SOC 2 Scoping and Pricing Questionnaire

The intent of this form is to gather initial information about your technology infrastructure and intent so that we can properly plan a SOC 2 audit. All information provided in this form is strictly confidential. Send completed forms to Steve Vasconcellos at svasconcellos@clarknuber.com.

Section 1: Tell Us More About Your Needs

1. What is your role in the organization?
   Executive Leadership (Founder, CEO, COO, CFO)
   IT or Engineering Leadership
   Security Program Management
   Other – (please describe)
2. Help us understand your business. Can you describe it below?

3. Do you have dedicated security management personnel?
   Yes
   No

4. What is driving compliance for you?
   Immediate customer requirement
   Staying ahead of customer requirements
   Other – (please describe)

Sensitive Protected Information

5. What type of report do you need?
   Type 1
   Type 2
   Not sure

6. What criteria do you want included in your report? Select all that apply:
   Security
   Confidentiality
   Integrity
   Availability
   Privacy
   Not sure? Security is the minimum required criterion. Read more about the various criteria here.

7. When would you like to be compliant by?

Section 2: Tell Us About the Scope and Bounds of Your Security Program

1. What type of sensitive data are you trying to secure? Select all that apply:
   Personally identifiable information
   Electronic health information
   General confidential client information

2. What is the best option that describes your scope?
   Custom web application
   Custom web application and supporting financial or ERP system
   Entire organization including people, process, and technologies
   Other, please describe:

3. How would you describe your system architecture? Select all that apply:
   Monolith architecture on public cloud (e.g. AWS)
      Virtual instances (e.g. EC2)
         How many instances?
      Serverless instances (e.g. Fargate)
   Microservice architecture on public cloud
      Orchestration of containers
         How many containers? (General range is fine):
      Serverless computing
   On-premise physical servers or private cloud (including hybrid cloud models)
      How many servers? (General range is fine):
   Architecture comprising third-party business applications

Section 3: Tell Us About Your Security Program

1. Do you have a list of security controls mapped to applicable compliance frameworks?
   Yes
   No

2. Have you been audited against a compliance framework before? Select all that apply:
   Yes
      In accordance with established standards (e.g., SOC, ISO, NIST, HIPAA, SSPA)
      High-level review of documentation by third-party consultants
   No

3. Do you have common IT security policies in place (e.g., IT security, incident response, business continuity)?
   Yes
   No
   Some

4. What are your biggest security concerns? Can you describe them below?