ISO/IEC 27001 Certification Roadmap — Tender Management System
| Field |
Value |
| Document ID |
ISMS-003 |
| Version |
1.0 |
| Status |
Active roadmap |
| Owner |
Information Security Officer (ISO) |
| Last Updated |
2026-06-11 |
| Target Certification |
ISO/IEC 27001:2022 |
Related: ISMS Foundation | Risk Assessment Matrix
1. Executive Summary
This roadmap defines a phased path from the current informal security practices to a certifiable ISMS for the Tender Management backend platform. The plan spans approximately 12–18 months from foundation to Stage 2 certification audit, assuming dedicated part-time security ownership (0.25–0.5 FTE).
Current State
- Strong technical controls in application layer (JWT, RBAC, validation, XSS, audit logging)
- No formal ISMS documentation, policies, or certified processes
- Risk assessment and asset inventory now documented (initial versions)
Target State
- Documented and operating ISMS aligned with ISO/IEC 27001:2022
- Risk treatment plans executed for High and Critical risks
- Internal audit program and management review cycle established
- Successful Stage 1 and Stage 2 certification audits
2. Certification Timeline Overview
| Phase |
Name |
Duration |
Key Deliverable |
| 0 |
Foundation |
2 weeks |
ISMS scope, asset inventory, risk matrix (this release) |
| 1 |
Gap Analysis & Policies |
6–8 weeks |
Policy suite, SoA draft, gap report |
| 2 |
Control Implementation |
10–12 weeks |
Technical and procedural controls |
| 3 |
ISMS Operation |
12+ weeks |
Internal audits, KPIs, management review |
| 4 |
Pre-Audit Readiness |
4–6 weeks |
Mock audit, evidence pack, corrective actions |
| 5 |
Certification Audit |
4–8 weeks |
Stage 1 + Stage 2 with accredited CB |
3. Phase 0 — Foundation (Complete)
Status: ✅ Complete as of 2026-06-11
4. Phase 1 — Gap Analysis & Policy Framework
Target: Jul–Aug 2026 (6–8 weeks)
4.1 Objectives
- Map existing controls to ISO 27001:2022 Annex A
- Identify gaps and produce Statement of Applicability (SoA)
- Publish core ISMS policies
4.2 Deliverables
| # |
Deliverable |
ISO 27001 Reference |
Owner |
Status |
| 1.1 |
Gap analysis report |
Clauses 4–10 |
ISO |
✅ Draft |
| 1.2 |
Statement of Applicability (SoA) |
Annex A |
ISO |
✅ Draft |
| 1.3 |
Information Security Policy |
A.5.1 |
Executive Sponsor |
✅ Draft |
| 1.4 |
Access Control Policy |
A.5.15–A.5.18 |
ISO |
✅ Draft |
| 1.5 |
Incident Response Plan |
A.5.24–A.5.28 |
ISO |
✅ Draft |
| 1.6 |
Backup & Recovery Policy |
A.8.13 |
DevOps |
✅ Draft |
| 1.7 |
Acceptable Use Policy |
A.6.2 |
HR / ISO |
✅ Draft |
| 1.8 |
Risk Assessment Procedure |
Clause 6.1.2 |
ISO |
✅ Draft |
| 1.9 |
ISMS scope approval (signed) |
Clause 4.3 |
Executive Sponsor |
✅ Draft — pending signature |
4.3 Annex A Gap Snapshot (Initial)
Based on codebase review and Risk Assessment Matrix:
| Annex A Theme |
Current Maturity |
Gap Priority |
| A.5 Organizational controls |
2 Yes / 25 Partial / 10 No (of 37) |
High |
| A.6 People controls |
0 Yes / 6 Partial / 2 No (of 8) |
High |
| A.7 Physical controls |
11 N/A (cloud); 3 Partial (personnel devices) |
Transfer to cloud provider |
| A.8 Technological controls |
4 Yes / 22 Partial / 7 No / 1 N/A (of 34) |
Medium |
Per-theme counts: SoA §7.1.
Controls with Status = Yes in SoA (fully evidenced):
| Control |
Evidence in Codebase |
| A.5.9, A.5.12 |
Asset inventory; information classification |
| A.8.3 Access restriction |
RBAC + company-scoped middleware |
| A.8.4 Access to source code |
Git repo with PR review |
| A.8.15 Logging |
Structured service logging, pkg/audit |
| A.8.26 Application security requirements |
Govalidator, XSS policy, Swagger |
Additional partial in-app controls (e.g. A.8.5 authentication, A.8.9 configuration, A.8.6 rate limiting) are implemented in code but not yet fully evidenced in the SoA.
