From b211c9c33f8073e4e0968a1dfcab2becc619b1bc Mon Sep 17 00:00:00 2001
From: Melinda Fekete
Date: Fri, 13 Dec 2024 13:04:42 +0100
Subject: [PATCH] ISO27K compliance doc (#8973)
---
 .../compliance/compliance-overview.mdx | 3 +-
 .../using-unleash/compliance/iso27001.mdx | 34 +++++++++++++++++++
 .../docs/using-unleash/compliance/soc2.mdx | 2 +-
 website/sidebars.ts | 5 +++
 4 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 website/docs/using-unleash/compliance/iso27001.mdx
diff --git a/website/docs/using-unleash/compliance/compliance-overview.mdx b/website/docs/using-unleash/compliance/compliance-overview.mdx
index 483734f6cf..77c4e0bfd6 100644
--- a/website/docs/using-unleash/compliance/compliance-overview.mdx
+++ b/website/docs/using-unleash/compliance/compliance-overview.mdx
@@ -9,9 +9,10 @@ description: 'Secure and compliant feature flags at scale with Unleash.'
 Unleash is designed to help organizations meet strict compliance requirements, supporting frameworks like [FedRAMP](https://www.fedramp.gov/program-basics/), [SOC 2](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2), [ISO 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001), and more. Features such as [audit logs](/reference/events#event-log), [role-based access control](/reference/rbac) (RBAC), and [change request](/reference/change-requests) workflows enable secure feature management at scale. -For a detailed overview of how Unleash can help you with your compliance requirements, refer to our guides: +For a detailed overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) can help you with your compliance requirements, refer to our guides: - [FedRAMP](/using-unleash/compliance/fedramp) - [SOC 2 Type II](/using-unleash/compliance/soc2) +- [ISO 27001](/using-unleash/compliance/iso27001) For information regarding any other frameworks, [reach out to us](mailto:sales@getunleash.io). 
diff --git a/website/docs/using-unleash/compliance/iso27001.mdx b/website/docs/using-unleash/compliance/iso27001.mdx
new file mode 100644
index 0000000000..abf17ce016
--- /dev/null
+++ b/website/docs/using-unleash/compliance/iso27001.mdx
@@ -0,0 +1,34 @@
+---
+title: ISO/IEC 27001 compliance for feature flags
+description: 'ISO 27001-compliant feature flags at scale with Unleash.'
+---
+
+# ISO 27001 compliance
+
+## Overview
+
+To achieve and maintain ISO 27001 certification, you must ensure that any system you integrate with, including feature flagging solutions, adhere to the same compliance standards. Using a non-compliant homegrown or third-party feature flagging system can compromise your certification and introduce unnecessary risks.
+
+This guide provides an overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) features align with ISO 27001 controls, helping your organization meet its compliance requirements.
