Defining the system boundary requires identifying where regulated or sensitive data resides, how it flows, who accesses it, and which systems support it. We begin with data flow mapping, asset identification, and role analysis before documenting scope. Poor boundary definition is one of the most common causes of scope expansion during review. A clearly justified boundary prevents drift and supports defensible implementation.