Information Security Context, Requirements and Scope

Purpose. This document establishes the organizational context of Soon, the internal and external issues relevant to its Information Security Management System (ISMS), the needs and expectations of interested parties, and the scope and boundaries of the ISMS. It satisfies ISO/IEC 27001:2022 clauses 4.1 (understanding the organization and its context), 4.2 (interested parties), 4.3 (determining the scope of the ISMS) and 4.4 (the ISMS itself). It is the foundational document on which the rest of the ISMS is built.


1. Introduction

Soon is committed to protecting the confidentiality, integrity and availability of the business and customer information it holds, in the face of incidents and unwanted events. To this end Soon has implemented an Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022, the international standard for information security.

This document describes the way the business operates, the internal and external factors that influence it, and the potential consequences of a security breach. This understanding allows the most appropriate mix of controls to be selected to reduce risk to an acceptable level and to ensure that plans are available and tested to manage the impact of any disruption.

Specifically, this document sets out:

  • The context of the organization (clause 4.1)
  • External and internal issues relevant to the purpose of Soon (clause 4.1)
  • Interested parties relevant to the ISMS and their requirements (clause 4.2)
  • The scope of the ISMS, including its boundaries and applicability (clause 4.3)

This document is reviewed at least annually and whenever a significant change occurs in the areas it covers.


2. Organizational context (Clause 4.1)

Given the fast-moving nature of the business and the markets in which it operates, this context will change over time. It is reviewed annually and any significant change is reflected in the ISMS.

2.1 What the organization does

Soon provides a cloud-based Workforce Management (WFM) platform delivered as Software-as-a-Service (SaaS). The platform helps organizations manage workforce operations, with core functionality covering:

  • Employee and shift scheduling (including intraday scheduling)
  • Time and attendance monitoring
  • Labour forecasting and AI-assisted auto-scheduling
  • Leave and absence management
  • Employee communications and calendar integrations
  • Custom enterprise workforce solutions

Customers access the service over the internet on a subscription basis and do not install, maintain or manage any underlying infrastructure.

2.2 Organizational facts

| Attribute | Detail |
|---|---|
| Legal entity | Soon Technologies (privately held, independent — not part of a group) |
| Founded | 2019 |
| Sector | Business software / HR technology (HRTech), WFM SaaS |
| Delivery model | Multi-tenant SaaS, subscription / tiered pricing with add-ons |
| Workforce | Small, fully remote team; no physical offices or data centres |
| Hosting | Amazon Web Services, EU-West-1 (Ireland); all customer data in the EU |
| Customer base | SMEs to large multinationals across healthcare, hospitality, manufacturing and contact centres |
| Geographies served | Europe, Asia and the Americas |
| Data residency | European Union (GDPR-aligned) |
| Security contact | security@soon.works |

2.3 Functions and structure

Soon operates the following functions: Sales & Marketing; Finance & Accounting; Human Resources; Operations; Product Research & Development; Project Management; Risk & Compliance; Consulting; Information Technology; Governance.

Due to the size and nature of the business, all functions are carried out by a small, fully remote team, with team members holding responsibilities across multiple functional areas. There are no physical offices and no on-premises data centres; all core data is stored in managed cloud services hosted in the EU. The remote model is supported by standardized procedures and shared accountability, and is explicitly included within the ISMS scope (see §6).

2.4 Products and services

The platform is offered through a tiered model (e.g. Team, Business, Enterprise) with optional add-ons (e.g. Advanced Forecasting).

| Aspect | Summary |
|---|---|
| Revenue concentration | Enterprise / Custom tier is the largest source of revenue and profit |
| Dependencies | The core WFM platform is the foundation; higher tiers extend lower-tier capability; advanced modules require an active subscription |
| High-profile services | Shift scheduling, leave management, calendar integrations, and enterprise custom solutions |
| PII processed | Names, email addresses, work schedules, remote-work indicators, leave details, and optional location data. No special-category data is required, requested or processed |
| Health & safety | Not a direct H&S tool; indirectly supports safe staffing via accurate scheduling and protection of leave/health-related data |

