ISO 27001:2013 Gap Register

Africa Watch — Savvy Ventures Limited · Last reviewed: · Scope: Africa Watch SaaS platform (africaiswatching.org)

Scope note: Africa Watch is cloud-hosted on Oracle Cloud Infrastructure (OCI). Physical security controls (A.11) are inherited from Oracle and not separately assessed. Supplier due diligence for OCI is documented in the Supplier Risk Register.

0

Implemented

0

In Progress

0

Gap / Not Started

0

Not Applicable

Overall readiness

Annex A Domain	Status	Evidence / Gaps	Owner	Target
A.5 — Information Security Policies Formal IS policy documentation and review cycle	Implemented	Security controls documented in controls-doc Incident response procedures published Information Security Policy document published (/admin/policies) Acceptable Use Policy published (/admin/policies) Annual review cycle established; next review 2027-Q2	Security Lead	—
A.6 — Organisation of Information Security Roles, responsibilities, segregation of duties, remote working	Implemented	Security Lead role defined with ownership of controls Supplier risk ownership assigned per supplier Admin access restricted to named accounts Remote working policy: TLS enforced, VPN not required (zero-trust model)	Security Lead	—
A.7 — Human Resource Security Pre-employment screening, security awareness, termination	Implemented	Admin account offboarding procedure defined in incident response HR Security Policy covering pre-employment checks, NDA requirement, onboarding, annual training, and offboarding published (/admin/policies) Account revocation within 1 hour of departure documented Annual ISO 27001 awareness training schedule established	Operations	—
A.8 — Asset Management Asset inventory, classification, media handling	Implemented	Supplier register covers critical third-party assets (9 suppliers) Key data stores identified: africa-watch.db, Stripe customer data, Brevo contact data Information Asset Register with classification labels (Confidential / Internal / Public) published (/admin/asset-register) Data retention schedule documented (user data +90d, logs 30d, backups 7d) Media handling procedures documented in Asset Register	Operations	—
A.9 — Access Control User access, privilege management, authentication	Implemented	JWT-based authentication with 15-min access tokens TOTP MFA enforced on all admin accounts Role-based access: admin / pro / free tiers enforced server-side Account lockout after repeated failed logins (rate limiter: 10/15 min) Session revocation endpoint implemented Unique credentials per service (no shared passwords)	Platform Engineering	—
A.10 — Cryptography Encryption policy, key management	Implemented	TLS 1.2+ enforced; HSTS preload header set (max-age=31536000) Passwords hashed with bcrypt (cost factor 12) JWT signed with HS256; secret rotated on breach Secrets managed via environment variables (not in code) Database file on encrypted OCI block storage	Platform Engineering	—
A.11 — Physical & Environmental Security Secure areas, equipment security	N/A	Fully cloud-hosted on Oracle Cloud Infrastructure. Physical security (data centre access, CCTV, environmental controls) is Oracle's responsibility under the shared responsibility model. Oracle holds ISO 27001 certification for its data centres. Evidence: Oracle Compliance documentation referenced in Supplier Risk Register.	Oracle (inherited)	—
A.12 — Operations Security Change management, malware, logging, vulnerability management, backups	In Progress	Request logging: all HTTP requests logged with IP, method, status, latency Error ring buffer (last 100 errors) available via /admin observability Automated daily backup cron (02:00 UTC) with 7-day retention on OCI npm audit –audit-level=high gates every deployment (CI/CD) Semgrep SAST scan runs on every push to master Dependency updates reviewed on PR Change Management Process documented (/admin/policies) Backup restoration not tested on a regular schedule (CTL-017 installed, not yet verified) No centralised SIEM; logs are in-process only (lost on restart) Anti-malware / EDR not deployed on developer workstations formally	Platform Engineering	2026-Q4
A.13 — Communications Security Network controls, information transfer	Implemented	CORS allowlist restricts browser origins to africaiswatching.org + localhost CSP nonce-based policy blocks unauthorised script execution X-Frame-Options: DENY prevents clickjacking Referrer-Policy: strict-origin-when-cross-origin Permissions-Policy restricts geolocation, camera, microphone All API endpoints served over TLS only	Platform Engineering	—
A.14 — System Acquisition, Development & Maintenance Secure development, change control, test data	In Progress	Semgrep SAST (OWASP Top 10, Node.js, JWT, secrets) in CI TruffleHog secrets scan on every push Route authentication tests (29/29) run in CI on every push npm audit security gate blocks deployment on high CVEs Input sanitisation helpers (sanitizeLocation, sanitizeQuery, sanitizePromptInput) in production XSS prevention via escapeHtml() on all user-supplied output SDLC policy documented (/admin/policies) No separation of production / staging environments No penetration test conducted (recommend annually)	Platform Engineering	2026-Q4
A.15 — Supplier Relationships Supplier security policy, monitoring, contracts	Implemented	Supplier Risk Register covering 9 critical suppliers Risk ratings (Low/Medium/High) assigned with justification Contingency plans documented per supplier Annual review schedule established DPA / processing agreements in place with Stripe, Brevo	Operations	—
A.16 — Information Security Incident Management Incident reporting, response, evidence collection	Implemented	Incident Response runbook published with severity classification (P0–P3) Runbooks for: auth breach, data exposure, LLM injection, platform outage, feed contamination On-call escalation contacts defined Post-incident review process documented Tabletop exercises conducted against all 5 scenarios Exercise history logged with outcome and action items	Security Lead	—
A.17 — Business Continuity Management IS continuity planning, redundancy	Implemented	Daily automated backups to OCI Object Storage with 7-day retention PM2 process manager auto-restarts application on crash Platform Outage tabletop scenario exercised BCP with RTO=4h / RPO=24h documented (/admin/policies) Restore procedure documented step-by-step Quarterly backup restoration drill schedule established; drill log maintained in policy page	Platform Engineering	—
A.18 — Compliance Legal / regulatory compliance, privacy, IS reviews	In Progress	Stripe handles PCI-DSS scope (no card data stored by Africa Watch) Passwords not stored in plaintext (bcrypt) Rate limiting and brute-force protection implemented Privacy Policy published at /privacy DPIA for LLM processing documented (/admin/policies) SAR procedure defined in Data Protection policy (/admin/policies) No formal internal IS audit schedule Cookie consent banner not implemented (if analytics added)	Security Lead	2026-Q4

Priority Remediation Actions

#	Action	Annex A Ref	Effort	Target	Status
1	~~Draft and sign top-level Information Security Policy~~	A.5	Low (1–2 days)	2026-Q3	Done
2	~~Define RTO/RPO and test backup restoration procedure~~	A.17, A.12	Low (half day)	2026-Q3	Done
3	~~Draft Privacy Policy and GDPR data processing notice~~	A.18	Medium (legal review)	2026-Q3	Done
4	~~Create information asset register with data classification~~	A.8	Medium (1–2 days)	2026-Q3	Done
5	~~Conduct DPIA for LLM processing of political event data~~	A.18	Medium	2026-Q4	Done
6	Set up external log shipping (retain logs across restarts)	A.12	Medium (OCI logging)	2026-Q4	Open
7	Commission annual penetration test	A.14	High (external cost)	2026-Q4	Open
8	Implement secondary region / failover infrastructure	A.17	High	2027-Q1	Open