# ISO/IEC 27001 Certification Roadmap — Tender Management System | Field | Value | |-------|-------| | **Document ID** | ISMS-003 | | **Version** | 1.0 | | **Status** | Active roadmap | | **Owner** | Information Security Officer (ISO) | | **Last Updated** | 2026-06-11 | | **Target Certification** | ISO/IEC 27001:2022 | Related: [ISMS Foundation](./ISMS_FOUNDATION.md) | [Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.md) --- ## 1. Executive Summary This roadmap defines a phased path from the current informal security practices to a certifiable ISMS for the Tender Management backend platform. The plan spans approximately **12–18 months** from foundation to Stage 2 certification audit, assuming dedicated part-time security ownership (0.25–0.5 FTE). ### Current State - Strong technical controls in application layer (JWT, RBAC, validation, XSS, audit logging) - No formal ISMS documentation, policies, or certified processes - Risk assessment and asset inventory now documented (initial versions) ### Target State - Documented and operating ISMS aligned with ISO/IEC 27001:2022 - Risk treatment plans executed for High and Critical risks - Internal audit program and management review cycle established - Successful Stage 1 and Stage 2 certification audits --- ## 2. Certification Timeline Overview ``` Phase 0 ──► Phase 1 ──► Phase 2 ──► Phase 3 ──► Phase 4 ──► Phase 5 Foundation Gap & Implement Operate Pre-Audit Certification (Complete) Policies Controls ISMS Readiness Audit │ │ │ │ │ │ Jun 2026 Jul-Aug Sep-Nov Dec-Mar Apr-Jun Jul-Sep 2027 ``` | Phase | Name | Duration | Key Deliverable | |-------|------|----------|-----------------| | **0** | Foundation | 2 weeks | ISMS scope, asset inventory, risk matrix *(this release)* | | **1** | Gap Analysis & Policies | 6–8 weeks | Policy suite, SoA draft, gap report | | **2** | Control Implementation | 10–12 weeks | Technical and procedural controls | | **3** | ISMS Operation | 12+ weeks | Internal audits, KPIs, management review | | **4** | Pre-Audit Readiness | 4–6 weeks | Mock audit, evidence pack, corrective actions | | **5** | Certification Audit | 4–8 weeks | Stage 1 + Stage 2 with accredited CB | --- ## 3. Phase 0 — Foundation (Complete) **Status:** ✅ Complete as of 2026-06-11 | Task | Deliverable | Status | |------|-------------|--------| | Define ISMS scope | [ISMS_FOUNDATION.md §3](./ISMS_FOUNDATION.md#3-isms-scope) | ✅ | | Create asset inventory | [ISMS_FOUNDATION.md §4](./ISMS_FOUNDATION.md#4-information-asset-inventory) | ✅ | | Initial risk assessment | [RISK_ASSESSMENT_MATRIX.md](./RISK_ASSESSMENT_MATRIX.md) | ✅ | | Assign interim ISO role | Pending management approval | ⬜ | | Executive briefing on ISMS scope | Presentation / sign-off | ⬜ | --- ## 4. Phase 1 — Gap Analysis & Policy Framework **Target:** Jul–Aug 2026 (6–8 weeks) ### 4.1 Objectives - Map existing controls to ISO 27001:2022 Annex A - Identify gaps and produce Statement of Applicability (SoA) - Publish core ISMS policies ### 4.2 Deliverables | # | Deliverable | ISO 27001 Reference | Owner | Status | |---|-------------|---------------------|-------|--------| | 1.1 | Gap analysis report | Clauses 4–10 | ISO | ✅ Draft | | 1.2 | Statement of Applicability (SoA) | Annex A | ISO | ✅ Draft | | 1.3 | Information Security Policy | A.5.1 | Executive Sponsor | ✅ Draft | | 1.4 | Access Control Policy | A.5.15–A.5.18 | ISO | ✅ Draft | | 1.5 | Incident Response Plan | A.5.24–A.5.28 | ISO | ✅ Draft | | 1.6 | Backup & Recovery Policy | A.8.13 | DevOps | ✅ Draft | | 1.7 | Acceptable Use Policy | A.6.2 | HR / ISO | ✅ Draft | | 1.8 | Risk Assessment Procedure | Clause 6.1.2 | ISO | ✅ Draft | | 1.9 | ISMS scope approval (signed) | Clause 4.3 | Executive Sponsor | ✅ Draft — pending signature | ### 4.3 Annex A Gap Snapshot (Initial) Based on codebase review and [Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.md): | Annex A Theme | Current Maturity | Gap Priority | |---------------|------------------|--------------| | A.5 Organizational controls | 2 Yes / 25 Partial / 10 No (of 37) | High | | A.6 People controls | 0 Yes / 6 Partial / 2 No (of 8) | High | | A.7 Physical controls | 11 N/A (cloud); 3 Partial (personnel devices) | Transfer to cloud provider | | A.8 Technological controls | 4 Yes / 22 Partial / 7 No / 1 N/A (of 34) | Medium | *Per-theme counts: [SoA §7.1](./STATEMENT_OF_APPLICABILITY.md#71-by-theme).