2.4.1 Applicable external regulation

| Regulatory area | Relevant regulation / notes |
|---|---|
| Data protection & privacy | GDPR (EU), UK GDPR, CCPA/CPRA (US), LGPD (Brazil) |
| Network & information security | NIS2 Directive (EU) |
| AI / automated decision-making | EU AI Act and comparable emerging frameworks (relevant to forecasting & auto-scheduling) |
| Labour & employment | National and sector-specific labour laws in customer regions (working hours, leave entitlements) |
| Data retention & recordkeeping | Sectoral and jurisdictional employee-data retention/deletion requirements |
| Accessibility | European Accessibility Act (EAA); comparable laws (ADA, AODA) elsewhere |
| Payment data | PCI DSS obligations met via the payment processor (Soon does not store cardholder data) |

2.5 Supply chain

Delivery of the service depends on a number of supply-chain routes. The major categories are below (specific vendors are maintained in the Information Asset Inventory and Supplier Register; ISMS-DOC-A05-9-2 / A05-19).

| # | Category | Scope | Revenue dependency |
|---|---|---|---|
| 1 | Cloud infrastructure (AWS, EU regions) | Hosting of backend, frontend delivery, data storage, integrations; compute, managed databases, serverless, CDN | High |
| 2 | Development & deployment platforms | Source control, CI/CD, build automation, release management | Indirect |
| 3 | Payment processing (e.g. Stripe) | Billing, subscriptions, transactions; PCI DSS compliant | High |
| 4 | Customer support & engagement (e.g. Intercom) | Support ticketing, onboarding, knowledge base | Medium |
| 5 | Identity & access management | Enterprise SSO/SAML, directory sync, provisioning (Entra ID, Okta, Google Workspace) | Medium |
| 6 | Monitoring, analytics & error tracking (e.g. Sentry, CloudWatch, PostHog) | APM, error tracking, behavioural analytics, operational reporting | Indirect |
| 7 | Database access & migration tooling | Schema lifecycle, runtime data access, versioned migrations | High |
| 8 | Internal business-logic APIs / microservices | Forecasting, auto-scheduling, email notification, third-party data integration | High |
| 9 | Internal collaboration & knowledge tools | Documentation, project management, communication | Low |

Supplier information-security risk is managed through the Supplier Relationships Policy and Cloud Services Policy (A.5.19–A.5.23).


3. Internal and external issues (Clause 4.1)

3.1 Internal issues — SWOT

Strengths

  • Trust-based, flexible remote culture encouraging autonomy and responsibility.
  • Shared ownership — all team members are invested in the company's security posture.
  • Small team and informal governance enable fast decisions and rapid implementation of controls.

Weaknesses

  • Use of personal equipment and home/internet connections reduces centralized control over the endpoint and network environment.
  • Limited personnel and budget constrain investment in dedicated security infrastructure and specialist roles.
  • No dedicated security personnel — specialist knowledge may be inconsistently applied.

Opportunities

  • Early adoption of scalable security practices (MDM, MFA, incident response) builds resilience as the company grows.
  • The ownership culture can be leveraged for strong individual adherence to security practices.
  • Little legacy infrastructure — modern frameworks and tooling can be adopted easily.

Threats

  • Geographically dispersed team introduces legal, regulatory and logistical complexity for data protection and incident management.
  • Informal governance risks important actions being delayed or overlooked.
  • Differences in employment status (owners vs. contractors / ZZP'ers) complicate enforcement of security obligations.
  • Financial constraints may limit advanced controls or rapid incident response.

3.2 External issues — PESTLE

  • Political — Evolving EU policy and regulation (GDPR, AI rules); stability of support for digitalization and cloud adoption.
  • Economic — Macroeconomic fluctuations affecting customer spend; dependence on third-party providers (insolvency / cost risk); intense competition in WFM SaaS.
  • Social — Rising expectations for transparency, data protection and ethical AI; shifts in remote-work trends.
  • Technological — Rapid change in cybersecurity, cloud and automation; reliance on third-party platforms (AWS, Netlify, Intercom, etc.) creating external dependencies.
  • Legal — GDPR, EU AI Act, NIS2; data-residency, cross-border transfer and sensitive-data obligations.
  • Environmental — Extreme-weather disruption risk to cloud availability; growing expectations for sustainable operations.

