6af5cf3c4e
- Revised the Gap Analysis Report to provide detailed counts of implemented, partial, and not implemented controls, enhancing clarity on compliance status. - Updated the ISO27001 Roadmap to include a status column for deliverables, improving tracking of progress towards certification. - Adjusted the Statement of Applicability to reconcile summary counts with control rows and clarify the applicability of outsourced development. These updates strengthen the documentation framework, ensuring it accurately reflects the current state of security controls and compliance efforts within the Tender Management System.
16 KiB
16 KiB
Statement of Applicability (SoA) — Tender Management System
| Field | Value |
|---|---|
| Document ID | ISMS-005 |
| Version | 1.0 |
| Status | Draft — Pending approval |
| Owner | Information Security Officer (ISO) |
| Last Updated | 2026-06-11 |
| Standard | ISO/IEC 27001:2022 Annex A |
| Scope | ISMS Foundation §3 |
Related: Gap Analysis Report | Risk Assessment Matrix
1. Purpose
The Statement of Applicability (SoA) documents:
- Which Annex A controls are applicable to the TM ISMS
- Whether each control is implemented, partially implemented, or not implemented
- Justification for exclusions
- Reference to implementation evidence or planned remediation
This document satisfies ISO/IEC 27001:2022 Clause 6.1.3(d) and is a mandatory input for certification audits.
2. Status Legend
| Status | Meaning |
|---|---|
| Yes | Applicable and implemented with evidence |
| Partial | Applicable; control exists but incomplete or not fully evidenced |
| No | Applicable but not yet implemented |
| N/A | Not applicable to scope (justification required) |
3. A.5 — Organizational Controls
| ID | Control | Applicable | Status | Implementation / Justification | Risk Ref |
|---|---|---|---|---|---|
| A.5.1 | Policies for information security | Yes | Partial | Information Security Policy draft; pending approval | — |
| A.5.2 | Information security roles and responsibilities | Yes | Partial | ISMS Foundation §5; named assignments pending | — |
| A.5.3 | Segregation of duties | Yes | Partial | Dev vs DevOps separation informal; no single prod DB write without break-glass | R-020 |
| A.5.4 | Management responsibilities | Yes | Partial | Roadmap and objectives defined; management review not yet held | — |
| A.5.5 | Contact with authorities | Yes | No | No documented contacts with regulators/law enforcement | R-023 |
| A.5.6 | Contact with special interest groups | Yes | No | No ISAC or security forum membership | — |
| A.5.7 | Threat intelligence | Yes | No | No formal threat intel feed or process | — |
| A.5.8 | Information security in project management | Yes | Partial | Major change checklist in risk procedure; informal for small changes | — |
| A.5.9 | Inventory of information and other associated assets | Yes | Yes | ISMS Foundation §4 — 20 assets | — |
| A.5.10 | Acceptable use of information and other associated assets | Yes | Partial | Acceptable Use Policy draft | — |
| A.5.11 | Return of assets | Yes | No | No formal offboarding asset return checklist | R-004 |
| A.5.12 | Classification of information | Yes | Yes | C1–C4 classification in ISMS Foundation | — |
| A.5.13 | Labelling of information | Yes | No | Classification defined but no labelling in apps/repos | — |
| A.5.14 | Information transfer | Yes | Partial | HTTPS for APIs; email via notification service; no DLP | R-017 |
| A.5.15 | Access control | Yes | Partial | Access Control Policy; JWT + RBAC | R-003 |
| A.5.16 | Identity management | Yes | Partial | Unique accounts; provisioning/deprovisioning procedure in policy | R-004 |
| A.5.17 | Authentication information | Yes | Partial | bcrypt passwords; secrets in env; MFA planned | R-001, R-013 |
| A.5.18 | Access rights | Yes | Partial | Quarterly review defined; not yet executed | R-004 |
| A.5.19 | Information security in supplier relationships | Yes | No | No vendor security assessments | R-017, R-018 |
| A.5.20 | Addressing information security within supplier agreements | Yes | No | Contracts lack security clauses review | R-017 |
| A.5.21 | Managing information security in the ICT supply chain | Yes | Partial | Go modules pinned; no formal supply chain policy | R-010 |
| A.5.22 | Monitoring, review and change management of supplier services | Yes | No | No annual vendor review process | R-018 |
