Compliance: Scope

Scope is one of the most operationally consequential decisions in any compliance program — it determines which entities, processes, data types, and geographies fall under a given regulatory obligation, and which do not. Misreading scope is the primary driver of both over-compliance (wasting resources on unnecessary controls) and under-compliance (leaving regulated activities unprotected). This page explains how scope is defined in major regulatory frameworks, how scoping decisions are made in practice, and where the hard classification boundaries lie.

Definition and scope

In regulatory and standards contexts, scope refers to the defined boundary that separates activities, systems, and parties that must meet specific compliance requirements from those that do not. Scope is not self-evident — it must be actively determined by mapping organizational activities against the applicability clauses of each framework.

The compliance standards overview establishes that different frameworks use different scoping triggers. The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, scopes any system component that stores, processes, or transmits cardholder data, or that could affect the security of such data — a deliberately broad definition. The Health Insurance Portability and Accountability Act (HIPAA), enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, scopes covered entities (health plans, healthcare clearinghouses, and most healthcare providers) plus business associates who handle protected health information on their behalf (45 CFR §164.104).

ISO/IEC 27001, published by the International Organization for Standardization, requires organizations to define their Information Security Management System (ISMS) scope as a formal documented output — Clause 4.3 explicitly mandates that the scope account for interfaces and dependencies between activities performed by the organization and those performed by external parties.

A scoping determination has four structural components:

1. Subject boundary — which legal entities, subsidiaries, or business units are included
2. Data boundary — which data classifications or categories trigger obligations
3. System boundary — which IT environments, networks, or physical locations fall within scope
4. Third-party boundary — which vendors, contractors, or processors inherit compliance obligations through data flows or contractual relationships

How it works

Scoping follows a structured process that runs before control selection and risk assessment. The process framework for compliance maps this sequence in detail, but the core scoping workflow proceeds through three phases.

Phase 1 — Regulatory trigger identification. The organization identifies which regulations apply based on industry sector, data types handled, and geographic markets served. The Federal Trade Commission (FTC) Act Section 5 applies to virtually all commercial entities operating in the United States; sector-specific rules like the Gramm-Leach-Bliley Act (GLBA) apply only to financial institutions as defined by the FTC's Safeguards Rule (16 CFR Part 314).

Phase 2 — Data flow mapping. Scoping teams trace how regulated data enters, moves through, and exits organizational systems. PCI DSS v4.0 (released March 2022 by the PCI Security Standards Council) introduced the requirement that organizations use a targeted risk analysis to justify the scope of certain customized controls — making data flow documentation a prerequisite for scope validation, not just an audit artifact.

Phase 3 — Scope reduction and segmentation. Once the raw scope is established, organizations apply segmentation controls to isolate regulated environments from out-of-scope systems. PCI DSS explicitly allows network segmentation to reduce the scope of cardholder data environments, provided the segmentation is verified annually and tested through penetration testing. NIST Special Publication 800-37 (Risk Management Framework) similarly recommends system boundary definition as a foundational step before control selection.

Common scenarios

Scenario 1 — Multi-subsidiary organizations. A parent company with 12 subsidiaries may find that only 3 subsidiaries process payment card data. Only those 3 fall within PCI DSS scope — but only if adequate segmentation prevents cardholder data from traversing shared infrastructure used by the other 9 subsidiaries.

Scenario 2 — Cloud-hosted environments. Cloud service providers operate under a shared responsibility model. Under HIPAA, a cloud provider storing electronic protected health information (ePHI) for a covered entity is a business associate, and the Business Associate Agreement (BAA) must explicitly document which obligations each party carries. The HHS Office for Civil Rights published guidance in 2016 confirming that cloud providers are business associates even when they have no ability to decrypt the data they host.

Scenario 3 — Contracted processors vs. controllers. Under state privacy laws modeled on the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) and enforced by the California Privacy Protection Agency (CPPA), the distinction between a "business" (controller) and a "service provider" (processor) determines entirely different sets of obligations. A vendor receiving personal information under a written contract that prohibits secondary use falls outside the CCPA's definition of a third party — a scoping exclusion that must be documented with signed contractual language.

Decision boundaries

The hardest scoping decisions arise where regulatory text uses functional rather than categorical definitions. Three recurring boundary types require explicit analysis:

• Incidental contact vs. meaningful access — A janitorial contractor with physical access to server rooms does not become a HIPAA business associate unless the access creates a meaningful opportunity to access ePHI, per HHS guidance.
• Regulated data co-mingled with non-regulated data — When a database contains both PCI-scoped cardholder data and non-payment records, the entire database system falls within PCI scope unless the cardholder data fields are isolated through tokenization or encryption rendering them unreadable.
• Geographic scope under state law — The CCPA applies to businesses that meet specific revenue or data volume thresholds and do business in California, regardless of where the business is incorporated or headquartered (Cal. Civ. Code §1798.140).

Additional source documentation supporting scoping determinations can be found through compliance public resources and references, which catalogs agency guidance documents, official framework publications, and regulatory definitions relevant to boundary analysis.

📜 4 regulatory citations referenced  ·  🔍 Monitored by ANA Regulatory Watch  ·  View update log

References

• 16 CFR Part 314
• 45 CFR §164.104
• Cal. Civ. Code §1798.140
• authoritynetwork.org