6af5cf3c4e
- Revised the Gap Analysis Report to provide detailed counts of implemented, partial, and not implemented controls, enhancing clarity on compliance status. - Updated the ISO27001 Roadmap to include a status column for deliverables, improving tracking of progress towards certification. - Adjusted the Statement of Applicability to reconcile summary counts with control rows and clarify the applicability of outsourced development. These updates strengthen the documentation framework, ensuring it accurately reflects the current state of security controls and compliance efforts within the Tender Management System.
314 lines
13 KiB
Markdown
314 lines
13 KiB
Markdown
# ISO/IEC 27001 Certification Roadmap — Tender Management System
|
||
|
||
| Field | Value |
|
||
|-------|-------|
|
||
| **Document ID** | ISMS-003 |
|
||
| **Version** | 1.0 |
|
||
| **Status** | Active roadmap |
|
||
| **Owner** | Information Security Officer (ISO) |
|
||
| **Last Updated** | 2026-06-11 |
|
||
| **Target Certification** | ISO/IEC 27001:2022 |
|
||
|
||
Related: [ISMS Foundation](./ISMS_FOUNDATION.md) | [Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.md)
|
||
|
||
---
|
||
|
||
## 1. Executive Summary
|
||
|
||
This roadmap defines a phased path from the current informal security practices to a certifiable ISMS for the Tender Management backend platform. The plan spans approximately **12–18 months** from foundation to Stage 2 certification audit, assuming dedicated part-time security ownership (0.25–0.5 FTE).
|
||
|
||
### Current State
|
||
|
||
- Strong technical controls in application layer (JWT, RBAC, validation, XSS, audit logging)
|
||
- No formal ISMS documentation, policies, or certified processes
|
||
- Risk assessment and asset inventory now documented (initial versions)
|
||
|
||
### Target State
|
||
|
||
- Documented and operating ISMS aligned with ISO/IEC 27001:2022
|
||
- Risk treatment plans executed for High and Critical risks
|
||
- Internal audit program and management review cycle established
|
||
- Successful Stage 1 and Stage 2 certification audits
|
||
|
||
---
|
||
|
||
## 2. Certification Timeline Overview
|
||
|
||
```
|
||
Phase 0 ──► Phase 1 ──► Phase 2 ──► Phase 3 ──► Phase 4 ──► Phase 5
|
||
Foundation Gap & Implement Operate Pre-Audit Certification
|
||
(Complete) Policies Controls ISMS Readiness Audit
|
||
│ │ │ │ │ │
|
||
Jun 2026 Jul-Aug Sep-Nov Dec-Mar Apr-Jun Jul-Sep 2027
|
||
```
|
||
|
||
| Phase | Name | Duration | Key Deliverable |
|
||
|-------|------|----------|-----------------|
|
||
| **0** | Foundation | 2 weeks | ISMS scope, asset inventory, risk matrix *(this release)* |
|
||
| **1** | Gap Analysis & Policies | 6–8 weeks | Policy suite, SoA draft, gap report |
|
||
| **2** | Control Implementation | 10–12 weeks | Technical and procedural controls |
|
||
| **3** | ISMS Operation | 12+ weeks | Internal audits, KPIs, management review |
|
||
| **4** | Pre-Audit Readiness | 4–6 weeks | Mock audit, evidence pack, corrective actions |
|
||
| **5** | Certification Audit | 4–8 weeks | Stage 1 + Stage 2 with accredited CB |
|
||
|
||
---
|
||
|
||
