Files
tm_back/docs/security/ISMS_SCOPE_APPROVAL.md
Mazyar 06e663b691 Add security and compliance documentation for ISO/IEC 27001
- Introduced a comprehensive suite of security documents to support ISO/IEC 27001 certification, including the ISMS Foundation, Risk Assessment Matrix, Gap Analysis Report, Statement of Applicability, and ISO27001 Roadmap.
- Updated the README to include links to the new security documentation, enhancing the project's compliance framework and providing clear guidance on security policies and procedures.

This addition strengthens the overall security posture of the Tender Management System and aligns with industry standards for information security management.
2026-06-11 01:53:24 +03:30

7.8 KiB
Raw Permalink Blame History

ISMS Scope Approval

Field Value
Document ID ISMS-006
Version 1.0
Status Pending signature
Owner Executive Sponsor
Prepared By Information Security Officer (ISO)
Date Prepared 2026-06-11
ISO 27001 Reference Clause 4.3 — Determining the scope of the information security management system

Related: ISMS Foundation | Gap Analysis Report


1. Purpose

This document records formal management approval of the Information Security Management System (ISMS) scope for the Tender Management platform, as required by ISO/IEC 27001:2022 Clause 4.3.


2. Organization

Field Value
Organization [Company legal name]
Product / Service Tender Management System (TM)
Repository tm_back (Go backend API)
Business Unit Engineering / Product

3. Approved ISMS Scope

3.1 Scope Statement

The ISMS covers the design, development, deployment, and operation of the Tender Management backend platform, including all information assets processed, stored, or transmitted by the web API (cmd/web), background worker (cmd/worker), and TED scraper (cmd/scraper), together with supporting MongoDB, Redis, and MinIO infrastructure in development, staging, and production environments.

3.2 In Scope

Category Items
Applications cmd/web, cmd/worker, cmd/scraper
Domain services User, customer, company, tender, feedback, notification, inquiry, contact, CMS, kanban, dashboard, document scraper, tender approval
Shared packages Authorization (JWT), security (XSS/CSP), audit logging, file store, MinIO client, configuration
Data stores MongoDB (tm database), Redis, MinIO (files, documents buckets)
External integrations Notification service, hCaptcha, AI summarizer/translation, GoRules, TED data sources, FCM push
Environments Development, staging, production, CI/CD pipelines
Personnel Developers, DevOps, QA, product owners with access to TM infrastructure or production data
Locations Cloud-hosted infrastructure (provider TBD / per deployment); remote work for engineering staff

3.3 Explicitly Out of Scope

Item Rationale Interface Control
Mobile application codebase Separate repository and release cycle API contract (/api/v1); JWT authentication
Admin panel frontend Separate repository API contract (/admin/v1); admin JWT + RBAC
TED / EU publication infrastructure Third-party public data source XML ingestion validation in scraper
Customer on-premise deployments SaaS delivery model N/A — revisit if product offering changes
End-user devices (phones, laptops) Covered by Acceptable Use Policy, not ISMS technical scope AUP acknowledgment
Physical data center facilities Cloud shared responsibility model Provider compliance evidence (A.5.23)

3.4 Boundaries and Interfaces

┌─────────────────────────────────────────────────────────────┐
│                    APPROVED ISMS SCOPE                       │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐                   │
│  │ cmd/web  │  │cmd/worker│  │cmd/scraper│                   │
│  └────┬─────┘  └────┬─────┘  └────┬─────┘                   │
│       └─────────────┼─────────────┘                          │
│                     ▼                                        │
│       ┌─────────────────────────────┐                        │
│       │ MongoDB │ Redis │ MinIO     │                        │
│       └─────────────────────────────┘                        │
└──────────────┬──────────────────────────────────────────────┘
               │ API boundaries (out of scope beyond interface)
    ┌──────────┼──────────┬─────────────┬──────────────┐
    ▼          ▼          ▼             ▼              ▼
 Mobile     Admin      Notification   AI Service    TED (public)
 App        Panel      Service                     XML feed
 (OOS)      (OOS)      (interface)    (interface)   (OOS)

OOS = Out of Scope (interface governed by contracts and vendor assessment)


4. Interested Parties (Summary)

Party Interest ISMS Response
Company customers PII protection, service availability Access control, encryption, backup
EU data subjects GDPR rights DPO oversight, DSR process
Engineering team Secure development environment Policies, training, tooling
Executive management Certification, risk management This approval, management review
Cloud / SaaS providers Shared security responsibility A.5.23 cloud controls
Certification body Conformity evidence Audit program

5. Applicable Requirements

Requirement Applicability
ISO/IEC 27001:2022 Full ISMS certification target
GDPR (EU 2016/679) Customer and company PII processing
TED data terms of use Public procurement data ingestion
Customer contracts Per agreement (security addenda as applicable)

6. Asset Summary Reference

Full inventory: ISMS Foundation §420 assets registered (A-001 through A-020).

Key data categories in scope:

  • Customer PII (C3)
  • Company business data (C3)
  • Authentication credentials (C4)
  • Tender/procurement data (C2)
  • Application logs and audit records (C2C3)

7. Scope Change Process

Changes to this scope require:

  1. Written justification (new service, architecture change, new data type)
  2. Risk assessment per Risk Assessment Procedure
  3. Update to ISMS Foundation, SoA, and this document
  4. Re-approval by Executive Sponsor
  5. Notification to certification body if already certified

8. Approval

By signing below, management confirms:

  1. The scope defined in Section 3 accurately reflects the boundaries of the TM ISMS
  2. Resources will be made available to implement and maintain the ISMS per ISO27001_ROADMAP.md
  3. Information security objectives in the Information Security Policy are endorsed
  4. An Information Security Officer will be designated (named or interim)

Signatures

Role Name Signature Date
Executive Sponsor _________________________ _________________________ __________
Information Security Officer _________________________ _________________________ __________
Engineering Lead _________________________ _________________________ __________
DevOps Lead _________________________ _________________________ __________

9. Document Control

Version Date Author Changes
1.0 2026-06-11 Engineering Initial scope approval document

Next review: 2027-06-11 (annual) or upon material architecture change