Files
Mazyar 6af5cf3c4e Update security documentation to align with ISO/IEC 27001 standards
- Revised the Gap Analysis Report to provide detailed counts of implemented, partial, and not implemented controls, enhancing clarity on compliance status.
- Updated the ISO27001 Roadmap to include a status column for deliverables, improving tracking of progress towards certification.
- Adjusted the Statement of Applicability to reconcile summary counts with control rows and clarify the applicability of outsourced development.

These updates strengthen the documentation framework, ensuring it accurately reflects the current state of security controls and compliance efforts within the Tender Management System.
2026-06-13 23:59:38 +03:30

13 KiB
Raw Permalink Blame History

ISO/IEC 27001 Certification Roadmap — Tender Management System

Field Value
Document ID ISMS-003
Version 1.0
Status Active roadmap
Owner Information Security Officer (ISO)
Last Updated 2026-06-11
Target Certification ISO/IEC 27001:2022

Related: ISMS Foundation | Risk Assessment Matrix


1. Executive Summary

This roadmap defines a phased path from the current informal security practices to a certifiable ISMS for the Tender Management backend platform. The plan spans approximately 1218 months from foundation to Stage 2 certification audit, assuming dedicated part-time security ownership (0.250.5 FTE).

Current State

  • Strong technical controls in application layer (JWT, RBAC, validation, XSS, audit logging)
  • No formal ISMS documentation, policies, or certified processes
  • Risk assessment and asset inventory now documented (initial versions)

Target State

  • Documented and operating ISMS aligned with ISO/IEC 27001:2022
  • Risk treatment plans executed for High and Critical risks
  • Internal audit program and management review cycle established
  • Successful Stage 1 and Stage 2 certification audits

2. Certification Timeline Overview

Phase 0 ──► Phase 1 ──► Phase 2 ──► Phase 3 ──► Phase 4 ──► Phase 5
Foundation   Gap &       Implement    Operate      Pre-Audit    Certification
(Complete)   Policies    Controls     ISMS         Readiness    Audit
  │            │            │            │             │              │
 Jun 2026    Jul-Aug      Sep-Nov     Dec-Mar       Apr-Jun       Jul-Sep 2027
Phase Name Duration Key Deliverable
0 Foundation 2 weeks ISMS scope, asset inventory, risk matrix (this release)
1 Gap Analysis & Policies 68 weeks Policy suite, SoA draft, gap report
2 Control Implementation 1012 weeks Technical and procedural controls
3 ISMS Operation 12+ weeks Internal audits, KPIs, management review
4 Pre-Audit Readiness 46 weeks Mock audit, evidence pack, corrective actions
5 Certification Audit 48 weeks Stage 1 + Stage 2 with accredited CB

3. Phase 0 — Foundation (Complete)

Status: Complete as of 2026-06-11

Task Deliverable Status
Define ISMS scope ISMS_FOUNDATION.md §3
Create asset inventory ISMS_FOUNDATION.md §4
Initial risk assessment RISK_ASSESSMENT_MATRIX.md
Assign interim ISO role Pending management approval
Executive briefing on ISMS scope Presentation / sign-off

4. Phase 1 — Gap Analysis & Policy Framework

Target: JulAug 2026 (68 weeks)

4.1 Objectives

  • Map existing controls to ISO 27001:2022 Annex A
  • Identify gaps and produce Statement of Applicability (SoA)
  • Publish core ISMS policies

4.2 Deliverables

# Deliverable ISO 27001 Reference Owner Status
1.1 Gap analysis report Clauses 410 ISO Draft
1.2 Statement of Applicability (SoA) Annex A ISO Draft
1.3 Information Security Policy A.5.1 Executive Sponsor Draft
1.4 Access Control Policy A.5.15A.5.18 ISO Draft
1.5 Incident Response Plan A.5.24A.5.28 ISO Draft
1.6 Backup & Recovery Policy A.8.13 DevOps Draft
1.7 Acceptable Use Policy A.6.2 HR / ISO Draft
1.8 Risk Assessment Procedure Clause 6.1.2 ISO Draft
1.9 ISMS scope approval (signed) Clause 4.3 Executive Sponsor Draft — pending signature

