# Statement of Applicability (SoA) — Tender Management System | Field | Value | |-------|-------| | **Document ID** | ISMS-005 | | **Version** | 1.0 | | **Status** | Draft — Pending approval | | **Owner** | Information Security Officer (ISO) | | **Last Updated** | 2026-06-11 | | **Standard** | ISO/IEC 27001:2022 Annex A | | **Scope** | [ISMS Foundation §3](./ISMS_FOUNDATION.md#3-isms-scope) | Related: [Gap Analysis Report](./GAP_ANALYSIS_REPORT.md) | [Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.md) --- ## 1. Purpose The Statement of Applicability (SoA) documents: - Which Annex A controls are **applicable** to the TM ISMS - Whether each control is **implemented**, **partially implemented**, or **not implemented** - Justification for exclusions - Reference to implementation evidence or planned remediation This document satisfies ISO/IEC 27001:2022 Clause 6.1.3(d) and is a mandatory input for certification audits. --- ## 2. Status Legend | Status | Meaning | |--------|---------| | **Yes** | Applicable and implemented with evidence | | **Partial** | Applicable; control exists but incomplete or not fully evidenced | | **No** | Applicable but not yet implemented | | **N/A** | Not applicable to scope (justification required) | --- ## 3. A.5 — Organizational Controls | ID | Control | Applicable | Status | Implementation / Justification | Risk Ref | |----|---------|------------|--------|----------------------------------|----------| | A.5.1 | Policies for information security | Yes | Partial | [Information Security Policy](./policies/information-security-policy.md) draft; pending approval | — | | A.5.2 | Information security roles and responsibilities | Yes | Partial | [ISMS Foundation §5](./ISMS_FOUNDATION.md#5-roles-and-responsibilities); named assignments pending | — | | A.5.3 | Segregation of duties | Yes | Partial | Dev vs DevOps separation informal; no single prod DB write without break-glass | R-020 | | A.5.4 | Management responsibilities | Yes | Partial | Roadmap and objectives defined; management review not yet held | — | | A.5.5 | Contact with authorities | Yes | No | No documented contacts with regulators/law enforcement | R-023 | | A.5.6 | Contact with special interest groups | Yes | No | No ISAC or security forum membership | — | | A.5.7 | Threat intelligence | Yes | No | No formal threat intel feed or process | — | | A.5.8 | Information security in project management | Yes | Partial | Major change checklist in risk procedure; informal for small changes | — | | A.5.9 | Inventory of information and other associated assets | Yes | Yes | [ISMS Foundation §4](./ISMS_FOUNDATION.md#4-information-asset-inventory) — 20 assets | — | | A.5.10 | Acceptable use of information and other associated assets | Yes | Partial | [Acceptable Use Policy](./policies/acceptable-use-policy.md) draft | — | | A.5.11 | Return of assets | Yes | No | No formal offboarding asset return checklist | R-004 | | A.5.12 | Classification of information | Yes | Yes | C1–C4 classification in ISMS Foundation | — | | A.5.13 | Labelling of information | Yes | No | Classification defined but no labelling in apps/repos | — | | A.5.14 | Information transfer | Yes | Partial | HTTPS for APIs; email via notification service; no DLP | R-017 | | A.5.15 | Access control | Yes | Partial | [Access Control Policy](./policies/access-control-policy.md); JWT + RBAC | R-003 | | A.5.16 | Identity management | Yes | Partial | Unique accounts; provisioning/deprovisioning procedure in policy | R-004 | | A.5.17 | Authentication information | Yes | Partial | bcrypt passwords; secrets in env; MFA planned | R-001, R-013 | | A.5.18 | Access rights | Yes | Partial | Quarterly review defined; not yet executed | R-004 | | A.5.19 | Information security in supplier relationships | Yes | No | No vendor security assessments | R-017, R-018 | | A.5.20 | Addressing information security within supplier agreements | Yes | No | Contracts lack security clauses review | R-017 | | A.5.21 | Managing information security in the ICT supply chain | Yes | Partial | Go modules pinned; no formal supply chain policy | R-010 | | A.5.22 | Monitoring, review and change management of supplier services | Yes | No | No annual vendor review process | R-018 | | A.5.23 | Information security for use of cloud services | Yes | Partial | Cloud-hosted MongoDB/Redis/MinIO; provider evidence not collected | R-014 | | A.5.24 | Information security incident management planning and preparation | Yes | Partial | [Incident Response Plan](./policies/incident-response-plan.md) draft | R-023 | | A.5.25 | Assessment and decision on information security events | Yes | Partial | Severity classification in IR plan; not yet tested | R-023 | | A.5.26 | Response to information security incidents | Yes | Partial | Playbooks defined; IRT contacts not finalized | R-023 | | A.5.27 | Learning from information security incidents | Yes | Partial | Post-incident review required in IR plan; no incidents recorded yet | — | | A.5.28 | Collection of evidence | Yes | Partial | Evidence handling in IR plan; chain of custody untested | — | | A.5.29 | Information security during disruption | Yes | Partial | RTO/RPO in backup policy; no full BCP document | R-014 | | A.5.30 | ICT readiness for business continuity | Yes | Partial | Backup policy; DR test not yet performed | R-014 | | A.5.31 | Legal, statutory, regulatory and contractual requirements | Yes | Partial | GDPR referenced; no requirements register | R-007 | | A.5.32 | Intellectual property rights | Yes | Partial | Open-source licenses in go.mod; no IP policy | — | | A.5.33 | Protection of records | Yes | Partial | Audit logs; retention periods not fully defined | — | | A.5.34 | Privacy and protection of PII | Yes | Partial | PII inventory; DSR process not implemented | R-007 | | A.5.35 | Independent review of information security | Yes | No | No internal audit or external review yet | — | | A.5.36 | Compliance with policies, rules and standards | Yes | No | No compliance checks or audit program | — | | A.5.37 | Documented operating procedures | Yes | Partial | ISMS procedures started; ops runbooks incomplete | — | --- ## 4. A.6 — People Controls | ID | Control | Applicable | Status | Implementation / Justification | Risk Ref | |----|---------|------------|--------|----------------------------------|----------| | A.6.1 | Screening | Yes | No | No background check policy documented | R-021 | | A.6.2 | Terms and conditions of employment | Yes | Partial | Acceptable Use Policy; HR terms not linked | — | | A.6.3 | Information security awareness, education and training | Yes | No | No training program or records | R-021 | | A.6.4 | Disciplinary process | Yes | Partial | Referenced in AUP; HR process not documented | — | | A.6.5 | Responsibilities after termination or change of employment | Yes | Partial | Deprovisioning in Access Control Policy (24 h) | R-004 | | A.6.6 | Confidentiality or non-disclosure agreements | Yes | Partial | Assumed for contractors; no central register | — | | A.6.7 | Remote working | Yes | Partial | VPN/bastion requirement in Access Control Policy | — | | A.6.8 | Information security event reporting | Yes | Partial | Reporting channels in IR plan; not communicated to staff | R-023 | --- ## 5. A.7 — Physical Controls | ID | Control | Applicable | Status | Implementation / Justification | Risk Ref | |----|---------|------------|--------|----------------------------------|----------| | A.7.1 | Physical security perimeters | N/A | N/A | Cloud provider responsibility (A.5.23) | — | | A.7.2 | Physical entry | N/A | N/A | Cloud provider responsibility | — | | A.7.3 | Securing