| A.5.23 | Information security for use of cloud services | Yes | Partial | Cloud-hosted MongoDB/Redis/MinIO; provider evidence not collected | R-014 |
| A.5.24 | Information security incident management planning and preparation | Yes | Partial | Incident Response Plan draft | R-023 |
| A.5.25 | Assessment and decision on information security events | Yes | Partial | Severity classification in IR plan; not yet tested | R-023 |
| A.5.26 | Response to information security incidents | Yes | Partial | Playbooks defined; IRT contacts not finalized | R-023 |
| A.5.27 | Learning from information security incidents | Yes | Partial | Post-incident review required in IR plan; no incidents recorded yet | — |
| A.5.28 | Collection of evidence | Yes | Partial | Evidence handling in IR plan; chain of custody untested | — |
| A.5.29 | Information security during disruption | Yes | Partial | RTO/RPO in backup policy; no full BCP document | R-014 |
| A.5.30 | ICT readiness for business continuity | Yes | Partial | Backup policy; DR test not yet performed | R-014 |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | Yes | Partial | GDPR referenced; no requirements register | R-007 |
| A.5.32 | Intellectual property rights | Yes | Partial | Open-source licenses in go.mod; no IP policy | — |
| A.5.33 | Protection of records | Yes | Partial | Audit logs; retention periods not fully defined | — |
| A.5.34 | Privacy and protection of PII | Yes | Partial | PII inventory; DSR process not implemented | R-007 |
| A.5.35 | Independent review of information security | Yes | No | No internal audit or external review yet | — |
| A.5.36 | Compliance with policies, rules and standards | Yes | No | No compliance checks or audit program | — |
| A.5.37 | Documented operating procedures | Yes | Partial | ISMS procedures started; ops runbooks incomplete | — |
4. A.6 — People Controls
| ID | Control | Applicable | Status | Implementation / Justification | Risk Ref |
|---|---|---|---|---|---|
| A.6.1 | Screening | Yes | No | No background check policy documented | R-021 |
| A.6.2 | Terms and conditions of employment | Yes | Partial | Acceptable Use Policy; HR terms not linked | — |
| A.6.3 | Information security awareness, education and training | Yes | No | No training program or records | R-021 |
| A.6.4 | Disciplinary process | Yes | Partial | Referenced in AUP; HR process not documented | — |
| A.6.5 | Responsibilities after termination or change of employment | Yes | Partial | Deprovisioning in Access Control Policy (24 h) | R-004 |
| A.6.6 | Confidentiality or non-disclosure agreements | Yes | Partial | Assumed for contractors; no central register | — |
| A.6.7 | Remote working | Yes | Partial | VPN/bastion requirement in Access Control Policy | — |
| A.6.8 | Information security event reporting | Yes | Partial | Reporting channels in IR plan; not communicated to staff | R-023 |
5. A.7 — Physical Controls
| ID | Control | Applicable | Status | Implementation / Justification | Risk Ref |
|---|---|---|---|---|---|
| A.7.1 | Physical security perimeters | N/A | N/A | Cloud provider responsibility (A.5.23) | — |
| A.7.2 | Physical entry | N/A | N/A | Cloud provider responsibility | — |
| A.7.3 | Securing offices, rooms and facilities | N/A | N/A | No on-premise TM infrastructure | — |
| A.7.4 | Physical security monitoring | N/A | N/A | Cloud provider responsibility | — |
| A.7.5 | Protecting against physical and environmental threats | N/A | N/A | Cloud provider responsibility | — |
| A.7.6 | Working in secure areas | N/A | N/A | No secure areas for TM systems | — |
| A.7.7 | Clear desk and clear screen | Yes | Partial | AUP references screen lock; not enforced | — |
| A.7.8 | Equipment siting and protection | N/A | N/A | Cloud-hosted servers | — |
| A.7.9 | Security of assets off-premises | Yes | Partial | AUP device encryption requirement for prod access | — |
| A.7.10 | Storage media | N/A | N/A | No removable media for TM data stores | — |
| A.7.11 | Supporting utilities | N/A | N/A | Cloud provider responsibility | — |
| A.7.12 | Cabling security | N/A | N/A | Cloud provider responsibility | — |
| A.7.13 | Equipment maintenance | N/A | N/A | Cloud provider responsibility | — |
| A.7.14 | Secure disposal or re-use of equipment | Yes | Partial | AUP prohibits local PII storage; no disposal procedure | — |
Note: A.7.7, A.7.9, A.7.14 remain applicable for personnel devices accessing TM systems.
