SOC 2 Scoping Worksheet
How to Choose the Right Trust Services Criteria (Without Costly Mistakes)
Before you begin your SOC 2 journey, there is one decision that matters more than most people realize:
what exactly should your audit include?
Over-scope your SOC 2 and you’ll increase cost, complexity, and audit time. Under-scope it and you risk failing enterprise due diligence, delaying major deals, or repeating the audit later.
SOC 2 scoping is not administrative. It’s strategic.
This worksheet helps you choose criteria that match your business reality not guesses.
Step 1: Clarify Your Business Model
Start with the basics. Your scope should reflect how customers use and depend on your system.
- Are we a SaaS provider?
- Are we in FinTech or HealthTech?
- Do customers rely on our system to operate daily?
- Do we offer uptime guarantees in contracts?
If your platform is mission-critical, your SOC 2 scope will likely extend beyond the mandatory Security criterion.
The more customers depend on you, the broader your scope may need to be.
Step 2: Understand the Five SOC 2 Trust Services Criteria
SOC 2 includes five Trust Services Criteria (TSC). Every SOC 2 report includes Security. The others depend on what your business actually does.
Trust Services Criteria:
Security (Mandatory), Availability, Processing Integrity, Confidentiality, Privacy
Security (Required for Everyone)
Security covers core protections such as access management, risk assessment, monitoring, incident response,
and change management.
Rule: If you handle customer data, Security is non-negotiable.
Availability (Include if…)
Include Availability when downtime would materially impact customers or you commit to uptime in contracts.
- You provide uptime SLAs
- Customers rely on system reliability to operate
- Downtime creates contractual or operational risk
Processing Integrity (Include if…)
Include Processing Integrity if your system processes transactions or automated outputs that affect customer outcomes.
- You process payments or financial transactions
- You run billing, payroll, or automated calculations
- Errors would directly impact customer results
Confidentiality (Include if…)
Confidentiality is relevant when customers store sensitive or proprietary information in your platform.
- Customers share trade secrets or proprietary business data
- You store sensitive financial or internal information
- You support B2B workflows where confidentiality is a buying requirement
Privacy (Include if…)
Include Privacy if you collect or process personal data (PII), operate in regulated sectors, or serve customers
with privacy-driven procurement requirements.
- You handle personal data (PII)
- HealthTech, HR platforms, consumer-facing apps
- Customers reference PIPEDA or Québec’s Law 25 in security reviews
Step 3: Evaluate Customer Expectations
This is where scoping becomes real. SOC 2 should align with customer expectations not internal assumptions.
- Have customers explicitly requested certain criteria?
- Are you selling to enterprise or regulated industries?
- Do questionnaires flag privacy, uptime, or transaction concerns?
Step 4: Avoid the Two Biggest SOC 2 Scoping Mistakes
Mistake 1: Over-Scoping “Just to Be Safe”
- Increases audit cost and timeline
- Expands documentation and evidence requirements
- Slows readiness and adds complexity
More criteria ≠ more credibility. The best scopes are precise.
Mistake 2: Under-Scoping to Save Money
- Creates red flags in due diligence
- Forces expensive re-audits later
- Slows enterprise sales cycles
SOC 2 is often a sales enabler.
Under-scoping can undermine the exact trust you’re trying to build.
Step 5: Perform a Readiness Reality Check
Before you finalize scope, validate that your program can support it. Confirm:
- Policies align to the chosen criteria
- Access reviews and approvals are documented
- Incident response is defined and testable
- Risk assessments are current
- A readiness assessment is completed (or scheduled)
Unsure whether your SOC 2 scope supports growth or risks rework?
Avoid expensive mistakes before your audit begins.
Industry-Based SOC 2 Scoping Examples
To help clarify, here are common scoping patterns. Use these as guidance then tailor based on your customers and contracts.
| Industry | Common SOC 2 Scope (Typical) | Add When… |
|---|---|---|
| B2B SaaS | Security + Confidentiality | Availability (SLA-driven) |
| FinTech | Security + Availability + Processing Integrity | Confidentiality (sensitive client data) |
| HealthTech | Security + Confidentiality + Privacy | Availability (clinical/operational reliance) |
| MSPs | Security + Confidentiality | Availability (managed uptime commitments) |
| HR / People Ops Platforms | Security + Confidentiality + Privacy | Processing Integrity (payroll/calculations) |
Reminder: Scoping must reflect your real risk profile not marketing ambition.
Why SOC 2 Scoping Is a Strategic Decision
SOC 2 is not just a compliance exercise. It’s a trust signal, a sales accelerator, and a risk governance framework.
Your scope determines whether SOC 2 becomes a growth tool or an expensive checkbox.
How Canadian Cyber Helps You Scope Smartly
Canadian Cyber helps organizations scope and prepare SOC 2 the right way through:
- SOC 2 readiness assessments
- Trust Services Criteria gap analysis
- vCISO-led scoping workshops
- Control mapping aligned to your industry
- Ongoing compliance oversight (so you don’t drift)
We ensure your SOC 2 scope matches your business model, meets customer expectations, avoids unnecessary complexity, and supports long-term growth.
Final Takeaway
SOC 2 scoping is not about choosing more. It’s about choosing wisely.
The right criteria reduce audit risk, accelerate sales, and build enterprise trust.
The wrong scope costs time, money, and credibility.
👉 Scope smart. Prepare early. Certify confidently.
👉 Canadian Cyber helps you design a SOC 2 strategy that works for your business.
Stay Connected With Canadian Cyber
Follow us for SOC 2 strategy insights, compliance readiness guidance, and cybersecurity leadership tips:
