ISMS Scope
Document ID: DPWAT-ISMS-GOV-001
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-08-18
Next review: 2027-02-01 (or on major change)
1. Purpose
This document defines the scope and boundaries of DP WAT’s Information Security Management System (ISMS) in line with ISO/IEC 27001:2022 clause 4.3.
2. Organization
- Legal entity: DP WAT S.R.L.
- Standard: ISO/IEC 27001:2022 (adopted as SR EN ISO/IEC 27001:2023 on certificate)
- Headquarter (certificate): 16 Anton Pavlovici Cehov Street, 2nd Room, Timișoara, 300776, Timiș County, Romania.
- Work site (certificate): 5 Proclamația de la Timișoara Street, 2nd Floor, A Office, Timișoara, 300054, Timiș County, Romania.
- Operating model: Remote-first within the European Union; minimal on-premise infrastructure.
3. Scope statement
In scope:
- Custom software development activities (customer-oriented).
- Information technology consulting activities.
- Development of B2B cloud solutions.
- DP WAT-managed information and supporting systems used to deliver services, including but not limited to:
  - Identity and collaboration: Google Workspace
  - Team chat (as applicable): Slack workspace devplant (owned/administrated at tenant level by DP COWORKING SRL)
  - Cloud platforms: Google Cloud, Microsoft Azure
  - Source code and CI/CD: GitHub (and/or other code hosting as used per project)
  - Issue tracking/project management: JetBrains (e.g., YouTrack)
  - Cloud storage: Google Drive, iCloud Drive
  - Website and edge services: Cloudflare
  - AI services used for delivery (as applicable): OpenAI, Anthropic (Claude)
  - Business tooling (as applicable): LinkedIn, Adobe
- Company-owned endpoints used for work (primarily Apple laptops and mobile phones).
- Customer-owned endpoints used for DP WAT work when they access DP WAT information/systems (treated as third-party assets with risk-based controls).
- People and processes supporting delivery (employees, contractors, consultants).
3.1 Certificate scope wording (for alignment)
The current certificate scope wording provided by DP WAT (redacted registration number/dates) is:
Custom software development activities (customer-oriented)
Information technology consulting activities
Development of B2B cloud solutions
Out of scope / exclusions (must match reality):
- Customer-owned production infrastructure where DP WAT has no administrative control, except for access explicitly granted to DP WAT for support work.
- Security configuration management of customer-owned devices (DP WAT does not manage them), except for DP WAT-required behavioral controls and access controls.
- Physical security controls for facilities not operated by DP WAT (e.g., coworking), except requirements imposed on DP WAT staff/visitors and supplier management controls.
4. Customer projects and data access
DP WAT maintains a register of active and recent customer projects: customer-project-register
The register documents per project:
- Infrastructure ownership (DP WAT-managed vs customer-managed)
- DP WAT access to infrastructure and production data
- Data sensitivity classification
- Environment separation practices
- Identity provider/user management
This informs risk assessment and helps ensure controls are proportionate to actual data access.
5. Interfaces and dependencies
DP WAT depends on external providers for key ISMS processes (identity, source code hosting, project management, storage, communications). Supplier management, incident handling, and continuity planning address these dependencies.