Files
tm_back/docs/security/STATEMENT_OF_APPLICABILITY.md
Mazyar 6af5cf3c4e Update security documentation to align with ISO/IEC 27001 standards
- Revised the Gap Analysis Report to provide detailed counts of implemented, partial, and not implemented controls, enhancing clarity on compliance status.
- Updated the ISO27001 Roadmap to include a status column for deliverables, improving tracking of progress towards certification.
- Adjusted the Statement of Applicability to reconcile summary counts with control rows and clarify the applicability of outsourced development.

These updates strengthen the documentation framework, ensuring it accurately reflects the current state of security controls and compliance efforts within the Tender Management System.
2026-06-13 23:59:38 +03:30

16 KiB
Raw Permalink Blame History

Statement of Applicability (SoA) — Tender Management System

Field Value
Document ID ISMS-005
Version 1.0
Status Draft — Pending approval
Owner Information Security Officer (ISO)
Last Updated 2026-06-11
Standard ISO/IEC 27001:2022 Annex A
Scope ISMS Foundation §3

Related: Gap Analysis Report | Risk Assessment Matrix


1. Purpose

The Statement of Applicability (SoA) documents:

  • Which Annex A controls are applicable to the TM ISMS
  • Whether each control is implemented, partially implemented, or not implemented
  • Justification for exclusions
  • Reference to implementation evidence or planned remediation

This document satisfies ISO/IEC 27001:2022 Clause 6.1.3(d) and is a mandatory input for certification audits.


2. Status Legend

Status Meaning
Yes Applicable and implemented with evidence
Partial Applicable; control exists but incomplete or not fully evidenced
No Applicable but not yet implemented
N/A Not applicable to scope (justification required)

3. A.5 — Organizational Controls

ID Control Applicable Status Implementation / Justification Risk Ref
A.5.1 Policies for information security Yes Partial Information Security Policy draft; pending approval
A.5.2 Information security roles and responsibilities Yes Partial ISMS Foundation §5; named assignments pending
A.5.3 Segregation of duties Yes Partial Dev vs DevOps separation informal; no single prod DB write without break-glass R-020
A.5.4 Management responsibilities Yes Partial Roadmap and objectives defined; management review not yet held
A.5.5 Contact with authorities Yes No No documented contacts with regulators/law enforcement R-023
A.5.6 Contact with special interest groups Yes No No ISAC or security forum membership
A.5.7 Threat intelligence Yes No No formal threat intel feed or process
A.5.8 Information security in project management Yes Partial Major change checklist in risk procedure; informal for small changes
A.5.9 Inventory of information and other associated assets Yes Yes ISMS Foundation §4 — 20 assets
A.5.10 Acceptable use of information and other associated assets Yes Partial Acceptable Use Policy draft
A.5.11 Return of assets Yes No No formal offboarding asset return checklist R-004
A.5.12 Classification of information Yes Yes C1C4 classification in ISMS Foundation
A.5.13 Labelling of information Yes No Classification defined but no labelling in apps/repos
A.5.14 Information transfer Yes Partial HTTPS for APIs; email via notification service; no DLP R-017
A.5.15 Access control Yes Partial Access Control Policy; JWT + RBAC R-003
A.5.16 Identity management Yes Partial Unique accounts; provisioning/deprovisioning procedure in policy R-004
A.5.17 Authentication information Yes Partial bcrypt passwords; secrets in env; MFA planned R-001, R-013
A.5.18 Access rights Yes Partial Quarterly review defined; not yet executed R-004
A.5.19 Information security in supplier relationships Yes No No vendor security assessments R-017, R-018
A.5.20 Addressing information security within supplier agreements Yes No Contracts lack security clauses review R-017
A.5.21 Managing information security in the ICT supply chain Yes Partial Go modules pinned; no formal supply chain policy R-010
A.5.22 Monitoring, review and change management of supplier services Yes No No annual vendor review process R-018
A.5.23 Information security for use of cloud services Yes Partial Cloud-hosted MongoDB/Redis/MinIO; provider evidence not collected R-014
A.5.24 Information security incident management planning and preparation Yes Partial Incident Response Plan draft R-023
A.5.25 Assessment and decision on information security events Yes Partial Severity classification in IR plan; not yet tested R-023
A.5.26 Response to information security incidents Yes Partial Playbooks defined; IRT contacts not finalized R-023
A.5.27 Learning from information security incidents Yes Partial Post-incident review required in IR plan; no incidents recorded yet
A.5.28 Collection of evidence Yes Partial Evidence handling in IR plan; chain of custody untested
A.5.29 Information security during disruption Yes Partial RTO/RPO in backup policy; no full BCP document R-014
A.5.30 ICT readiness for business continuity Yes Partial Backup policy; DR test not yet performed R-014
A.5.31 Legal, statutory, regulatory and contractual requirements Yes Partial GDPR referenced; no requirements register R-007
A.5.32 Intellectual property rights Yes Partial Open-source licenses in go.mod; no IP policy
A.5.33 Protection of records Yes Partial Audit logs; retention periods not fully defined
A.5.34 Privacy and protection of PII Yes Partial PII inventory; DSR process not implemented R-007
A.5.35 Independent review of information security Yes No No internal audit or external review yet
A.5.36 Compliance with policies, rules and standards Yes No No compliance checks or audit program
A.5.37 Documented operating procedures Yes Partial ISMS procedures started; ops runbooks incomplete

