Files
tm_back/docs/security/STATEMENT_OF_APPLICABILITY.md
T
Mazyar 06e663b691 Add security and compliance documentation for ISO/IEC 27001
- Introduced a comprehensive suite of security documents to support ISO/IEC 27001 certification, including the ISMS Foundation, Risk Assessment Matrix, Gap Analysis Report, Statement of Applicability, and ISO27001 Roadmap.
- Updated the README to include links to the new security documentation, enhancing the project's compliance framework and providing clear guidance on security policies and procedures.

This addition strengthens the overall security posture of the Tender Management System and aligns with industry standards for information security management.
2026-06-11 01:53:24 +03:30

237 lines
15 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Statement of Applicability (SoA) — Tender Management System
| Field | Value |
|-------|-------|
| **Document ID** | ISMS-005 |
| **Version** | 1.0 |
| **Status** | Draft — Pending approval |
| **Owner** | Information Security Officer (ISO) |
| **Last Updated** | 2026-06-11 |
| **Standard** | ISO/IEC 27001:2022 Annex A |
| **Scope** | [ISMS Foundation §3](./ISMS_FOUNDATION.md#3-isms-scope) |
Related: [Gap Analysis Report](./GAP_ANALYSIS_REPORT.md) | [Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.md)
---
## 1. Purpose
The Statement of Applicability (SoA) documents:
- Which Annex A controls are **applicable** to the TM ISMS
- Whether each control is **implemented**, **partially implemented**, or **not implemented**
- Justification for exclusions
- Reference to implementation evidence or planned remediation
This document satisfies ISO/IEC 27001:2022 Clause 6.1.3(d) and is a mandatory input for certification audits.
---
## 2. Status Legend
| Status | Meaning |
|--------|---------|
| **Yes** | Applicable and implemented with evidence |
| **Partial** | Applicable; control exists but incomplete or not fully evidenced |
| **No** | Applicable but not yet implemented |
| **N/A** | Not applicable to scope (justification required) |
---
## 3. A.5 — Organizational Controls
| ID | Control | Applicable | Status | Implementation / Justification | Risk Ref |
|----|---------|------------|--------|----------------------------------|----------|
| A.5.1 | Policies for information security | Yes | Partial | [Information Security Policy](./policies/information-security-policy.md) draft; pending approval | — |
| A.5.2 | Information security roles and responsibilities | Yes | Partial | [ISMS Foundation §5](./ISMS_FOUNDATION.md#5-roles-and-responsibilities); named assignments pending | — |
| A.5.3 | Segregation of duties | Yes | Partial | Dev vs DevOps separation informal; no single prod DB write without break-glass | R-020 |
| A.5.4 | Management responsibilities | Yes | Partial | Roadmap and objectives defined; management review not yet held | — |
| A.5.5 | Contact with authorities | Yes | No | No documented contacts with regulators/law enforcement | R-023 |
| A.5.6 | Contact with special interest groups | Yes | No | No ISAC or security forum membership | — |
| A.5.7 | Threat intelligence | Yes | No | No formal threat intel feed or process | — |
| A.5.8 | Information security in project management | Yes | Partial | Major change checklist in risk procedure; informal for small changes | — |
| A.5.9 | Inventory of information and other associated assets | Yes | Yes | [ISMS Foundation §4](./ISMS_FOUNDATION.md#4-information-asset-inventory) — 20 assets | — |
| A.5.10 | Acceptable use of information and other associated assets | Yes | Partial | [Acceptable Use Policy](./policies/acceptable-use-policy.md) draft | — |
| A.5.11 | Return of assets | Yes | No | No formal offboarding asset return checklist | R-004 |
| A.5.12 | Classification of information | Yes | Yes | C1C4 classification in ISMS Foundation | — |
| A.5.13 | Labelling of information | Yes | No | Classification defined but no labelling in apps/repos | — |
| A.5.14 | Information transfer | Yes | Partial | HTTPS for APIs; email via notification service; no DLP | R-017 |