Priority gaps to close in Phase 2:
| Control |
Gap |
Planned Action |
| A.8.24 Cryptography |
No documented crypto policy; at-rest encryption TBD |
Encryption policy; MongoDB/MinIO at-rest |
| A.8.8 Vulnerability management |
No formal scanning |
CI: govulncheck, SAST, container scan |
| A.8.16 Monitoring |
Logs only, no SIEM |
Centralized logging + alerts |
| A.5.19–A.5.23 Supplier relationships |
No vendor assessments |
Vendor questionnaire for AI, notification |
| A.5.29–A.5.30 Business continuity |
No DR plan |
BCP/DRP with RTO/RPO |
| A.6.3 Security awareness |
No training program |
Annual training + onboarding module |
5. Phase 2 — Control Implementation
Target: Sep–Nov 2026 (10–12 weeks)
5.1 Technical Controls
| Priority |
Control |
Tasks |
Risk IDs |
Owner |
| P0 |
Secrets management |
Migrate to vault; remove FCM keys from repo; rotate credentials |
R-013 |
DevOps |
| P0 |
Auth hardening |
Rate limit all auth endpoints; MFA for admin users |
R-001, R-021 |
Engineering |
| P0 |
Vulnerability scanning |
govulncheck + Dependabot in CI; monthly review |
R-010 |
Engineering |
| P1 |
Encryption at rest |
Enable MongoDB and MinIO encryption |
R-005, R-006 |
DevOps |
| P1 |
Monitoring & alerting |
Centralize logs; alert on auth failures, 5xx spikes |
R-015 |
DevOps |
| P1 |
RBAC audit |
Automated tests for all admin route authorization |
R-003 |
Engineering |
| P2 |
WAF / CDN |
DDoS protection for public API |
R-012 |
DevOps |
| P2 |
File upload security |
MIME validation, size limits, malware scan |
R-011 |
Engineering |
| P2 |
Refresh token rotation |
Complete token rotation implementation |
R-002 |
Engineering |
5.2 Procedural Controls
| Priority |
Control |
Tasks |
Owner |
| P0 |
Incident response |
IR plan, on-call rotation, tabletop exercise |
ISO |
| P0 |
Change management |
PR approval rules, prod deployment checklist |
Engineering |
| P1 |
Access reviews |
Quarterly review of admin and infra access |
ISO |
| P1 |
Backup verification |
Monthly restore test; documented RTO/RPO |
DevOps |
| P1 |
Vendor management |
Security questionnaires for AI, notification, cloud |
ISO |
| P2 |
DSR process |
GDPR data subject request workflow |
DPO |
6. Phase 3 — ISMS Operation
Target: Dec 2026 – Mar 2027 (minimum 3 months operation required)
6.1 Operating Activities
| Activity |
Frequency |
Owner |
ISO 27001 Reference |
| Risk register review |
Quarterly |
ISO |
6.1.2 |
| Internal audit |
Semi-annual |
Internal auditor |
9.2 |
| Management review |
Quarterly |
Executive Sponsor |
9.3 |
| Vulnerability scan review |
Monthly |
Engineering |
A.8.8 |
| Access review |
Quarterly |
ISO |
A.5.18 |
| Backup restore test |
Monthly |
DevOps |
A.8.13 |
| Security awareness training |
Annual + onboarding |
ISO |
A.6.3 |
| Supplier review |
Annual |
ISO |
A.5.19 |
| KPI reporting |
Monthly |
ISO |
9.1 |
6.2 Key Performance Indicators (KPIs)
| KPI |
Target |
Measurement |
| Critical/High open risks |
0 Critical; ≤3 High |
Risk register |
| Mean time to patch (Critical CVE) |
≤ 7 days |
Vulnerability tracker |
| Failed login rate |
Baseline + alert threshold |
SIEM |
| Backup restore success |
100% monthly test |
DevOps report |
| Security training completion |
100% staff |
HR records |
| Incident response time (P1) |
≤ 1 hour acknowledgment |
IR log |
7. Phase 4 — Pre-Audit Readiness
Target: Apr–Jun 2027 (4–6 weeks)
| Task |
Description |
| Select certification body (CB) |
Accredited ISO 27001 registrar |
| Mock Stage 1 audit |
Documentation review against Clauses 4–10 |
| Evidence pack assembly |
Policies, risk register, audit reports, training records, change logs |
| Corrective actions |
Close all findings from mock audit |
| Employee interviews prep |
Staff briefed on ISMS policies and their roles |
| SoA finalization |
All Annex A controls marked with implementation status |
7.1 Evidence Checklist
8. Phase 5 — Certification Audit
Target: Jul–Sep 2027
8.1 Stage 1 — Documentation Review
- CB reviews ISMS documentation for conformity with ISO 27001:2022
- Scope, SoA, risk assessment, and policy completeness verified
- Findings documented; corrective actions before Stage 2
8.2 Stage 2 — Implementation Audit
- CB verifies controls are implemented and operating effectively
- Interviews with key personnel
- Sampling of evidence (logs, tickets, access records)
- Nonconformities classified as Minor or Major
8.3 Post-Certification
- Surveillance audits annually
- Full recertification every 3 years
- Continuous improvement via PDCA cycle
9. Resource Estimate
| Role |
Effort |
Phase(s) |
| ISO (part-time) |
0.25–0.5 FTE ongoing |
All |
| Engineering Lead |
0.1 FTE |
2, 3 |
| DevOps Lead |
0.15 FTE |
2, 3 |
| DPO (part-time) |
0.05 FTE |
1, 2 |
| External consultant (optional) |
5–10 days |
1, 4 |
| Certification body |
Fixed fee |
5 |
| Security tooling (SIEM, scanning) |
Budget item |
2 |
Estimated total cost range: €15,000–€40,000 (highly dependent on org size, tooling, and consultant use)
10. PDCA Cycle Integration
11. Milestones & Decision Gates
| Milestone |
Target Date |
Gate Criteria |
| M0: Foundation approved |
2026-06-30 |
Executive sign-off on scope and asset inventory |
| M1: Policy suite published |
2026-08-31 |
5 core policies + risk procedure drafted; pending executive approval |
| M2: Critical risks mitigated |
2026-11-30 |
No Critical residual risks |
| M3: ISMS operational |
2027-03-31 |
1 internal audit + 1 management review complete |
| M4: Pre-audit passed |
2027-06-30 |
Mock audit with no Major findings |
| M5: ISO 27001 certified |
2027-09-30 |
Stage 2 certificate issued |
12. Document Control
| Version |
Date |
Author |
Changes |
| 1.0 |
2026-06-11 |
Engineering |
Initial certification roadmap |
Approval
| Role |
Name |
Signature |
Date |
| ISO |
Pending |
|
|
| Executive Sponsor |
Pending |
|
|