6. A.8 — Technological Controls
| ID | Control | Applicable | Status | Implementation / Justification | Risk Ref |
|---|---|---|---|---|---|
| A.8.1 | User endpoint devices | Yes | Partial | AUP device requirements; no MDM | — |
| A.8.2 | Privileged access rights | Yes | Partial | Break-glass procedure; no PAM tool | R-020 |
| A.8.3 | Information access restriction | Yes | Yes | RBAC + company-scoped middleware (pkg/authorization) |
R-003 |
| A.8.4 | Access to source code | Yes | Yes | Git repo with PR review; branch protection (assumed) | — |
| A.8.5 | Secure authentication | Yes | Partial | JWT, bcrypt, hCaptcha; MFA not yet enabled | R-001, R-002 |
| A.8.6 | Capacity management | Yes | Partial | Rate limit config; no capacity monitoring | R-012 |
| A.8.7 | Protection against malware | Yes | No | No malware scanning on uploads or endpoints | R-011 |
| A.8.8 | Management of technical vulnerabilities | Yes | No | No govulncheck/SAST in CI | R-010 |
| A.8.9 | Configuration management | Yes | Partial | pkg/config env priority; secrets in flat env files |
R-013 |
| A.8.10 | Information deletion | Yes | Partial | Domain delete operations; no retention/deletion policy | R-007 |
| A.8.11 | Data masking | Yes | No | Passwords excluded from API responses; no masking elsewhere | — |
| A.8.12 | Data leakage prevention | Yes | No | No DLP tooling | R-008 |
| A.8.13 | Information backup | Yes | Partial | Backup & Recovery Policy; tests not yet run | R-006, R-014 |
| A.8.14 | Redundancy of information processing facilities | Yes | Partial | Depends on cloud provider HA; not documented | R-014 |
| A.8.15 | Logging | Yes | Yes | Structured service logging; pkg/audit for security events |
R-008, R-015 |
| A.8.16 | Monitoring activities | Yes | Partial | Application logs only; no SIEM or alerting | R-015 |
| A.8.17 | Clock synchronization | Yes | Partial | NTP assumed on cloud hosts; not verified | — |
| A.8.18 | Use of privileged utility programs | Yes | Partial | DB admin tools restricted; no formal policy | R-020 |
| A.8.19 | Installation of software on operational systems | Yes | Partial | Container/deploy pipeline; no formal whitelist | R-016 |
| A.8.20 | Networks security | Yes | Partial | HTTPS in prod; DB not public; no documented network diagram | — |
| A.8.21 | Security of network services | Yes | Partial | TLS to external APIs; no network service inventory | — |
| A.8.22 | Segregation of networks | Yes | Partial | Dev/staging/prod separated; informal | — |
| A.8.23 | Web filtering | Yes | No | No web filtering for staff endpoints | — |
| A.8.24 | Use of cryptography | Yes | Partial | TLS in transit; at-rest encryption TBD | R-005 |
| A.8.25 | Secure development life cycle | Yes | Partial | .cursorrules, code review, Clean Architecture |
— |
| A.8.26 | Application security requirements | Yes | Yes | Govalidator, XSS policy, Swagger, response standards | R-009 |
| A.8.27 | Secure system architecture and engineering principles | Yes | Partial | Clean Architecture, DI, no global state | — |
| A.8.28 | Secure coding | Yes | Partial | Coding standards documented; no SAST | R-009, R-010 |
| A.8.29 | Security testing in development and acceptance | Yes | No | Unit tests exist; no security test suite or DAST | R-009 |
| A.8.30 | Outsourced development | N/A | N/A | All TM backend development is in-house; no outsourced development of scoped applications | — |
| A.8.31 | Separation of development, test and production environments | Yes | Partial | Separate env configs; staging data may contain real data | — |
| A.8.32 | Change management | Yes | Partial | Git PR workflow; no formal change procedure | R-022 |
| A.8.33 | Test information | Yes | Partial | Staging should use anonymized data; not enforced | — |
| A.8.34 | Protection of information systems during audit testing | Yes | No | No audit testing procedure | — |
7. Summary Statistics
Counts derived from the control rows in §3–§6 (authoritative source for cross-document reporting).
