Context of the Organization & Interested Parties
Document ID: DPWAT-ISMS-GOV-002
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-08-18
Next review: 12 months after effective date (or on major change)
1. Internal and external issues (ISO 27001 clause 4.1)
Internal issues:
- Small, remote-first company with a mix of employees and contractors/consultants.
- Heavy use of SaaS/cloud services; minimal on-prem infrastructure.
- Projects are customer-driven; security requirements vary by customer contract.
- Limited dedicated security staffing; governance is shared across leadership roles.
External issues:
- Customer expectations and contractual commitments (including confidentiality and IP protection).
- Regulatory requirements (e.g., GDPR and local labor/accounting rules).
- Supplier/third-party dependencies (Google, GitHub, Apple/iCloud, Cloudflare, JetBrains, coworking space, etc.).
- Security threat landscape (phishing, credential theft, device loss, SaaS compromise, supply-chain risks).
Context analysis (PEST/SWOT summary)
PEST factors:
| Factor | Key considerations |
|---|---|
| Political | EU regulatory environment stable; Romania is an EU member state; no material political risk to operations |
| Economic | Software consultancy demand steady; EUR/RON currency considerations for international clients |
| Social | Remote work normalized post-pandemic; talent market competitive; security awareness improving industry-wide |
| Technological | Rapid AI/LLM adoption in development workflows; increasing SaaS dependency; evolving threat landscape |
SWOT summary:
| Strengths | Weaknesses |
|---|---|
| Agile, cloud-native operations | Small team limits redundancy |
| Strong technical expertise | Limited dedicated security resources |
| Established customer relationships | Dependency on key personnel |

| Opportunities | Threats |
|---|---|
| Growing demand for secure development | Sophisticated phishing/social engineering |
| ISO certification as differentiator | Supply chain attacks on SaaS providers |
| AI-assisted security tooling | Regulatory complexity (multi-jurisdiction) |
2. Interested parties and requirements (ISO 27001 clause 4.2)
| Interested party | Needs/expectations | How we address |
|---|---|---|
| Customers | Confidentiality of source code and data; controlled access; incident communication | Contracts, access control, secure development, incident management |
| Employees/contractors | Clear rules, tools, training, safe remote work | Policies, onboarding, training, acceptable use |
| Certification body / auditor | Evidence that ISMS is implemented and effective | Registers, records, internal audits, management review |
| Regulators / authorities | Compliance with applicable legal requirements | Compliance monitoring, privacy/PII policy, incident reporting decision process |
| Key suppliers (SaaS/cloud) | Secure use of services; account governance | Supplier management, access controls, monitoring |
| DP COWORKING SRL (related entity) | Proper separation of operations; clarity on tool administration responsibilities | Supplier register, access controls, periodic review |
| Coworking facility & on-site service providers | Appropriate behavior and access limitations | Physical security policy, visitor rules, supplier classification |
3. Applicable legal and regulatory requirements
DP WAT operates primarily within the European Union legal framework, with personnel and customers in Romania, Germany, the Netherlands, and the UK (UK GDPR applies where UK customers or data subjects are involved). Applicable requirements include:
| Category | Requirement | Notes |
|---|---|---|
| Data protection | GDPR (EU) / UK GDPR | DP WAT is typically a processor when handling customer data and does not act as controller for customer PII or special-category personal data; DPAs are signed with most customers as part of the customer contract. DP WAT is a controller only for its own personnel and business-contact data (e.g., employment and invoicing records). |
| Contractual | Customer contracts, NDAs, DPAs | Security requirements vary by customer and are identified at project kickoff; DPAs are signed with most customers. |
| Employment | Romanian labor law; contractor agreements | Confidentiality clauses, offboarding obligations. |
| Corporate | Romanian commercial/accounting law | Standard business compliance; Administrator (Anna Boros) handles. |
Legal requirements monitoring
The Administrator (Anna Boros) monitors changes to applicable legal and regulatory requirements through:
- Monitorul Oficial (Romanian Official Gazette) — primary source for Romanian legislative changes
- Public regulatory sources — ANSPDCP (data protection), ANAF (fiscal), Ministry of Labor
- Industry news and professional networks — for early awareness of upcoming changes
- External advisors — legal counsel and accounting firm flag relevant changes
Special attention is given to changes in the Romanian Fiscal Code and GDPR guidance. Material changes are discussed in management review and documented as needed.
4. Contractual requirements
Customer-specific security requirements are identified during project kickoff (see template-project-security-checklist) and tracked as needed.