## 3. Phase 0 — Foundation (Complete)
|
||
|
||
**Status:** ✅ Complete as of 2026-06-11
|
||
|
||
| Task | Deliverable | Status |
|
||
|------|-------------|--------|
|
||
| Define ISMS scope | [ISMS_FOUNDATION.md §3](./ISMS_FOUNDATION.md#3-isms-scope) | ✅ |
|
||
| Create asset inventory | [ISMS_FOUNDATION.md §4](./ISMS_FOUNDATION.md#4-information-asset-inventory) | ✅ |
|
||
| Initial risk assessment | [RISK_ASSESSMENT_MATRIX.md](./RISK_ASSESSMENT_MATRIX.md) | ✅ |
|
||
| Assign interim ISO role | Pending management approval | ⬜ |
|
||
| Executive briefing on ISMS scope | Presentation / sign-off | ⬜ |
|
||
|
||
---
|
||
|
||
## 4. Phase 1 — Gap Analysis & Policy Framework
|
||
|
||
**Target:** Jul–Aug 2026 (6–8 weeks)
|
||
|
||
### 4.1 Objectives
|
||
|
||
- Map existing controls to ISO 27001:2022 Annex A
|
||
- Identify gaps and produce Statement of Applicability (SoA)
|
||
- Publish core ISMS policies
|
||
|
||
### 4.2 Deliverables
|
||
|
||
| # | Deliverable | ISO 27001 Reference | Owner | Status |
|
||
|---|-------------|---------------------|-------|--------|
|
||
| 1.1 | Gap analysis report | Clauses 4–10 | ISO | ✅ Draft |
|
||
| 1.2 | Statement of Applicability (SoA) | Annex A | ISO | ✅ Draft |
|
||
| 1.3 | Information Security Policy | A.5.1 | Executive Sponsor | ✅ Draft |
|
||
| 1.4 | Access Control Policy | A.5.15–A.5.18 | ISO | ✅ Draft |
|
||
| 1.5 | Incident Response Plan | A.5.24–A.5.28 | ISO | ✅ Draft |
|
||
| 1.6 | Backup & Recovery Policy | A.8.13 | DevOps | ✅ Draft |
|
||
| 1.7 | Acceptable Use Policy | A.6.2 | HR / ISO | ✅ Draft |
|
||
| 1.8 | Risk Assessment Procedure | Clause 6.1.2 | ISO | ✅ Draft |
|
||
| 1.9 | ISMS scope approval (signed) | Clause 4.3 | Executive Sponsor | ✅ Draft — pending signature |
|
||
|
||
### 4.3 Annex A Gap Snapshot (Initial)
|
||
|
||
Based on codebase review and [Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.md):
|
||
|
||
| Annex A Theme | Current Maturity | Gap Priority |
|
||
|---------------|------------------|--------------|
|
||
| A.5 Organizational controls | 2 Yes / 25 Partial / 10 No (of 37) | High |
|
||
| A.6 People controls | 0 Yes / 6 Partial / 2 No (of 8) | High |
|
||
| A.7 Physical controls | 11 N/A (cloud); 3 Partial (personnel devices) | Transfer to cloud provider |
|
||
| A.8 Technological controls | 4 Yes / 22 Partial / 7 No / 1 N/A (of 34) | Medium |
|
||
|
||
*Per-theme counts: [SoA §7.1](./STATEMENT_OF_APPLICABILITY.md#71-by-theme).*
|
||
|
||
**Controls with Status = Yes in SoA (fully evidenced):**
|
||
|
||
| Control | Evidence in Codebase |
|
||
|---------|---------------------|
|
||
| A.5.9, A.5.12 | Asset inventory; information classification |
|
||
| A.8.3 Access restriction | RBAC + company-scoped middleware |
|
||
| A.8.4 Access to source code | Git repo with PR review |
|
||
| A.8.15 Logging | Structured service logging, `pkg/audit` |
|
||
| A.8.26 Application security requirements | Govalidator, XSS policy, Swagger |
|
||
|
||
**Additional partial in-app controls** (e.g. A.8.5 authentication, A.8.9 configuration, A.8.6 rate limiting) are implemented in code but not yet fully evidenced in the SoA.