4. A.6 — People Controls

ID Control Applicable Status Implementation / Justification Risk Ref
A.6.1 Screening Yes No No background check policy documented R-021
A.6.2 Terms and conditions of employment Yes Partial Acceptable Use Policy; HR terms not linked
A.6.3 Information security awareness, education and training Yes No No training program or records R-021
A.6.4 Disciplinary process Yes Partial Referenced in AUP; HR process not documented
A.6.5 Responsibilities after termination or change of employment Yes Partial Deprovisioning in Access Control Policy (24 h) R-004
A.6.6 Confidentiality or non-disclosure agreements Yes Partial Assumed for contractors; no central register
A.6.7 Remote working Yes Partial VPN/bastion requirement in Access Control Policy
A.6.8 Information security event reporting Yes Partial Reporting channels in IR plan; not communicated to staff R-023

5. A.7 — Physical Controls

ID Control Applicable Status Implementation / Justification Risk Ref
A.7.1 Physical security perimeters N/A N/A Cloud provider responsibility (A.5.23)
A.7.2 Physical entry N/A N/A Cloud provider responsibility
A.7.3 Securing offices, rooms and facilities N/A N/A No on-premise TM infrastructure
A.7.4 Physical security monitoring N/A N/A Cloud provider responsibility
A.7.5 Protecting against physical and environmental threats N/A N/A Cloud provider responsibility
A.7.6 Working in secure areas N/A N/A No secure areas for TM systems
A.7.7 Clear desk and clear screen Yes Partial AUP references screen lock; not enforced
A.7.8 Equipment siting and protection N/A N/A Cloud-hosted servers
A.7.9 Security of assets off-premises Yes Partial AUP device encryption requirement for prod access
A.7.10 Storage media N/A N/A No removable media for TM data stores
A.7.11 Supporting utilities N/A N/A Cloud provider responsibility
A.7.12 Cabling security N/A N/A Cloud provider responsibility
A.7.13 Equipment maintenance N/A N/A Cloud provider responsibility
A.7.14 Secure disposal or re-use of equipment Yes Partial AUP prohibits local PII storage; no disposal procedure

Note: A.7.7, A.7.9, A.7.14 remain applicable for personnel devices accessing TM systems.


6. A.8 — Technological Controls

ID Control Applicable Status Implementation / Justification Risk Ref
A.8.1 User endpoint devices Yes Partial AUP device requirements; no MDM
A.8.2 Privileged access rights Yes Partial Break-glass procedure; no PAM tool R-020
A.8.3 Information access restriction Yes Yes RBAC + company-scoped middleware (pkg/authorization) R-003
A.8.4 Access to source code Yes Yes Git repo with PR review; branch protection (assumed)
A.8.5 Secure authentication Yes Partial JWT, bcrypt, hCaptcha; MFA not yet enabled R-001, R-002
A.8.6 Capacity management Yes Partial Rate limit config; no capacity monitoring R-012
A.8.7 Protection against malware Yes No No malware scanning on uploads or endpoints R-011
A.8.8 Management of technical vulnerabilities Yes No No govulncheck/SAST in CI R-010
A.8.9 Configuration management Yes Partial pkg/config env priority; secrets in flat env files R-013
A.8.10 Information deletion Yes Partial Domain delete operations; no retention/deletion policy R-007
A.8.11 Data masking Yes No Passwords excluded from API responses; no masking elsewhere
A.8.12 Data leakage prevention Yes No No DLP tooling R-008
A.8.13 Information backup Yes Partial Backup & Recovery Policy; tests not yet run R-006, R-014
A.8.14 Redundancy of information processing facilities Yes Partial Depends on cloud provider HA; not documented R-014
A.8.15 Logging Yes Yes Structured service logging; pkg/audit for security events R-008, R-015
A.8.16 Monitoring activities Yes Partial Application logs only; no SIEM or alerting R-015
A.8.17 Clock synchronization Yes Partial NTP assumed on cloud hosts; not verified
A.8.18 Use of privileged utility programs Yes Partial DB admin tools restricted; no formal policy R-020
A.8.19 Installation of software on operational systems Yes Partial Container/deploy pipeline; no formal whitelist R-016
A.8.20 Networks security Yes Partial HTTPS in prod; DB not public; no documented network diagram
A.8.21 Security of network services Yes Partial TLS to external APIs; no network service inventory
A.8.22 Segregation of networks Yes Partial Dev/staging/prod separated; informal
A.8.23 Web filtering Yes No No web filtering for staff endpoints
A.8.24 Use of cryptography Yes Partial TLS in transit; at-rest encryption TBD R-005
A.8.25 Secure development life cycle Yes Partial .cursorrules, code review, Clean Architecture
A.8.26 Application security requirements Yes Yes Govalidator, XSS policy, Swagger, response standards R-009
A.8.27 Secure system architecture and engineering principles Yes Partial Clean Architecture, DI, no global state
A.8.28 Secure coding Yes Partial Coding standards documented; no SAST R-009, R-010
A.8.29 Security testing in development and acceptance Yes No Unit tests exist; no security test suite or DAST R-009
A.8.30 Outsourced development N/A N/A All TM backend development is in-house; no outsourced development of scoped applications
A.8.31 Separation of development, test and production environments Yes Partial Separate env configs; staging data may contain real data
A.8.32 Change management Yes Partial Git PR workflow; no formal change procedure R-022
A.8.33 Test information Yes Partial Staging should use anonymized data; not enforced
A.8.34 Protection of information systems during audit testing Yes No No audit testing procedure

