Update security documentation to align with ISO/IEC 27001 standards

- Revised the Gap Analysis Report to provide detailed counts of implemented, partial, and not implemented controls, enhancing clarity on compliance status.
- Updated the ISO27001 Roadmap to include a status column for deliverables, improving tracking of progress towards certification.
- Adjusted the Statement of Applicability to reconcile summary counts with control rows and clarify the applicability of outsourced development.

These updates strengthen the documentation framework, ensuring it accurately reflects the current state of security controls and compliance efforts within the Tender Management System.
This commit is contained in:
Mazyar
2026-06-13 23:59:38 +03:30
parent 96ec0f8a8f
commit 6af5cf3c4e
3 changed files with 61 additions and 38 deletions
+32 -13
View File
@@ -153,7 +153,7 @@ This document satisfies ISO/IEC 27001:2022 Clause 6.1.3(d) and is a mandatory in
| A.8.27 | Secure system architecture and engineering principles | Yes | Partial | Clean Architecture, DI, no global state | — |
| A.8.28 | Secure coding | Yes | Partial | Coding standards documented; no SAST | R-009, R-010 |
| A.8.29 | Security testing in development and acceptance | Yes | No | Unit tests exist; no security test suite or DAST | R-009 |
| A.8.30 | Outsourced development | Yes | N/A | No outsourced development of TM backend | — |
| A.8.30 | Outsourced development | N/A | N/A | All TM backend development is in-house; no outsourced development of scoped applications | — |
| A.8.31 | Separation of development, test and production environments | Yes | Partial | Separate env configs; staging data may contain real data | — |
| A.8.32 | Change management | Yes | Partial | Git PR workflow; no formal change procedure | R-022 |
| A.8.33 | Test information | Yes | Partial | Staging should use anonymized data; not enforced | — |
@@ -163,21 +163,39 @@ This document satisfies ISO/IEC 27001:2022 Clause 6.1.3(d) and is a mandatory in
## 7. Summary Statistics
| Category | Count |
|----------|-------|
| Total Annex A controls | 93 |
| Applicable | 77 |
| Not applicable (N/A) | 16 |
| **Implemented (Yes)** | 21 |
| **Partial** | 42 |
| **Not implemented (No)** | 14 |
Counts derived from the control rows in §3–§6 (authoritative source for cross-document reporting).
### Applicable Controls by Status
### 7.1 By Theme
| Theme | Total | Implemented (Yes) | Partial | Not impl. (No) | N/A |
|-------|-------|-------------------|---------|----------------|-----|
| **A.5** Organizational | 37 | 2 | 25 | 10 | 0 |
| **A.6** People | 8 | 0 | 6 | 2 | 0 |
| **A.7** Physical | 14 | 0 | 3 | 0 | 11 |
| **A.8** Technological | 34 | 4 | 22 | 7 | 1 |
| **Total** | **93** | **6** | **56** | **19** | **12** |
### 7.2 Overall
| Category | Count | % of all 93 |
|----------|-------|-------------|
| Total Annex A controls | 93 | 100% |
| Not applicable (N/A) | 12 | 13% |
| **Applicable** | **81** | **87%** |
| Implemented (Yes) | 6 | 6% |
| Partial | 56 | 60% |
| Not implemented (No) | 19 | 20% |
*Applicable = Total N/A. Yes/Partial/No counts apply only to applicable controls (6 + 56 + 19 = 81).*
### 7.3 Applicable Controls by Status
Percentages below are of **81 applicable** controls (excluding 12 N/A).
```
Implemented ████████░░░░░░░░░░░░░░ 27%
Partial █████████████████░░░░░ 55%
Not impl. █████░░░░░░░░░░░░░░░░░ 18%
Implemented ██░░░░░░░░░░░░░░░░░░░ 7% (6/81)
Partial █████████████████░░░░░ 69% (56/81)
Not impl. █████░░░░░░░░░░░░░░░░░ 23% (19/81)
```
---
@@ -214,6 +232,7 @@ Not impl. █████░░░░░░░░░░░░░░░░░
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2026-06-11 | Engineering | Initial SoA for 93 Annex A controls |
| 1.1 | 2026-06-11 | Engineering | Reconciled summary counts with control rows; fixed A.8.30 applicability |
**Approval**