Files
tm_back/docs/security/GAP_ANALYSIS_REPORT.md
T
Mazyar 06e663b691 Add security and compliance documentation for ISO/IEC 27001
- Introduced a comprehensive suite of security documents to support ISO/IEC 27001 certification, including the ISMS Foundation, Risk Assessment Matrix, Gap Analysis Report, Statement of Applicability, and ISO27001 Roadmap.
- Updated the README to include links to the new security documentation, enhancing the project's compliance framework and providing clear guidance on security policies and procedures.

This addition strengthens the overall security posture of the Tender Management System and aligns with industry standards for information security management.
2026-06-11 01:53:24 +03:30

13 KiB
Raw Blame History

ISO/IEC 27001 Gap Analysis Report — Tender Management System

Field Value
Document ID ISMS-004
Version 1.0
Status Draft — Pending review
Owner Information Security Officer (ISO)
Last Updated 2026-06-11
Assessment Date 2026-06-11
Standard ISO/IEC 27001:2022
Scope ISMS Foundation §3

Related: Statement of Applicability | ISO 27001 Roadmap


1. Executive Summary

This report assesses the current state of the Tender Management (TM) ISMS against ISO/IEC 27001:2022 mandatory clauses (410) and Annex A controls. The assessment is based on documentation review, codebase analysis, and existing operational practices.

Overall Maturity

Area Maturity Summary
Clauses 46 (Context, Leadership, Planning) 🟡 Partial Foundation docs exist; formal leadership approval pending
Clause 7 (Support) 🟡 Partial Competence and awareness programs not yet formalized
Clause 8 (Operation) 🟡 Partial Technical controls strong; operational procedures incomplete
Clause 9 (Performance evaluation) 🔴 Minimal No internal audit program or management review yet
Clause 10 (Improvement) 🔴 Minimal Corrective action process not formalized
Annex A (93 controls) 🟡 Partial ~35% implemented, ~40% partial, ~15% N/A (physical/cloud), ~10% not started

Key Strengths

  • Application-layer security controls (JWT, RBAC, validation, XSS, audit logging)
  • Clean Architecture with dependency injection and structured logging
  • Initial ISMS documentation suite (foundation, risk matrix, policies)
  • Configurable rate limiting and environment-based secret management

Critical Gaps (Must Address Before Certification)

  1. No internal audit program or management review records (Clauses 9.2, 9.3)
  2. No SIEM/centralized monitoring (A.8.16)
  3. No formal vulnerability management in CI (A.8.8)
  4. Secrets in repository / no vault (A.8.9, R-013)
  5. No security awareness training program (A.6.3)
  6. No vendor security assessments (A.5.19A.5.22)
  7. Encryption at rest not confirmed (A.8.24)
  8. Executive sign-off on ISMS scope and policies pending

2. Assessment Methodology

Step Activity
1 Review ISMS scope and asset inventory
2 Map existing controls to ISO 27001:2022 clauses and Annex A
3 Interview technical leads (informal / codebase-based)
4 Classify each requirement: Implemented, Partial, Not Implemented, N/A
5 Prioritize gaps by risk linkage (Risk Assessment Matrix)
6 Define remediation actions in ISO27001_ROADMAP.md Phase 2

Maturity Scale

Rating Definition
Implemented Control documented, implemented, and operating effectively
Partial Control exists informally or is incomplete
Not Implemented No control or documentation
N/A Not applicable to TM scope (with justification)

3. Clause 4 — Context of the Organization

Ref Requirement Status Evidence Gap / Remediation
4.1 Understanding the organization and its context Partial ISMS Foundation §2 Formalize interested parties register
4.2 Understanding needs of interested parties Partial Business objectives in ISMS Foundation Document customers, regulators, partners explicitly
4.3 Determining ISMS scope Partial ISMS Foundation §3; Scope Approval draft Executive sign-off required
4.4 Information security management system Partial ISMS doc structure defined Complete PDCA operating records

Gap actions:

  • Create interested parties register (customers, EU DPA, certification body, cloud providers)
  • Obtain signed scope approval from Executive Sponsor

4. Clause 5 — Leadership

Ref Requirement Status Evidence Gap / Remediation
5.1 Leadership and commitment Partial Roadmap exists; sponsor not yet assigned Appoint Executive Sponsor; first management review
5.2 Policy Partial Information Security Policy draft Approve and communicate policy
5.3 Organizational roles, responsibilities, authorities Partial ISMS Foundation §5 Assign named individuals to ISO, DPO roles

Gap actions:

  • Name and document ISO and DPO (can be interim)
  • Communicate approved Information Security Policy to all staff

5. Clause 6 — Planning

Ref Requirement Status Evidence Gap / Remediation
6.1.1 Actions to address risks and opportunities Partial Risk matrix with 23 risks Link opportunities (e.g. certification as market differentiator)
6.1.2 Information security risk assessment Implemented Risk Assessment Matrix, Procedure Maintain quarterly reviews
6.1.3 Information security risk treatment Partial Treatment plans in risk matrix Execute Phase 2 technical remediations
6.2 Information security objectives Partial Information Security Policy §4 Track KPIs monthly
6.3 Planning of changes Not Implemented Document change planning in change management procedure (Phase 2)

Gap actions:

  • Begin executing risk treatment plans (R-001, R-010, R-013, R-015, R-023 priority)
  • Draft change management procedure

