Sunday, July 28, 2024

SOC 2 Scoping Report Overview

When it comes to scoping a SOC 2 report, there are two primary considerations:

  1. The Trust Services Criteria.
  2. The system in scope that is being audited.

Trust Services Criteria

The SOC 2 audit evaluates your system against the Trust Services Criteria, which include one mandatory criterion (Security) and four optional ones.

  1. Security (Common Criteria): This is mandatory for every SOC 2 audit. Security involves ensuring that your system is protected against unauthorized access, both physical and logical.

  2. Availability: This criterion examines whether your system is available for operation and use as committed or agreed upon. It covers uptime, disaster recovery, and continuity planning.

  3. Confidentiality: This criterion evaluates how your system protects confidential information, ensuring that data is only accessible to those who are authorized.

  4. Processing Integrity: This criterion examines whether your system achieves its purpose accurately, completely, and in a timely manner. For instance, if your application processes financial transactions, it ensures the integrity of those processes.

  5. Privacy: This criterion evaluates how personal information is collected, used, retained, disclosed, and disposed of in conformity with your privacy notice and criteria set forth by the American Institute of Certified Public Accountants (AICPA).

Selecting Trust Services Criteria

Choosing which of the Trust Services Criteria to include in your SOC 2 audit depends on the needs of your report's readers:

  • Security is mandatory and relevant to all readers.
  • Availability, Confidentiality, Processing Integrity, and Privacy should be considered based on what is most relevant to your application, product, and services, and what your customers expect to see.

Consulting with your auditor can help determine which criteria are most applicable. Note that including more criteria can increase the cost and complexity of the audit due to additional requirements and evidence.

System in Scope

Determining the system in scope for your SOC 2 report is flexible but must be relevant to your readers. Key elements to consider include:

  • Application/Product/Service: The primary system that your customers use should be in scope. For SaaS providers, this would be the SaaS application.
  • Supporting People and Processes: Include all personnel and processes that support the primary system.
  • Locations: If you have physical offices or data centers, these may also need to be in scope.
  • Technology Stack: Include all technologies that support the primary system, such as your corporate network, cloud infrastructure, and tools like Jira for change management.
  • Supporting Corporate Systems: Systems that support your primary system, like your corporate network, email, HR, and legal or contract management systems, should also be in scope.

Summary

When scoping your SOC 2 report, ensure that the criteria and systems included are relevant and applicable to your customers, internal stakeholders, and the readers of your report. Flexibility is available, but alignment with customer expectations and internal relevance is crucial for a successful audit.

By following these guidelines, you can effectively scope your SOC 2 report to meet the necessary requirements and provide valuable assurance to your stakeholders.