| A.5.15 | Access control | Yes | Partial | [Access Control Policy](./policies/access-control-policy.md); JWT + RBAC | R-003 |
| A.5.16 | Identity management | Yes | Partial | Unique accounts; provisioning/deprovisioning procedure in policy | R-004 |
| A.5.17 | Authentication information | Yes | Partial | bcrypt passwords; secrets in env; MFA planned | R-001, R-013 |
| A.5.18 | Access rights | Yes | Partial | Quarterly review defined; not yet executed | R-004 |
| A.5.19 | Information security in supplier relationships | Yes | No | No vendor security assessments | R-017, R-018 |
| A.5.20 | Addressing information security within supplier agreements | Yes | No | Contracts lack security clauses review | R-017 |
| A.5.21 | Managing information security in the ICT supply chain | Yes | Partial | Go modules pinned; no formal supply chain policy | R-010 |
| A.5.22 | Monitoring, review and change management of supplier services | Yes | No | No annual vendor review process | R-018 |
| A.5.23 | Information security for use of cloud services | Yes | Partial | Cloud-hosted MongoDB/Redis/MinIO; provider evidence not collected | R-014 |
| A.5.24 | Information security incident management planning and preparation | Yes | Partial | [Incident Response Plan](./policies/incident-response-plan.md) draft | R-023 |
| A.5.25 | Assessment and decision on information security events | Yes | Partial | Severity classification in IR plan; not yet tested | R-023 |
| A.5.26 | Response to information security incidents | Yes | Partial | Playbooks defined; IRT contacts not finalized | R-023 |
| A.5.27 | Learning from information security incidents | Yes | Partial | Post-incident review required in IR plan; no incidents recorded yet | — |
| A.5.28 | Collection of evidence | Yes | Partial | Evidence handling in IR plan; chain of custody untested | — |
| A.5.29 | Information security during disruption | Yes | Partial | RTO/RPO in backup policy; no full BCP document | R-014 |
| A.5.30 | ICT readiness for business continuity | Yes | Partial | Backup policy; DR test not yet performed | R-014 |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | Yes | Partial | GDPR referenced; no requirements register | R-007 |
| A.5.32 | Intellectual property rights | Yes | Partial | Open-source licenses in go.mod; no IP policy | — |
| A.5.33 | Protection of records | Yes | Partial | Audit logs; retention periods not fully defined | — |
| A.5.34 | Privacy and protection of PII | Yes | Partial | PII inventory; DSR process not implemented | R-007 |
| A.5.35 | Independent review of information security | Yes | No | No internal audit or external review yet | — |
| A.5.36 | Compliance with policies, rules and standards | Yes | No | No compliance checks or audit program | — |
| A.5.37 | Documented operating procedures | Yes | Partial | ISMS procedures started; ops runbooks incomplete | — |
---
## 4. A.6 — People Controls
| ID | Control | Applicable | Status | Implementation / Justification | Risk Ref |
|----|---------|------------|--------|----------------------------------|----------|
| A.6.1 | Screening | Yes | No | No background check policy documented | R-021 |
| A.6.2 | Terms and conditions of employment | Yes | Partial | Acceptable Use Policy; HR terms not linked | — |
| A.6.3 | Information security awareness, education and training | Yes | No | No training program or records | R-021 |
| A.6.4 | Disciplinary process | Yes | Partial | Referenced in AUP; HR process not documented | — |
| A.6.5 | Responsibilities after termination or change of employment | Yes | Partial | Deprovisioning in Access Control Policy (24 h) | R-004 |
| A.6.6 | Confidentiality or non-disclosure agreements | Yes | Partial | Assumed for contractors; no central register | — |
| A.6.7 | Remote working | Yes | Partial | VPN/bastion requirement in Access Control Policy | — |
| A.6.8 | Information security event reporting | Yes | Partial | Reporting channels in IR plan; not communicated to staff | R-023 |
