ISMS Context of the Organisation and Interested Parties

1. Purpose and Scope

This document defines the organisational context of VSHN AG and identifies the internal and external issues relevant to its Information Security Management System (ISMS), as required by ISO/IEC 27001:2022 clauses 4.1 and 4.2. It outlines what VSHN does, how it operates, and the factors influencing its approach to information security.

The ISMS applies to all information assets, personnel, and operations of VSHN AG, including its subsidiary in Canada. This document is intended for all VSHN AG staff, ISMS Interest Group members, and the Board of Directors.

2. Organisational Context

Founded in 2014, VSHN AG is a privately-owned Swiss IT service company headquartered in Zurich with a subsidiary in Vancouver, Canada. With around 41 employees, VSHN specialises in operating IT platforms based on DevOps, automation, and lean startup principles. Its key offerings include system engineering, cloud and configuration management, continuous delivery, 24/7 operations, and DevOps consulting.

VSHN serves software developers and web agencies, primarily within the German-speaking part of Switzerland. The company has recently attracted customers in Germany and Austria and has long-term plans to offer its services internationally.

The Organizational Structure outlines how the organisation is structured, with an overview of all Teams and VSHNeers in VSHN.

A list of provided services and products is available in the VSHN Offerings - Portfolio Overview.

Partnerships are detailed in Partner Management, and the list of key suppliers can be found in Monitoring and Evaluation of Supplier Services.

2.1. Objectives and Policies

The objective of the ISMS is to ensure that VSHN AG can meet its defined business objectives and policies even in the event of potential or actual security incidents.

Business and organisational objectives are set hierarchically:

  • The Board (“Verwaltungsrat”)

    • sets the 1-3 or 5 year strategy (representing the Shareholders of the company) and financial targets, usually in collaboration with Product Management. This is usually communicated through internal announcements via E-Mail and All-hands events, and recorded on a Wiki page.

    • reviews and refines the understanding and formulation of our Vision and Mission statements and high-level market positioning, publicly visible at VSHN’s Identity.

  • Product Management is responsible for setting yearly OKRs (Objectives and Key Results) for the Business Areas of VSHN or for the business as a whole, usually in collaboration with the Board, which has to consent to these objectives. They are tracked on VSHN OKRs Overview.

  • Product Management is then responsible for breaking down the yearly objectives into more tangible shorter-term objectives, usually quarterly Business Area Objectives or Product Roadmaps. These are tracked on VSHN OKRs Overview and in specific product management tooling (for example Jira Product Roadmaps).

  • Teams might also set Team-level objectives.

  • Responsible Teams or Roles plan the initiatives and work packages that contribute to the set Team and Business Area objectives.

Policies are established by the responsible roles (for example People (HR), Finance, Organizational Development, Technical Committees and Work Groups, or at the Team level) and are usually documented publicly in our VSHN Handbook or, if confidential, in our wiki. Policies are binding through the work contract, Team-level agreements or VSHN-wide agreements. They must be considered when planning information security to ensure that they are adhered to, and they are reviewed and adapted where needed to comply with ISMS policies. The ISMS-relevant policies can also be found in the handbook at ISMS Policies and in Confluence in VSHN ISMS.

3. Internal and External Issues

VSHN’s ability to achieve ISMS objectives depends on understanding both internal and external issues.

3.1. Internal Issues

Relevant internal factors include the flat hierarchy based on Sociocracy 3.0, well-defined roles, a strong security culture, low staff turnover, and a stable growth trajectory. Challenges include high operational complexity, partial role overlap, and risks linked to heavy reliance on specific personnel and systems.

Topic

Requirements

Strengths

Weaknesses

ISMS Coverage

Organizational structure

  • Independent organization of information security

  • Independence of the company

  • Short decision-making and communication channels

  • Personnel costs are high

Yes - The ISMS ensures independence of information security through defined governance, roles, and procedures.

Roles and responsibilities

  • Clear definition of roles and competencies

  • Clear definition available

  • Individuals cover different roles

Yes - The ISMS establishes role-based access control and responsibilities to reduce risk of role overlap.

Business strategy and objective

  • ISMS is a central component of the business strategy

  • Commitment of the Board of Directors

  • Provision of the necessary resources

  • Other areas could be weighted higher

Yes - ISMS objectives are aligned with the organisation’s strategic goals and are regularly reviewed.

Skills and resources

  • Proof of competence, maintenance, development

  • Regular training courses

  • Low staff turnover

  • Lack of training

Yes - Ongoing training, onboarding, and awareness programmes are part of the ISMS implementation.

Organizational culture

  • Identification with ISMS

  • Integration of the ISMS into existing processes and guidelines

  • -

Yes - The ISMS is integrated into the corporate culture and documented in security policies and routines.

Information systems and processes

  • Maintaining operational safety

  • High degree of automation

  • 24/7 operations & readiness

  • Lack of standardization of information systems

Yes - ISMS includes controls for system availability, backup, incident response, and standardised procedures.

