Update security documentation to align with ISO/IEC 27001 standards

- Revised the Gap Analysis Report to provide detailed counts of implemented, partial, and not implemented controls, enhancing clarity on compliance status.
- Updated the ISO27001 Roadmap to include a status column for deliverables, improving tracking of progress towards certification.
- Adjusted the Statement of Applicability to reconcile summary counts with control rows and clarify the applicability of outsourced development.

These updates strengthen the documentation framework, ensuring it accurately reflects the current state of security controls and compliance efforts within the Tender Management System.
This commit is contained in:
Mazyar
2026-06-13 23:59:38 +03:30
parent 96ec0f8a8f
commit 6af5cf3c4e
3 changed files with 61 additions and 38 deletions
+15 -14
View File
@@ -28,7 +28,7 @@ This report assesses the current state of the Tender Management (TM) ISMS agains
| **Clause 8** (Operation) | 🟡 Partial | Technical controls strong; operational procedures incomplete | | **Clause 8** (Operation) | 🟡 Partial | Technical controls strong; operational procedures incomplete |
| **Clause 9** (Performance evaluation) | 🔴 Minimal | No internal audit program or management review yet | | **Clause 9** (Performance evaluation) | 🔴 Minimal | No internal audit program or management review yet |
| **Clause 10** (Improvement) | 🔴 Minimal | Corrective action process not formalized | | **Clause 10** (Improvement) | 🔴 Minimal | Corrective action process not formalized |
| **Annex A** (93 controls) | 🟡 Partial | ~35% implemented, ~40% partial, ~15% N/A (physical/cloud), ~10% not started | | **Annex A** (93 controls) | 🟡 Partial | 6 implemented (7% of 81 applicable), 56 partial (69%), 19 not implemented (23%), 12 N/A (13%) — per [SoA §7](./STATEMENT_OF_APPLICABILITY.md#7-summary-statistics) |
### Key Strengths ### Key Strengths
@@ -181,13 +181,13 @@ Full control-level detail: [Statement of Applicability](./STATEMENT_OF_APPLICABI
| Theme | Total Controls | Implemented | Partial | Not Impl. | N/A | | Theme | Total Controls | Implemented | Partial | Not Impl. | N/A |
|-------|----------------|-------------|---------|-----------|-----| |-------|----------------|-------------|---------|-----------|-----|
| **A.5** Organizational | 37 | 8 | 22 | 5 | 2 | | **A.5** Organizational | 37 | 2 | 25 | 10 | 0 |
| **A.6** People | 8 | 1 | 4 | 3 | 0 | | **A.6** People | 8 | 0 | 6 | 2 | 0 |
| **A.7** Physical | 14 | 0 | 0 | 0 | 14 | | **A.7** Physical | 14 | 0 | 3 | 0 | 11 |
| **A.8** Technological | 34 | 12 | 16 | 6 | 0 | | **A.8** Technological | 34 | 4 | 22 | 7 | 1 |
| **Total** | **93** | **21** | **42** | **14** | **16** | | **Total** | **93** | **6** | **56** | **19** | **12** |
*Percentages approximate; "Partial" indicates control exists but lacks full documentation, testing, or operating evidence.* *Counts match [Statement of Applicability §7.1](./STATEMENT_OF_APPLICABILITY.md#71-by-theme). "Partial" indicates the control exists but lacks full documentation, testing, or operating evidence.*
### A.5 — Top Organizational Gaps ### A.5 — Top Organizational Gaps
@@ -210,7 +210,9 @@ Full control-level detail: [Statement of Applicability](./STATEMENT_OF_APPLICABI
### A.7 — Physical Controls ### A.7 — Physical Controls
All 14 controls marked **N/A** — infrastructure hosted in cloud/data center; physical security transferred to cloud provider per shared responsibility model. Provider compliance evidence required (A.5.23). **11 N/A** — cloud-hosted infrastructure; physical security transferred to cloud provider per shared responsibility model (A.7.1A.7.6, A.7.8, A.7.10A.7.13). Provider compliance evidence required (A.5.23).
**3 Partial** — A.7.7, A.7.9, A.7.14 remain applicable for personnel devices accessing TM systems (screen lock, off-premises asset security, equipment disposal).
