Files
tm_back/docs/security/policies/information-security-policy.md
T
Mazyar 06e663b691 Add security and compliance documentation for ISO/IEC 27001
- Introduced a comprehensive suite of security documents to support ISO/IEC 27001 certification, including the ISMS Foundation, Risk Assessment Matrix, Gap Analysis Report, Statement of Applicability, and ISO27001 Roadmap.
- Updated the README to include links to the new security documentation, enhancing the project's compliance framework and providing clear guidance on security policies and procedures.

This addition strengthens the overall security posture of the Tender Management System and aligns with industry standards for information security management.
2026-06-11 01:53:24 +03:30

5.7 KiB

Information Security Policy

Field Value
Document ID POL-001
Version 1.0
Status Draft — Pending approval
Owner Executive Sponsor
Maintained By Information Security Officer (ISO)
Effective Date Pending approval
Review Cycle Annual
ISO 27001 Reference A.5.1 — Policies for information security

Related: ISMS Foundation | ISO 27001 Roadmap


1. Purpose

This policy establishes the organization's commitment to protecting information assets processed by the Tender Management (TM) System. It defines principles, responsibilities, and requirements that all personnel, contractors, and third parties must follow.


2. Scope

This policy applies to:

  • All employees, contractors, and third parties with access to TM systems or data
  • The ISMS scope defined in ISMS Foundation §3: cmd/web, cmd/worker, cmd/scraper, MongoDB, Redis, MinIO, and integrated services
  • All information classified C2 (Internal) and above

3. Policy Statement

Management is committed to:

  1. Protecting the confidentiality, integrity, and availability of information assets
  2. Complying with applicable legal and regulatory requirements, including GDPR
  3. Implementing an ISMS aligned with ISO/IEC 27001:2022
  4. Managing information security risks through a documented risk assessment process
  5. Continuously improving security controls via the Plan-Do-Check-Act (PDCA) cycle

Information security is everyone's responsibility. No business objective justifies unacceptable risk to customer data or system integrity without documented risk acceptance by authorized management.


4. Information Security Objectives

# Objective Measure Target
O-1 Protect customer and company PII Data breach incidents Zero confirmed breaches per year
O-2 Maintain platform availability Uptime of production API ≥ 99.5% monthly
O-3 Respond to security incidents promptly P1 incident acknowledgment time ≤ 1 hour
O-4 Remediate critical vulnerabilities Mean time to patch (Critical CVE) ≤ 7 days
O-5 Maintain security awareness Training completion rate 100% of in-scope personnel
O-6 Progress toward ISO 27001 certification Roadmap milestone completion Per ISO27001_ROADMAP.md

Objectives are reviewed quarterly during management review.


5. Roles and Responsibilities

Role Responsibilities
Executive Sponsor Approves this policy; allocates resources; chairs management review
Information Security Officer (ISO) Operates ISMS; maintains risk register; coordinates audits and incidents
Data Protection Officer (DPO) Ensures GDPR compliance; oversees DPIAs and data subject requests
Engineering Lead Secure SDLC; code review; vulnerability remediation
DevOps Lead Infrastructure security; secrets management; backups and monitoring
All personnel Comply with policies; report incidents; complete security training

6. Core Security Principles

6.1 Confidentiality

  • Access to information is granted on a need-to-know basis
  • PII and credentials must not be disclosed to unauthorized parties
  • Secrets must never be committed to source control or included in logs

6.2 Integrity

  • Production changes require peer review and follow change management procedures
  • Data modifications must be traceable through audit logs where applicable
  • Input validation is mandatory at all API boundaries

6.3 Availability

  • Critical services (API, database, object storage) must have documented recovery procedures
  • Capacity and rate limiting must protect against abuse-related outages

6.4 Defense in Depth

Security controls are layered across application, infrastructure, and process levels. No single control is relied upon exclusively.

6.5 Least Privilege

Users, services, and processes receive the minimum access required to perform their function.


7. Supporting Policies and Procedures

This policy is supported by:

Document ID
Access Control Policy POL-002
Incident Response Plan POL-003
Backup & Recovery Policy POL-004
Acceptable Use Policy POL-005
Risk Assessment Procedure PROC-001

8. Compliance and Enforcement

  • Violations of this policy may result in disciplinary action, up to and including termination of employment or contract
  • Regulatory breaches may result in legal liability and notification to supervisory authorities
  • All personnel must acknowledge this policy upon onboarding and annually thereafter

9. Exceptions

Exceptions to this policy require:

  1. Written request with business justification
  2. Risk assessment of the exception
  3. Approval by ISO and Executive Sponsor
  4. Time-bound validity (maximum 12 months)
  5. Entry in the risk acceptance log (Risk Assessment Matrix §5)

10. Document Control

Version Date Author Changes
1.0 2026-06-11 Engineering Initial policy

Approval

Role Name Signature Date
Executive Sponsor Pending
ISO Pending

11. Distribution

This policy is available to all in-scope personnel via the docs/security/policies/ repository path and must be communicated during onboarding.