Employee relations

  • Binding employee knowledge to the company

  • Low fluctuation

  • Small teams

  • Flat hierarchy due to Sociocracy 3.0

  • High proportion of home office can lead to decoupling from the company

Yes - The ISMS requires knowledge retention, staff awareness and documentation of security-relevant processes.

Financial development of the company

  • Steady growth necessary in the medium term

  • Rolling budget and liquidity planning established

  • Stabilization achieved by the end of 2023

  • Decline in sales in 2022 and 2023

  • Focused on certain specific technical areas.

Partially - While financial planning is outside the ISMS scope, financial stability supports ISMS resourcing.

Contractual relationships

  • Compliance with contractual relationships

  • Central storage of contracts

  • Regular review of contractual relationships

  • Large number of different contract terms

Yes - Contractual obligations, SLAs, and NDAs are managed and monitored under ISMS compliance checks.

3.2. External Issues

External factors include evolving legal and regulatory environments (for example GDPR, Swiss DSG), political stability, environmental risks, supplier reliability, technological advancements, and global competition.

Topic

Requirements

Opportunities

Threats

ISMS Coverage

Possible legal or regulatory changes, e.g. with regard to personal data

  • Compliance with the regulations

  • Legal certainty in Switzerland

  • Regulations from abroad that also affect us or our customers, for example EU General Data Protection Regulation

  • For data storage abroad, possibly relevant for customers

  • For some customers, services must be provided exclusively from within Switzerland

Yes - Compliance with GDPR, DSG, and FINMA is embedded in ISMS policy and legal monitoring processes.

Political unrest

  • Ensuring the safety of employees

  • Ensuring the operation of services

  • Politically stable environment

  • May be relevant for expansion abroad

  • Relevant for customers if data is stored abroad

Yes - Business continuity planning and location risk assessments are ISMS controls that mitigate this.

Environmental risks, for example forest fires or floods

  • Ensuring the safety of employees

  • Ensuring the operation of services

  • NTT Data Center Rümlang (Cloudscale): secure location

  • Neugasse 10: Risk of flooding according to Zurich hazard map

Yes - Physical security and disaster recovery measures are part of the ISMS risk treatment plan.

Economic factors: Loss of suppliers

  • Services must be guaranteed

  • Regional suppliers

  • Short information channels

  • High supplier transparency

  • Fast migration of affected customers to another supplier possible

  • Partly small, young companies with cluster risk

Yes - Supplier risk assessment and contingency planning are part of the ISMS supplier management process.

Increasing globalization of supply and demand

  • Avoid losing customers to competitors as far as possible

  • International growth (VSHN Canada)

  • Cost pressure due to competition from abroad

Partially - ISMS indirectly supports business reputation and client retention via trustworthy operations.

Technological progress

  • Further develop our products in line with market requirements

  • Growth based on extensive experience and knowledge

  • Competitors who develop better products and services

Yes - ISMS is regularly updated to address technological change, new threats, and secure new tools.

Climate Change

  • Ensure operational state of services

  • Fulfil customers’ expectations

  • Selection of data centers with renewable energies and/or a small carbon footprint

  • Rising electricity costs due to cooling

4. Interested Parties and Their Requirements

The following groups have an interest in VSHN’s ISMS, each with specific needs and expectations:

  • Customers: Expect confidentiality, integrity, and availability of services and data.

  • Suppliers and Partners: Must comply with contractual security controls.

  • Regulators and Industry Bodies: Impose legal and standards-based compliance requirements.

  • Employees: Need training and awareness to uphold security procedures.

  • Management: Ensures resources, oversight, and alignment with risk appetite.

  • Auditors and Certification Bodies: Validate ISMS effectiveness and conformity.

  • Media and Public: Hold expectations regarding VSHN’s reputation and transparency.

Communication with interested parties takes place in accordance with the following document: Kommunikation

5. Risk Appetite

VSHN AG adopts a moderate risk appetite, aiming to balance operational agility with appropriate controls to protect its information assets. Risks are assessed and managed in line with the methodology defined in the Risk Assessment and Risk Treatment document: ISMS Risk Methodology.

VSHN complies with all applicable Swiss and international legal, regulatory, and contractual requirements relevant to information security, including but not limited to data protection laws, procurement regulations, intellectual property rights, and labour laws.

The list of legal, official and contractual requirements can be viewed here: Liste gesetzlicher amtlicher vertraglicher Anforderungen

7. Document Ownership and Review

This document is owned by the Board of Directors and must be reviewed at least annually with Repeating Ticket - Annual Review of "02 Context of the Organisation and Interested Parties" or following significant organisational changes. Review and updates are conducted according to Sociocracy 3.0 governance processes.

Until 2025 this policy existed as [Deprecated] 02 Kontext der Organisation und interessierte Parteien and was in German; for full history see that page.

8. Reference Documents

  • ISO/IEC 27001:2022 Standard sections:

    • 4.1 - Understanding the organization and its context

    • 4.2 - Understanding the needs and expectations of interested parties

  • The documents mentioned above

This policy is tracked and approved by the CISO with ticket ISMS-225.

Approval date: 2025-05-19

Approved with: ISMS-1308

Last reviewed: 2026-03-03 with ISMS-1924

Classification: Public