ISO/IEC 27001 Gap Analysis Report — Tender Management System
| Field |
Value |
| Document ID |
ISMS-004 |
| Version |
1.0 |
| Status |
Draft — Pending review |
| Owner |
Information Security Officer (ISO) |
| Last Updated |
2026-06-11 |
| Assessment Date |
2026-06-11 |
| Standard |
ISO/IEC 27001:2022 |
| Scope |
ISMS Foundation §3 |
Related: Statement of Applicability | ISO 27001 Roadmap
1. Executive Summary
This report assesses the current state of the Tender Management (TM) ISMS against ISO/IEC 27001:2022 mandatory clauses (4–10) and Annex A controls. The assessment is based on documentation review, codebase analysis, and existing operational practices.
Overall Maturity
| Area |
Maturity |
Summary |
| Clauses 4–6 (Context, Leadership, Planning) |
🟡 Partial |
Foundation docs exist; formal leadership approval pending |
| Clause 7 (Support) |
🟡 Partial |
Competence and awareness programs not yet formalized |
| Clause 8 (Operation) |
🟡 Partial |
Technical controls strong; operational procedures incomplete |
| Clause 9 (Performance evaluation) |
🔴 Minimal |
No internal audit program or management review yet |
| Clause 10 (Improvement) |
🔴 Minimal |
Corrective action process not formalized |
| Annex A (93 controls) |
🟡 Partial |
6 implemented (7% of 81 applicable), 56 partial (69%), 19 not implemented (23%), 12 N/A (13%) — per SoA §7 |
Key Strengths
- Application-layer security controls (JWT, RBAC, validation, XSS, audit logging)
- Clean Architecture with dependency injection and structured logging
- Initial ISMS documentation suite (foundation, risk matrix, policies)
- Configurable rate limiting and environment-based secret management
Critical Gaps (Must Address Before Certification)
- No internal audit program or management review records (Clauses 9.2, 9.3)
- No SIEM/centralized monitoring (A.8.16)
- No formal vulnerability management in CI (A.8.8)
- Secrets in repository / no vault (A.8.9, R-013)
- No security awareness training program (A.6.3)
- No vendor security assessments (A.5.19–A.5.22)
- Encryption at rest not confirmed (A.8.24)
- Executive sign-off on ISMS scope and policies pending
2. Assessment Methodology
| Step |
Activity |
| 1 |
Review ISMS scope and asset inventory |
| 2 |
Map existing controls to ISO 27001:2022 clauses and Annex A |
| 3 |
Interview technical leads (informal / codebase-based) |
| 4 |
Classify each requirement: Implemented, Partial, Not Implemented, N/A |
| 5 |
Prioritize gaps by risk linkage (Risk Assessment Matrix) |
| 6 |
Define remediation actions in ISO27001_ROADMAP.md Phase 2 |
Maturity Scale
| Rating |
Definition |
| Implemented |
Control documented, implemented, and operating effectively |
| Partial |
Control exists informally or is incomplete |
| Not Implemented |
No control or documentation |
| N/A |
Not applicable to TM scope (with justification) |
3. Clause 4 — Context of the Organization
| Ref |
Requirement |
Status |
Evidence |
Gap / Remediation |
| 4.1 |
Understanding the organization and its context |
Partial |
ISMS Foundation §2 |
Formalize interested parties register |
| 4.2 |
Understanding needs of interested parties |
Partial |
Business objectives in ISMS Foundation |
Document customers, regulators, partners explicitly |
| 4.3 |
Determining ISMS scope |
Partial |
ISMS Foundation §3; Scope Approval draft |
Executive sign-off required |
| 4.4 |
Information security management system |
Partial |
ISMS doc structure defined |
Complete PDCA operating records |
Gap actions:
- Create interested parties register (customers, EU DPA, certification body, cloud providers)
- Obtain signed scope approval from Executive Sponsor
4. Clause 5 — Leadership
| Ref |
Requirement |
Status |
Evidence |
Gap / Remediation |
| 5.1 |
Leadership and commitment |
Partial |
Roadmap exists; sponsor not yet assigned |
Appoint Executive Sponsor; first management review |
| 5.2 |
Policy |
Partial |
Information Security Policy draft |
Approve and communicate policy |
| 5.3 |
