mirror of
https://github.com/Unleash/unleash.git
synced 2024-12-28 00:06:53 +01:00
35 lines
6.9 KiB
Plaintext
35 lines
6.9 KiB
Plaintext
|
---
|
||
|
title: ISO/IEC 27001 compliance for feature flags
|
||
|
description: 'ISO 27001-compliant feature flags at scale with Unleash.'
|
||
|
---
|
||
|
|
||
|
# ISO 27001 compliance
|
||
|
|
||
|
## Overview
|
||
|
|
||
|
To achieve and maintain ISO 27001 certification, you must ensure that any system you integrate with, including feature flagging solutions, adhere to the same compliance standards. Using a non-compliant homegrown or third-party feature flagging system can compromise your certification and introduce unnecessary risks.
|
||
|
|
||
|
This guide provides an overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) features align with ISO 27001 controls, helping your organization meet its compliance requirements.
|
||
|
|
||
|
|
||
|
## How Unleash features map to ISO 27001 controls
|
||
|
|
||
|
| ISO27001 Control | Control Description | Unleash Feature |
|
||
|
|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------|
|
||
|
| 5.2 Information security roles and responsibilities | Information security roles and responsibilities should be defined and allocated according to the organization's needs. | Unleash provides granular [role-based access control](/reference/rbac) (RBAC) and [approval workflows](/reference/change-requests) for state changes. |
|
||
|
| 5.7 Threat intelligence | Information relating to information security threats should be collected and analyzed to produce threat intelligence. | When using the hosted version of Unleash, your instance is continuously scanned and protected by [Amazon Inspector](https://aws.amazon.com/inspector/) and [Amazon GuardDuty](https://aws.amazon.com/guardduty/) to identify security threats and alert Unleash of any risk. |
|
||
|
| 5.15 Access control | Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. | In addition to RBAC, Unleash supports [single sign-on](/reference/sso) (SSO) authentication and [SCIM integration](/reference/scim) for user account provisioning. |
|
||
|
| 5.16 Identity management | The full life cycle of identities should be managed. | Unleash supports SSO and SCIM integration for automatic user account provisioning. |
|
||
|
| 5.18 Access rights | Access rights to information and other associated assets should be provisioned, reviewed, modified, and removed in accordance with the organization's topic-specific policy and rules for access control. | Unleash supports SSO and SCIM integration for automatic user account provisioning. |
|
||
|
| 5.33 Protection of records | Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release. | When using the hosted version of Unleash, your data records are protected with a resilient architecture leveraging AWS data redundancy and backup services. This is described in our annual SOC2 report available in the Trust Center. |
|
||
|
| 5.35 Independent review of information security | The organization's approach to managing information security and its implementation including people, processes, and technologies should be reviewed independently at planned intervals, or when significant changes occur. | Unleash provides annual penetration test results and a SOC 2 report, both conducted by external auditors. |
|
||
|
| 5.37 Documented operating procedures | Operating procedures for information processing facilities should be documented and made available to personnel who need them. | Unleash follows 14 internal policies to ensure secure information processing as part of its SOC2 compliance. |
|
||
|
| 8.2 Privileged access rights | The allocation and use of privileged access rights should be restricted and managed. | Unleash provides RBAC, granular permission administration, custom root roles, as well as approval workflows for state changes. |
|
||
|
| 8.3 Information access restriction | Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. | Unleash provides RBAC, granular permission administration, [custom root roles](/reference/rbac#custom-root-roles), as well as [approval workflows](/reference/change-requests) for state changes. |
|
||
|
| 8.5 Secure authentication | Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. | In addition to RBAC, Unleash supports SSO authentication setup and SCIM integration. |
|
||
|
| 8.6 Capacity management | The use of resources should be monitored and adjusted in line with current and expected capacity requirements. | Unleash provides both traffic monitoring and configuration statistics to help system administrators monitor and adjust resource usage. |
|
||
|
| 8.13 Information backup | Backup copies of information, software, and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | In the hosted version of Unleash, periodic backups are automated. When self-hosting Unleash, the product provides an API to export its configuration, facilitating the backup automation. |
|
||
|
| 8.14 Redundancy of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. | The hosted version of Unleash is a highly available platform with load balancing, and redundancy across multiple AWS availability zones. |
|
||
|
| 8.15 Logging | Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed. | Unleash provides complete [event logs](/reference/events#event-log) and [access logs](/reference/login-history) for all API and UI interactions. |
|
||
|
| 8.16 Monitoring activities | Networks, systems, and applications should be monitored for anomalous behavior, and appropriate actions taken to evaluate potential information security incidents. | The hosted version of Unleash provides network and application monitoring, intrusion detection, and diverse utilization alerts supported by an SRE team and a structured incident handling process. |
|