Files
tm_back/docs/security/GAP_ANALYSIS_REPORT.md
Mazyar 6af5cf3c4e Update security documentation to align with ISO/IEC 27001 standards
- Revised the Gap Analysis Report to provide detailed counts of implemented, partial, and not implemented controls, enhancing clarity on compliance status.
- Updated the ISO27001 Roadmap to include a status column for deliverables, improving tracking of progress towards certification.
- Adjusted the Statement of Applicability to reconcile summary counts with control rows and clarify the applicability of outsourced development.

These updates strengthen the documentation framework, ensuring it accurately reflects the current state of security controls and compliance efforts within the Tender Management System.
2026-06-13 23:59:38 +03:30

283 lines
13 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# ISO/IEC 27001 Gap Analysis Report — Tender Management System
| Field | Value |
|-------|-------|
| **Document ID** | ISMS-004 |
| **Version** | 1.0 |
| **Status** | Draft — Pending review |
| **Owner** | Information Security Officer (ISO) |
| **Last Updated** | 2026-06-11 |
| **Assessment Date** | 2026-06-11 |
| **Standard** | ISO/IEC 27001:2022 |
| **Scope** | [ISMS Foundation §3](./ISMS_FOUNDATION.md#3-isms-scope) |
Related: [Statement of Applicability](./STATEMENT_OF_APPLICABILITY.md) | [ISO 27001 Roadmap](./ISO27001_ROADMAP.md)
---
## 1. Executive Summary
This report assesses the current state of the Tender Management (TM) ISMS against **ISO/IEC 27001:2022** mandatory clauses (410) and Annex A controls. The assessment is based on documentation review, codebase analysis, and existing operational practices.
### Overall Maturity
| Area | Maturity | Summary |
|------|----------|---------|
| **Clauses 46** (Context, Leadership, Planning) | 🟡 Partial | Foundation docs exist; formal leadership approval pending |
| **Clause 7** (Support) | 🟡 Partial | Competence and awareness programs not yet formalized |
| **Clause 8** (Operation) | 🟡 Partial | Technical controls strong; operational procedures incomplete |
| **Clause 9** (Performance evaluation) | 🔴 Minimal | No internal audit program or management review yet |
| **Clause 10** (Improvement) | 🔴 Minimal | Corrective action process not formalized |
| **Annex A** (93 controls) | 🟡 Partial | 6 implemented (7% of 81 applicable), 56 partial (69%), 19 not implemented (23%), 12 N/A (13%) — per [SoA §7](./STATEMENT_OF_APPLICABILITY.md#7-summary-statistics) |
### Key Strengths
- Application-layer security controls (JWT, RBAC, validation, XSS, audit logging)
- Clean Architecture with dependency injection and structured logging
- Initial ISMS documentation suite (foundation, risk matrix, policies)
- Configurable rate limiting and environment-based secret management
### Critical Gaps (Must Address Before Certification)
1. No internal audit program or management review records (Clauses 9.2, 9.3)
2. No SIEM/centralized monitoring (A.8.16)
3. No formal vulnerability management in CI (A.8.8)
4. Secrets in repository / no vault (A.8.9, R-013)
5. No security awareness training program (A.6.3)
6. No vendor security assessments (A.5.19A.5.22)
7. Encryption at rest not confirmed (A.8.24)
8. Executive sign-off on ISMS scope and policies pending
---
## 2. Assessment Methodology
| Step | Activity |
|------|----------|
| 1 | Review ISMS scope and asset inventory |
| 2 | Map existing controls to ISO 27001:2022 clauses and Annex A |
| 3 | Interview technical leads (informal / codebase-based) |
| 4 | Classify each requirement: **Implemented**, **Partial**, **Not Implemented**, **N/A** |
| 5 | Prioritize gaps by risk linkage ([Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.md)) |
| 6 | Define remediation actions in [ISO27001_ROADMAP.md](./ISO27001_ROADMAP.md) Phase 2 |
### Maturity Scale
| Rating | Definition |
|--------|------------|
| **Implemented** | Control documented, implemented, and operating effectively |
| **Partial** | Control exists informally or is incomplete |
| **Not Implemented** | No control or documentation |
| **N/A** | Not applicable to TM scope (with justification) |
---
## 3. Clause 4 — Context of the Organization
| Ref | Requirement | Status | Evidence | Gap / Remediation |
|-----|-------------|--------|----------|-------------------|
| 4.1 | Understanding the organization and its context | **Partial** | [ISMS Foundation §2](./ISMS_FOUNDATION.md#2-organizational-context) | Formalize interested parties register |
| 4.2 | Understanding needs of interested parties | **Partial** | Business objectives in ISMS Foundation | Document customers, regulators, partners explicitly |
| 4.3 | Determining ISMS scope | **Partial** | [ISMS Foundation §3](./ISMS_FOUNDATION.md#3-isms-scope); [Scope Approval](./ISMS_SCOPE_APPROVAL.md) draft | Executive sign-off required |