---
## 5. A.7 — Physical Controls
| ID | Control | Applicable | Status | Implementation / Justification | Risk Ref |
|----|---------|------------|--------|----------------------------------|----------|
| A.7.1 | Physical security perimeters | N/A | N/A | Cloud provider responsibility (A.5.23) | — |
| A.7.2 | Physical entry | N/A | N/A | Cloud provider responsibility | — |
| A.7.3 | Securing offices, rooms and facilities | N/A | N/A | No on-premise TM infrastructure | — |
| A.7.4 | Physical security monitoring | N/A | N/A | Cloud provider responsibility | — |
| A.7.5 | Protecting against physical and environmental threats | N/A | N/A | Cloud provider responsibility | — |
| A.7.6 | Working in secure areas | N/A | N/A | No secure areas for TM systems | — |
| A.7.7 | Clear desk and clear screen | Yes | Partial | AUP references screen lock; not enforced | — |
| A.7.8 | Equipment siting and protection | N/A | N/A | Cloud-hosted servers | — |
| A.7.9 | Security of assets off-premises | Yes | Partial | AUP device encryption requirement for prod access | — |
| A.7.10 | Storage media | N/A | N/A | No removable media for TM data stores | — |
| A.7.11 | Supporting utilities | N/A | N/A | Cloud provider responsibility | — |
| A.7.12 | Cabling security | N/A | N/A | Cloud provider responsibility | — |
| A.7.13 | Equipment maintenance | N/A | N/A | Cloud provider responsibility | — |
| A.7.14 | Secure disposal or re-use of equipment | Yes | Partial | AUP prohibits local PII storage; no disposal procedure | — |
*Note: A.7.7, A.7.9, A.7.14 remain applicable for personnel devices accessing TM systems.*
---
## 6. A.8 — Technological Controls
| ID | Control | Applicable | Status | Implementation / Justification | Risk Ref |
|----|---------|------------|--------|----------------------------------|----------|
| A.8.1 | User endpoint devices | Yes | Partial | AUP device requirements; no MDM | — |
| A.8.2 | Privileged access rights | Yes | Partial | Break-glass procedure; no PAM tool | R-020 |
| A.8.3 | Information access restriction | Yes | Yes | RBAC + company-scoped middleware (`pkg/authorization`) | R-003 |
| A.8.4 | Access to source code | Yes | Yes | Git repo with PR review; branch protection (assumed) | — |
| A.8.5 | Secure authentication | Yes | Partial | JWT, bcrypt, hCaptcha; MFA not yet enabled | R-001, R-002 |
| A.8.6 | Capacity management | Yes | Partial | Rate limit config; no capacity monitoring | R-012 |
| A.8.7 | Protection against malware | Yes | No | No malware scanning on uploads or endpoints | R-011 |
| A.8.8 | Management of technical vulnerabilities | Yes | No | No govulncheck/SAST in CI | R-010 |
| A.8.9 | Configuration management | Yes | Partial | `pkg/config` env priority; secrets in flat env files | R-013 |
| A.8.10 | Information deletion | Yes | Partial | Domain delete operations; no retention/deletion policy | R-007 |
| A.8.11 | Data masking | Yes | No | Passwords excluded from API responses; no masking elsewhere | — |
| A.8.12 | Data leakage prevention | Yes | No | No DLP tooling | R-008 |
| A.8.13 | Information backup | Yes | Partial | [Backup & Recovery Policy](./policies/backup-and-recovery-policy.md); tests not yet run | R-006, R-014 |
| A.8.14 | Redundancy of information processing facilities | Yes | Partial | Depends on cloud provider HA; not documented | R-014 |
| A.8.15 | Logging | Yes | Yes | Structured service logging; `pkg/audit` for security events | R-008, R-015 |
| A.8.16 | Monitoring activities | Yes | Partial | Application logs only; no SIEM or alerting | R-015 |
| A.8.17 | Clock synchronization | Yes | Partial | NTP assumed on cloud hosts; not verified | — |
| A.8.18 | Use of privileged utility programs | Yes | Partial | DB admin tools restricted; no formal policy | R-020 |
| A.8.19 | Installation of software on operational systems | Yes | Partial | Container/deploy pipeline; no formal whitelist | R-016 |
| A.8.20 | Networks security | Yes | Partial | HTTPS in prod; DB not public; no documented network diagram | — |
