ISMS Scope

1. Purpose, Scope and User

The purpose of this policy is to determine the boundaries and applicability of the VSHN’s ISMS. It covers in a high level what VSHN does, which products and services are in scope, and what information needs to be protected.

The main purpose of this document is that the CISO and the ISM Governance role has a reference for working with the ISMS. The CISO is responsible to educate VSHNeers where needed about the scope.

2. VSHN’s Identity

VSHN’s identity and its vision is documented in the handbook and the ISMS. This identity is the overall purpose and reason why VSHN exist and VSHN’s ISMS should be an integral part of the identity.

Main points of VSHN’s identity are:

VSHN helps the software industry to continually focus on their core business.
VSHN is a technology leader at bringing new solutions into continuous operations.
VSHN is not one product or one business; there are various business areas with different products and (managed) services.

3. Companies

The scope includes both legal entities, VSHN AG (Switzerland) and VSHN Canada - The DevOps Company Inc. as a 100% daughter company of VSHN AG. The Canada branch uses most of the supporting processes from VSHN Switzerland and has own assets to be protected.

4. Value Streams

VSHN’s core business lies within the value streams and their products and services. All value streams are documented in the handbook in the Organizational Structure section. Below a representation of the structure:

All developed and managed products and services fall within the scope of the ISMS, with distinct boundaries for each. Physical infrastructure is out of scope for all value streams or products.

4.1. AppFlow

AppFlow primarily focuses on consulting and delivering solutions for customers. The scope includes the team members doing consulting and the data they process during the consulting. The final deliverable of the consulting is outside the scope if not managed by VSHN.

4.2. AppOps

The scope includes services defined in the VSHN Product overview as AppOps. The boundary is set where the product description ends and the customer uses the service with its data. Customer owned data using the service is out of the ISMS scope.

4.3. Application Catalog

The scope includes all services developed and documented in the Service Overview in VSHN Products documentation. Also included are the SLA and Data Protection which are guaranteed in the documentation. Customer owned data using the service is out of the ISMS scope.

4.4. Managed OpenShift & APPUiO

The scope includes all services as defined by Managed OpenShift respectively APPUiO product. The workloads running on top those services are out of the ISMS scope. Customer owned data using the service is out of the ISMS scope.

4.5. Managed Server based Services

The scope includes all relevant software and configurations needed to provide the service/product as defined in the specific product description or the general Managed Service description. Out of scope is the everything below the layer of the operating system (hypervisor, hardware, physical network). Customer owned data using the service is out of the ISMS scope.

5. Corporate IT

The scope includes all IT systems which are running services for VSHN, these are namely:

Services run as managed services
Services run as workload on APPUiO
Services run as SaaS on any provider
Employee laptops
Any other IT component storing VSHN data
Physical servers such as backup servers

6. Supporting processes

The scope includes all supporting processes and domains in VSHN which are needed to run the business. They are documented in Supporting Domains or as Roles and cover the following.

People Strategy and Operations (HR)
Marketing
Sales and Account Management
Business Strategy
Product Management
Finance: Accounting, Budgeting, Procurement
Legal & Compliance

7. Data

The scope includes:

Customer data VSHN processes on behalf of the customer is included into the scope.
Customer and company data on the computers of VSHN AG.
Customer and company physical documents at the location of VSHN AG.

Out of scope of VSHN’s ISMS is:

Customer data which are processed by the customer’s own services using VSHN services.

8. Physical Locations

The scope includes VSHN’s office in Zürich, Neugasse 10, including the assets in the storage room. Mainly the information stored on paper and the proper functioning of the infrastructure such as office WLAN and printer have to be protected by ISMS processes. The coffee room in the entrance is out of scope.

Outside of the scope is the additional meeting room called VSHNtower in the top floor in Neugasse 6. This room is comparable to a coffee shop location. No data shall be stored there.

VSHN Canada does not have physical locations.

9. Reference Documents

ISO/IEC 27001:2022 Standard, Section 4.3
Wiki Documentation about Kontext der Organisation und interessierte Parteien

This policy is tracked by the CISO and approved by the management with ticket ISMS-152

Approval date	2024-06-25
Approved with	ISMS-1333 in MR 1027
Last reviewed	2024-06-25 with ISMS-1333
Classification	Public

Approval date

2024-06-25

Approved with

ISMS-1333 in MR 1027

Last reviewed

2024-06-25 with ISMS-1333

Classification

Public