|
||
|
||
**Priority gaps to close in Phase 2:**
|
||
|
||
| Control | Gap | Planned Action |
|
||
|---------|-----|----------------|
|
||
| A.8.24 Cryptography | No documented crypto policy; at-rest encryption TBD | Encryption policy; MongoDB/MinIO at-rest |
|
||
| A.8.8 Vulnerability management | No formal scanning | CI: govulncheck, SAST, container scan |
|
||
| A.8.16 Monitoring | Logs only, no SIEM | Centralized logging + alerts |
|
||
| A.5.19–A.5.23 Supplier relationships | No vendor assessments | Vendor questionnaire for AI, notification |
|
||
| A.5.29–A.5.30 Business continuity | No DR plan | BCP/DRP with RTO/RPO |
|
||
| A.6.3 Security awareness | No training program | Annual training + onboarding module |
|
||
|
||
---
|
||
|
||
## 5. Phase 2 — Control Implementation
|
||
|
||
**Target:** Sep–Nov 2026 (10–12 weeks)
|
||
|
||
### 5.1 Technical Controls
|
||
|
||
| Priority | Control | Tasks | Risk IDs | Owner |
|
||
|----------|---------|-------|----------|-------|
|
||
| P0 | Secrets management | Migrate to vault; remove FCM keys from repo; rotate credentials | R-013 | DevOps |
|
||
| P0 | Auth hardening | Rate limit all auth endpoints; MFA for admin users | R-001, R-021 | Engineering |
|
||
| P0 | Vulnerability scanning | govulncheck + Dependabot in CI; monthly review | R-010 | Engineering |
|
||
| P1 | Encryption at rest | Enable MongoDB and MinIO encryption | R-005, R-006 | DevOps |
|
||
| P1 | Monitoring & alerting | Centralize logs; alert on auth failures, 5xx spikes | R-015 | DevOps |
|
||
| P1 | RBAC audit | Automated tests for all admin route authorization | R-003 | Engineering |
|
||
| P2 | WAF / CDN | DDoS protection for public API | R-012 | DevOps |
|
||
| P2 | File upload security | MIME validation, size limits, malware scan | R-011 | Engineering |
|
||
| P2 | Refresh token rotation | Complete token rotation implementation | R-002 | Engineering |
|
||
|
||
### 5.2 Procedural Controls
|
||
|
||
| Priority | Control | Tasks | Owner |
|
||
|----------|---------|-------|-------|
|
||
| P0 | Incident response | IR plan, on-call rotation, tabletop exercise | ISO |
|
||
| P0 | Change management | PR approval rules, prod deployment checklist | Engineering |
|
||
| P1 | Access reviews | Quarterly review of admin and infra access | ISO |
|
||
| P1 | Backup verification | Monthly restore test; documented RTO/RPO | DevOps |
|
||
| P1 | Vendor management | Security questionnaires for AI, notification, cloud | ISO |
|
||
| P2 | DSR process | GDPR data subject request workflow | DPO |
|
||
|
||
---
|
||
|
||
## 6. Phase 3 — ISMS Operation
|
||
|
||
**Target:** Dec 2026 – Mar 2027 (minimum 3 months operation required)
|
||
|
||
### 6.1 Operating Activities
|
||
|
||
| Activity | Frequency | Owner | ISO 27001 Reference |
|
||
|----------|-----------|-------|---------------------|
|
||
| Risk register review | Quarterly | ISO | 6.1.2 |
|
||
| Internal audit | Semi-annual | Internal auditor | 9.2 |
|
||
| Management review | Quarterly | Executive Sponsor | 9.3 |
|
||
| Vulnerability scan review | Monthly | Engineering | A.8.8 |
|
||
| Access review | Quarterly | ISO | A.5.18 |
|
||
| Backup restore test | Monthly | DevOps | A.8.13 |
|
||
| Security awareness training | Annual + onboarding | ISO | A.6.3 |
|
||
| Supplier review | Annual | ISO | A.5.19 |
|
||
| KPI reporting | Monthly | ISO | 9.1 |
|
||
|
||
### 6.2 Key Performance Indicators (KPIs)
|
||
|
||
| KPI | Target | Measurement |
|
||
|-----|--------|-------------|
|
||
| Critical/High open risks | 0 Critical; ≤3 High | Risk register |
|
||
| Mean time to patch (Critical CVE) | ≤ 7 days | Vulnerability tracker |
|
||
| Failed login rate | Baseline + alert threshold | SIEM |
|
||
| Backup restore success | 100% monthly test | DevOps report |
|
||
| Security training completion | 100% staff | HR records |
|
||
| Incident response time (P1) | ≤ 1 hour acknowledgment | IR log |
|
||
|
||
---
|
||
|
||
## 7. Phase 4 — Pre-Audit Readiness
|
||
|
||
**Target:** Apr–Jun 2027 (4–6 weeks)
|
||
|
||
| Task | Description |
|
||
|------|-------------|