Organizational roles, responsibilities, authorities |
Partial |
ISMS Foundation §5 |
Assign named individuals to ISO, DPO roles |
Gap actions:
- Name and document ISO and DPO (can be interim)
- Communicate approved Information Security Policy to all staff
5. Clause 6 — Planning
| Ref |
Requirement |
Status |
Evidence |
Gap / Remediation |
| 6.1.1 |
Actions to address risks and opportunities |
Partial |
Risk matrix with 23 risks |
Link opportunities (e.g. certification as market differentiator) |
| 6.1.2 |
Information security risk assessment |
Implemented |
Risk Assessment Matrix, Procedure |
Maintain quarterly reviews |
| 6.1.3 |
Information security risk treatment |
Partial |
Treatment plans in risk matrix |
Execute Phase 2 technical remediations |
| 6.2 |
Information security objectives |
Partial |
Information Security Policy §4 |
Track KPIs monthly |
| 6.3 |
Planning of changes |
Not Implemented |
— |
Document change planning in change management procedure (Phase 2) |
Gap actions:
- Begin executing risk treatment plans (R-001, R-010, R-013, R-015, R-023 priority)
- Draft change management procedure
6. Clause 7 — Support
| Ref |
Requirement |
Status |
Evidence |
Gap / Remediation |
| 7.1 |
Resources |
Partial |
Roadmap resource estimate |
Allocate part-time ISO capacity |
| 7.2 |
Competence |
Not Implemented |
— |
Define security competency requirements per role |
| 7.3 |
Awareness |
Not Implemented |
Acceptable Use Policy draft |
Launch onboarding + annual training |
| 7.4 |
Communication |
Partial |
Docs in docs/security/ |
Define internal/external comms plan for ISMS |
| 7.5 |
Documented information |
Partial |
ISMS doc suite |
Document control procedure; version approval workflow |
Gap actions:
- Security awareness program (A.6.3) — target Q3 2026
- Document control: naming, approval, retention standards
7. Clause 8 — Operation
| Ref |
Requirement |
Status |
Evidence |
Gap / Remediation |
| 8.1 |
Operational planning and control |
Partial |
DevOps practices informal |
Formalize change and deploy procedures |
| 8.2 |
Information security risk assessment |
Implemented |
Quarterly procedure defined |
Execute first scheduled review Sep 2026 |
| 8.3 |
Information security risk treatment |
Partial |
Phase 2 roadmap |
Implement prioritized controls |
Gap actions:
- Operational procedures for backup, incident response (drafted — need testing records)
- Change management procedure (Phase 2)
8. Clause 9 — Performance Evaluation
| Ref |
Requirement |
Status |
Evidence |
Gap / Remediation |
| 9.1 |
Monitoring, measurement, analysis, evaluation |
Partial |
KPIs defined in roadmap |
Implement SIEM; monthly KPI reporting |
| 9.2 |
Internal audit |
Not Implemented |
— |
Schedule first internal audit Q1 2027 |
| 9.3 |
Management review |
Not Implemented |
— |
First review within 90 days of scope approval |
Gap actions:
- Critical: Establish internal audit program before Stage 2 audit
- Schedule first management review meeting
- Implement monitoring (A.8.16) for measurable KPIs
9. Clause 10 — Improvement
| Ref |
Requirement |
Status |
Evidence |
Gap / Remediation |
| 10.1 |
Continual improvement |
Partial |
PDCA in roadmap |
Track improvement actions from audits/incidents |
| 10.2 |
Nonconformity and corrective action |
Not Implemented |
— |
Define CAPA (Corrective and Preventive Action) procedure |
Gap actions:
- CAPA procedure linked to incident response and audit findings
- Nonconformity register template
10. Annex A Summary by Theme
Full control-level detail: Statement of Applicability
| Theme |
Total Controls |
Implemented |
Partial |
Not Impl. |
N/A |
| A.5 Organizational |
37 |
2 |
25 |
10 |
0 |
| A.6 People |
8 |
0 |
6 |
2 |
0 |
| A.7 Physical |
14 |
0 |
3 |
0 |
11 |
| A.8 Technological |
34 |
4 |
22 |
7 |
1 |
| Total |
93 |
6 |
56 |
19 |
12 |
Counts match Statement of Applicability §7.1. "Partial" indicates the control exists but lacks full documentation, testing, or operating evidence.
