diff --git a/docs/security/GAP_ANALYSIS_REPORT.md b/docs/security/GAP_ANALYSIS_REPORT.md index ac440b7..e273ad1 100644 --- a/docs/security/GAP_ANALYSIS_REPORT.md +++ b/docs/security/GAP_ANALYSIS_REPORT.md @@ -28,7 +28,7 @@ This report assesses the current state of the Tender Management (TM) ISMS agains | **Clause 8** (Operation) | ๐ŸŸก Partial | Technical controls strong; operational procedures incomplete | | **Clause 9** (Performance evaluation) | ๐Ÿ”ด Minimal | No internal audit program or management review yet | | **Clause 10** (Improvement) | ๐Ÿ”ด Minimal | Corrective action process not formalized | -| **Annex A** (93 controls) | ๐ŸŸก Partial | ~35% implemented, ~40% partial, ~15% N/A (physical/cloud), ~10% not started | +| **Annex A** (93 controls) | ๐ŸŸก Partial | 6 implemented (7% of 81 applicable), 56 partial (69%), 19 not implemented (23%), 12 N/A (13%) โ€” per [SoA ยง7](./STATEMENT_OF_APPLICABILITY.md#7-summary-statistics) | ### Key Strengths @@ -181,13 +181,13 @@ Full control-level detail: [Statement of Applicability](./STATEMENT_OF_APPLICABI | Theme | Total Controls | Implemented | Partial | Not Impl. | N/A | |-------|----------------|-------------|---------|-----------|-----| -| **A.5** Organizational | 37 | 8 | 22 | 5 | 2 | -| **A.6** People | 8 | 1 | 4 | 3 | 0 | -| **A.7** Physical | 14 | 0 | 0 | 0 | 14 | -| **A.8** Technological | 34 | 12 | 16 | 6 | 0 | -| **Total** | **93** | **21** | **42** | **14** | **16** | +| **A.5** Organizational | 37 | 2 | 25 | 10 | 0 | +| **A.6** People | 8 | 0 | 6 | 2 | 0 | +| **A.7** Physical | 14 | 0 | 3 | 0 | 11 | +| **A.8** Technological | 34 | 4 | 22 | 7 | 1 | +| **Total** | **93** | **6** | **56** | **19** | **12** | -*Percentages approximate; "Partial" indicates control exists but lacks full documentation, testing, or operating evidence.* +*Counts match [Statement of Applicability ยง7.1](./STATEMENT_OF_APPLICABILITY.md#71-by-theme). "Partial" indicates the control exists but lacks full documentation, testing, or operating evidence.* ### A.5 โ€” Top Organizational Gaps @@ -210,7 +210,9 @@ Full control-level detail: [Statement of Applicability](./STATEMENT_OF_APPLICABI ### A.7 โ€” Physical Controls -All 14 controls marked **N/A** โ€” infrastructure hosted in cloud/data center; physical security transferred to cloud provider per shared responsibility model. Provider compliance evidence required (A.5.23). +**11 N/A** โ€” cloud-hosted infrastructure; physical security transferred to cloud provider per shared responsibility model (A.7.1โ€“A.7.6, A.7.8, A.7.10โ€“A.7.13). Provider compliance evidence required (A.5.23). + +**3 Partial** โ€” A.7.7, A.7.9, A.7.14 remain applicable for personnel devices accessing TM systems (screen lock, off-premises asset security, equipment disposal). ### A.8 โ€” Top Technological Gaps @@ -224,18 +226,16 @@ All 14 controls marked **N/A** โ€” infrastructure hosted in cloud/data center; p | A.8.29 | Security testing | Not Implemented | High | | A.8.12 | Data leakage prevention | Not Implemented | Medium | -### A.8 โ€” Implemented Technical Controls (Evidence) +### A.8 โ€” Fully Implemented Technical Controls (Status = Yes) | Control | Implementation | |---------|----------------| | A.8.3 | RBAC + company-scoped middleware (`pkg/authorization`) | -| A.8.5 | JWT auth, bcrypt passwords, hCaptcha | -| A.8.9 | Env-based config with OS override (`pkg/config`) | +| A.8.4 | Git-based source control with PR workflow | | A.8.15 | Structured logging + `pkg/audit` | | A.8.26 | Govalidator, XSS policy, Swagger | -| A.8.28 | Secure coding standards (`.cursorrules`, code review) | -| A.8.6 | Rate limit configuration | -| A.8.4 | Git-based source control with PR workflow | + +Additional controls (e.g. A.8.5 authentication, A.8.9 configuration, A.8.28 secure coding) are **Partial** in the SoA โ€” implemented in code but lacking full operating evidence or completeness (MFA, vault, SAST). --- @@ -272,6 +272,7 @@ The TM platform has a **solid technical security foundation** but lacks the **op | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | 2026-06-11 | Engineering | Initial gap analysis | +| 1.1 | 2026-06-11 | Engineering | Annex A theme table and executive summary aligned with SoA ยง7 | **Review** diff --git a/docs/security/ISO27001_ROADMAP.md b/docs/security/ISO27001_ROADMAP.md index 339b25c..198ab94 100644 --- a/docs/security/ISO27001_ROADMAP.md +++ b/docs/security/ISO27001_ROADMAP.md @@ -79,8 +79,8 @@ Foundation Gap & Implement Operate Pre-Audit Certification ### 4.2 Deliverables -| # | Deliverable | ISO 27001 Reference | Owner | -|---|-------------|---------------------|-------| +| # | Deliverable | ISO 27001 Reference | Owner | Status | +|---|-------------|---------------------|-------|--------| | 1.1 | Gap analysis report | Clauses 4โ€“10 | ISO | โœ… Draft | | 1.2 | Statement of Applicability (SoA) | Annex A | ISO | โœ… Draft | | 1.3 | Information Security Policy | A.5.1 | Executive Sponsor | โœ… Draft | @@ -97,21 +97,24 @@ Based on codebase review and [Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.m | Annex A Theme | Current Maturity | Gap Priority | |---------------|------------------|--------------| -| A.5 Organizational controls | Partial (informal) | High | -| A.6 People controls | Minimal | High | -| A.7 Physical controls | N/A (cloud) | Transfer to cloud provider | -| A.8 Technological controls | Moderate (in-app) | Medium | +| A.5 Organizational controls | 2 Yes / 25 Partial / 10 No (of 37) | High | +| A.6 People controls | 0 Yes / 6 Partial / 2 No (of 8) | High | +| A.7 Physical controls | 11 N/A (cloud); 3 Partial (personnel devices) | Transfer to cloud provider | +| A.8 Technological controls | 4 Yes / 22 Partial / 7 No / 1 N/A (of 34) | Medium | -**Controls with existing technical implementation:** +*Per-theme counts: [SoA ยง7.1](./STATEMENT_OF_APPLICABILITY.md#71-by-theme).