### A.8 — Top Technological Gaps ### A.8 — Top Technological Gaps
@@ -224,18 +226,16 @@ All 14 controls marked **N/A** — infrastructure hosted in cloud/data center; p
| A.8.29 | Security testing | Not Implemented | High | | A.8.29 | Security testing | Not Implemented | High |
| A.8.12 | Data leakage prevention | Not Implemented | Medium | | A.8.12 | Data leakage prevention | Not Implemented | Medium |
### A.8 — Implemented Technical Controls (Evidence) ### A.8 — Fully Implemented Technical Controls (Status = Yes)
| Control | Implementation | | Control | Implementation |
|---------|----------------| |---------|----------------|
| A.8.3 | RBAC + company-scoped middleware (`pkg/authorization`) | | A.8.3 | RBAC + company-scoped middleware (`pkg/authorization`) |
| A.8.5 | JWT auth, bcrypt passwords, hCaptcha | | A.8.4 | Git-based source control with PR workflow |
| A.8.9 | Env-based config with OS override (`pkg/config`) |
| A.8.15 | Structured logging + `pkg/audit` | | A.8.15 | Structured logging + `pkg/audit` |
| A.8.26 | Govalidator, XSS policy, Swagger | | A.8.26 | Govalidator, XSS policy, Swagger |
| A.8.28 | Secure coding standards (`.cursorrules`, code review) |
| A.8.6 | Rate limit configuration | Additional controls (e.g. A.8.5 authentication, A.8.9 configuration, A.8.28 secure coding) are **Partial** in the SoA — implemented in code but lacking full operating evidence or completeness (MFA, vault, SAST).
| A.8.4 | Git-based source control with PR workflow |
--- ---
@@ -272,6 +272,7 @@ The TM platform has a **solid technical security foundation** but lacks the **op
| Version | Date | Author | Changes | | Version | Date | Author | Changes |
|---------|------|--------|---------| |---------|------|--------|---------|
| 1.0 | 2026-06-11 | Engineering | Initial gap analysis | | 1.0 | 2026-06-11 | Engineering | Initial gap analysis |
| 1.1 | 2026-06-11 | Engineering | Annex A theme table and executive summary aligned with SoA §7 |
**Review** **Review**
+14 -11
View File
@@ -79,8 +79,8 @@ Foundation Gap & Implement Operate Pre-Audit Certification
### 4.2 Deliverables ### 4.2 Deliverables
| # | Deliverable | ISO 27001 Reference | Owner | | # | Deliverable | ISO 27001 Reference | Owner | Status |
|---|-------------|---------------------|-------| |---|-------------|---------------------|-------|--------|
| 1.1 | Gap analysis report | Clauses 410 | ISO | ✅ Draft | | 1.1 | Gap analysis report | Clauses 410 | ISO | ✅ Draft |
| 1.2 | Statement of Applicability (SoA) | Annex A | ISO | ✅ Draft | | 1.2 | Statement of Applicability (SoA) | Annex A | ISO | ✅ Draft |
| 1.3 | Information Security Policy | A.5.1 | Executive Sponsor | ✅ Draft | | 1.3 | Information Security Policy | A.5.1 | Executive Sponsor | ✅ Draft |
@@ -97,21 +97,24 @@ Based on codebase review and [Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.m
| Annex A Theme | Current Maturity | Gap Priority | | Annex A Theme | Current Maturity | Gap Priority |
|---------------|------------------|--------------| |---------------|------------------|--------------|
| A.5 Organizational controls | Partial (informal) | High | | A.5 Organizational controls | 2 Yes / 25 Partial / 10 No (of 37) | High |
| A.6 People controls | Minimal | High | | A.6 People controls | 0 Yes / 6 Partial / 2 No (of 8) | High |
| A.7 Physical controls | N/A (cloud) | Transfer to cloud provider | | A.7 Physical controls | 11 N/A (cloud); 3 Partial (personnel devices) | Transfer to cloud provider |
| A.8 Technological controls | Moderate (in-app) | Medium | | A.8 Technological controls | 4 Yes / 22 Partial / 7 No / 1 N/A (of 34) | Medium |
**Controls with existing technical implementation:** *Per-theme counts: [SoA §7.1](./STATEMENT_OF_APPLICABILITY.md#71-by-theme).*
**Controls with Status = Yes in SoA (fully evidenced):**
| Control | Evidence in Codebase | | Control | Evidence in Codebase |
|---------|---------------------| |---------|---------------------|
| A.8.5 Secure authentication | `pkg/authorization`, bcrypt passwords | | A.5.9, A.5.12 | Asset inventory; information classification |
| A.8.3 Access restriction | RBAC + company-scoped middleware | | A.8.3 Access restriction | RBAC + company-scoped middleware |
| A.8.26 Application security requirements | Govalidator, XSS policy, Swagger | | A.8.4 Access to source code | Git repo with PR review |
| A.8.15 Logging | Structured service logging, `pkg/audit` | | A.8.15 Logging | Structured service logging, `pkg/audit` |
| A.8.9 Configuration management | `pkg/config` env priority | | A.8.26 Application security requirements | Govalidator, XSS policy, Swagger |
| A.8.6 Capacity / rate limiting | `RateLimitConfig` |
**Additional partial in-app controls** (e.g. A.8.5 authentication, A.8.9 configuration, A.8.6 rate limiting) are implemented in code but not yet fully evidenced in the SoA.
