Scope

Auto review

Define the compliance framework, identify applicable controls, and map to systems

Hats: 2
Review: Auto
Unit Types: Framework Mapping, System Inventory
Inputs: None

Hat Sequence

1. Compliance Analyst

Focus: Analyze the target regulatory framework(s), identify all applicable controls, and determine which organizational systems and processes fall within scope. Understand the regulatory landscape before mapping begins.

Produces: Framework analysis with applicable controls identified, regulatory obligations cataloged, and initial scope recommendations.

Reads: Intent problem statement, target framework documentation, organizational context.

Anti-patterns:

  • Assuming all controls apply without evaluating applicability
  • Ignoring overlapping requirements across multiple frameworks
  • Not documenting the rationale for scope inclusion/exclusion decisions
  • Treating compliance as a checkbox exercise rather than understanding the control's intent
  • Skipping the regulatory context that explains why a control exists

2. Scope Definer

Focus: Map applicable controls to specific systems, services, and data flows. Define clear scope boundaries with explicit inclusion/exclusion rationale. Build the system inventory that drives downstream assessment.

Produces: Control-to-system mapping, system inventory with data classifications, and scope boundary document.

Reads: Compliance analyst's framework analysis, organizational architecture documentation.

Anti-patterns:

  • Defining scope too broadly, making assessment unmanageable
  • Defining scope too narrowly, leaving critical systems unaddressed
  • Not classifying data handled by each in-scope system
  • Omitting third-party services and integrations from the inventory
  • Leaving scope boundaries ambiguous or undocumented

Criteria Guidance

Good criteria examples:

  • "Control mapping identifies all applicable controls from the target framework with justification for any exclusions"
  • "System inventory lists every in-scope service, data store, and integration with its data classification"
  • "Scope boundary document clearly defines what is in-scope and out-of-scope with rationale for each decision"

Bad criteria examples:

  • "Scope is defined"
  • "Controls are mapped"
  • "Systems are inventoried"

Completion Signal

Control mapping exists linking framework requirements to specific systems and owners. System inventory is complete with data classification for each asset. Scope boundaries are documented with explicit inclusion/exclusion rationale. All applicable regulatory obligations are identified and prioritized.
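As an added example that is not part of this page or of the tool it describes, the following Python script encodes the Scope Definer anti-patterns, the "good criteria" and the completion signal above as mechanical checks over a scope package: every applicable control must map to an in-scope system with an owner, every excluded control must carry a justification, every in-scope asset must have a data classification, and every scope decision must carry a rationale. The `System` and `Control` types, the classification labels and the sample entries (system names, owners, `CTRL-xx` identifiers) are assumptions constructed for illustration.

```python
"""Validate a compliance scope package against explicit completion criteria.

Every name and sample value here is constructed for illustration; a real
package would be loaded from the team's inventory and control-mapping files.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed classification scheme; adjust to the organization's own labels.
VALID_CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}


@dataclass
class System:
    name: str
    owner: str
    classification: Optional[str]
    third_party: bool = False   # kept explicit so vendors are not dropped from the inventory
    in_scope: bool = True
    rationale: str = ""         # why this system is in or out of scope


@dataclass
class Control:
    control_id: str
    applicable: bool
    exclusion_rationale: str = ""
    systems: List[str] = field(default_factory=list)  # names of mapped systems


def validate_scope(systems: List[System], controls: List[Control]) -> List[str]:
    """Return a list of findings; an empty list means the package meets the criteria."""
    findings: List[str] = []
    by_name: Dict[str, System] = {s.name: s for s in systems}

    for s in systems:
        # Scope boundaries must be documented with rationale, in or out.
        if not s.rationale:
            findings.append(f"system {s.name}: scope decision lacks rationale")
        if s.in_scope:
            if s.classification not in VALID_CLASSIFICATIONS:
                findings.append(f"system {s.name}: missing or invalid data classification")
            if not s.owner:
                findings.append(f"system {s.name}: no owner assigned")

    for c in controls:
        if not c.applicable:
            # Excluding a control is fine only when the reason is written down.
            if not c.exclusion_rationale:
                findings.append(f"control {c.control_id}: excluded without justification")
            continue
        if not c.systems:
            findings.append(f"control {c.control_id}: applicable but mapped to no system")
        for name in c.systems:
            target = by_name.get(name)
            if target is None:
                findings.append(f"control {c.control_id}: maps to unknown system {name}")
            elif not target.in_scope:
                findings.append(f"control {c.control_id}: maps to out-of-scope system {name}")
    return findings


def coverage_by_system(controls: List[Control]) -> Dict[str, Set[str]]:
    """Invert the mapping: which applicable controls touch each system."""
    coverage: Dict[str, Set[str]] = {}
    for c in controls:
        if c.applicable:
            for name in c.systems:
                coverage.setdefault(name, set()).add(c.control_id)
    return coverage


def sample_scope() -> Tuple[List[System], List[Control]]:
    """Constructed sample package that deliberately trips four of the checks."""
    systems = [
        System("payments-api", "team-payments", "restricted", rationale="processes cardholder data"),
        System("marketing-site", "team-web", "public", in_scope=False, rationale="holds no regulated data"),
        System("billing-saas", "vendor-mgmt", None, third_party=True, rationale="third-party invoice processor"),
    ]
    controls = [
        Control("CTRL-01", True, systems=["payments-api", "billing-saas"]),
        Control("CTRL-02", True),                      # applicable but unmapped
        Control("CTRL-03", False),                     # excluded, no justification
        Control("CTRL-04", True, systems=["marketing-site"]),  # mapped to out-of-scope system
    ]
    return systems, controls


if __name__ == "__main__":
    systems, controls = sample_scope()
    for finding in validate_scope(systems, controls):
        print("FINDING:", finding)
    for name, ids in sorted(coverage_by_system(controls).items()):
        print(f"{name}: {sorted(ids)}")
```

Running the script on the constructed sample reports the unclassified third-party system, the unmapped control, the unjustified exclusion and the control pointing at an out-of-scope system; the coverage table then shows which in-scope systems each surviving control actually constrains, which is the artifact a downstream assessment hat consumes.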