
Environment Scope: Environments that are part of the audit

1. Primary focus = “In-scope systems”


  • The production environment (AWS in our case) will definitely be in scope, because that’s where customer data is stored and processed.
  • Development environments (GCP in our case) can also be in scope if they:
    • Contain any real customer data (even for testing/troubleshooting). [Currently: yes. Solution: avoid having customer data in SQL on GCP.]
    • Are used to deploy to production. [Currently: yes. Solution: host Jenkins on AWS, or use Git CI/CD, to keep GCP out of scope (affects cost).]
    • Have network connectivity to production systems. [Currently: yes; we have monitoring instances (apollo) on GCP, so it falls into scope. Solution: use SigNoz Cloud, or host apollo on AWS, to keep GCP out of scope (affects cost).]

If your dev environments are completely isolated and contain only synthetic/test data, the auditor might scope them out — but you have to prove that isolation and data policy.


2. The auditor’s perspective


When they audit, they’ll:

  • Map all systems that affect the confidentiality, integrity, and availability of your service.
  • Include all cloud providers, SaaS tools, CI/CD pipelines, and admin workstations that touch those systems.

So, even if GCP is “just for dev,” if you use it for:

  • CI/CD builds that push to AWS
  • Staging environments where customer data is temporarily loaded for debugging
  • Testing that requires live connections to production APIs

… then GCP will be in scope.


Based on the current analysis, yes, GCP will fall within the scope of the audit. We can avoid that if we opt to implement proper isolation and demonstrate it to the auditor.

Scope reference (from a ChatGPT web search):

https://www.assurancelab.cpa/resources/post/soc2-scope