The cheapest control is the one you delete

When a team comes to us for SOC 2 or PCI readiness, the instinct — theirs and most consultants' — is to start generating documentation. Policies, procedures, evidence templates. We start somewhere else: with a map of what is actually in scope, and a hard conversation about how much of it needs to be.

Scope is the single biggest driver of both compliance cost and ongoing burden. Every system in scope needs controls, evidence, and maintenance — forever, not just until the audit. A cardholder-data environment that touches twelve systems is more than twice the work of one that touches five. So before we write a policy, we ask whether that data needs to flow where it flows, whether that system needs the access it has, whether that integration could be brokered through something already in scope.

The reductions compound. Tokenising card data can pull entire systems out of PCI scope. Routing health data through a single audited service can shrink a HIPAA footprint dramatically. Each system removed is policies you never write, evidence you never collect, and an attack surface you no longer defend. The scoping phase routinely pays for itself before we author a single control.

Only then do we write. And because the remaining scope reflects how the team actually works, the policies describe reality instead of fighting it — which is the difference between a program that survives the first quarter after the auditor leaves and one that quietly rots. Compliance that does not match reality is not compliance; it is theatre with a deadline.