| 4.4 | Information security management system | **Partial** | ISMS doc structure defined | Complete PDCA operating records |
**Gap actions:**
- Create interested parties register (customers, EU DPA, certification body, cloud providers)
- Obtain signed scope approval from Executive Sponsor
---
## 4. Clause 5 — Leadership
| Ref | Requirement | Status | Evidence | Gap / Remediation |
|-----|-------------|--------|----------|-------------------|
| 5.1 | Leadership and commitment | **Partial** | Roadmap exists; sponsor not yet assigned | Appoint Executive Sponsor; first management review |
| 5.2 | Policy | **Partial** | [Information Security Policy](./policies/information-security-policy.md) draft | Approve and communicate policy |
| 5.3 | Organizational roles, responsibilities, authorities | **Partial** | [ISMS Foundation §5](./ISMS_FOUNDATION.md#5-roles-and-responsibilities) | Assign named individuals to ISO, DPO roles |
**Gap actions:**
- Name and document ISO and DPO (can be interim)
- Communicate approved Information Security Policy to all staff
---
## 5. Clause 6 — Planning
| Ref | Requirement | Status | Evidence | Gap / Remediation |
|-----|-------------|--------|----------|-------------------|
| 6.1.1 | Actions to address risks and opportunities | **Partial** | Risk matrix with 23 risks | Link opportunities (e.g. certification as market differentiator) |
| 6.1.2 | Information security risk assessment | **Implemented** | [Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.md), [Procedure](./procedures/risk-assessment-procedure.md) | Maintain quarterly reviews |
| 6.1.3 | Information security risk treatment | **Partial** | Treatment plans in risk matrix | Execute Phase 2 technical remediations |
| 6.2 | Information security objectives | **Partial** | [Information Security Policy §4](./policies/information-security-policy.md#4-information-security-objectives) | Track KPIs monthly |
| 6.3 | Planning of changes | **Not Implemented** | — | Document change planning in change management procedure (Phase 2) |
**Gap actions:**
- Begin executing risk treatment plans (R-001, R-010, R-013, R-015, R-023 priority)
- Draft change management procedure
---
## 6. Clause 7 — Support
| Ref | Requirement | Status | Evidence | Gap / Remediation |
|-----|-------------|--------|----------|-------------------|
| 7.1 | Resources | **Partial** | Roadmap resource estimate | Allocate part-time ISO capacity |
| 7.2 | Competence | **Not Implemented** | — | Define security competency requirements per role |
| 7.3 | Awareness | **Not Implemented** | Acceptable Use Policy draft | Launch onboarding + annual training |
| 7.4 | Communication | **Partial** | Docs in `docs/security/` | Define internal/external comms plan for ISMS |
| 7.5 | Documented information | **Partial** | ISMS doc suite | Document control procedure; version approval workflow |
**Gap actions:**
- Security awareness program (A.6.3) — target Q3 2026
- Document control: naming, approval, retention standards
---
## 7. Clause 8 — Operation
| Ref | Requirement | Status | Evidence | Gap / Remediation |
|-----|-------------|--------|----------|-------------------|
| 8.1 | Operational planning and control | **Partial** | DevOps practices informal | Formalize change and deploy procedures |
| 8.2 | Information security risk assessment | **Implemented** | Quarterly procedure defined | Execute first scheduled review Sep 2026 |
| 8.3 | Information security risk treatment | **Partial** | Phase 2 roadmap | Implement prioritized controls |
**Gap actions:**
- Operational procedures for backup, incident response (drafted — need testing records)
- Change management procedure (Phase 2)
---
## 8. Clause 9 — Performance Evaluation
| Ref | Requirement | Status | Evidence | Gap / Remediation |
|-----|-------------|--------|----------|-------------------|
| 9.1 | Monitoring, measurement, analysis, evaluation | **Partial** | KPIs defined in roadmap | Implement SIEM; monthly KPI reporting |
| 9.2 | Internal audit | **Not Implemented** | — | Schedule first internal audit Q1 2027 |
| 9.3 | Management review | **Not Implemented** | — | First review within 90 days of scope approval |
**Gap actions:**
- **Critical:** Establish internal audit program before Stage 2 audit
- Schedule first management review meeting
- Implement monitoring (A.8.16) for measurable KPIs
---
## 9. Clause 10 — Improvement
| Ref | Requirement | Status | Evidence | Gap / Remediation |
|-----|-------------|--------|----------|-------------------|
| 10.1 | Continual improvement | **Partial** | PDCA in roadmap | Track improvement actions from audits/incidents |
| 10.2 | Nonconformity and corrective action | **Not Implemented** | — | Define CAPA (Corrective and Preventive Action) procedure |
