Reference 2026-03-29

SOC 2 and ISO 27001 Scope

A reference document explaining what 'scope' means in SOC 2 and ISO 27001, with examples of which systems, personnel, and infrastructure are in and out of scope.

This document explains what "scope" means in the context of SOC 2 and ISO 27001 compliance. It defines the four categories subject to scoping (personnel, infrastructure, code, and physical offices), lists the four types of customer data to consider, and provides concrete examples of in-scope and out-of-scope systems.
