Files
tm_back/docs/security/ISMS_SCOPE_APPROVAL.md
Mazyar 06e663b691 Add security and compliance documentation for ISO/IEC 27001
- Introduced a comprehensive suite of security documents to support ISO/IEC 27001 certification, including the ISMS Foundation, Risk Assessment Matrix, Gap Analysis Report, Statement of Applicability, and ISO27001 Roadmap.
- Updated the README to include links to the new security documentation, enhancing the project's compliance framework and providing clear guidance on security policies and procedures.

This addition strengthens the overall security posture of the Tender Management System and aligns with industry standards for information security management.
2026-06-11 01:53:24 +03:30

169 lines
7.8 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# ISMS Scope Approval
| Field | Value |
|-------|-------|
| **Document ID** | ISMS-006 |
| **Version** | 1.0 |
| **Status** | Pending signature |
| **Owner** | Executive Sponsor |
| **Prepared By** | Information Security Officer (ISO) |
| **Date Prepared** | 2026-06-11 |
| **ISO 27001 Reference** | Clause 4.3 — Determining the scope of the information security management system |
Related: [ISMS Foundation](./ISMS_FOUNDATION.md) | [Gap Analysis Report](./GAP_ANALYSIS_REPORT.md)
---
## 1. Purpose
This document records formal management approval of the **Information Security Management System (ISMS) scope** for the Tender Management platform, as required by ISO/IEC 27001:2022 Clause 4.3.
---
## 2. Organization
| Field | Value |
|-------|-------|
| **Organization** | _[Company legal name]_ |
| **Product / Service** | Tender Management System (TM) |
| **Repository** | `tm_back` (Go backend API) |
| **Business Unit** | Engineering / Product |
---
## 3. Approved ISMS Scope
### 3.1 Scope Statement
> The ISMS covers the design, development, deployment, and operation of the **Tender Management backend platform**, including all information assets processed, stored, or transmitted by the web API (`cmd/web`), background worker (`cmd/worker`), and TED scraper (`cmd/scraper`), together with supporting **MongoDB**, **Redis**, and **MinIO** infrastructure in development, staging, and production environments.
### 3.2 In Scope
| Category | Items |
|----------|-------|
| **Applications** | `cmd/web`, `cmd/worker`, `cmd/scraper` |
| **Domain services** | User, customer, company, tender, feedback, notification, inquiry, contact, CMS, kanban, dashboard, document scraper, tender approval |
| **Shared packages** | Authorization (JWT), security (XSS/CSP), audit logging, file store, MinIO client, configuration |
| **Data stores** | MongoDB (`tm` database), Redis, MinIO (`files`, `documents` buckets) |
| **External integrations** | Notification service, hCaptcha, AI summarizer/translation, GoRules, TED data sources, FCM push |
| **Environments** | Development, staging, production, CI/CD pipelines |
| **Personnel** | Developers, DevOps, QA, product owners with access to TM infrastructure or production data |
| **Locations** | Cloud-hosted infrastructure (provider TBD / per deployment); remote work for engineering staff |
### 3.3 Explicitly Out of Scope
| Item | Rationale | Interface Control |
|------|-----------|-----------------|
| Mobile application codebase | Separate repository and release cycle | API contract (`/api/v1`); JWT authentication |
| Admin panel frontend | Separate repository | API contract (`/admin/v1`); admin JWT + RBAC |
| TED / EU publication infrastructure | Third-party public data source | XML ingestion validation in scraper |
| Customer on-premise deployments | SaaS delivery model | N/A — revisit if product offering changes |
| End-user devices (phones, laptops) | Covered by Acceptable Use Policy, not ISMS technical scope | AUP acknowledgment |
| Physical data center facilities | Cloud shared responsibility model | Provider compliance evidence (A.5.23) |
### 3.4 Boundaries and Interfaces
```
┌─────────────────────────────────────────────────────────────┐
│ APPROVED ISMS SCOPE │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ cmd/web │ │cmd/worker│ │cmd/scraper│ │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ │
│ └─────────────┼─────────────┘ │
│ ▼ │
│ ┌─────────────────────────────┐ │
│ │ MongoDB │ Redis │ MinIO │ │
│ └─────────────────────────────┘ │
└──────────────┬──────────────────────────────────────────────┘
│ API boundaries (out of scope beyond interface)
┌──────────┼──────────┬─────────────┬──────────────┐
▼ ▼ ▼ ▼ ▼
Mobile Admin Notification AI Service TED (public)
App Panel Service XML feed
(OOS) (OOS) (interface) (interface) (OOS)
```
**OOS** = Out of Scope (interface governed by contracts and vendor assessment)
---
## 4. Interested Parties (Summary)
| Party | Interest | ISMS Response |
|-------|----------|---------------|
| Company customers | PII protection, service availability | Access control, encryption, backup |
| EU data subjects | GDPR rights | DPO oversight, DSR process |
| Engineering team | Secure development environment | Policies, training, tooling |
| Executive management | Certification, risk management | This approval, management review |
| Cloud / SaaS providers | Shared security responsibility | A.5.23 cloud controls |
| Certification body | Conformity evidence | Audit program |
---
## 5. Applicable Requirements
| Requirement | Applicability |
|-------------|---------------|
| ISO/IEC 27001:2022 | Full ISMS certification target |
| GDPR (EU 2016/679) | Customer and company PII processing |
| TED data terms of use | Public procurement data ingestion |
| Customer contracts | Per agreement (security addenda as applicable) |
---
## 6. Asset Summary Reference
Full inventory: [ISMS Foundation §4](./ISMS_FOUNDATION.md#4-information-asset-inventory) — **20 assets** registered (A-001 through A-020).
Key data categories in scope:
- Customer PII (C3)
- Company business data (C3)
- Authentication credentials (C4)
- Tender/procurement data (C2)
- Application logs and audit records (C2C3)
---
## 7. Scope Change Process
Changes to this scope require:
1. Written justification (new service, architecture change, new data type)
2. Risk assessment per [Risk Assessment Procedure](./procedures/risk-assessment-procedure.md)
3. Update to [ISMS Foundation](./ISMS_FOUNDATION.md), [SoA](./STATEMENT_OF_APPLICABILITY.md), and this document
4. Re-approval by Executive Sponsor
5. Notification to certification body if already certified
---
## 8. Approval
By signing below, management confirms:
1. The scope defined in Section 3 accurately reflects the boundaries of the TM ISMS
2. Resources will be made available to implement and maintain the ISMS per [ISO27001_ROADMAP.md](./ISO27001_ROADMAP.md)
3. Information security objectives in the [Information Security Policy](./policies/information-security-policy.md) are endorsed
4. An Information Security Officer will be designated (named or interim)
---
### Signatures
| Role | Name | Signature | Date |
|------|------|-----------|------|
| **Executive Sponsor** | _________________________ | _________________________ | __________ |
| **Information Security Officer** | _________________________ | _________________________ | __________ |
| **Engineering Lead** | _________________________ | _________________________ | __________ |
| **DevOps Lead** | _________________________ | _________________________ | __________ |
---
## 9. Document Control
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2026-06-11 | Engineering | Initial scope approval document |
**Next review:** 2027-06-11 (annual) or upon material architecture change