**Gap actions:**
- CAPA procedure linked to incident response and audit findings
- Nonconformity register template
---
## 10. Annex A Summary by Theme
Full control-level detail: [Statement of Applicability](./STATEMENT_OF_APPLICABILITY.md)
| Theme | Total Controls | Implemented | Partial | Not Impl. | N/A |
|-------|----------------|-------------|---------|-----------|-----|
| **A.5** Organizational | 37 | 2 | 25 | 10 | 0 |
| **A.6** People | 8 | 0 | 6 | 2 | 0 |
| **A.7** Physical | 14 | 0 | 3 | 0 | 11 |
| **A.8** Technological | 34 | 4 | 22 | 7 | 1 |
| **Total** | **93** | **6** | **56** | **19** | **12** |
*Counts match [Statement of Applicability §7.1](./STATEMENT_OF_APPLICABILITY.md#71-by-theme). "Partial" indicates the control exists but lacks full documentation, testing, or operating evidence.*
### A.5 — Top Organizational Gaps
| Control | Title | Status | Priority |
|---------|-------|--------|----------|
| A.5.19A.5.22 | Supplier relationships | Not Implemented | High |
| A.5.29A.5.30 | Business continuity | Partial | High |
| A.5.35 | Independent review | Not Implemented | Medium |
| A.5.7 | Threat intelligence | Not Implemented | Medium |
| A.5.32 | Intellectual property | Partial | Low |
### A.6 — Top People Gaps
| Control | Title | Status | Priority |
|---------|-------|--------|----------|
| A.6.3 | Security awareness training | Not Implemented | High |
| A.6.1 | Screening | Not Implemented | Medium |
| A.6.6 | NDAs | Partial | Medium |
| A.6.8 | Event reporting | Partial | Medium |
### A.7 — Physical Controls
**11 N/A** — cloud-hosted infrastructure; physical security transferred to cloud provider per shared responsibility model (A.7.1A.7.6, A.7.8, A.7.10A.7.13). Provider compliance evidence required (A.5.23).
**3 Partial** — A.7.7, A.7.9, A.7.14 remain applicable for personnel devices accessing TM systems (screen lock, off-premises asset security, equipment disposal).
### A.8 — Top Technological Gaps
| Control | Title | Status | Priority |
|---------|-------|--------|----------|
| A.8.8 | Vulnerability management | Not Implemented | Critical |
| A.8.16 | Monitoring activities | Partial | Critical |
| A.8.24 | Cryptography | Partial | High |
| A.8.2 | Privileged access rights | Partial | High |
| A.8.32 | Change management | Partial | High |
| A.8.29 | Security testing | Not Implemented | High |
| A.8.12 | Data leakage prevention | Not Implemented | Medium |
### A.8 — Fully Implemented Technical Controls (Status = Yes)
| Control | Implementation |
|---------|----------------|
| A.8.3 | RBAC + company-scoped middleware (`pkg/authorization`) |
| A.8.4 | Git-based source control with PR workflow |
| A.8.15 | Structured logging + `pkg/audit` |
| A.8.26 | Govalidator, XSS policy, Swagger |
Additional controls (e.g. A.8.5 authentication, A.8.9 configuration, A.8.28 secure coding) are **Partial** in the SoA — implemented in code but lacking full operating evidence or completeness (MFA, vault, SAST).
---
## 11. Gap Remediation Roadmap
Aligned with [ISO27001_ROADMAP.md](./ISO27001_ROADMAP.md):
| Priority | Gap | Remediation | Phase | Target |
|----------|-----|-------------|-------|--------|
| P0 | No incident response testing | Tabletop exercise | 2 | Q2 2026 |
| P0 | Secrets in repo | Vault + secret scanning | 2 | Q2 2026 |
| P0 | No vulnerability scanning | govulncheck in CI | 2 | Q2 2026 |
| P0 | No management review | First review meeting | 1 | Q3 2026 |
| P1 | No SIEM | Centralized logging + alerts | 2 | Q3 2026 |
| P1 | No encryption at rest | MongoDB/MinIO encryption | 2 | Q3 2026 |
| P1 | No vendor assessments | Vendor questionnaire | 2 | Q4 2026 |
| P1 | No security training | Awareness program | 2 | Q3 2026 |
| P1 | No internal audit | Audit program + first audit | 3 | Q1 2027 |
| P2 | No CAPA procedure | Document CAPA process | 2 | Q3 2026 |
| P2 | No penetration test | External pentest | 4 | Q2 2027 |
---
## 12. Conclusion
The TM platform has a **solid technical security foundation** but lacks the **operational and governance evidence** required for ISO 27001 certification. Phase 1 documentation (foundation, risk assessment, policies, SoA, gap analysis) addresses Clauses 4.3, 6.1.2, and 5.2 at a draft level.
**Recommendation:** Proceed to Phase 2 control implementation while pursuing executive approval of scope and policies. Target first internal audit no later than **Q1 2027** to allow 3+ months of operating evidence before Stage 2 audit.
---
## 13. Document Control
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2026-06-11 | Engineering | Initial gap analysis |
| 1.1 | 2026-06-11 | Engineering | Annex A theme table and executive summary aligned with SoA §7 |
**Review**
| Role | Name | Signature | Date |
|------|------|-----------|------|
| ISO | _Pending_ | | |
| Executive Sponsor | _Pending_ | | |