* **Controls with Status = Yes in SoA (fully evidenced):** | Control | Evidence in Codebase | |---------|---------------------| | A.5.9, A.5.12 | Asset inventory; information classification | | A.8.3 Access restriction | RBAC + company-scoped middleware | | A.8.4 Access to source code | Git repo with PR review | | A.8.15 Logging | Structured service logging, `pkg/audit` | | A.8.26 Application security requirements | Govalidator, XSS policy, Swagger | **Additional partial in-app controls** (e.g. A.8.5 authentication, A.8.9 configuration, A.8.6 rate limiting) are implemented in code but not yet fully evidenced in the SoA. **Priority gaps to close in Phase 2:** | Control | Gap | Planned Action | |---------|-----|----------------| | A.8.24 Cryptography | No documented crypto policy; at-rest encryption TBD | Encryption policy; MongoDB/MinIO at-rest | | A.8.8 Vulnerability management | No formal scanning | CI: govulncheck, SAST, container scan | | A.8.16 Monitoring | Logs only, no SIEM | Centralized logging + alerts | | A.5.19–A.5.23 Supplier relationships | No vendor assessments | Vendor questionnaire for AI, notification | | A.5.29–A.5.30 Business continuity | No DR plan | BCP/DRP with RTO/RPO | | A.6.3 Security awareness | No training program | Annual training + onboarding module | --- ## 5. Phase 2 — Control Implementation **Target:** Sep–Nov 2026 (10–12 weeks) ### 5.1 Technical Controls | Priority | Control | Tasks | Risk IDs | Owner | |----------|---------|-------|----------|-------| | P0 | Secrets management | Migrate to vault; remove FCM keys from repo; rotate credentials | R-013 | DevOps | | P0 | Auth hardening | Rate limit all auth endpoints; MFA for admin users | R-001, R-021 | Engineering | | P0 | Vulnerability scanning | govulncheck + Dependabot in CI; monthly review | R-010 | Engineering | | P1 | Encryption at rest | Enable MongoDB and MinIO encryption | R-005, R-006 | DevOps | | P1 | Monitoring & alerting | Centralize logs; alert on auth failures, 5xx spikes | R-015 | DevOps | | P1 | RBAC audit | Automated tests for all admin route authorization | R-003 | Engineering | | P2 | WAF / CDN | DDoS protection for public API | R-012 | DevOps | | P2 | File upload security | MIME validation, size limits, malware scan | R-011 | Engineering | | P2 | Refresh token rotation | Complete token rotation implementation | R-002 | Engineering | ### 5.2 Procedural Controls | Priority | Control | Tasks | Owner | |----------|---------|-------|-------| | P0 | Incident response | IR plan, on-call rotation, tabletop exercise | ISO | | P0 | Change management | PR approval rules, prod deployment checklist | Engineering | | P1 | Access reviews | Quarterly review of admin and infra access | ISO | | P1 | Backup verification | Monthly restore test; documented RTO/RPO | DevOps | | P1 | Vendor management | Security questionnaires for AI, notification, cloud | ISO | | P2 | DSR process | GDPR data subject request workflow | DPO | --- ## 6. Phase 3 — ISMS Operation **Target:** Dec 2026 – Mar 2027 (minimum 3 months operation required) ### 6.1 Operating Activities | Activity | Frequency | Owner | ISO 27001 Reference | |----------|-----------|-------|---------------------| | Risk register review | Quarterly | ISO | 6.1.2 | | Internal audit | Semi-annual | Internal auditor | 9.2 | | Management review | Quarterly | Executive Sponsor | 9.3 | | Vulnerability scan review | Monthly | Engineering | A.8.8 | | Access review | Quarterly | ISO | A.5.18 | | Backup restore test | Monthly | DevOps | A.8.13 | | Security awareness training | Annual + onboarding | ISO | A.6.3 | | Supplier review | Annual | ISO | A.5.19 | | KPI reporting | Monthly | ISO | 9.1 | ### 6.2 Key Performance Indicators (KPIs) | KPI | Target | Measurement | |-----|--------|-------------| | Critical/High open risks | 0 Critical; ≤3 High | Risk register | | Mean time to patch (Critical CVE) | ≤ 7 days | Vulnerability tracker | | Failed login rate | Baseline + alert threshold | SIEM | | Backup restore success | 100% monthly test | DevOps report | | Security training completion | 100% staff | HR records | | Incident response time (P1) | ≤ 1 hour acknowledgment | IR log | --- ## 7. Phase 4 — Pre-Audit Readiness **Target:** Apr–Jun 2027 (4–6 weeks) | Task | Description | |------|-------------| | Select certification body (CB) | Accredited ISO 27001 registrar | | Mock Stage 1 audit | Documentation review against Clauses 4–10 | | Evidence pack assembly | Policies, risk register, audit reports, training records, change logs | | Corrective actions | Close all findings from mock audit | | Employee interviews prep | Staff briefed on ISMS policies and their roles | | SoA finalization | All Annex A controls marked with implementation status | ### 7.1 Evidence Checklist - [ ] Signed Information Security Policy - [ ] Approved ISMS scope document - [ ] Risk assessment and treatment plan (current version) - [ ] Statement of Applicability - [ ] Internal audit reports (≥1 cycle) - [ ] Management review minutes (≥1 cycle) - [ ] Incident response plan and test record - [ ] Access review records - [ ] Vulnerability scan reports - [ ] Backup/restore test records - [ ] Training completion records - [ ] Vendor assessment records - [ ] Change management records (sample) --- ## 8. Phase 5 — Certification Audit **Target:** Jul–Sep 2027 ### 8.1 Stage 1 — Documentation Review - CB reviews ISMS documentation for conformity with ISO 27001:2022 - Scope, SoA, risk assessment, and policy completeness verified - Findings documented; corrective actions before Stage 2 ### 8.2 Stage 2 — Implementation Audit - CB verifies controls are implemented and operating effectively - Interviews with key personnel - Sampling of evidence (logs, tickets, access records) - Nonconformities classified as Minor or Major ### 8.3 Post-Certification - Surveillance audits annually - Full recertification every 3 years - Continuous improvement via PDCA cycle --- ## 9. Resource Estimate | Role | Effort | Phase(s) | |------|--------|----------| | ISO (part-time) | 0.25–0.5 FTE ongoing | All | | Engineering Lead | 0.1 FTE | 2, 3 | | DevOps Lead | 0.15 FTE | 2, 3 | | DPO (part-time) | 0.05 FTE | 1, 2 | | External consultant (optional) | 5–10 days | 1, 4 | | Certification body | Fixed fee | 5 | | Security tooling (SIEM, scanning) | Budget item | 2 | **Estimated total cost range:** €15,000–€40,000 (highly dependent on org size, tooling, and consultant use) --- ## 10. PDCA Cycle Integration ``` ┌─────────────┐ │ PLAN │ Scope, risk assessment, policies, SoA └──────┬──────┘ ▼ ┌─────────────┐ │ DO │ Implement controls, training, procedures └──────┬──────┘ ▼ ┌─────────────┐ │ CHECK │ Internal audit, KPIs, management review └──────┬──────┘ ▼ ┌─────────────┐ │ ACT │ Corrective actions, risk updates, improve └──────┬──────┘ └──────────► (back to PLAN) ``` --- ## 11. Milestones & Decision Gates | Milestone | Target Date | Gate Criteria | |-----------|-------------|---------------| | M0: Foundation approved | 2026-06-30 | Executive sign-off on scope and asset inventory | | M1: Policy suite published | 2026-08-31 | 5 core policies + risk procedure drafted; pending executive approval | | M2: Critical risks mitigated | 2026-11-30 | No Critical residual risks | | M3: ISMS operational | 2027-03-31 | 1 internal audit + 1 management review complete | | M4: Pre-audit passed | 2027-06-30 | Mock audit with no Major findings | | M5: ISO 27001 certified | 2027-09-30 | Stage 2 certificate issued | --- ## 12. Document Control | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | 2026-06-11 | Engineering | Initial certification roadmap | **Approval** | Role | Name | Signature | Date | |------|------|-----------|------| | ISO | _Pending_ | | | | Executive Sponsor | _Pending_ | | |