7.1 By Theme
| Theme | Total | Implemented (Yes) | Partial | Not impl. (No) | N/A |
|---|---|---|---|---|---|
| A.5 Organizational | 37 | 2 | 25 | 10 | 0 |
| A.6 People | 8 | 0 | 6 | 2 | 0 |
| A.7 Physical | 14 | 0 | 3 | 0 | 11 |
| A.8 Technological | 34 | 4 | 22 | 7 | 1 |
| Total | 93 | 6 | 56 | 19 | 12 |
7.2 Overall
| Category | Count | % of all 93 |
|---|---|---|
| Total Annex A controls | 93 | 100% |
| Not applicable (N/A) | 12 | 13% |
| Applicable | 81 | 87% |
| Implemented (Yes) | 6 | 6% |
| Partial | 56 | 60% |
| Not implemented (No) | 19 | 20% |
Applicable = Total − N/A. Yes/Partial/No counts apply only to applicable controls (6 + 56 + 19 = 81).
7.3 Applicable Controls by Status
Percentages below are of 81 applicable controls (excluding 12 N/A).
Implemented ██░░░░░░░░░░░░░░░░░░░░ 7% (6/81)
Partial █████████████████░░░░░ 69% (56/81)
Not impl. █████░░░░░░░░░░░░░░░░░ 23% (19/81)
8. Priority Remediation (Applicable "No" and Critical "Partial")
| Priority | Control(s) | Action | Target | Owner |
|---|---|---|---|---|
| P0 | A.8.8 | Add govulncheck + dependency scanning to CI | Q2 2026 | Engineering |
| P0 | A.8.16 | Deploy centralized logging and alerting | Q3 2026 | DevOps |
| P0 | A.5.35, A.5.36 | Establish internal audit program | Q1 2027 | ISO |
| P1 | A.6.3 | Launch security awareness training | Q3 2026 | ISO |
| P1 | A.5.19–A.5.22 | Vendor security assessments | Q4 2026 | ISO |
| P1 | A.8.24 | Enable encryption at rest | Q3 2026 | DevOps |
| P1 | A.8.5 | Enable MFA for admin users | Q3 2026 | Engineering |
| P1 | A.8.29 | Add security testing to CI/CD | Q3 2026 | Engineering |
| P2 | A.5.5 | Document authority contacts (GDPR DPA) | Q3 2026 | DPO |
| P2 | A.8.7 | Malware scan on file uploads | Q4 2026 | Engineering |
| P2 | A.8.12 | Evaluate DLP for log pipeline | Q4 2026 | DevOps |
9. Exclusion Justifications
| Control(s) | Justification |
|---|---|
| A.7.1–A.7.6, A.7.8, A.7.10–A.7.13 | TM infrastructure is fully cloud-hosted; physical controls are the responsibility of the cloud/IaaS provider per shared responsibility model. Evidence collected via A.5.23. |
| A.8.30 | All TM backend development is in-house; no outsourced development of scoped applications. |
10. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-06-11 | Engineering | Initial SoA for 93 Annex A controls |
| 1.1 | 2026-06-11 | Engineering | Reconciled summary counts with control rows; fixed A.8.30 applicability |
Approval
| Role | Name | Signature | Date |
|---|---|---|---|
| ISO | Pending | ||
| Executive Sponsor | Pending |
Next review: Quarterly or upon significant scope/control change
11. Cross-Reference Index
| Document | Purpose |
|---|---|
| GAP_ANALYSIS_REPORT.md | Clause-level gap detail |
| RISK_ASSESSMENT_MATRIX.md | Risk IDs linked in SoA |
| ISO27001_ROADMAP.md | Remediation timeline |
| policies/ | Policy evidence for A.5.x controls |