offices, rooms and facilities | N/A | N/A | No on-premise TM infrastructure | — | | A.7.4 | Physical security monitoring | N/A | N/A | Cloud provider responsibility | — | | A.7.5 | Protecting against physical and environmental threats | N/A | N/A | Cloud provider responsibility | — | | A.7.6 | Working in secure areas | N/A | N/A | No secure areas for TM systems | — | | A.7.7 | Clear desk and clear screen | Yes | Partial | AUP references screen lock; not enforced | — | | A.7.8 | Equipment siting and protection | N/A | N/A | Cloud-hosted servers | — | | A.7.9 | Security of assets off-premises | Yes | Partial | AUP device encryption requirement for prod access | — | | A.7.10 | Storage media | N/A | N/A | No removable media for TM data stores | — | | A.7.11 | Supporting utilities | N/A | N/A | Cloud provider responsibility | — | | A.7.12 | Cabling security | N/A | N/A | Cloud provider responsibility | — | | A.7.13 | Equipment maintenance | N/A | N/A | Cloud provider responsibility | — | | A.7.14 | Secure disposal or re-use of equipment | Yes | Partial | AUP prohibits local PII storage; no disposal procedure | — | *Note: A.7.7, A.7.9, A.7.14 remain applicable for personnel devices accessing TM systems.* --- ## 6. A.8 — Technological Controls | ID | Control | Applicable | Status | Implementation / Justification | Risk Ref | |----|---------|------------|--------|----------------------------------|----------| | A.8.1 | User endpoint devices | Yes | Partial | AUP device requirements; no MDM | — | | A.8.2 | Privileged access rights | Yes | Partial | Break-glass procedure; no PAM tool | R-020 | | A.8.3 | Information access restriction | Yes | Yes | RBAC + company-scoped middleware (`pkg/authorization`) | R-003 | | A.8.4 | Access to source code | Yes | Yes | Git repo with PR review; branch protection (assumed) | — | | A.8.5 | Secure authentication | Yes | Partial | JWT, bcrypt, hCaptcha; MFA not yet enabled | R-001, R-002 | | A.8.6 | Capacity management | Yes | Partial | Rate limit config; no capacity monitoring | R-012 | | A.8.7 | Protection against malware | Yes | No | No malware scanning on uploads or endpoints | R-011 | | A.8.8 | Management of technical vulnerabilities | Yes | No | No govulncheck/SAST in CI | R-010 | | A.8.9 | Configuration management | Yes | Partial | `pkg/config` env priority; secrets in flat env files | R-013 | | A.8.10 | Information deletion | Yes | Partial | Domain delete operations; no retention/deletion policy | R-007 | | A.8.11 | Data masking | Yes | No | Passwords excluded from API responses; no masking elsewhere | — | | A.8.12 | Data leakage prevention | Yes | No | No DLP tooling | R-008 | | A.8.13 | Information backup | Yes | Partial | [Backup & Recovery Policy](./policies/backup-and-recovery-policy.md); tests not yet run | R-006, R-014 | | A.8.14 | Redundancy of information processing facilities | Yes | Partial | Depends on cloud provider HA; not documented | R-014 | | A.8.15 | Logging | Yes | Yes | Structured service logging; `pkg/audit` for security events | R-008, R-015 | | A.8.16 | Monitoring activities | Yes | Partial | Application logs only; no SIEM or alerting | R-015 | | A.8.17 | Clock synchronization | Yes | Partial | NTP assumed on cloud hosts; not verified | — | | A.8.18 | Use of privileged utility programs | Yes | Partial | DB admin tools restricted; no formal policy | R-020 | | A.8.19 | Installation of software on operational systems | Yes | Partial | Container/deploy pipeline; no formal whitelist | R-016 | | A.8.20 | Networks security | Yes | Partial | HTTPS in prod; DB not public; no documented network diagram | — | | A.8.21 | Security of network services | Yes | Partial | TLS to external APIs; no network service inventory | — | | A.8.22 | Segregation of networks | Yes | Partial | Dev/staging/prod separated; informal | — | | A.8.23 | Web filtering | Yes | No | No web filtering for staff endpoints | — | | A.8.24 | Use of cryptography | Yes | Partial | TLS in transit; at-rest encryption TBD | R-005 | | A.8.25 | Secure development life cycle | Yes | Partial | `.cursorrules`, code review, Clean Architecture | — | | A.8.26 | Application security requirements | Yes | Yes | Govalidator, XSS policy, Swagger, response standards | R-009 | | A.8.27 | Secure system architecture and engineering principles | Yes | Partial | Clean Architecture, DI, no global state | — | | A.8.28 | Secure coding | Yes | Partial | Coding standards documented; no SAST | R-009, R-010 | | A.8.29 | Security testing in development and acceptance | Yes | No | Unit tests exist; no security test suite or DAST | R-009 | | A.8.30 | Outsourced development | Yes | N/A | No outsourced development of TM backend | — | | A.8.31 | Separation of development, test and production environments | Yes | Partial | Separate env configs; staging data may contain real data | — | | A.8.32 | Change management | Yes | Partial | Git PR workflow; no formal change procedure | R-022 | | A.8.33 | Test information | Yes | Partial | Staging should use anonymized data; not enforced | — | | A.8.34 | Protection of information systems during audit testing | Yes | No | No audit testing procedure | — | --- ## 7. Summary Statistics | Category | Count | |----------|-------| | Total Annex A controls | 93 | | Applicable | 77 | | Not applicable (N/A) | 16 | | **Implemented (Yes)** | 21 | | **Partial** | 42 | | **Not implemented (No)** | 14 | ### Applicable Controls by Status ``` Implemented ████████░░░░░░░░░░░░░░ 27% Partial █████████████████░░░░░ 55% Not impl. █████░░░░░░░░░░░░░░░░░ 18% ``` --- ## 8. Priority Remediation (Applicable "No" and Critical "Partial") | Priority | Control(s) | Action | Target | Owner | |----------|------------|--------|--------|-------| | P0 | A.8.8 | Add govulncheck + dependency scanning to CI | Q2 2026 | Engineering | | P0 | A.8.16 | Deploy centralized logging and alerting | Q3 2026 | DevOps | | P0 | A.5.35, A.5.36 | Establish internal audit program | Q1 2027 | ISO | | P1 | A.6.3 | Launch security awareness training | Q3 2026 | ISO | | P1 | A.5.19–A.5.22 | Vendor security assessments | Q4 2026 | ISO | | P1 | A.8.24 | Enable encryption at rest | Q3 2026 | DevOps | | P1 | A.8.5 | Enable MFA for admin users | Q3 2026 | Engineering | | P1 | A.8.29 | Add security testing to CI/CD | Q3 2026 | Engineering | | P2 | A.5.5 | Document authority contacts (GDPR DPA) | Q3 2026 | DPO | | P2 | A.8.7 | Malware scan on file uploads | Q4 2026 | Engineering | | P2 | A.8.12 | Evaluate DLP for log pipeline | Q4 2026 | DevOps | --- ## 9. Exclusion Justifications | Control(s) | Justification | |------------|---------------| | A.7.1–A.7.6, A.7.8, A.7.10–A.7.13 | TM infrastructure is fully cloud-hosted; physical controls are the responsibility of the cloud/IaaS provider per shared responsibility model. Evidence collected via A.5.23. | | A.8.30 | All TM backend development is in-house; no outsourced development of scoped applications. | --- ## 10. Document Control | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | 2026-06-11 | Engineering | Initial SoA for 93 Annex A controls | **Approval** | Role | Name | Signature | Date | |------|------|-----------|------| | ISO | _Pending_ | | | | Executive Sponsor | _Pending_ | | | **Next review:** Quarterly or upon significant scope/control change --- ## 11. Cross-Reference Index | Document | Purpose | |----------|---------| | [GAP_ANALYSIS_REPORT.md](./GAP_ANALYSIS_REPORT.md) | Clause-level gap detail | | [RISK_ASSESSMENT_MATRIX.md](./RISK_ASSESSMENT_MATRIX.md) | Risk IDs linked in SoA | | [ISO27001_ROADMAP.md](./ISO27001_ROADMAP.md) | Remediation timeline | | [policies/](./policies/) | Policy evidence for A.5.x controls |