Update security documentation to align with ISO/IEC 27001 standards

- Revised the Gap Analysis Report to provide detailed counts of implemented, partial, and not implemented controls, enhancing clarity on compliance status.
- Updated the ISO27001 Roadmap to include a status column for deliverables, improving tracking of progress towards certification.
- Adjusted the Statement of Applicability to reconcile summary counts with control rows and clarify the applicability of outsourced development.

These updates strengthen the documentation framework, ensuring it accurately reflects the current state of security controls and compliance efforts within the Tender Management System.
This commit is contained in:
Mazyar
2026-06-13 23:59:38 +03:30
parent 96ec0f8a8f
commit 6af5cf3c4e
3 changed files with 61 additions and 38 deletions
+15 -14
View File
@@ -28,7 +28,7 @@ This report assesses the current state of the Tender Management (TM) ISMS agains
| **Clause 8** (Operation) | 🟡 Partial | Technical controls strong; operational procedures incomplete |
| **Clause 9** (Performance evaluation) | 🔴 Minimal | No internal audit program or management review yet |
| **Clause 10** (Improvement) | 🔴 Minimal | Corrective action process not formalized |
| **Annex A** (93 controls) | 🟡 Partial | ~35% implemented, ~40% partial, ~15% N/A (physical/cloud), ~10% not started |
| **Annex A** (93 controls) | 🟡 Partial | 6 implemented (7% of 81 applicable), 56 partial (69%), 19 not implemented (23%), 12 N/A (13%) — per [SoA §7](./STATEMENT_OF_APPLICABILITY.md#7-summary-statistics) |
### Key Strengths
@@ -181,13 +181,13 @@ Full control-level detail: [Statement of Applicability](./STATEMENT_OF_APPLICABI
| Theme | Total Controls | Implemented | Partial | Not Impl. | N/A |
|-------|----------------|-------------|---------|-----------|-----|
| **A.5** Organizational | 37 | 8 | 22 | 5 | 2 |
| **A.6** People | 8 | 1 | 4 | 3 | 0 |
| **A.7** Physical | 14 | 0 | 0 | 0 | 14 |
| **A.8** Technological | 34 | 12 | 16 | 6 | 0 |
| **Total** | **93** | **21** | **42** | **14** | **16** |
| **A.5** Organizational | 37 | 2 | 25 | 10 | 0 |
| **A.6** People | 8 | 0 | 6 | 2 | 0 |
| **A.7** Physical | 14 | 0 | 3 | 0 | 11 |
| **A.8** Technological | 34 | 4 | 22 | 7 | 1 |
| **Total** | **93** | **6** | **56** | **19** | **12** |
*Percentages approximate; "Partial" indicates control exists but lacks full documentation, testing, or operating evidence.*
*Counts match [Statement of Applicability §7.1](./STATEMENT_OF_APPLICABILITY.md#71-by-theme). "Partial" indicates the control exists but lacks full documentation, testing, or operating evidence.*
### A.5 — Top Organizational Gaps
@@ -210,7 +210,9 @@ Full control-level detail: [Statement of Applicability](./STATEMENT_OF_APPLICABI
### A.7 — Physical Controls
All 14 controls marked **N/A** — infrastructure hosted in cloud/data center; physical security transferred to cloud provider per shared responsibility model. Provider compliance evidence required (A.5.23).
**11 N/A** — cloud-hosted infrastructure; physical security transferred to cloud provider per shared responsibility model (A.7.1A.7.6, A.7.8, A.7.10A.7.13). Provider compliance evidence required (A.5.23).
**3 Partial** — A.7.7, A.7.9, A.7.14 remain applicable for personnel devices accessing TM systems (screen lock, off-premises asset security, equipment disposal).
### A.8 — Top Technological Gaps
@@ -224,18 +226,16 @@ All 14 controls marked **N/A** — infrastructure hosted in cloud/data center; p
| A.8.29 | Security testing | Not Implemented | High |
| A.8.12 | Data leakage prevention | Not Implemented | Medium |
### A.8 — Implemented Technical Controls (Evidence)
### A.8 — Fully Implemented Technical Controls (Status = Yes)
| Control | Implementation |
|---------|----------------|
| A.8.3 | RBAC + company-scoped middleware (`pkg/authorization`) |
| A.8.5 | JWT auth, bcrypt passwords, hCaptcha |
| A.8.9 | Env-based config with OS override (`pkg/config`) |
| A.8.4 | Git-based source control with PR workflow |
| A.8.15 | Structured logging + `pkg/audit` |
| A.8.26 | Govalidator, XSS policy, Swagger |
| A.8.28 | Secure coding standards (`.cursorrules`, code review) |
| A.8.6 | Rate limit configuration |
| A.8.4 | Git-based source control with PR workflow |
Additional controls (e.g. A.8.5 authentication, A.8.9 configuration, A.8.28 secure coding) are **Partial** in the SoA — implemented in code but lacking full operating evidence or completeness (MFA, vault, SAST).
---
@@ -272,6 +272,7 @@ The TM platform has a **solid technical security foundation** but lacks the **op
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2026-06-11 | Engineering | Initial gap analysis |
| 1.1 | 2026-06-11 | Engineering | Annex A theme table and executive summary aligned with SoA §7 |
**Review**