From 6af5cf3c4e692be530a43aa77073b616afe8a047 Mon Sep 17 00:00:00 2001 From: Mazyar Date: Sat, 13 Jun 2026 23:59:38 +0330 Subject: [PATCH] Update security documentation to align with ISO/IEC 27001 standards - Revised the Gap Analysis Report to provide detailed counts of implemented, partial, and not implemented controls, enhancing clarity on compliance status. - Updated the ISO27001 Roadmap to include a status column for deliverables, improving tracking of progress towards certification. - Adjusted the Statement of Applicability to reconcile summary counts with control rows and clarify the applicability of outsourced development. These updates strengthen the documentation framework, ensuring it accurately reflects the current state of security controls and compliance efforts within the Tender Management System. --- docs/security/GAP_ANALYSIS_REPORT.md | 29 ++++++------- docs/security/ISO27001_ROADMAP.md | 25 +++++++----- docs/security/STATEMENT_OF_APPLICABILITY.md | 45 +++++++++++++++------ 3 files changed, 61 insertions(+), 38 deletions(-) diff --git a/docs/security/GAP_ANALYSIS_REPORT.md b/docs/security/GAP_ANALYSIS_REPORT.md index ac440b7..e273ad1 100644 --- a/docs/security/GAP_ANALYSIS_REPORT.md +++ b/docs/security/GAP_ANALYSIS_REPORT.md @@ -28,7 +28,7 @@ This report assesses the current state of the Tender Management (TM) ISMS agains | **Clause 8** (Operation) | ๐ŸŸก Partial | Technical controls strong; operational procedures incomplete | | **Clause 9** (Performance evaluation) | ๐Ÿ”ด Minimal | No internal audit program or management review yet | | **Clause 10** (Improvement) | ๐Ÿ”ด Minimal | Corrective action process not formalized | -| **Annex A** (93 controls) | ๐ŸŸก Partial | ~35% implemented, ~40% partial, ~15% N/A (physical/cloud), ~10% not started | +| **Annex A** (93 controls) | ๐ŸŸก Partial | 6 implemented (7% of 81 applicable), 56 partial (69%), 19 not implemented (23%), 12 N/A (13%) โ€” per [SoA ยง7](./STATEMENT_OF_APPLICABILITY.md#7-summary-statistics) | ### Key Strengths @@ -181,13 +181,13 @@ Full control-level detail: [Statement of Applicability](./STATEMENT_OF_APPLICABI | Theme | Total Controls | Implemented | Partial | Not Impl. | N/A | |-------|----------------|-------------|---------|-----------|-----| -| **A.5** Organizational | 37 | 8 | 22 | 5 | 2 | -| **A.6** People | 8 | 1 | 4 | 3 | 0 | -| **A.7** Physical | 14 | 0 | 0 | 0 | 14 | -| **A.8** Technological | 34 | 12 | 16 | 6 | 0 | -| **Total** | **93** | **21** | **42** | **14** | **16** | +| **A.5** Organizational | 37 | 2 | 25 | 10 | 0 | +| **A.6** People | 8 | 0 | 6 | 2 | 0 | +| **A.7** Physical | 14 | 0 | 3 | 0 | 11 | +| **A.8** Technological | 34 | 4 | 22 | 7 | 1 | +| **Total** | **93** | **6** | **56** | **19** | **12** | -*Percentages approximate; "Partial" indicates control exists but lacks full documentation, testing, or operating evidence.* +*Counts match [Statement of Applicability ยง7.1](./STATEMENT_OF_APPLICABILITY.md#71-by-theme). "Partial" indicates the control exists but lacks full documentation, testing, or operating evidence.* ### A.5 โ€” Top Organizational Gaps @@ -210,7 +210,9 @@ Full control-level detail: [Statement of Applicability](./STATEMENT_OF_APPLICABI ### A.7 โ€” Physical Controls -All 14 controls marked **N/A** โ€” infrastructure hosted in cloud/data center; physical security transferred to cloud provider per shared responsibility model. Provider compliance evidence required (A.5.23). +**11 N/A** โ€” cloud-hosted infrastructure; physical security transferred to cloud provider per shared responsibility model (A.7.1โ€“A.7.6, A.7.8, A.7.10โ€“A.7.13). Provider compliance evidence required (A.5.23). + +**3 Partial** โ€” A.7.7, A.7.9, A.7.14 remain applicable for personnel devices accessing TM systems (screen