Information Security Context, Requirements and Scope

Introduction

Vertic Pty Ltd is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2013, the international standard for information security.

The purpose of this document is to describe the way the business operates, internal and external factors influencing it and to highlight in general terms the potential consequences of a security breach. This will allow the most appropriate mix of control measures to be put in place to reduce the level of risk and to ensure that plans are available and tested to manage the impact of any interruptions that do occur.

Specifically, this document sets out:

  • The context of the organization

  • External and internal issues relevant to the purpose of Vertic Pty Ltd

  • Interested parties relevant to the ISMS

  • Information security requirements of these interested parties

  • The scope of the ISMS, including its boundaries and applicability

This document will be updated at least annually and when significant change happens to the relevant areas covered.

Organisational context

The organisational context of Vertic Pty Ltd is set out in the following sections. Given the fast-moving nature of the business and the markets in which it operates, the context will change over time. This document will be reviewed annually and any significant changes incorporated; the ISMS will also be updated to cater for the implications of such changes.

Activities

Vertic Pty Ltd undertakes a wide range of business activities within its target sectors and is constantly developing new products and services to bring to market.

Vertic, formed in 2010, is a specialist consulting firm focusing on the delivery of Salesforce digital solutions. Salesforce is a cloud-based CRM platform which, in most cases, requires implementation services that can include the following:

  • Project Management, including Scope and Budget Management

  • Solution Design and Architecture

  • Solution Development and Deployment

  • System Testing and Performance Testing

  • User Training and Solution Documentation

Vertic provides its services primarily within the Australian non-profit sector, delivering solutions such as fundraising, membership, payment and NDIS functions. Vertic operates mainly in Victoria and New South Wales, with a limited number of customers outside these geographic areas.

Functions

Vertic Pty Ltd consists of the following organisational functions:

  • Project Management

  • Solution Design and Architecture Consulting

  • Solution Testing and Deployment

  • Implementation Advice and Guidance

  • Technical Development (Programming)

  • Reporting and Dashboard Development

  • Solution Documentation and Training Material Development


An organization chart is shown below:

Figure 1: Organization chart

The Vertic team is based in Melbourne, Australia. Team members may at times relocate temporarily, but Vertic's base remains Melbourne, Australia. Our outsourced development team is located in Europe.

Services

Vertic Pty Ltd offers the following major services to its customers:

  • Salesforce platform implementation services, as detailed in section 2.2 (Activities) above

  • Packaged Solutions, including payment solutions. These are high-margin implementations.

  • Ongoing support services, including recurring revenue streams to assist clients with maintaining their Salesforce systems.

All services are delivered within Salesforce development guidelines, and Vertic is a registered Salesforce partner.

Major partnerships

Vertic Pty Ltd has a policy of forming partnerships with other organisations which complement its own offerings and bring increased benefits to its customers.

The following major partnerships are currently in place:

  • Salesforce, as this is the digital platform we implement. We are registered Salesforce implementation and ISV (independent software vendor) partners.

  • We implement the following Salesforce products:

    • Salesforce Sales Cloud

    • Salesforce Service Cloud

    • Salesforce Pardot Marketing

    • Salesforce Field Service Lightning

    • Salesforce Experience Cloud

  • All IP developed during an implementation belongs to our clients exclusively, as detailed in our CSA (client services agreement)

Interfaces and dependencies with other organisations

Vertic Pty Ltd has relationships with several organisations to which it has outsourced aspects of its business activities. These are summarised in the following table.

ORGANIZATION NAME   OUTSOURCED ACTIVITIES   INTERFACES           DEPENDENCIES
Salesforce          Data Centre Hosting     Development          Delivery of the SaaS application
Atlassian           Data Centre Hosting     Project Management   Delivery of Solutions

Table 1: Outsourced activities

These outsourced relationships are considered when defining the scope of the ISMS.


Objectives and policies

The purpose of the ISMS is to ensure that Vertic Pty Ltd is still able to meet its defined business objectives and comply with its policies in the face of potential and actual security incidents. This section sets out what the major business objectives and policies are for the current financial year so that a clear relationship can be established between these and the objectives of the ISMS.

Business objectives

For the financial year 2022/2023 Vertic Pty Ltd has set the following major business objectives:

  • Maintenance of current technical support clients; these are recurring revenue clients

  • Growth into packaged solutions, specifically for the NDIS sector (via our Maica offering)

  • Revenue growth of 10%, as staffing constraints limit our ability to maintain quality beyond this.

Business policies

Policies have been set by the organization in a variety of areas and these must be taken account of during the information security planning process to ensure that they are met. The main relevant policies are:

  • Corporate Risk Management Strategy

  • Human Resources Policy

  • Home Working Policy

  • Flexible Working Policy

  • Equality and Diversity Policy

  • Internet Acceptable Use Policy

  • Information Security Policy

  • IT Access Control Policy

  • Legal Responsibilities Policy

Internal and external issues

There are a number of internal and external issues that are relevant to the purpose of Vertic Pty Ltd and that affect the ability of the ISMS to achieve its intended outcome(s).