3.3 Risk appetite

Soon's overall risk appetite is assessed as Moderate. As a small, bootstrapped, fully-remote organization, Soon takes a pragmatic approach: it accepts certain risks where mitigation would be disproportionate to impact, but actively mitigates any risk that could affect customer data, regulatory compliance, operational continuity, or reputation. Risk criteria are defined in the Risk Assessment and Treatment Process (ISMS-DOC-06-2).


4. Interested parties and their requirements (Clause 4.2)

An interested party is "a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity."

| Ref | Interested party | Key requirement(s) | Addressed by ISMS? |
|---|---|---|---|
| R1 | Customers (data controllers) | Confidentiality, integrity & availability of their data; GDPR-compliant processing; service uptime; DPA; breach notification | Yes — access control, encryption, availability mgmt, incident response, DPA |
| R2 | Customers' employees (data subjects) | Lawful, fair processing of personal data; data-subject rights | Yes — privacy policy, data subject rights process |
| R3 | Shareholders / owners | Protect company value; avoid breaches & reputational damage; maintain revenue | Yes — overall ISMS effectiveness |
| R4 | Employees & contractors | Clear security responsibilities; secure tooling; lawful handling of their own data | Yes — HR security, acceptable use, remote working policies |
| R5 | Suppliers / sub-processors (AWS, Stripe, Intercom, etc.) | Clear security obligations; defined responsibilities under shared-responsibility model | Yes — supplier & cloud policies, agreements |
| R6 | Regulators / DPAs (e.g. EU supervisory authorities) | Demonstrable GDPR/NIS2 compliance; timely breach notification | Yes — legal register, breach notification procedure |
| R7 | Prospective enterprise customers | Evidence of security maturity for vendor due diligence / security reviews | Yes — SoA, certification, Security Overview |
| R8 | Certification body | Conformity with ISO/IEC 27001:2022 | Yes — full ISMS |
| R9 | Payment networks (PCI) | Secure handling of payment flows | Partial — delegated to PCI-compliant processor; Soon stores no card data |

Legal, regulatory and contractual requirements are identified, accessed and assessed via the Legal, Regulatory and Contractual Requirements Procedure (ISMS-DOC-A05-31-1) and recorded in the corresponding register.


5. Purpose and potential impact

5.1 Purpose of the ISMS

  1. Understand the organization's needs and the necessity of an information security policy and objectives.
  2. Implement and operate controls to manage information security and incidents.
  3. Monitor and review the performance and effectiveness of the ISMS.
  4. Continually improve information security based on objective measurement.

5.2 Potential impact of an information security incident

| Impact area | Relevance to Soon |
|---|---|
| Loss of sales revenue | High — outages or breaches can cause churn, service credits and lost subscription income |
| Loss of reputation / customer confidence | High — trust in data integrity, forecasting and availability is core to the value proposition |
| Inability to meet legal obligations | High — GDPR processing on behalf of customers; breach-notification duties |
| Breach of contractual obligations | High — uptime, confidentiality and data-protection commitments in customer contracts |
| Loss of business opportunity | High — enterprise procurement requires demonstrable security |
| Fines and penalties | Medium/High — GDPR fines; SLA penalties |
| Operational disruption to forecasting/scheduling | High (Soon-specific) — incorrect staffing decisions, missed service levels |
| Internal resource strain | Medium (Soon-specific) — small team; incident response diverts from product work |
| Risk to life / health & safety | Not applicable — Soon does not operate in environments where an incident directly endangers life |

5.3 Information security objectives

These high-level objectives are detailed, measured and tracked in the Information Security Objectives and Plan (ISMS-DOC-06-1).

