How to Know Which Employees Are In Scope for Your Audit + Answers to Audit Scope FAQs

July 11, 2023

Author: Emily Bonnie, Senior Content Marketing Manager at Secureframe

Reviewer: Rob Gutierrez, Senior Compliance Manager at Secureframe

Some of the most common questions we hear from our customers involve audit scope. Questions like:

“Which Trust Services Criteria do I need to include in my SOC 2 report?”

“How long should my audit window be?”

“Are contractors and freelancers in scope for my audit?”

Below we’ll answer common questions about employees and audit scope for specific frameworks including SOC 2, ISO 27001, PCI DSS, and HIPAA, along with other audit scope FAQs.

How to define audit scope for personnel

As remote work, third-party contractors, and freelancers become more commonplace, understanding which employees are in scope for an information security audit is increasingly complex. Knowing which employees to include or exclude has a significant impact on your audit’s success — and your larger information security practices. 

Let’s examine the criteria to determine which employees are in scope for key information security frameworks.

SOC 2

In general, all employees who have access to the systems or data under audit should be considered in scope.

Start by identifying the systems, processes, and data that are relevant to your selected Trust Services Criteria. Then consider which employees have access. This may include IT staff, network administrators, data analysts, engineers, product designers — any employees who play a role in the development, implementation, or management of the systems or processes being audited.

What about contractors?

Our compliance expert Rob Gutierrez explained it well during a recent Secureframe | Office Hours Q&A session: “The scope of a SOC 2 relates to customer data, so the key question is: does the contractor have access to customer data? If the answer is yes, they need to adhere to those requirements. If the answer is no, then they’re out of scope and you don’t need to worry about it.”

To determine whether contract or freelance workers are in scope for your audit, you should consider the nature of their work and the level of access they have to your organization's systems and data. For example, a DevOps contractor that has access to customer or company data would be considered in scope for the audit. A freelance designer providing website or branding services that does not have access to sensitive information would be considered out of scope.

ISO 27001

All employees who have access to information or systems within the Information Security Management System (ISMS) being audited should be considered in scope for the audit.

Start by defining the scope of your ISMS — which information needs to be protected, and which systems are used to process that information? Which employees have access to these systems or data? Any employees who have access to company email, cloud services, or shared network drives should be considered.

Any employees who play a role in the development, implementation, or management of the ISMS may also be in scope. Think members of the information security team, compliance officers, and executives responsible for maintaining the organization's security posture.

Contract or freelance workers may need to be included in your ISO 27001 audit if they have access to information or systems that are relevant to the ISMS being audited. In many cases, contract or freelance workers are considered to be part of an organization's extended workforce and may have access to the same systems, processes, and data as regular employees.

HIPAA

HIPAA regulations apply to both covered entities (healthcare providers, health plans, and healthcare clearinghouses) as well as their business associates (organizations that handle protected health information on behalf of covered entities, such as claims and payment processors, data analysts, and CPA and accounting firms).

To identify which personnel are in scope for HIPAA compliance, consider the following:

  • Healthcare Providers: All personnel involved in providing healthcare services, including doctors, nurses, therapists, administrative staff, support staff, and any other staff who have access to protected health information (PHI) are in scope.
  • Health Plans: Personnel involved in administering health plans, processing claims, handling enrollment, customer service, or managing PHI/ePHI are in scope.
  • Healthcare Clearinghouses: Personnel responsible for processing or transmitting health-related transactions or handling PHI/ePHI fall within scope.
  • Business Associates: Any employees or contractors of business associates who handle or have access to PHI are in scope for HIPAA compliance.

In general, in-scope personnel include anyone who: 

  • Handles PHI/ePHI
  • Has access to systems or applications that store or transmit PHI/ePHI
  • Plays a role in the development, implementation, or management of HIPAA policies and procedures

It's crucial to conduct a comprehensive analysis of your organization's specific operations and workflows to identify all personnel who handle or have access to PHI/ePHI. This analysis should involve reviewing job roles, access privileges, and responsibilities within your organization.

Once you have determined which employees are in scope, you can develop appropriate policies, training programs, and security controls to ensure compliance with HIPAA rules and requirements.

PCI DSS

Which employees have access to your cardholder data environment (CDE)? These are the employees that are in scope for PCI compliance.

You can determine the scope of your CDE by documenting how cardholder data and payment information flows through your environment and any connected systems. Any systems that store, process, or transmit cardholder data or authentication data — as well as any systems inside the same physical or logical network — are part of your CDE and are subject to PCI requirements. Any employees, contractors, or freelancers that have access to these systems fall within scope. 

In addition, PCI SAQ-D 9.2 requires organizations to establish procedures to “distinguish on-site personnel and visitors”, for example with ID badges. (According to the PCI SSC, on-site personnel includes all full and part-time employees, temporary employees, contractors, and consultants.) So a marketing or design freelancer that doesn’t interact with your CDE would typically be considered out of scope — unless you have a physical location. In that case, the contractor will need an ID badge and would fall in scope. 

Audit scope FAQs

The scoping phase lays the foundation for the entire information security audit, defining the boundaries, objectives, and areas of focus. By answering some of the most frequently asked questions around audit scope, we hope to demystify the process and shed light on best practices. 

Why is it important to properly scope an audit?

Define too wide a scope, and you’ll waste time and resources putting controls in place to address risks that don’t exist for your organization. The audit will also take longer and cost more to complete. 

On the other hand, define too narrow a scope and you could be overlooking critical security risks. Plus, customers likely won’t have the level of assurance they need to do business with you. 

Can the audit scope change during the audit process?

Yes, it’s possible for the audit scope to be adjusted during the audit process, for example if new risks emerge or if significant changes occur within the organization's environment.

Can the audit scope include third-party vendors or partners?

Third-party vendors or partners that have a direct impact on the organization's information security or data handling processes are typically included in the audit scope. This helps ensure that the organization's entire security posture is adequately assessed and that third-party risk has been taken into account. 

How do I determine my audit window?

Most information security standards recommend an audit window of 6-12 months. Some frameworks such as SOC 2 offer greater flexibility and allow shorter, 3-month audit windows. 

Our compliance experts recommend that companies with an urgent need for a SOC 2 Type II report select a 3-month audit period for their initial report, then move to a 12-month period with annual audits.

Do I need separate audit reports for different product lines or business locations?

Some organizations choose to limit audit scope to a single product line or data center location. For example, Alphabet has separate SOC 2 reports for Google Workspace, Google Cloud, Apigee, AppSheet, Looker, and Payment Gateway. Pursuing SOC 2 reports for multiple products and locations will ultimately depend on which customers and prospects require an audit report. 

Simplify your compliance audits with Secureframe

When it comes to scoping an information security audit, focus on the information. What data needs to be protected? What does it need to be protected from, and how? Who has access to it? 

Whether you’re scoping your first audit or your fiftieth, Secureframe simplifies and fortifies your entire compliance program. Our platform makes it easy to narrow the scope of your audit to specific personnel, resources, devices, assets, etc. as needed to speed up time to compliance and deliver an efficient audit. 

Architected by compliance experts and former auditors, our platform streamlines audit prep and helps thousands of companies maintain continuous compliance with the world’s most rigorous security and privacy standards.