Internal issues

With regard to the Vertic Pty Ltd business itself, there are a number of relevant internal issues.

These include:

  • Employee personal circumstances; a few employees have encountered personal matters that required time away from Vertic

  • Relocation; at times employees have needed to move and relocate, particularly in recent times in Europe

  • Resources and knowledge of the organization; it is difficult to find the right resources, both in terms of skill and experience

These general internal issues will be considered in more detail as part of the risk assessment process.

External issues

With regard to the external environment in which Vertic Pty Ltd operates, there are a number of relevant external issues.

These include:

  • Political landscape; this is particularly relevant for our outsourced technical team, who are based in Belarus

  • Economic impacts of COVID; most organisations in Australia have been affected by COVID in some way, and Vertic is no exception

  • Supporting technologies and infrastructure; we rely on the NDIS digital systems and policies, as well as the Salesforce platform, to ensure our products remain marketable and attractive to our clients

These general external issues will be considered in more detail as part of the risk assessment process.

Risk appetite

The ISMS is designed to address the major risks that are identified to the information security of Vertic Pty Ltd. In identifying, assessing and managing these risks there are several options open to the organization according to its appetite for risk.

In general terms the organisation’s appetite for risk may be said to be moderate; the strategy of the organization is to accept reasonable levels of risk whilst making some effort to ensure measures are in place to handle risks if they occur.

This general level of risk appetite will be applied to the risk assessments that are carried out as part of the ISMS and will determine the actions that need to be taken to mitigate risk to an acceptable degree.

The criteria for assessing risk in the context of the organisation’s appetite for risk are defined in a separate ISMS document Risk Assessment and Treatment Process.

Interested parties and their requirements

This section of the document sets out the interested parties that are relevant to the ISMS and their requirements. It also summarises the applicable legal and regulatory requirements to which the organization subscribes.

Interested parties

An interested party is defined as “a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity”.

The following are defined as interested parties that are relevant to the ISMS:

 

  • Shareholders

  • Suppliers

  • Customers

  • Regulatory bodies

  • Employees of the organization

  • Contractors providing services to the organization

  • National or local government organisations

 

A list for each Interested Party is shown below:

Name of organization: Salesforce

The nature of the interest: Digital platform provider

Degree of influence over the organization: Medium

 

Name of organization: NDIS (National Disability Insurance Scheme)

The nature of the interest: Digital services provider

Degree of influence over the organization: Medium

Purpose and scope of the ISMS

Purpose

The purpose of the ISMS is to:

  1. Understand the organisation’s needs and the necessity for establishing information security management policy and objectives

  2. Implement and operate controls and measures for managing the organisation’s overall capability to manage information security incidents

  3. Monitor and review the performance and effectiveness of the ISMS

  4. Continually improve the organisation’s information security based on objective measurement

This purpose applies to the scope of the ISMS as defined below.

Potential impact of an information security incident

The impact of any specific incident will depend upon its nature, and a comprehensive risk assessment is maintained to assess and mitigate those that can reasonably be identified. In general terms the potential impact of an inability to perform normal business processes will be seen in one or more of the following key areas:

  • Loss of sales revenue

  • Loss of reputation/customer confidence

  • Breach of contractual obligations

  • Loss of business opportunity

Any security incident could damage Vertic's credibility and therefore its ability to secure clients, ultimately leading to loss of revenue.

Information security objectives

Based on the requirements and issues set out in this document, the following major objectives are set for information security:

  • Objective 1 – Maintain shareholder confidence

  • Objective 2 – Maintain customer service levels & data security

  • Objective 3 – Minimise loss of revenue

The success of the ISMS will be judged on its ability to meet these overall objectives.

Scope of the ISMS

The defined scope of the Vertic Pty Ltd ISMS considers the internal and external issues referred to in sections 3.1 and 3.2 (Internal issues and External issues) of this document, the requirements referred to in section 4 (Interested parties and their requirements) and the organizational interfaces and dependencies described in section 2.7 (Interfaces and dependencies with other organisations). It also reflects the needs of interested parties and the legal and regulatory requirements that are applicable to the organization.

The scope is defined below in terms of the parts of the organization, products and services and related activities.

Organisational

The ISMS includes the following parts of the Vertic Pty Ltd organization:

  • Head Office, based in Melbourne, Australia

  • Any remote offices (primarily Home Offices) for Vertic’s employees

Products and services

The following products and services are within the scope of the ISMS:

  • Vertic’s implementation services

  • Vertic’s ongoing technical support services

Activities

The following activities are within the scope of the ISMS:

  • Project Management

  • Solution Design & Implementation

  • Solution Deployment (using the Salesforce Platform)

  • Client Communications (using the Atlassian Platform)

Exclusions

The following areas are specifically excluded from the scope of the ISMS:

  • Any outsourced tasks and activities not directly performed by Vertic Pty Ltd

 

Related content

  • Vertic's Information Security Roles Responsibilities and Authorities

  • Information Security Roles Responsibilities, Procedures, and Authorities

  • Vertic Operational Implementation Processes