Context Analysis

External and internal factors affecting the Maelstrom AI ISMS

Public

Purpose

ISO 27001 Clause 4 requires understanding the organisation and its context, the external and internal issues relevant to the ISMS. This analysis informs risk assessment, control selection, and strategic decisions.

Review Frequency: Annually (in management review) or when significant changes occur

Last Updated: 2026-05-21. Next Review: 2026-11-21.


External Context

Australian Privacy Act 1988:

  • Relevance. High
  • Impact. Governs personal information handling
  • Our Context. Minimal impact due to the zero knowledge architecture. We minimise personal information collection. During credential issuance, a date of birth is processed ephemerally and immediately discarded. No names, addresses, or ID documents are collected
  • Monitoring. Track amendments affecting technical data (IP addresses, device identifiers)

Notifiable Data Breaches (NDB) Scheme:

  • Relevance. Medium
  • Impact. Requires notification if “eligible data breach” occurs
  • Our Context. Low risk. With no PII held, an “eligible data breach” is unlikely. If signing keys were compromised, notification would go to relying parties (not individuals)
  • Monitoring. OAIC guidance and case law

General Data Protection Regulation (GDPR):

  • Relevance. Low (not operating in EU currently)
  • Impact. Would apply if serving EU residents
  • Our Context. If we expand internationally, GDPR compliance would be easier due to zero knowledge design
  • Monitoring. Track extraterritorial applicability

Consumer Data Right (CDR) / Privacy Act Reforms:

  • Relevance. Low currently
  • Impact. Future reforms may expand privacy obligations
  • Our Context. Proactive monitoring to ensure compliance if scope expands
  • Monitoring. Australian government consultations

ISO 27001:2022 Standard:

  • Relevance. High
  • Impact. Defines ISMS requirements and 93 Annex A controls
  • Our Context. Pursuing certification when commercially justified
  • Monitoring. ISO updates, transitional guidance

Industry Standards (SLSA, NIST, OWASP):

  • Relevance. High
  • Impact. Best practices for supply chain security and secure development
  • Our Context. Already implementing SLSA Level 3
  • Monitoring. Updates to frameworks and tooling

Threat Surface

Cryptographic Attacks:

  • Threat. Advances in cryptanalysis or quantum computing
  • Impact. Could compromise BLS12-381 or RedJubjub
  • Our Context. Monitoring NIST post-quantum standardisation; migration plan by 2030-2035
  • Trend. Post-quantum algorithms maturing, but practical quantum threat still distant

Supply Chain Attacks (e.g., via the npm and cargo ecosystems):

  • Threat. Malicious dependencies, typosquatting, compromised build tools
  • Impact. Could inject vulnerabilities or backdoors into our code
  • Our Context. SLSA Level 3 mitigates this (hermetic builds, signed provenance)
  • Trend. Increasing frequency (SolarWinds, Log4Shell, etc.)
  • Monitoring. GitHub security advisories, Dependabot alerts

Phishing and Social Engineering:

  • Threat. Attackers targeting team members to gain access
  • Impact. Could lead to credential theft or malicious code commits
  • Our Context. MFA and security awareness training reduce risk
  • Trend. Sophisticated, machine-generated phishing increasing

DDoS Attacks on Verifier API:

  • Threat. Overload Verifier API to deny service
  • Impact. Relying parties unable to verify proofs
  • Our Context. Cloudflare provides DDoS protection (mitigates most attacks)
  • Trend. DDoS-for-hire services readily available

Signing Key Theft:

  • Threat. Adversary gains access to production signing keys
  • Impact. Could issue fraudulent credentials (catastrophic)
  • Our Context. Highest risk. Keys stored in Cloudflare KV with restricted access
  • Mitigation. Key rotation, audit logging, minimal access

Zero-Day Vulnerabilities in Dependencies:

  • Threat. Undisclosed vulnerabilities in Rust, TypeScript, or cryptographic libraries
  • Impact. Could compromise cryptographic operations or expose data
  • Our Context. Monitoring CVEs, patching rapidly, fuzzing for unknown bugs

Market and Competitive Surface

Age Verification Market:

  • Trend. Growing demand due to online safety regulations (Australia, UK, EU considering age verification laws)
  • Opportunity. Privacy-preserving solutions (like Provii) increasingly attractive
  • Competition. Traditional age verification (ID checks) vs. privacy-preserving methods

Privacy Expectations:

  • Trend. Increasing user awareness of privacy risks
  • Opportunity. Zero knowledge approach aligns with privacy expectations
  • Risk. If zero knowledge becomes the industry standard, it is no longer a differentiator

Transparency Movement:

  • Trend. Open-source and transparency valued in security products
  • Opportunity. Our fully public ISMS and open source code builds trust
  • Risk. Transparency also exposes implementation details to adversaries (managed through security by design, not obscurity)

Competitor Security Incidents:

  • Monitoring. Public disclosures of breaches in identity/age verification space
  • Learning. Understand attack vectors to strengthen our defences