* + +**Controls with Status = Yes in SoA (fully evidenced):** | Control | Evidence in Codebase | |---------|---------------------| -| A.8.5 Secure authentication | `pkg/authorization`, bcrypt passwords | +| A.5.9, A.5.12 | Asset inventory; information classification | | A.8.3 Access restriction | RBAC + company-scoped middleware | -| A.8.26 Application security requirements | Govalidator, XSS policy, Swagger | +| A.8.4 Access to source code | Git repo with PR review | | A.8.15 Logging | Structured service logging, `pkg/audit` | -| A.8.9 Configuration management | `pkg/config` env priority | -| A.8.6 Capacity / rate limiting | `RateLimitConfig` | +| A.8.26 Application security requirements | Govalidator, XSS policy, Swagger | + +**Additional partial in-app controls** (e.g. A.8.5 authentication, A.8.9 configuration, A.8.6 rate limiting) are implemented in code but not yet fully evidenced in the SoA. **Priority gaps to close in Phase 2:** diff --git a/docs/security/STATEMENT_OF_APPLICABILITY.md b/docs/security/STATEMENT_OF_APPLICABILITY.md index 7c8427b..98c2268 100644 --- a/docs/security/STATEMENT_OF_APPLICABILITY.md +++ b/docs/security/STATEMENT_OF_APPLICABILITY.md @@ -153,7 +153,7 @@ This document satisfies ISO/IEC 27001:2022 Clause 6.1.3(d) and is a mandatory in | A.8.27 | Secure system architecture and engineering principles | Yes | Partial | Clean Architecture, DI, no global state | โ€” | | A.8.28 | Secure coding | Yes | Partial | Coding standards documented; no SAST | R-009, R-010 | | A.8.29 | Security testing in development and acceptance | Yes | No | Unit tests exist; no security test suite or DAST | R-009 | -| A.8.30 | Outsourced development | Yes | N/A | No outsourced development of TM backend | โ€” | +| A.8.30 | Outsourced development | N/A | N/A | All TM backend development is in-house; no outsourced development of scoped applications | โ€” | | A.8.31 | Separation of development, test and production environments | Yes | Partial | Separate env configs; staging data may contain real data | โ€” | | A.8.32 | Change management | Yes | Partial | Git PR workflow; no formal change procedure | R-022 | | A.8.33 | Test information | Yes | Partial | Staging should use anonymized data; not enforced | โ€” | @@ -163,21 +163,39 @@ This document satisfies ISO/IEC 27001:2022 Clause 6.1.3(d) and is a mandatory in ## 7. Summary Statistics -| Category | Count | -|----------|-------| -| Total Annex A controls | 93 | -| Applicable | 77 | -| Not applicable (N/A) | 16 | -| **Implemented (Yes)** | 21 | -| **Partial** | 42 | -| **Not implemented (No)** | 14 | +Counts derived from the control rows in ยง3โ€“ยง6 (authoritative source for cross-document reporting). -### Applicable Controls by Status +### 7.1 By Theme + +| Theme | Total | Implemented (Yes) | Partial | Not impl. (No) | N/A | +|-------|-------|-------------------|---------|----------------|-----| +| **A.5** Organizational | 37 | 2 | 25 | 10 | 0 | +| **A.6** People | 8 | 0 | 6 | 2 | 0 | +| **A.7** Physical | 14 | 0 | 3 | 0 | 11 | +| **A.8** Technological | 34 | 4 | 22 | 7 | 1 | +| **Total** | **93** | **6** | **56** | **19** | **12** | + +### 7.2 Overall + +| Category | Count | % of all 93 | +|----------|-------|-------------| +| Total Annex A controls | 93 | 100% | +| Not applicable (N/A) | 12 | 13% | +| **Applicable** | **81** | **87%** | +| Implemented (Yes) | 6 | 6% | +| Partial | 56 | 60% | +| Not implemented (No) | 19 | 20% | + +*Applicable = Total โˆ’ N/A. Yes/Partial/No counts apply only to applicable controls (6 + 56 + 19 = 81).* + +### 7.3 Applicable Controls by Status + +Percentages below are of **81 applicable** controls (excluding 12 N/A). ``` -Implemented โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 27% -Partial โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘ 55% -Not impl. โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 18% +Implemented โ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 7% (6/81) +Partial โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘ 69% (56/81) +Not impl. โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 23% (19/81) ``` --- @@ -214,6 +232,7 @@ Not impl. โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | 2026-06-11 | Engineering | Initial SoA for 93 Annex A controls | +| 1.1 | 2026-06-11 | Engineering | Reconciled summary counts with control rows; fixed A.8.30 applicability | **Approval**