
What are in-scope production systems?

Understand what production systems are in scope for your audit.

Written by Suzette Richards
Updated over 11 months ago

Knowing which of your organization’s production systems are in scope sets you up for a strong compliance posture and an easy audit.

  • In-scope refers to anything that will be reviewed during your audit or review for your compliance framework.

  • Production system means any system that supports your organization’s services or application.

For example, say that your organization provides a service or application for payment processing. Your compliance framework helps ensure that you’re handling sensitive payment data appropriately. In this case, all production systems that support payment processing would be considered in-scope production systems.

In-scope Production System Locations

In-scope production systems can be hosted and managed by a cloud service provider (CSP) (i.e., in the cloud) or in a data center at one of your organization’s physical locations (i.e., on premises). Depending on your organization’s information technology (IT) infrastructure and environment setup, your in-scope production systems may be only cloud-based, only on premises, or a combination of the two.

In-scope Production System Components

Knowing the common components of in-scope production systems allows you to implement compliance controls across your infrastructure. System components include consoles, databases, firewalls, applications, operating systems, and networks.

Production Cloud Console

The production cloud console is a dashboard interface that provides access to any cloud-based production resources that support your organization’s in-scope service.

Examples: Google Cloud console, Amazon Web Services (AWS) Management Console, and Microsoft Azure Serial Console

Production Databases

Production databases are repositories where your organization stores any customer or sensitive data it collects or manages in order to provide an in-scope service.

Production Firewalls

Production firewalls are the technical barriers used to control network traffic coming into and going out of your production environment. Firewalls can be physical devices like proxy servers, software like host-based applications, or virtual appliances in a private or public cloud like Microsoft Hyper-V, AWS, and Google Cloud Platform (GCP).

Production Applications

Production applications are the software offerings an organization provides to a customer as part of the organization’s services – in other words, it’s your organization’s product; the first S in SaaS.

Examples: browser-based word processors, integrated messengers, and data processing software.

Production Operating System

The production operating system is the software your organization uses to access, operate, and manage its services and system components.

Examples: Windows, macOS, Linux, Oracle VM VirtualBox, and Kernel-based Virtual Machine (KVM)

Production Network

The production network is the segment of your organization’s network where production assets reside and where customer data is stored. This part of the network is used to provide your organization’s in-scope services. For organizations whose service is only hosted using a CSP, the production network is limited to their production cloud console.

Production Code Repository

The production code repository is the code repository used to make production changes to your infrastructure and software.

Examples: GitHub, Bitbucket, etc.