  1. Protect the confidentiality and integrity of customer data — prevent unauthorized access to or alteration of PII and operational data.
  2. Ensure high availability of the platform — maintain reliable access during business-critical hours (operational), and embed security throughout the SDLC (development).
  3. Comply with applicable legal and regulatory requirements — GDPR and other statutory/contractual obligations.
  4. Maintain customer trust and confidence — transparency, responsiveness and resilience in incident management.
  5. Minimize operational and financial impact of incidents — proactive controls and clear incident response.

6. Scope of the ISMS (Clause 4.3)

The scope considers the internal/external issues (§3), the requirements of interested parties (§4), and applicable legal and regulatory requirements.

6.1 Scope statement

The ISMS covers the design, development, operation, maintenance and support of Soon's cloud-based Workforce Management (WFM) SaaS platform, including its AI-powered forecasting and auto-scheduling services, customer-facing APIs and dashboards, and the supporting cloud infrastructure operated by Soon on Amazon Web Services (EU-West-1, Ireland). It applies to all Soon personnel and contractors and to all information assets used in delivering the service, across Soon's fully-remote operating model. Customer data is processed and stored within the European Union.

6.2 Organizational scope

Included: Software development; platform maintenance & operations; customer support & success; infrastructure & cloud management (third-party platforms configured and operated directly by Soon). All personnel and contractors, operating remotely within the EU, are in scope. Controls for remote and mobile working (secure endpoint configuration, awareness training, encrypted communications, access control) apply.

6.3 Products, services and activities in scope

  • Soon's web-based WFM platform
  • AI-powered forecasting and auto-scheduling services
  • API integrations and data interfaces provided to customers
  • Customer dashboards and administrative tooling
  • Internal tooling for support, monitoring and troubleshooting of production systems

Activities: design, development, testing and deployment of the platform and forecasting modules; configuration and maintenance of cloud infrastructure; data handling, storage and processing; customer onboarding and support; incident detection, response and resolution; security monitoring, auditing and continual improvement.

6.4 Interfaces and dependencies

The ISMS operates within a shared-responsibility model. AWS and other sub-processors are responsible for the security of the underlying infrastructure (independently certified to ISO/IEC 27001, SOC 1/2, PCI DSS); Soon is responsible for security in the platform and for the configuration of the services it operates. These interfaces are managed through the supplier and cloud policies.

6.5 Exclusions and justification

| Excluded | Justification |
|---|---|
| Marketing and general finance activities not involving customer data or production systems | No impact on the confidentiality, integrity or availability of customer data |
| Third-party systems not configured/managed by Soon (e.g. external client environments, customer-side tooling) | Outside Soon's operational control; governed by the customer or supplier |
| Physical/environmental security of data centres | Inherited from AWS (certified); Soon operates no data centres or offices |

These exclusions do not compromise the ISMS's ability to achieve its intended outcomes: protection of customer data, system availability, and legal/regulatory compliance. Annex A controls relating to physical and on-premises environments are addressed as inherited or not applicable in the Statement of Applicability (ISMS-FORM-06-2), with justification.


7. The ISMS (Clause 4.4)

Soon establishes, implements, maintains and continually improves the ISMS, including the processes needed and their interactions, in accordance with ISO/IEC 27001:2022. The interaction of ISMS processes is described in the ISMS Process Interaction Overview (ISMS-DOC-08-1).


  • ISMS-DOC-05-4 — Information Security Policy
  • ISMS-DOC-06-1 — Information Security Objectives and Plan
  • ISMS-DOC-06-2 — Risk Assessment and Treatment Process
  • ISMS-FORM-06-2 — Statement of Applicability
  • ISMS-DOC-A05-9-2 — Information Asset Inventory
  • ISMS-DOC-A05-31-1 — Legal, Regulatory and Contractual Requirements Procedure
  • ISMS-DOC-08-1 — ISMS Process Interaction Overview

Change log

| Version | Date | Author | Comments |
|---|---|---|---|
| 0.1 | 2023-12-11 | A. Cardinali | First draft (source docx) |
| 0.2 | 2025-09-15 | A. Cardinali | Changes and additional information added |
| 1.0-draft | 2026-06-25 | ISMS | Re-authored as canonical markdown; grounded in Soon Security Overview; clause mapping, interested-parties and impact tables completed |