lock, off-premises asset security, equipment disposal). ### A.8 โ€” Top Technological Gaps @@ -224,18 +226,16 @@ All 14 controls marked **N/A** โ€” infrastructure hosted in cloud/data center; p | A.8.29 | Security testing | Not Implemented | High | | A.8.12 | Data leakage prevention | Not Implemented | Medium | -### A.8 โ€” Implemented Technical Controls (Evidence) +### A.8 โ€” Fully Implemented Technical Controls (Status = Yes) | Control | Implementation | |---------|----------------| | A.8.3 | RBAC + company-scoped middleware (`pkg/authorization`) | -| A.8.5 | JWT auth, bcrypt passwords, hCaptcha | -| A.8.9 | Env-based config with OS override (`pkg/config`) | +| A.8.4 | Git-based source control with PR workflow | | A.8.15 | Structured logging + `pkg/audit` | | A.8.26 | Govalidator, XSS policy, Swagger | -| A.8.28 | Secure coding standards (`.cursorrules`, code review) | -| A.8.6 | Rate limit configuration | -| A.8.4 | Git-based source control with PR workflow | + +Additional controls (e.g. A.8.5 authentication, A.8.9 configuration, A.8.28 secure coding) are **Partial** in the SoA โ€” implemented in code but lacking full operating evidence or completeness (MFA, vault, SAST). --- @@ -272,6 +272,7 @@ The TM platform has a **solid technical security foundation** but lacks the **op | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | 2026-06-11 | Engineering | Initial gap analysis | +| 1.1 | 2026-06-11 | Engineering | Annex A theme table and executive summary aligned with SoA ยง7 | **Review** diff --git a/docs/security/ISO27001_ROADMAP.md b/docs/security/ISO27001_ROADMAP.md index 339b25c..198ab94 100644 --- a/docs/security/ISO27001_ROADMAP.md +++ b/docs/security/ISO27001_ROADMAP.md @@ -79,8 +79,8 @@ Foundation Gap & Implement Operate Pre-Audit Certification ### 4.2 Deliverables -| # | Deliverable | ISO 27001 Reference | Owner | -|---|-------------|---------------------|-------| +| # | Deliverable | ISO 27001 Reference | Owner | Status | +|---|-------------|---------------------|-------|--------| | 1.1 | Gap analysis report | Clauses 4โ€“10 | ISO | โœ… Draft | | 1.2 | Statement of Applicability (SoA) | Annex A | ISO | โœ… Draft | | 1.3 | Information Security Policy | A.5.1 | Executive Sponsor | โœ… Draft | @@ -97,21 +97,24 @@ Based on codebase review and [Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.m | Annex A Theme | Current Maturity | Gap Priority | |---------------|------------------|--------------| -| A.5 Organizational controls | Partial (informal) | High | -| A.6 People controls | Minimal | High | -| A.7 Physical controls | N/A (cloud) | Transfer to cloud provider | -| A.8 Technological controls | Moderate (in-app) | Medium | +| A.5 Organizational controls | 2 Yes / 25 Partial / 10 No (of 37) | High | +| A.6 People controls | 0 Yes / 6 Partial / 2 No (of 8) | High | +| A.7 Physical controls | 11 N/A (cloud); 3 Partial (personnel devices) | Transfer to cloud provider | +| A.8 Technological controls | 4 Yes / 22 Partial / 7 No / 1 N/A (of 34) | Medium | -**Controls with existing technical implementation:** +*Per-theme counts: [SoA ยง7.1](./STATEMENT_OF_APPLICABILITY.md#71-by-theme).* + +**Controls with Status = Yes in SoA (fully evidenced):** | Control | Evidence in Codebase | |---------|---------------------| -| A.8.5 Secure authentication | `pkg/authorization`, bcrypt passwords | +| A.5.9, A.5.12 | Asset inventory; information classification | | A.8.3 Access restriction | RBAC + company-scoped middleware | -| A.8.26 Application security requirements | Govalidator, XSS policy, Swagger | +| A.8.4 Access to source code | Git repo with PR review | | A.8.15 Logging | Structured service logging, `pkg/audit` | -| A.8.9 Configuration management | `pkg/config` env priority | -| A.8.6 Capacity / rate limiting | `RateLimitConfig` | +| A.8.26 Application security requirements | Govalidator, XSS policy, Swagger | + +**Additional partial in-app controls** (e.g. A.8.5 authentication, A.8.9 configuration, A.8.6 rate limiting) are implemented in code but not yet fully evidenced in the SoA. **Priority gaps to close in Phase 2:** diff --git a/docs/security/STATEMENT_OF_APPLICABILITY.md b/docs/security/STATEMENT_OF_APPLICABILITY.md index 7c8427b..98c2268 100644 --- a/docs/security/STATEMENT_OF_APPLICABILITY.md +++ b/docs/security/STATEMENT_OF_APPLICABILITY.md @@ -153,7 +153,7 @@ This document satisfies ISO/IEC 27001:2022 Clause 6.1.3(d) and is a mandatory in | A.8.27 | Secure system architecture and engineering principles | Yes | Partial | Clean Architecture, DI, no global state | โ€” | | A.8.28 | Secure coding | Yes | Partial | Coding standards documented; no SAST | R-009, R-010 | | A.8.29 | Security testing in development and acceptance | Yes | No | Unit tests exist; no security test suite or DAST | R-009 | -| A.8.30 | Outsourced development | Yes | N/A | No outsourced development of TM backend | โ€” | +| A.8.30 | Outsourced development | N/A | N/A | All TM backend development is in-house; no outsourced development of scoped applications | โ€” | | A.8.31 | Separation of development, test and production environments | Yes | Partial | Separate env configs; staging data may contain real data | โ€” | | A.8.32 | Change management | Yes | Partial | Git PR workflow; no formal change procedure | R-022 | | A.8.33 | Test information | Yes | Partial | Staging should use anonymized data; not enforced | โ€” | @@ -163,21 +163,39 @@ This document satisfies ISO/IEC 27001:2022 Clause 6.1.3(d) and is a mandatory in ## 7. Summary Statistics -| Category | Count | -|----------|-------| -| Total Annex A controls | 93 | -| Applicable | 77 | -| Not applicable (N/A) | 16 | -| **Implemented (Yes)** | 21 | -| **Partial** | 42 | -| **Not implemented (No)** | 14 | +Counts derived from the control rows in ยง3โ€“ยง6 (authoritative source for cross-document reporting). -### Applicable Controls by Status +### 7.1 By Theme + +| Theme | Total | Implemented (Yes) | Partial | Not impl. (No) | N/A | +|-------|-------|-------------------|---------|----------------|-----| +| **A.5** Organizational | 37 | 2 | 25 | 10 | 0 | +| **A.6** People | 8 | 0 | 6 | 2 | 0 | +| **A.7** Physical | 14 | 0 | 3 | 0 | 11 | +| **A.8** Technological | 34 | 4 | 22 | 7 | 1 | +| **Total** | **93** | **6** | **56** | **19** | **12** | + +### 7.2 Overall + +| Category | Count | % of all 93 | +|----------|-------|-------------| +| Total Annex A controls | 93 | 100% | +| Not applicable (N/A) | 12 | 13% | +| **Applicable** | **81** | **87%** | +| Implemented (Yes) | 6 | 6% | +| Partial | 56 | 60% | +| Not implemented (No) | 19 | 20% | + +*Applicable = Total โˆ’ N/A. Yes/Partial/No counts apply only to applicable controls (6 + 56 + 19 = 81).* + +### 7.3 Applicable Controls by Status + +Percentages below are of **81 applicable** controls (excluding 12 N/A). ``` -Implemented โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 27% -Partial โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘ 55% -Not impl. โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 18% +Implemented โ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 7% (6/81) +Partial โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘ 69% (56/81) +Not impl. โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 23% (19/81) ``` --- @@ -214,6 +232,7 @@ Not impl. โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | 2026-06-11 | Engineering | Initial SoA for 93 Annex A controls | +| 1.1 | 2026-06-11 | Engineering | Reconciled summary counts with control rows; fixed A.8.30 applicability | **Approval**