|
||
| Select certification body (CB) | Accredited ISO 27001 registrar |
|
||
| Mock Stage 1 audit | Documentation review against Clauses 4–10 |
|
||
| Evidence pack assembly | Policies, risk register, audit reports, training records, change logs |
|
||
| Corrective actions | Close all findings from mock audit |
|
||
| Employee interviews prep | Staff briefed on ISMS policies and their roles |
|
||
| SoA finalization | All Annex A controls marked with implementation status |
|
||
|
||
### 7.1 Evidence Checklist
|
||
|
||
- [ ] Signed Information Security Policy
|
||
- [ ] Approved ISMS scope document
|
||
- [ ] Risk assessment and treatment plan (current version)
|
||
- [ ] Statement of Applicability
|
||
- [ ] Internal audit reports (≥1 cycle)
|
||
- [ ] Management review minutes (≥1 cycle)
|
||
- [ ] Incident response plan and test record
|
||
- [ ] Access review records
|
||
- [ ] Vulnerability scan reports
|
||
- [ ] Backup/restore test records
|
||
- [ ] Training completion records
|
||
- [ ] Vendor assessment records
|
||
- [ ] Change management records (sample)
|
||
|
||
---
|
||
|
||
## 8. Phase 5 — Certification Audit
|
||
|
||
**Target:** Jul–Sep 2027
|
||
|
||
### 8.1 Stage 1 — Documentation Review
|
||
|
||
- CB reviews ISMS documentation for conformity with ISO 27001:2022
|
||
- Scope, SoA, risk assessment, and policy completeness verified
|
||
- Findings documented; corrective actions before Stage 2
|
||
|
||
### 8.2 Stage 2 — Implementation Audit
|
||
|
||
- CB verifies controls are implemented and operating effectively
|
||
- Interviews with key personnel
|
||
- Sampling of evidence (logs, tickets, access records)
|
||
- Nonconformities classified as Minor or Major
|
||
|
||
### 8.3 Post-Certification
|
||
|
||
- Surveillance audits annually
|
||
- Full recertification every 3 years
|
||
- Continuous improvement via PDCA cycle
|
||
|
||
---
|
||
|
||
## 9. Resource Estimate
|
||
|
||
| Role | Effort | Phase(s) |
|
||
|------|--------|----------|
|
||
| ISO (part-time) | 0.25–0.5 FTE ongoing | All |
|
||
| Engineering Lead | 0.1 FTE | 2, 3 |
|
||
| DevOps Lead | 0.15 FTE | 2, 3 |
|
||
| DPO (part-time) | 0.05 FTE | 1, 2 |
|
||
| External consultant (optional) | 5–10 days | 1, 4 |
|
||
| Certification body | Fixed fee | 5 |
|
||
| Security tooling (SIEM, scanning) | Budget item | 2 |
|
||
|
||
**Estimated total cost range:** €15,000–€40,000 (highly dependent on org size, tooling, and consultant use)
|
||
|
||
---
|
||
|
||
## 10. PDCA Cycle Integration
|
||
|
||
```
|
||
┌─────────────┐
|
||
│ PLAN │ Scope, risk assessment, policies, SoA
|
||
└──────┬──────┘
|
||
▼
|
||
┌─────────────┐
|
||
│ DO │ Implement controls, training, procedures
|
||
└──────┬──────┘
|
||
▼
|
||
┌─────────────┐
|
||
│ CHECK │ Internal audit, KPIs, management review
|
||
└──────┬──────┘
|
||
▼
|
||
┌─────────────┐
|
||
│ ACT │ Corrective actions, risk updates, improve
|
||
└──────┬──────┘
|
||
└──────────► (back to PLAN)
|
||
```
|
||
|
||
---
|
||
|
||
## 11. Milestones & Decision Gates
|
||
|
||
| Milestone | Target Date | Gate Criteria |
|
||
|-----------|-------------|---------------|
|
||
| M0: Foundation approved | 2026-06-30 | Executive sign-off on scope and asset inventory |
|
||
| M1: Policy suite published | 2026-08-31 | 5 core policies + risk procedure drafted; pending executive approval |
|
||
| M2: Critical risks mitigated | 2026-11-30 | No Critical residual risks |
|
||
| M3: ISMS operational | 2027-03-31 | 1 internal audit + 1 management review complete |
|
||
| M4: Pre-audit passed | 2027-06-30 | Mock audit with no Major findings |
|
||
| M5: ISO 27001 certified | 2027-09-30 | Stage 2 certificate issued |
|
||
|
||
---
|
||
|
||
## 12. Document Control
|
||
|
||
| Version | Date | Author | Changes |
|
||
|---------|------|--------|---------|
|
||
| 1.0 | 2026-06-11 | Engineering | Initial certification roadmap |
|
||
|
||
**Approval**
|
||
|
||
| Role | Name | Signature | Date |
|
||
|------|------|-----------|------|
|
||
| ISO | _Pending_ | | |
|
||
| Executive Sponsor | _Pending_ | | |
|