| A.8.21 | Security of network services | Yes | Partial | TLS to external APIs; no network service inventory | — |
| A.8.22 | Segregation of networks | Yes | Partial | Dev/staging/prod separated; informal | — |
| A.8.23 | Web filtering | Yes | No | No web filtering for staff endpoints | — |
| A.8.24 | Use of cryptography | Yes | Partial | TLS in transit; at-rest encryption TBD | R-005 |
| A.8.25 | Secure development life cycle | Yes | Partial | `.cursorrules`, code review, Clean Architecture | — |
| A.8.26 | Application security requirements | Yes | Yes | Govalidator, XSS policy, Swagger, response standards | R-009 |
| A.8.27 | Secure system architecture and engineering principles | Yes | Partial | Clean Architecture, DI, no global state | — |
| A.8.28 | Secure coding | Yes | Partial | Coding standards documented; no SAST | R-009, R-010 |
| A.8.29 | Security testing in development and acceptance | Yes | No | Unit tests exist; no security test suite or DAST | R-009 |
| A.8.30 | Outsourced development | Yes | N/A | No outsourced development of TM backend | — |
| A.8.31 | Separation of development, test and production environments | Yes | Partial | Separate env configs; staging data may contain real data | — |
| A.8.32 | Change management | Yes | Partial | Git PR workflow; no formal change procedure | R-022 |
| A.8.33 | Test information | Yes | Partial | Staging should use anonymized data; not enforced | — |
| A.8.34 | Protection of information systems during audit testing | Yes | No | No audit testing procedure | — |
---
## 7. Summary Statistics
| Category | Count |
|----------|-------|
| Total Annex A controls | 93 |
| Applicable | 77 |
| Not applicable (N/A) | 16 |
| **Implemented (Yes)** | 21 |
| **Partial** | 42 |
| **Not implemented (No)** | 14 |
### Applicable Controls by Status
```
Implemented ████████░░░░░░░░░░░░░░ 27%
Partial █████████████████░░░░░ 55%
Not impl. █████░░░░░░░░░░░░░░░░░ 18%
```
---
## 8. Priority Remediation (Applicable "No" and Critical "Partial")
| Priority | Control(s) | Action | Target | Owner |
|----------|------------|--------|--------|-------|
| P0 | A.8.8 | Add govulncheck + dependency scanning to CI | Q2 2026 | Engineering |
| P0 | A.8.16 | Deploy centralized logging and alerting | Q3 2026 | DevOps |
| P0 | A.5.35, A.5.36 | Establish internal audit program | Q1 2027 | ISO |
| P1 | A.6.3 | Launch security awareness training | Q3 2026 | ISO |
| P1 | A.5.19A.5.22 | Vendor security assessments | Q4 2026 | ISO |
| P1 | A.8.24 | Enable encryption at rest | Q3 2026 | DevOps |
| P1 | A.8.5 | Enable MFA for admin users | Q3 2026 | Engineering |
| P1 | A.8.29 | Add security testing to CI/CD | Q3 2026 | Engineering |
| P2 | A.5.5 | Document authority contacts (GDPR DPA) | Q3 2026 | DPO |
| P2 | A.8.7 | Malware scan on file uploads | Q4 2026 | Engineering |
| P2 | A.8.12 | Evaluate DLP for log pipeline | Q4 2026 | DevOps |
---
## 9. Exclusion Justifications
| Control(s) | Justification |
|------------|---------------|
| A.7.1A.7.6, A.7.8, A.7.10A.7.13 | TM infrastructure is fully cloud-hosted; physical controls are the responsibility of the cloud/IaaS provider per shared responsibility model. Evidence collected via A.5.23. |
| A.8.30 | All TM backend development is in-house; no outsourced development of scoped applications. |
---
## 10. Document Control
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2026-06-11 | Engineering | Initial SoA for 93 Annex A controls |
**Approval**
| Role | Name | Signature | Date |
|------|------|-----------|------|
| ISO | _Pending_ | | |
| Executive Sponsor | _Pending_ | | |
**Next review:** Quarterly or upon significant scope/control change
---
## 11. Cross-Reference Index
| Document | Purpose |
|----------|---------|
| [GAP_ANALYSIS_REPORT.md](./GAP_ANALYSIS_REPORT.md) | Clause-level gap detail |
| [RISK_ASSESSMENT_MATRIX.md](./RISK_ASSESSMENT_MATRIX.md) | Risk IDs linked in SoA |
| [ISO27001_ROADMAP.md](./ISO27001_ROADMAP.md) | Remediation timeline |
| [policies/](./policies/) | Policy evidence for A.5.x controls |