4.3 Annex A Gap Snapshot (Initial)

Based on codebase review and Risk Assessment Matrix:

Annex A Theme Current Maturity Gap Priority
A.5 Organizational controls 2 Yes / 25 Partial / 10 No (of 37) High
A.6 People controls 0 Yes / 6 Partial / 2 No (of 8) High
A.7 Physical controls 11 N/A (cloud); 3 Partial (personnel devices) Transfer to cloud provider
A.8 Technological controls 4 Yes / 22 Partial / 7 No / 1 N/A (of 34) Medium

Per-theme counts: SoA §7.1.

Controls with Status = Yes in SoA (fully evidenced):

Control Evidence in Codebase
A.5.9, A.5.12 Asset inventory; information classification
A.8.3 Access restriction RBAC + company-scoped middleware
A.8.4 Access to source code Git repo with PR review
A.8.15 Logging Structured service logging, pkg/audit
A.8.26 Application security requirements Govalidator, XSS policy, Swagger

Additional partial in-app controls (e.g. A.8.5 authentication, A.8.9 configuration, A.8.6 rate limiting) are implemented in code but not yet fully evidenced in the SoA.

Priority gaps to close in Phase 2:

Control Gap Planned Action
A.8.24 Cryptography No documented crypto policy; at-rest encryption TBD Encryption policy; MongoDB/MinIO at-rest
A.8.8 Vulnerability management No formal scanning CI: govulncheck, SAST, container scan
A.8.16 Monitoring Logs only, no SIEM Centralized logging + alerts
A.5.19A.5.23 Supplier relationships No vendor assessments Vendor questionnaire for AI, notification
A.5.29A.5.30 Business continuity No DR plan BCP/DRP with RTO/RPO
A.6.3 Security awareness No training program Annual training + onboarding module

5. Phase 2 — Control Implementation

Target: SepNov 2026 (1012 weeks)

5.1 Technical Controls

Priority Control Tasks Risk IDs Owner
P0 Secrets management Migrate to vault; remove FCM keys from repo; rotate credentials R-013 DevOps
P0 Auth hardening Rate limit all auth endpoints; MFA for admin users R-001, R-021 Engineering
P0 Vulnerability scanning govulncheck + Dependabot in CI; monthly review R-010 Engineering
P1 Encryption at rest Enable MongoDB and MinIO encryption R-005, R-006 DevOps
P1 Monitoring & alerting Centralize logs; alert on auth failures, 5xx spikes R-015 DevOps
P1 RBAC audit Automated tests for all admin route authorization R-003 Engineering
P2 WAF / CDN DDoS protection for public API R-012 DevOps
P2 File upload security MIME validation, size limits, malware scan R-011 Engineering
P2 Refresh token rotation Complete token rotation implementation R-002 Engineering

5.2 Procedural Controls

Priority Control Tasks Owner
P0 Incident response IR plan, on-call rotation, tabletop exercise ISO
P0 Change management PR approval rules, prod deployment checklist Engineering
P1 Access reviews Quarterly review of admin and infra access ISO
P1 Backup verification Monthly restore test; documented RTO/RPO DevOps
P1 Vendor management Security questionnaires for AI, notification, cloud ISO
P2 DSR process GDPR data subject request workflow DPO

6. Phase 3 — ISMS Operation

Target: Dec 2026 Mar 2027 (minimum 3 months operation required)

6.1 Operating Activities

Activity Frequency Owner ISO 27001 Reference
Risk register review Quarterly ISO 6.1.2
Internal audit Semi-annual Internal auditor 9.2
Management review Quarterly Executive Sponsor 9.3
Vulnerability scan review Monthly Engineering A.8.8
Access review Quarterly ISO A.5.18
Backup restore test Monthly DevOps A.8.13
Security awareness training Annual + onboarding ISO A.6.3
Supplier review Annual ISO A.5.19
KPI reporting Monthly ISO 9.1