7. Summary Statistics

Counts derived from the control rows in §3–§6 (authoritative source for cross-document reporting).

7.1 By Theme

Theme Total Implemented (Yes) Partial Not impl. (No) N/A
A.5 Organizational 37 2 25 10 0
A.6 People 8 0 6 2 0
A.7 Physical 14 0 3 0 11
A.8 Technological 34 4 22 7 1
Total 93 6 56 19 12

7.2 Overall

Category Count % of all 93
Total Annex A controls 93 100%
Not applicable (N/A) 12 13%
Applicable 81 87%
Implemented (Yes) 6 6%
Partial 56 60%
Not implemented (No) 19 20%

Applicable = Total N/A. Yes/Partial/No counts apply only to applicable controls (6 + 56 + 19 = 81).

7.3 Applicable Controls by Status

Percentages below are of 81 applicable controls (excluding 12 N/A).

Implemented  ██░░░░░░░░░░░░░░░░░░░░   7%  (6/81)
Partial      █████████████████░░░░░  69%  (56/81)
Not impl.    █████░░░░░░░░░░░░░░░░░  23%  (19/81)

8. Priority Remediation (Applicable "No" and Critical "Partial")

Priority Control(s) Action Target Owner
P0 A.8.8 Add govulncheck + dependency scanning to CI Q2 2026 Engineering
P0 A.8.16 Deploy centralized logging and alerting Q3 2026 DevOps
P0 A.5.35, A.5.36 Establish internal audit program Q1 2027 ISO
P1 A.6.3 Launch security awareness training Q3 2026 ISO
P1 A.5.19A.5.22 Vendor security assessments Q4 2026 ISO
P1 A.8.24 Enable encryption at rest Q3 2026 DevOps
P1 A.8.5 Enable MFA for admin users Q3 2026 Engineering
P1 A.8.29 Add security testing to CI/CD Q3 2026 Engineering
P2 A.5.5 Document authority contacts (GDPR DPA) Q3 2026 DPO
P2 A.8.7 Malware scan on file uploads Q4 2026 Engineering
P2 A.8.12 Evaluate DLP for log pipeline Q4 2026 DevOps

9. Exclusion Justifications

Control(s) Justification
A.7.1A.7.6, A.7.8, A.7.10A.7.13 TM infrastructure is fully cloud-hosted; physical controls are the responsibility of the cloud/IaaS provider per shared responsibility model. Evidence collected via A.5.23.
A.8.30 All TM backend development is in-house; no outsourced development of scoped applications.

10. Document Control

Version Date Author Changes
1.0 2026-06-11 Engineering Initial SoA for 93 Annex A controls
1.1 2026-06-11 Engineering Reconciled summary counts with control rows; fixed A.8.30 applicability

Approval

Role Name Signature Date
ISO Pending
Executive Sponsor Pending

Next review: Quarterly or upon significant scope/control change


11. Cross-Reference Index

Document Purpose
GAP_ANALYSIS_REPORT.md Clause-level gap detail
RISK_ASSESSMENT_MATRIX.md Risk IDs linked in SoA
ISO27001_ROADMAP.md Remediation timeline
policies/ Policy evidence for A.5.x controls