6. Clause 7 — Support

Ref Requirement Status Evidence Gap / Remediation
7.1 Resources Partial Roadmap resource estimate Allocate part-time ISO capacity
7.2 Competence Not Implemented Define security competency requirements per role
7.3 Awareness Not Implemented Acceptable Use Policy draft Launch onboarding + annual training
7.4 Communication Partial Docs in docs/security/ Define internal/external comms plan for ISMS
7.5 Documented information Partial ISMS doc suite Document control procedure; version approval workflow

Gap actions:

  • Security awareness program (A.6.3) — target Q3 2026
  • Document control: naming, approval, retention standards

7. Clause 8 — Operation

Ref Requirement Status Evidence Gap / Remediation
8.1 Operational planning and control Partial DevOps practices informal Formalize change and deploy procedures
8.2 Information security risk assessment Implemented Quarterly procedure defined Execute first scheduled review Sep 2026
8.3 Information security risk treatment Partial Phase 2 roadmap Implement prioritized controls

Gap actions:

  • Operational procedures for backup, incident response (drafted — need testing records)
  • Change management procedure (Phase 2)

8. Clause 9 — Performance Evaluation

Ref Requirement Status Evidence Gap / Remediation
9.1 Monitoring, measurement, analysis, evaluation Partial KPIs defined in roadmap Implement SIEM; monthly KPI reporting
9.2 Internal audit Not Implemented Schedule first internal audit Q1 2027
9.3 Management review Not Implemented First review within 90 days of scope approval

Gap actions:

  • Critical: Establish internal audit program before Stage 2 audit
  • Schedule first management review meeting
  • Implement monitoring (A.8.16) for measurable KPIs

9. Clause 10 — Improvement

Ref Requirement Status Evidence Gap / Remediation
10.1 Continual improvement Partial PDCA in roadmap Track improvement actions from audits/incidents
10.2 Nonconformity and corrective action Not Implemented Define CAPA (Corrective and Preventive Action) procedure

Gap actions:

  • CAPA procedure linked to incident response and audit findings
  • Nonconformity register template

10. Annex A Summary by Theme

Full control-level detail: Statement of Applicability

Theme Total Controls Implemented Partial Not Impl. N/A
A.5 Organizational 37 8 22 5 2
A.6 People 8 1 4 3 0
A.7 Physical 14 0 0 0 14
A.8 Technological 34 12 16 6 0
Total 93 21 42 14 16

Percentages approximate; "Partial" indicates control exists but lacks full documentation, testing, or operating evidence.

A.5 — Top Organizational Gaps

Control Title Status Priority
A.5.19A.5.22 Supplier relationships Not Implemented High
A.5.29A.5.30 Business continuity Partial High
A.5.35 Independent review Not Implemented Medium
A.5.7 Threat intelligence Not Implemented Medium
A.5.32 Intellectual property Partial Low

A.6 — Top People Gaps

Control Title Status Priority
A.6.3 Security awareness training Not Implemented High
A.6.1 Screening Not Implemented Medium
A.6.6 NDAs Partial Medium
A.6.8 Event reporting Partial Medium

A.7 — Physical Controls

All 14 controls marked N/A — infrastructure hosted in cloud/data center; physical security transferred to cloud provider per shared responsibility model. Provider compliance evidence required (A.5.23).

A.8 — Top Technological Gaps

Control Title Status Priority
A.8.8 Vulnerability management Not Implemented Critical
A.8.16 Monitoring activities Partial Critical
A.8.24 Cryptography Partial High
A.8.2 Privileged access rights Partial High
A.8.32 Change management Partial High
A.8.29 Security testing Not Implemented High
A.8.12 Data leakage prevention Not Implemented Medium

A.8 — Implemented Technical Controls (Evidence)

Control Implementation
A.8.3 RBAC + company-scoped middleware (pkg/authorization)
A.8.5 JWT auth, bcrypt passwords, hCaptcha
A.8.9 Env-based config with OS override (pkg/config)
A.8.15 Structured logging + pkg/audit
A.8.26 Govalidator, XSS policy, Swagger
A.8.28 Secure coding standards (.cursorrules, code review)
A.8.6 Rate limit configuration
A.8.4 Git-based source control with PR workflow

11. Gap Remediation Roadmap

Aligned with ISO27001_ROADMAP.md:

Priority Gap Remediation Phase Target
P0 No incident response testing Tabletop exercise 2 Q2 2026
P0 Secrets in repo Vault + secret scanning 2 Q2 2026
P0 No vulnerability scanning govulncheck in CI 2 Q2 2026
P0 No management review First review meeting 1 Q3 2026
P1 No SIEM Centralized logging + alerts 2 Q3 2026
P1 No encryption at rest MongoDB/MinIO encryption 2 Q3 2026
P1 No vendor assessments Vendor questionnaire 2 Q4 2026
P1 No security training Awareness program 2 Q3 2026
P1 No internal audit Audit program + first audit 3 Q1 2027
P2 No CAPA procedure Document CAPA process 2 Q3 2026
P2 No penetration test External pentest 4 Q2 2027

12. Conclusion

The TM platform has a solid technical security foundation but lacks the operational and governance evidence required for ISO 27001 certification. Phase 1 documentation (foundation, risk assessment, policies, SoA, gap analysis) addresses Clauses 4.3, 6.1.2, and 5.2 at a draft level.

Recommendation: Proceed to Phase 2 control implementation while pursuing executive approval of scope and policies. Target first internal audit no later than Q1 2027 to allow 3+ months of operating evidence before Stage 2 audit.


13. Document Control

Version Date Author Changes
1.0 2026-06-11 Engineering Initial gap analysis

Review

Role Name Signature Date
ISO Pending
Executive Sponsor Pending