**Priority gaps to close in Phase 2:** **Priority gaps to close in Phase 2:**
+32 -13
View File
@@ -153,7 +153,7 @@ This document satisfies ISO/IEC 27001:2022 Clause 6.1.3(d) and is a mandatory in
| A.8.27 | Secure system architecture and engineering principles | Yes | Partial | Clean Architecture, DI, no global state | — | | A.8.27 | Secure system architecture and engineering principles | Yes | Partial | Clean Architecture, DI, no global state | — |
| A.8.28 | Secure coding | Yes | Partial | Coding standards documented; no SAST | R-009, R-010 | | A.8.28 | Secure coding | Yes | Partial | Coding standards documented; no SAST | R-009, R-010 |
| A.8.29 | Security testing in development and acceptance | Yes | No | Unit tests exist; no security test suite or DAST | R-009 | | A.8.29 | Security testing in development and acceptance | Yes | No | Unit tests exist; no security test suite or DAST | R-009 |
| A.8.30 | Outsourced development | Yes | N/A | No outsourced development of TM backend | — | | A.8.30 | Outsourced development | N/A | N/A | All TM backend development is in-house; no outsourced development of scoped applications | — |
| A.8.31 | Separation of development, test and production environments | Yes | Partial | Separate env configs; staging data may contain real data | — | | A.8.31 | Separation of development, test and production environments | Yes | Partial | Separate env configs; staging data may contain real data | — |
| A.8.32 | Change management | Yes | Partial | Git PR workflow; no formal change procedure | R-022 | | A.8.32 | Change management | Yes | Partial | Git PR workflow; no formal change procedure | R-022 |
| A.8.33 | Test information | Yes | Partial | Staging should use anonymized data; not enforced | — | | A.8.33 | Test information | Yes | Partial | Staging should use anonymized data; not enforced | — |
@@ -163,21 +163,39 @@ This document satisfies ISO/IEC 27001:2022 Clause 6.1.3(d) and is a mandatory in
## 7. Summary Statistics ## 7. Summary Statistics
| Category | Count | Counts derived from the control rows in §3–§6 (authoritative source for cross-document reporting).
|----------|-------|
| Total Annex A controls | 93 |
| Applicable | 77 |
| Not applicable (N/A) | 16 |
| **Implemented (Yes)** | 21 |
| **Partial** | 42 |
| **Not implemented (No)** | 14 |
### Applicable Controls by Status ### 7.1 By Theme
| Theme | Total | Implemented (Yes) | Partial | Not impl. (No) | N/A |
|-------|-------|-------------------|---------|----------------|-----|
| **A.5** Organizational | 37 | 2 | 25 | 10 | 0 |
| **A.6** People | 8 | 0 | 6 | 2 | 0 |
| **A.7** Physical | 14 | 0 | 3 | 0 | 11 |
| **A.8** Technological | 34 | 4 | 22 | 7 | 1 |
| **Total** | **93** | **6** | **56** | **19** | **12** |
### 7.2 Overall
| Category | Count | % of all 93 |
|----------|-------|-------------|
| Total Annex A controls | 93 | 100% |
| Not applicable (N/A) | 12 | 13% |
| **Applicable** | **81** | **87%** |
| Implemented (Yes) | 6 | 6% |
| Partial | 56 | 60% |
| Not implemented (No) | 19 | 20% |
*Applicable = Total N/A. Yes/Partial/No counts apply only to applicable controls (6 + 56 + 19 = 81).*
### 7.3 Applicable Controls by Status
Percentages below are of **81 applicable** controls (excluding 12 N/A).
``` ```
Implemented ████████░░░░░░░░░░░░░░ 27% Implemented ██░░░░░░░░░░░░░░░░░░░ 7% (6/81)
Partial █████████████████░░░░░ 55% Partial █████████████████░░░░░ 69% (56/81)
Not impl. █████░░░░░░░░░░░░░░░░░ 18% Not impl. █████░░░░░░░░░░░░░░░░░ 23% (19/81)
``` ```
--- ---
@@ -214,6 +232,7 @@ Not impl. █████░░░░░░░░░░░░░░░░░
| Version | Date | Author | Changes | | Version | Date | Author | Changes |
|---------|------|--------|---------| |---------|------|--------|---------|
| 1.0 | 2026-06-11 | Engineering | Initial SoA for 93 Annex A controls | | 1.0 | 2026-06-11 | Engineering | Initial SoA for 93 Annex A controls |
| 1.1 | 2026-06-11 | Engineering | Reconciled summary counts with control rows; fixed A.8.30 applicability |
**Approval** **Approval**