6.2 Key Performance Indicators (KPIs)

KPI Target Measurement
Critical/High open risks 0 Critical; ≤3 High Risk register
Mean time to patch (Critical CVE) ≤ 7 days Vulnerability tracker
Failed login rate Baseline + alert threshold SIEM
Backup restore success 100% monthly test DevOps report
Security training completion 100% staff HR records
Incident response time (P1) ≤ 1 hour acknowledgment IR log

7. Phase 4 — Pre-Audit Readiness

Target: AprJun 2027 (46 weeks)

Task Description
Select certification body (CB) Accredited ISO 27001 registrar
Mock Stage 1 audit Documentation review against Clauses 410
Evidence pack assembly Policies, risk register, audit reports, training records, change logs
Corrective actions Close all findings from mock audit
Employee interviews prep Staff briefed on ISMS policies and their roles
SoA finalization All Annex A controls marked with implementation status

7.1 Evidence Checklist

  • Signed Information Security Policy
  • Approved ISMS scope document
  • Risk assessment and treatment plan (current version)
  • Statement of Applicability
  • Internal audit reports (≥1 cycle)
  • Management review minutes (≥1 cycle)
  • Incident response plan and test record
  • Access review records
  • Vulnerability scan reports
  • Backup/restore test records
  • Training completion records
  • Vendor assessment records
  • Change management records (sample)

8. Phase 5 — Certification Audit

Target: JulSep 2027

8.1 Stage 1 — Documentation Review

  • CB reviews ISMS documentation for conformity with ISO 27001:2022
  • Scope, SoA, risk assessment, and policy completeness verified
  • Findings documented; corrective actions before Stage 2

8.2 Stage 2 — Implementation Audit

  • CB verifies controls are implemented and operating effectively
  • Interviews with key personnel
  • Sampling of evidence (logs, tickets, access records)
  • Nonconformities classified as Minor or Major

8.3 Post-Certification

  • Surveillance audits annually
  • Full recertification every 3 years
  • Continuous improvement via PDCA cycle

9. Resource Estimate

Role Effort Phase(s)
ISO (part-time) 0.250.5 FTE ongoing All
Engineering Lead 0.1 FTE 2, 3
DevOps Lead 0.15 FTE 2, 3
DPO (part-time) 0.05 FTE 1, 2
External consultant (optional) 510 days 1, 4
Certification body Fixed fee 5
Security tooling (SIEM, scanning) Budget item 2

Estimated total cost range: €15,000–€40,000 (highly dependent on org size, tooling, and consultant use)


10. PDCA Cycle Integration

    ┌─────────────┐
    │    PLAN     │  Scope, risk assessment, policies, SoA
    └──────┬──────┘
           ▼
    ┌─────────────┐
    │     DO      │  Implement controls, training, procedures
    └──────┬──────┘
           ▼
    ┌─────────────┐
    │    CHECK    │  Internal audit, KPIs, management review
    └──────┬──────┘
           ▼
    ┌─────────────┐
    │     ACT     │  Corrective actions, risk updates, improve
    └──────┬──────┘
           └──────────► (back to PLAN)

11. Milestones & Decision Gates

Milestone Target Date Gate Criteria
M0: Foundation approved 2026-06-30 Executive sign-off on scope and asset inventory
M1: Policy suite published 2026-08-31 5 core policies + risk procedure drafted; pending executive approval
M2: Critical risks mitigated 2026-11-30 No Critical residual risks
M3: ISMS operational 2027-03-31 1 internal audit + 1 management review complete
M4: Pre-audit passed 2027-06-30 Mock audit with no Major findings
M5: ISO 27001 certified 2027-09-30 Stage 2 certificate issued

12. Document Control

Version Date Author Changes
1.0 2026-06-11 Engineering Initial certification roadmap

Approval

Role Name Signature Date
ISO Pending
Executive Sponsor Pending