# ISMS Scope Approval | Field | Value | |-------|-------| | **Document ID** | ISMS-006 | | **Version** | 1.0 | | **Status** | Pending signature | | **Owner** | Executive Sponsor | | **Prepared By** | Information Security Officer (ISO) | | **Date Prepared** | 2026-06-11 | | **ISO 27001 Reference** | Clause 4.3 — Determining the scope of the information security management system | Related: [ISMS Foundation](./ISMS_FOUNDATION.md) | [Gap Analysis Report](./GAP_ANALYSIS_REPORT.md) --- ## 1. Purpose This document records formal management approval of the **Information Security Management System (ISMS) scope** for the Tender Management platform, as required by ISO/IEC 27001:2022 Clause 4.3. --- ## 2. Organization | Field | Value | |-------|-------| | **Organization** | _[Company legal name]_ | | **Product / Service** | Tender Management System (TM) | | **Repository** | `tm_back` (Go backend API) | | **Business Unit** | Engineering / Product | --- ## 3. Approved ISMS Scope ### 3.1 Scope Statement > The ISMS covers the design, development, deployment, and operation of the **Tender Management backend platform**, including all information assets processed, stored, or transmitted by the web API (`cmd/web`), background worker (`cmd/worker`), and TED scraper (`cmd/scraper`), together with supporting **MongoDB**, **Redis**, and **MinIO** infrastructure in development, staging, and production environments. ### 3.2 In Scope | Category | Items | |----------|-------| | **Applications** | `cmd/web`, `cmd/worker`, `cmd/scraper` | | **Domain services** | User, customer, company, tender, feedback, notification, inquiry, contact, CMS, kanban, dashboard, document scraper, tender approval | | **Shared packages** | Authorization (JWT), security (XSS/CSP), audit logging, file store, MinIO client, configuration | | **Data stores** | MongoDB (`tm` database), Redis, MinIO (`files`, `documents` buckets) | | **External integrations** | Notification service, hCaptcha, AI summarizer/translation, GoRules, TED data sources, FCM push | | **Environments** | Development, staging, production, CI/CD pipelines | | **Personnel** | Developers, DevOps, QA, product owners with access to TM infrastructure or production data | | **Locations** | Cloud-hosted infrastructure (provider TBD / per deployment); remote work for engineering staff | ### 3.3 Explicitly Out of Scope | Item | Rationale | Interface Control | |------|-----------|-----------------| | Mobile application codebase | Separate repository and release cycle | API contract (`/api/v1`); JWT authentication | | Admin panel frontend | Separate repository | API contract (`/admin/v1`); admin JWT + RBAC | | TED / EU publication infrastructure | Third-party public data source | XML ingestion validation in scraper | | Customer on-premise deployments | SaaS delivery model | N/A — revisit if product offering changes | | End-user devices (phones, laptops) | Covered by Acceptable Use Policy, not ISMS technical scope | AUP acknowledgment | | Physical data center facilities | Cloud shared responsibility model | Provider compliance evidence (A.5.23) | ### 3.4 Boundaries and Interfaces ``` ┌─────────────────────────────────────────────────────────────┐ │ APPROVED ISMS SCOPE │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ cmd/web │ │cmd/worker│ │cmd/scraper│ │ │ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ │ └─────────────┼─────────────┘ │ │ ▼ │ │ ┌─────────────────────────────┐ │ │ │ MongoDB │ Redis │ MinIO │ │ │ └─────────────────────────────┘ │ └──────────────┬──────────────────────────────────────────────┘ │ API boundaries (out of scope beyond interface) ┌──────────┼──────────┬─────────────┬──────────────┐ ▼ ▼ ▼ ▼ ▼ Mobile Admin Notification AI Service TED (public) App Panel Service XML feed (OOS) (OOS) (interface) (interface) (OOS) ``` **OOS** = Out of Scope (interface governed by contracts and vendor assessment) --- ## 4. Interested Parties (Summary) | Party | Interest | ISMS Response | |-------|----------|---------------| | Company customers | PII protection, service availability | Access control, encryption, backup | | EU data subjects | GDPR rights | DPO oversight, DSR process | | Engineering team | Secure development environment | Policies, training, tooling | | Executive management | Certification, risk management | This approval, management review | | Cloud / SaaS providers | Shared security responsibility | A.5.23 cloud controls | | Certification body | Conformity evidence | Audit program | --- ## 5. Applicable Requirements | Requirement | Applicability | |-------------|---------------| | ISO/IEC 27001:2022 | Full ISMS certification target | | GDPR (EU 2016/679) | Customer and company PII processing | | TED data terms of use | Public procurement data ingestion | | Customer contracts | Per agreement (security addenda as applicable) | --- ## 6. Asset Summary Reference Full inventory: [ISMS Foundation §4](./ISMS_FOUNDATION.md#4-information-asset-inventory) — **20 assets** registered (A-001 through A-020). Key data categories in scope: - Customer PII (C3) - Company business data (C3) - Authentication credentials (C4) - Tender/procurement data (C2) - Application logs and audit records (C2–C3) --- ## 7. Scope Change Process Changes to this scope require: 1. Written justification (new service, architecture change, new data type) 2. Risk assessment per [Risk Assessment Procedure](./procedures/risk-assessment-procedure.md) 3. Update to [ISMS Foundation](./ISMS_FOUNDATION.md), [SoA](./STATEMENT_OF_APPLICABILITY.md), and this document 4. Re-approval by Executive Sponsor 5. Notification to certification body if already certified --- ## 8. Approval By signing below, management confirms: 1. The scope defined in Section 3 accurately reflects the boundaries of the TM ISMS 2. Resources will be made available to implement and maintain the ISMS per [ISO27001_ROADMAP.md](./ISO27001_ROADMAP.md) 3. Information security objectives in the [Information Security Policy](./policies/information-security-policy.md) are endorsed 4. An Information Security Officer will be designated (named or interim) --- ### Signatures | Role | Name | Signature | Date | |------|------|-----------|------| | **Executive Sponsor** | _________________________ | _________________________ | __________ | | **Information Security Officer** | _________________________ | _________________________ | __________ | | **Engineering Lead** | _________________________ | _________________________ | __________ | | **DevOps Lead** | _________________________ | _________________________ | __________ | --- ## 9. Document Control | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | 2026-06-11 | Engineering | Initial scope approval document | **Next review:** 2027-06-11 (annual) or upon material architecture change