Update security documentation to align with ISO/IEC 27001 standards
- Revised the Gap Analysis Report to provide detailed counts of implemented, partial, and not implemented controls, enhancing clarity on compliance status. - Updated the ISO27001 Roadmap to include a status column for deliverables, improving tracking of progress towards certification. - Adjusted the Statement of Applicability to reconcile summary counts with control rows and clarify the applicability of outsourced development. These updates strengthen the documentation framework, ensuring it accurately reflects the current state of security controls and compliance efforts within the Tender Management System.
This commit is contained in:
@@ -79,8 +79,8 @@ Foundation Gap & Implement Operate Pre-Audit Certification
|
||||
|
||||
### 4.2 Deliverables
|
||||
|
||||
| # | Deliverable | ISO 27001 Reference | Owner |
|
||||
|---|-------------|---------------------|-------|
|
||||
| # | Deliverable | ISO 27001 Reference | Owner | Status |
|
||||
|---|-------------|---------------------|-------|--------|
|
||||
| 1.1 | Gap analysis report | Clauses 4–10 | ISO | ✅ Draft |
|
||||
| 1.2 | Statement of Applicability (SoA) | Annex A | ISO | ✅ Draft |
|
||||
| 1.3 | Information Security Policy | A.5.1 | Executive Sponsor | ✅ Draft |
|
||||
@@ -97,21 +97,24 @@ Based on codebase review and [Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.m
|
||||
|
||||
| Annex A Theme | Current Maturity | Gap Priority |
|
||||
|---------------|------------------|--------------|
|
||||
| A.5 Organizational controls | Partial (informal) | High |
|
||||
| A.6 People controls | Minimal | High |
|
||||
| A.7 Physical controls | N/A (cloud) | Transfer to cloud provider |
|
||||
| A.8 Technological controls | Moderate (in-app) | Medium |
|
||||
| A.5 Organizational controls | 2 Yes / 25 Partial / 10 No (of 37) | High |
|
||||
| A.6 People controls | 0 Yes / 6 Partial / 2 No (of 8) | High |
|
||||
| A.7 Physical controls | 11 N/A (cloud); 3 Partial (personnel devices) | Transfer to cloud provider |
|
||||
| A.8 Technological controls | 4 Yes / 22 Partial / 7 No / 1 N/A (of 34) | Medium |
|
||||
|
||||
**Controls with existing technical implementation:**
|
||||
*Per-theme counts: [SoA §7.1](./STATEMENT_OF_APPLICABILITY.md#71-by-theme).*
|
||||
|
||||
**Controls with Status = Yes in SoA (fully evidenced):**
|
||||
|
||||
| Control | Evidence in Codebase |
|
||||
|---------|---------------------|
|
||||
| A.8.5 Secure authentication | `pkg/authorization`, bcrypt passwords |
|
||||
| A.5.9, A.5.12 | Asset inventory; information classification |
|
||||
| A.8.3 Access restriction | RBAC + company-scoped middleware |
|
||||
| A.8.26 Application security requirements | Govalidator, XSS policy, Swagger |
|
||||
| A.8.4 Access to source code | Git repo with PR review |
|
||||
| A.8.15 Logging | Structured service logging, `pkg/audit` |
|
||||
| A.8.9 Configuration management | `pkg/config` env priority |
|
||||
| A.8.6 Capacity / rate limiting | `RateLimitConfig` |
|
||||
| A.8.26 Application security requirements | Govalidator, XSS policy, Swagger |
|
||||
|
||||
**Additional partial in-app controls** (e.g. A.8.5 authentication, A.8.9 configuration, A.8.6 rate limiting) are implemented in code but not yet fully evidenced in the SoA.
|
||||
|
||||
**Priority gaps to close in Phase 2:**
|
||||
|
||||
|
||||
Reference in New Issue
Block a user