You disclose the provider, describe the services it supplies, and document the CSOCs you assume (for example, that AWS enforces physical data-center security).
When the inclusive method makes sense (rarely)
The inclusive method is worth considering only when you have influence over the subservice organization — for instance, a wholly owned affiliate or a small, closely partnered processor — and a buyer wants a single report covering both. Even then, it requires the subservice organization's written assertion and adds testing scope, so most teams still carve out. The CUEC/CSOC quick reference below keeps the complementary-control vocabulary straight.
| Term | Who implements | DC reference | Example control |
|---|---|---|---|
| CUEC — complementary user entity control | Your customer (the user entity) | DC section 200, DC6 | Customer configures SSO and manages its own admin access |
| CSOC — complementary subservice organization control | The carved-out subservice organization | DC section 200, DC7 | Cloud provider enforces physical data-center security |
Choosing Trust Services Categories and how they change scope
Category selection is a scope decision with real cost consequences: each optional category adds criteria and evidence. Anchor the choice to your service commitments and system requirements — the DC-defined concept that governs which categories apply — rather than adding categories speculatively.
| Category | Mandatory? | Include when... | Typical trigger (SaaS / healthtech) |
|---|---|---|---|
| Security (Common Criteria) | Yes | Always — CC1–CC9 are the baseline | Every SOC 2 report |
| Availability | No | You make uptime or SLA commitments | Contracts promise 99.9% uptime |
| Processing Integrity | No | Accuracy of processing matters to customers | Payments, billing, data transformation |
| Confidentiality | No | You commit to protecting confidential (non-personal) data | Handling customer IP or trade secrets |
| Privacy | No | You collect and govern personal information per a privacy notice | Consumer PII; healthtech handling of personal data |
Most B2B SaaS start with Security plus Availability; healthtech handling personal data often adds Confidentiality and Privacy and pairs SOC 2 with a HIPAA assessment.
Worked example — a Series A B2B SaaS on AWS (with a healthtech PHI variant)
Here is an anonymized scope statement of the kind that becomes the boundary in Section 3 of a report.
In-scope system. The production SaaS application hosted on AWS (us-east-1), its application database, object storage, and supporting data pipelines; plus the corporate systems that govern access to production — the Okta identity tenant, the GitHub organization for production code, and endpoint management for engineers with production access.
Subservice organizations (carved out). AWS (hosting/infrastructure) and the payment processor. Each is named, its services described, and the CSOCs assumed are documented; the company relies on each provider's own SOC 2 report.
Out of scope. Staging and development environments (synthetic data only), the marketing website, and internal tools that do not touch customer data (HR, expense management).
Categories. Security and Availability.
Healthtech PHI variant. If the same platform handles protected health information, the data component now includes PHI, so the boundary adds the systems that store and transmit it, and the category selection typically adds Confidentiality and Privacy. The PHI-handling systems are scoped jointly with the HIPAA analysis so one boundary serves both examinations.
Compliance-automation platforms such as Vanta, Drata, and Secureframe can auto-discover in-scope infrastructure and monitor for scope drift between periods — useful for keeping the boundary current. They accelerate inventory, but they do not replace the judgment calls above: whether a vendor is truly a subservice organization, which categories your commitments require, and where the production/corporate line sits are decisions a qualified auditor validates.
Common scoping mistakes (and how to avoid them)
Over-scoping. Including non-critical systems and unneeded categories inflates auditor effort, evidence volume, and cost without improving buyer trust. Start from the data flow and add only what touches customer data or a service commitment.
Under-scoping. Excluding a system that quietly processes customer data (a logging pipeline, an analytics sink) creates a gap that enterprise procurement diligence will find. Trace the full data flow, including egress, before excluding anything.
Misclassified vendors. Treating an ordinary vendor as a subservice organization wastes effort; missing a real subservice organization (your host) undermines the report. Apply the necessity-to-a-criterion test consistently.
Scope drift between periods. Adding products, regions, or entities mid-observation-period breaks testability. Lock scope before the window opens and manage changes deliberately. Many scope-related exceptions surface in our roundup of common SOC 2 findings, and scope directly drives your audit timeline. For definitions of the terms used here, see the compliance glossary.
Frequently asked questions
How do you scope systems for a SOC 2 audit?
Draw a boundary around the five system components in AICPA DC section 200 — infrastructure, software, people, procedures, and data — that store, process, or transmit customer data or support your service commitments. Include those systems, carve out cloud subservice organizations, and exclude unrelated internal tools and staging environments.
What is the difference between the carve-out and inclusive method in SOC 2?
Under the carve-out method, a subservice organization's controls are excluded from testing but named and disclosed alongside the complementary controls you rely on. Under the inclusive method, the subservice organization's controls are described and tested inside your report. Carve-out is far more common because it needs no cooperation from the provider.
Is AWS in scope for my SOC 2 report?
In practice, no. Cloud providers like AWS, GCP, and Azure are treated as carved-out subservice organizations. You disclose them by name, rely on their own SOC 2 report, and document the complementary subservice organization controls you assume — but their controls are not tested inside your audit.
What is a subservice organization in SOC 2?
A subservice organization is a vendor whose controls are necessary, combined with your own, to meet one or more trust services criteria — for example, your cloud host. If a vendor's controls are not necessary to meet a criterion, it is an ordinary vendor and can stay out of your SOC 2 scope entirely.
How do I decide which Trust Services Criteria to include in SOC 2?
Security (the Common Criteria) is mandatory. Add Availability if you make uptime commitments, Processing Integrity for transaction or payment accuracy, Confidentiality for non-personal sensitive data, and Privacy for personal data governed by your privacy notice. Each added category expands testing and evidence scope.
What are complementary user entity controls (CUECs)?
CUECs are controls a SOC 2 report assumes your customers implement so your controls can meet the applicable criteria — for example, configuring SSO or managing their own admin access. Defining CUECs during scoping clarifies where your responsibility ends and the customer's begins.
What happens if you over-scope or under-scope SOC 2?
Over-scoping adds non-critical systems and unneeded categories, inflating auditor effort, evidence volume, and cost without improving buyer trust. Under-scoping omits systems that touch customer data, creating gaps that fail enterprise procurement diligence. The right scope covers exactly what customers rely on.
Sources & further reading
- AICPA & CIMA — DC section 200, 2018 Description Criteria for a Description of a Service Organization's System in a SOC 2® Report (With Revised Implementation Guidance — 2022) — the source of the five system components (DC3) and the CUEC/CSOC disclosures (DC6, DC7).
- AICPA & CIMA — TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (With Revised Points of Focus — 2022) — the criteria and categories you select during scoping.
- AICPA — Statement on Standards for Attestation Engagements No. 18, as amended (through SSAE No. 21, for reports dated on or after June 15, 2022). SOC 2 examinations are performed under AT-C section 105 and AT-C section 205 (Assertion-Based Examination Engagements); AT-C section 320 applies to SOC 1, not SOC 2.
Get your scope right the first time
Auditsuisse is a US & Swiss licensed CPA firm. We'll run a scoping session, draw a defensible system boundary, classify your subservice organizations, and quote a fixed fee — see our SOC 2 audit services and scope optimization, or book a call.
Request Consultation