Can you scope a SOC2 or ISO27001?


When you are running a startup or scaleup, your business is continuously growing and changing. You introduce new services and products, and at some point you need to obtain a security / privacy certification or report.

But what if you only want to implement security measures where they are most needed, and keep your business agile where they are not? Is that possible? Can you scope a SOC2 or ISO27001 process?

The short answer is 'yes, if you do it properly'. So how does that work?

The case of Un-Beat-able

Several years ago, Un-Beat-able (fictional use case) launched a music platform. This platform became wildly successful, attracting many music fans and capital. They expanded the team and the platform accordingly, but there was never a need for an information security certification since the platform was not collecting sensitive data or integrating with third parties.

That all changed when Un-Beat-able launched a payment service to grow the platform. The payment service, developed by a third party, integrated with a bank. This bank is now asking Un-Beat-able for proof that they have implemented cyber security practices. Un-Beat-able is considering ISO27001 and SOC2, but is afraid that the existing organisation will be impacted heavily by the audit and certification process.

How scoping works in ISO27001

Every ISO27001 certification has the following sentence on its first page: “This certificate is valid for the following scope: Information security related to x.” where x is one or more services and/or products. Now, most companies would fill in their entire list of services and products, but this is not necessary.

Un-Beat-able could instead choose to include only its payment service. This could limit the applicability of controls to the employees and other parties responsible for this service. However, Un-Beat-able will need to show, through its risk assessment and controls selection, that this is indeed the case.

How scoping works in SOC2

SOC2 scoping works a bit differently. The official guidance states: “ services criteria (are) to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems...”.

This statement provides two scoping mechanisms. Firstly, it allows a business to select which products or services are in scope of the report. Secondly, it allows a business to select the criteria that apply to those services. Un-Beat-able may for instance specify that the scope of the SOC2 statement is the security (criterion) of their payment service (specified service).

Is scoping always a good idea?

Un-Beat-able is operating its payment service at a higher maturity than the rest of the organisation, and a separate team has been working on this service. So in this scenario Un-Beat-able can greatly reduce the time and resources needed to become compliant. And they can always expand the scope in the next report.

However, this is not always the case. Businesses that operate at a higher maturity overall, e.g. they develop software securely by design, train their employees, and regularly test for information security weaknesses, are better prepared and more resilient towards information security risks. Alternatively, it may not be possible to scope because services are too intertwined with each other. In these scenarios there is simply no added benefit of scoping, or the benefit does not justify the cost.


It is possible to scope ISO27001 and SOC2 tracks. The important thing here is to make sure the scoping translates through to your systems, processes, and people. When it does, scoping represents a very effective way to obtain a certification fast and without breaking the bank.

- Written by Dennis van de Wiel, Founder