+
+
+## How Unleash features map to ISO 27001 controls
+
+| ISO27001 Control | Control Description | Unleash Feature |
+|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------|
+| 5.2 Information security roles and responsibilities | Information security roles and responsibilities should be defined and allocated according to the organization's needs. | Unleash provides granular [role-based access control](/reference/rbac) (RBAC) and [approval workflows](/reference/change-requests) for state changes. |
+| 5.7 Threat intelligence | Information relating to information security threats should be collected and analyzed to produce threat intelligence. | When using the hosted version of Unleash, your instance is continuously scanned and protected by [Amazon Inspector](https://aws.amazon.com/inspector/) and [Amazon GuardDuty](https://aws.amazon.com/guardduty/) to identify security threats and alert Unleash of any risk. |
+| 5.15 Access control | Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. | In addition to RBAC, Unleash supports [single sign-on](/reference/sso) (SSO) authentication and [SCIM integration](/reference/scim) for user account provisioning. |
+| 5.16 Identity management | The full life cycle of identities should be managed. | Unleash supports SSO and SCIM integration for automatic user account provisioning. |
+| 5.18 Access rights | Access rights to information and other associated assets should be provisioned, reviewed, modified, and removed in accordance with the organization's topic-specific policy and rules for access control. | Unleash supports SSO and SCIM integration for automatic user account provisioning. |
+| 5.33 Protection of records | Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release. | When using the hosted version of Unleash, your data records are protected with a resilient architecture leveraging AWS data redundancy and backup services. This is described in our annual SOC2 report available in the Trust Center. |
+| 5.35 Independent review of information security | The organization's approach to managing information security and its implementation including people, processes, and technologies should be reviewed independently at planned intervals, or when significant changes occur. | Unleash provides annual penetration test results and a SOC 2 report, both conducted by external auditors. |
+| 5.37 Documented operating procedures | Operating procedures for information processing facilities should be documented and made available to personnel who need them. | Unleash follows 14 internal policies to ensure secure information processing as part of its SOC2 compliance. |
+| 8.2 Privileged access rights | The allocation and use of privileged access rights should be restricted and managed. | Unleash provides RBAC, granular permission administration, custom root roles, as well as approval workflows for state changes. |
+| 8.3 Information access restriction | Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. | Unleash provides RBAC, granular permission administration, [custom root roles](/reference/rbac#custom-root-roles), as well as [approval workflows](/reference/change-requests) for state changes. |
+| 8.5 Secure authentication | Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. | In addition to RBAC, Unleash supports SSO authentication setup and SCIM integration. |
+| 8.6 Capacity management | The use of resources should be monitored and adjusted in line with current and expected capacity requirements. | Unleash provides both traffic monitoring and configuration statistics to help system administrators monitor and adjust resource usage. |
+| 8.13 Information backup | Backup copies of information, software, and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | In the hosted version of Unleash, periodic backups are automated. When self-hosting Unleash, the product provides an API to export its configuration, facilitating the backup automation. |
+| 8.14 Redundancy of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. | The hosted version of Unleash is a highly available platform with load balancing, and redundancy across multiple AWS availability zones. |
+| 8.15 Logging | Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed. | Unleash provides complete [event logs](/reference/events#event-log) and [access logs](/reference/login-history) for all API and UI interactions. |
+| 8.16 Monitoring activities | Networks, systems, and applications should be monitored for anomalous behavior, and appropriate actions taken to evaluate potential information security incidents. | The hosted version of Unleash provides network and application monitoring, intrusion detection, and diverse utilization alerts supported by an SRE team and a structured incident handling process. |
diff --git a/website/docs/using-unleash/compliance/soc2.mdx b/website/docs/using-unleash/compliance/soc2.mdx
index d715672f53..b48a4453fc 100644
--- a/website/docs/using-unleash/compliance/soc2.mdx
+++ b/website/docs/using-unleash/compliance/soc2.mdx
@@ -7,7 +7,7 @@ description: 'SOC2-compliant feature flags at scale with Unleash.'
 ## Overview -To get SOC2 certified and maintain your compliance, you must ensure that any system you integrate with, including feature flagging solutions, are also SOC2 certified. Using a homegrown or third-party feature flagging system without SOC2 compliance can compromise your certification and introduce unnecessary risks. +To get SOC2 certified and maintain your compliance, you must ensure that any system you integrate with, including feature flagging solutions, adhere to the same compliance standards. Using a homegrown or third-party feature flagging system without SOC2 compliance can compromise your certification and introduce unnecessary risks. This guide provides an overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) features align with SOC2 Type II controls, helping your organization meet its compliance requirements.
diff --git a/website/sidebars.ts b/website/sidebars.ts
index b9b2c9d4cf..b8eb46385e 100644
--- a/website/sidebars.ts
+++ b/website/sidebars.ts
@@ -631,6 +631,11 @@ const sidebars: SidebarsConfig = {
 label: 'SOC2 Type II',
 id: 'using-unleash/compliance/soc2',
 },
+ {
+ type: 'doc',
+ label: 'ISO27001',
+ id: 'using-unleash/compliance/iso27001',
+ },
 ],
 },
 {