Edge Computing (Cloudflare Workers):

  • Trend. Increasing adoption for low-latency, scalable services
  • Opportunity. Aligns with our architecture
  • Risk. Dependency on Cloudflare availability

Zero knowledge Proof Innovation:

  • Trend. ZKP tooling improving (faster proving, smaller proofs)
  • Opportunity. Stay current with libraries (bellman, arkworks) for performance gains
  • Risk. Cryptographic assumptions may evolve; need to track research

Post-Quantum Cryptography:

  • Trend. NIST standardisation finalised August 2024 (ML-KEM, ML-DSA)
  • Timeline. Practical quantum threat estimated 2030-2035
  • Action. Monitor and plan migration (not urgent yet)

WebAssembly and Mobile SDKs:

  • Trend. Cross-platform development becoming simpler (UniFFI for Rust → Swift/Kotlin)
  • Opportunity. Expand platform support efficiently
  • Risk. New attack surfaces (mobile malware, browser extensions)

Economic and Financial Factors

Funding and Budget:

  • Context. Small, bootstrapped organisation
  • Impact. Security budget limited; prioritise cost-effective controls (open source tools, cloud-managed security)
  • Risk. May defer expensive certifications or external audits until revenue supports them

Cloudflare and GitHub Pricing:

  • Context. Currently within free/low tiers
  • Impact. Cost increases if usage scales
  • Opportunity. Cloudflare/GitHub offer startup programs if needed

Insurance (Cyber Liability):

  • Context. Not currently held
  • Impact. Potential future consideration if handling sensitive data or large-scale deployments
  • Trend. Insurers requiring stronger security posture (ISO 27001 helps)

Internal Context

Organisational Structure

Small, Fully Remote Team:

  • Characteristics. Lean, high autonomy, distributed geographically
  • Benefits. Agility, focus, low overhead
  • Challenges. Limited redundancy (single points of failure), work-life boundaries, communication overhead

Roles:

  • ISMS Owner
  • Security Lead
  • Developer(s)

Decision-Making: Flat structure, rapid decision-making, direct communication


Culture and Values

Transparency:

  • Value. Radical transparency in security practices
  • Manifestation. Public ISMS documentation, open source code, public incident postmortems
  • Impact on ISMS. All policies and procedures documented publicly (no “security through obscurity”)

Privacy-First:

  • Value. User privacy paramount
  • Manifestation. Zero knowledge architecture, minimal PII processing (DOB processed ephemerally during issuance only)
  • Impact on ISMS. Simplified data protection requirements, but cryptographic controls critical

Technical Excellence:

  • Value. High-quality, well-tested code
  • Manifestation. Testing (unit, integration, fuzz), code review, CI/CD automation
  • Impact on ISMS. Strong secure development lifecycle

Continuous Improvement:

  • Value. Iterative refinement
  • Manifestation. Regular retrospectives, internal audits, metric-driven improvements
  • Impact on ISMS. ISMS not static, evolves based on learnings

Information Assets

Cryptographic Keys (Highest Criticality):

  • RedJubjub signing keys (production and development)
  • HMAC secrets for API authentication
  • Impact. Compromise = catastrophic (fraudulent credentials)

Source Code (Public, but integrity critical):

  • provii-crypto, provii-verifier, provii-issuer, SDKs
  • Impact. Tampering could introduce vulnerabilities

Infrastructure Access (Cloudflare, GitHub):

  • API tokens, account credentials
  • Impact. Unauthorized access could disrupt service or compromise keys

Documentation (Public):

  • ISMS, API docs, technical architecture
  • Impact. Inaccurate documentation could lead to misuse

Operational Data (Logs, Analytics):

  • IP addresses (retained for 90 days as part of standard audit log entries)
  • Audit logs (standard entries retained for 90 days; critical security events such as detected attacks, replay attempts, and IP blocks retained for up to 365 days to support security investigation)
  • Impact. Privacy risk if improperly disclosed

Technology Stack

Languages:

  • Rust (cryptography, backend)
  • TypeScript/JavaScript (SDK, frontend)
  • Swift/Kotlin (mobile via UniFFI)

Infrastructure:

  • Cloudflare Workers (serverless edge compute)
  • Cloudflare KV (key-value storage)
  • Cloudflare Durable Objects (stateful edge)
  • GitHub (source control, CI/CD)

Dependencies:

  • bellman, bls12_381, redjubjub (cryptography)
  • wasm-bindgen (WebAssembly)
  • Extensive npm and cargo dependencies

Implications:

  • Dependency on Cloudflare and GitHub (supplier risk)
  • Supply chain security critical (SLSA Level 3)
  • Cryptographic library quality paramount

Processes

Development:

  • Git-based workflow (pull requests, code review)
  • Automated testing and security scanning (CI/CD)
  • Continuous deployment (via GitHub Actions + wrangler)

Risk Management:

  • Quarterly risk assessments
  • Risk register maintained

Incident Response:

  • Defined process (Detect → Assess → Contain → Eradicate → Recover → Learn)
  • Contact: security@maelstrom.au

Change Management:

  • Standard changes (automated via CI/CD)
  • Normal changes (require approval)
  • Emergency changes (immediate, with post-implementation review)

Resource Constraints

Staffing:

  • Constraint. Small team = limited capacity
  • Impact. Must prioritise highest-value security activities; automation essential
  • Mitigation. Lean processes, cloud-managed security (Cloudflare DDoS, GitHub security scanning)

Budget:

  • Constraint. Limited budget for security tools and external audits
  • Impact. Prioritise open source tools, defer expensive certifications until ready
  • Mitigation. ISO 27001 certification pursued when commercially justified

Time:

  • Constraint. Security competes with feature development
  • Impact. Must integrate security into development (shift-left)
  • Mitigation. Automated security (CI/CD scanning), security as requirement (not afterthought)

Interested Parties

Customers / Relying Parties

Who: Websites and apps using Provii for age verification

Needs and Expectations:

  • Reliable age verification (uptime, performance)
  • Secure proof verification (no fraudulent proofs accepted)
  • Privacy-preserving (no user PII exposed to relying party or Maelstrom AI)
  • Transparent security practices (ISMS documentation)
  • Responsive support (incident communication, API changes)

How we address:

  • Cloudflare edge network with global redundancy (best-effort availability; no contractual SLA at current tier)
  • Rigorous testing and code review
  • Public ISMS and incident postmortems
  • Public API documentation and changelog

End Users (Individuals Proving Age)

Who: Individuals using wallets to generate and present age proofs

Needs and Expectations:

  • Privacy (no PII shared with anyone)
  • Security (wallet credentials not stolen or misused)
  • Usability (wallet app easy to use)
  • Transparency (understand how their data is protected, or not collected)

How we address:

  • Zero knowledge proofs (no PII in proofs)
  • Wallet SDK security (open source, auditable)
  • Public documentation (Privacy Policy, FAQs)

Team Members

Needs and Expectations:

  • Clear security policies and procedures
  • Usable security tools (not onerous)
  • Support when security questions arise
  • Training to understand responsibilities

How we address:

  • Public, searchable ISMS documentation
  • MFA, password managers (standard tools)
  • Security Lead available for consultation
  • Onboarding and annual training

Suppliers (Cloudflare, GitHub)

Needs and Expectations:

  • Compliance with terms of service
  • Responsible use of services
  • Timely payment

How we address:

  • Follow Cloudflare/GitHub terms
  • Security best practices (don’t abuse services)
  • Maintain accounts in good standing

Regulators (OAIC, Future Auditors)

Needs and Expectations:

  • Compliance with Privacy Act
  • (Future) Compliance with ISO 27001:2022
  • Evidence of security controls
  • Incident notification if required

How we address:

  • Zero-knowledge architecture is designed to support privacy compliance
  • ISMS implementation per ISO 27001
  • Evidence collection and retention
  • Incident response procedure includes notification requirements

Community (Open-Source, Privacy Advocates)

Needs and Expectations:

  • Transparency in security and privacy practices
  • Open-source code (auditable)
  • Ethical use of technology (no surveillance)

How we address:

  • Fully public ISMS documentation
  • All repositories open source (GitHub)
  • Privacy-by-design architecture

Strategic Direction

Mission

Provide privacy-preserving age verification that protects individuals while enabling responsible online services.

Vision (3-5 years)

  • ISO 27001 certification pursued when commercially justified
  • Widely adopted by relying parties valuing privacy
  • Proven security (no major incidents, successful audits)
  • Thought leadership in zero knowledge applications

Objectives

  1. Achieve ISO 27001 certification when commercially justified
  2. Maintain zero major incidents (P0/P1) through 2026
  3. Scale securely to support increasing relying parties
  4. Build trust through transparency and public documentation
  5. Continuous improvement of ISMS and security posture

Implications for ISMS

Opportunities

  • Zero-knowledge architecture is designed to simplify data protection and support privacy compliance
  • Cloud-native infrastructure enables scalable security (Cloudflare DDoS, edge compute)
  • Open-source allows community review and builds trust
  • Small team enables agility and rapid security improvements

Challenges

  • Resource constraints require prioritisation and automation
  • Cryptographic complexity demands expertise and rigorous testing
  • Supply chain risks require SLSA Level 3 and dependency vigilance
  • Single points of failure (small team, Cloudflare dependency) require business continuity planning

ISMS Priorities

  1. Cryptographic key protection (highest risk)
  2. Supply chain security (SLSA Level 3 maintained)
  3. Incident response readiness (rapid detection and response)
  4. Continuous monitoring (vulnerabilities, supplier status, threat surface)
  5. ISO 27001 certification (structured approach, external validation)


Document Information

Field             Value
Version           1.1
Effective Date    2025-01-13
Last Updated      2026-05-21
Owner             ISMS Owner
Review Frequency  Annually (in management review)
Next Review       2026-11-21
Classification    Public