A.5 — Top Organizational Gaps
| Control |
Title |
Status |
Priority |
| A.5.19–A.5.22 |
Supplier relationships |
Not Implemented |
High |
| A.5.29–A.5.30 |
Business continuity |
Partial |
High |
| A.5.35 |
Independent review |
Not Implemented |
Medium |
| A.5.7 |
Threat intelligence |
Not Implemented |
Medium |
| A.5.32 |
Intellectual property |
Partial |
Low |
A.6 — Top People Gaps
| Control |
Title |
Status |
Priority |
| A.6.3 |
Security awareness training |
Not Implemented |
High |
| A.6.1 |
Screening |
Not Implemented |
Medium |
| A.6.6 |
NDAs |
Partial |
Medium |
| A.6.8 |
Event reporting |
Partial |
Medium |
A.7 — Physical Controls
11 N/A — cloud-hosted infrastructure; physical security transferred to cloud provider per shared responsibility model (A.7.1–A.7.6, A.7.8, A.7.10–A.7.13). Provider compliance evidence required (A.5.23).
3 Partial — A.7.7, A.7.9, A.7.14 remain applicable for personnel devices accessing TM systems (screen lock, off-premises asset security, equipment disposal).
A.8 — Top Technological Gaps
| Control |
Title |
Status |
Priority |
| A.8.8 |
Vulnerability management |
Not Implemented |
Critical |
| A.8.16 |
Monitoring activities |
Partial |
Critical |
| A.8.24 |
Cryptography |
Partial |
High |
| A.8.2 |
Privileged access rights |
Partial |
High |
| A.8.32 |
Change management |
Partial |
High |
| A.8.29 |
Security testing |
Not Implemented |
High |
| A.8.12 |
Data leakage prevention |
Not Implemented |
Medium |
A.8 — Fully Implemented Technical Controls (Status = Yes)
| Control |
Implementation |
| A.8.3 |
RBAC + company-scoped middleware (pkg/authorization) |
| A.8.4 |
Git-based source control with PR workflow |
| A.8.15 |
Structured logging + pkg/audit |
| A.8.26 |
Govalidator, XSS policy, Swagger |
Additional controls (e.g. A.8.5 authentication, A.8.9 configuration, A.8.28 secure coding) are Partial in the SoA — implemented in code but lacking full operating evidence or completeness (MFA, vault, SAST).
11. Gap Remediation Roadmap
Aligned with ISO27001_ROADMAP.md:
| Priority |
Gap |
Remediation |
Phase |
Target |
| P0 |
No incident response testing |
Tabletop exercise |
2 |
Q2 2026 |
| P0 |
Secrets in repo |
Vault + secret scanning |
2 |
Q2 2026 |
| P0 |
No vulnerability scanning |
govulncheck in CI |
2 |
Q2 2026 |
| P0 |
No management review |
First review meeting |
1 |
Q3 2026 |
| P1 |
No SIEM |
Centralized logging + alerts |
2 |
Q3 2026 |
| P1 |
No encryption at rest |
MongoDB/MinIO encryption |
2 |
Q3 2026 |
| P1 |
No vendor assessments |
Vendor questionnaire |
2 |
Q4 2026 |
| P1 |
No security training |
Awareness program |
2 |
Q3 2026 |
| P1 |
No internal audit |
Audit program + first audit |
3 |
Q1 2027 |
| P2 |
No CAPA procedure |
Document CAPA process |
2 |
Q3 2026 |
| P2 |
No penetration test |
External pentest |
4 |
Q2 2027 |
12. Conclusion
The TM platform has a solid technical security foundation but lacks the operational and governance evidence required for ISO 27001 certification. Phase 1 documentation (foundation, risk assessment, policies, SoA, gap analysis) addresses Clauses 4.3, 6.1.2, and 5.2 at a draft level.
Recommendation: Proceed to Phase 2 control implementation while pursuing executive approval of scope and policies. Target first internal audit no later than Q1 2027 to allow 3+ months of operating evidence before Stage 2 audit.
13. Document Control
| Version |
Date |
Author |
Changes |
| 1.0 |
2026-06-11 |
Engineering |
Initial gap analysis |
| 1.1 |
2026-06-11 |
Engineering |
Annex A theme table and executive summary aligned with SoA §7 |
Review
| Role |
Name |
Signature |
Date |
| ISO |
Pending |
|
|
| Executive Sponsor |
Pending |
|
|