When building out a security or compliance program, one of the most frequently underestimated steps is personnel scoping. For startups, it’s common to default to including only full-time employees. However, both SOC 2 and ISO 27001 frameworks require a more expansive and thoughtful approach. Excluding contractors, vendors, or temporary workers, especially those with system access, could result in serious audit gaps and undermine your organization’s security posture.
Why Personnel Scoping Matters
In both SOC 2 and ISO 27001, the people who interact with your systems, data, and environments form the foundation of your security controls. These frameworks require that organizations demonstrate appropriate oversight and control over all individuals who could impact the confidentiality, integrity, or availability of systems and data.
SOC 2, for example, emphasizes access control, system monitoring, and training—all of which must apply to anyone with access to in-scope systems. ISO 27001 similarly requires that roles and responsibilities be defined and that controls extend to all personnel operating within the scope of the Information Security Management System (ISMS).
Startups often move fast, scaling with flexible, distributed teams that include:
Freelancers and independent contractors
Offshore development partners
Temporary or part-time technical staff
Advisors with access to systems or data
While they may not appear in traditional HR systems, these individuals often have privileged access and influence over security-relevant operations. That means they must be accounted for in personnel scoping, subject to the same onboarding, access management, policy acknowledgment, and training as employees.
How to Scope Personnel for SOC 2 and ISO 27001
A strong scoping process starts with access, not job titles. To align with SOC 2 and ISO 27001 requirements:
Inventory your identity and access management systems (e.g., Okta, Azure AD) to identify users with access to in-scope systems.
Review user accounts and access listings within in-scope applications, cloud service providers, databases, etc.
Map roles and responsibilities across the organization, including contractors, to ensure coverage under relevant controls.
Apply key requirements consistently, such as security awareness training, device compliance, and policy acknowledgment to all scoped personnel.
Review scope periodically, especially as teams evolve or contractors roll on/off projects.
This cross-functional process should involve stakeholders from security, engineering, HR, and legal to maintain alignment as the organization grows.