mirror of
https://github.com/Unleash/unleash.git
synced 2025-03-04 00:18:40 +01:00
ISO27K compliance doc (#8973)
This commit is contained in:
parent
a738be68b0
commit
b211c9c33f
@ -9,9 +9,10 @@ description: 'Secure and compliant feature flags at scale with Unleash.'
Unleash is designed to help organizations meet strict compliance requirements, supporting frameworks like [FedRAMP](https://www.fedramp.gov/program-basics/), [SOC 2](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2), [ISO 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001), and more. Features such as [audit logs](/reference/events#event-log), [role-based access control](/reference/rbac) (RBAC), and [change request](/reference/change-requests) workflows enable secure feature management at scale.
Unleash is designed to help organizations meet strict compliance requirements, supporting frameworks like [FedRAMP](https://www.fedramp.gov/program-basics/), [SOC 2](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2), [ISO 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001), and more. Features such as [audit logs](/reference/events#event-log), [role-based access control](/reference/rbac) (RBAC), and [change request](/reference/change-requests) workflows enable secure feature management at scale.
For a detailed overview of how Unleash can help you with your compliance requirements, refer to our guides:
For a detailed overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) can help you with your compliance requirements, refer to our guides:
- [FedRAMP](/using-unleash/compliance/fedramp)
- [FedRAMP](/using-unleash/compliance/fedramp)
- [SOC 2 Type II](/using-unleash/compliance/soc2)
- [SOC 2 Type II](/using-unleash/compliance/soc2)
- [ISO 27001](/using-unleash/compliance/iso27001)
For information regarding any other frameworks, [reach out to us](mailto:sales@getunleash.io).
For information regarding any other frameworks, [reach out to us](mailto:sales@getunleash.io).
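Review bot: the new "Unleash Enterprise" scoping in the "For a detailed overview of how ... can help you" sentence is not reflected in the opening paragraph, which still says "Unleash is designed to help organizations meet strict compliance requirements" and lists audit logs, RBAC and change requests without saying which edition provides them; if these are Enterprise features, state that in the first paragraph as well so open-source users do not expect them. Also consider pointing the intro's ISO 27001 link at the new internal guide (/using-unleash/compliance/iso27001) rather than Wikipedia, since the bullet list below now has an internal page for it.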
34
website/docs/using-unleash/compliance/iso27001.mdx
Normal file
@ -0,0 +1,34 @@
---
title: ISO/IEC 27001 compliance for feature flags
description: 'ISO 27001-compliant feature flags at scale with Unleash.'
---
# ISO 27001 compliance
## Overview
To achieve and maintain ISO 27001 certification, you must ensure that any system you integrate with, including feature flagging solutions, adhere to the same compliance standards. Using a non-compliant homegrown or third-party feature flagging system can compromise your certification and introduce unnecessary risks.
This guide provides an overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) features align with ISO 27001 controls, helping your organization meet its compliance requirements.
## How Unleash features map to ISO 27001 controls
| ISO27001 Control | Control Description | Unleash Feature |
|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------|
| 5.2 Information security roles and responsibilities | Information security roles and responsibilities should be defined and allocated according to the organization's needs. | Unleash provides granular [role-based access control](/reference/rbac) (RBAC) and [approval workflows](/reference/change-requests) for state changes. |
| 5.7 Threat intelligence | Information relating to information security threats should be collected and analyzed to produce threat intelligence. | When using the hosted version of Unleash, your instance is continuously scanned and protected by [Amazon Inspector](https://aws.amazon.com/inspector/) and [Amazon GuardDuty](https://aws.amazon.com/guardduty/) to identify security threats and alert Unleash of any risk. |
| 5.15 Access control | Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. | In addition to RBAC, Unleash supports [single sign-on](/reference/sso) (SSO) authentication and [SCIM integration](/reference/scim) for user account provisioning. |
| 5.16 Identity management | The full life cycle of identities should be managed. | Unleash supports SSO and SCIM integration for automatic user account provisioning. |
| 5.18 Access rights | Access rights to information and other associated assets should be provisioned, reviewed, modified, and removed in accordance with the organization's topic-specific policy and rules for access control. | Unleash supports SSO and SCIM integration for automatic user account provisioning. |
| 5.33 Protection of records | Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release. | When using the hosted version of Unleash, your data records are protected with a resilient architecture leveraging AWS data redundancy and backup services. This is described in our annual SOC2 report available in the Trust Center. |
| 5.35 Independent review of information security | The organization's approach to managing information security and its implementation including people, processes, and technologies should be reviewed independently at planned intervals, or when significant changes occur. | Unleash provides annual penetration test results and a SOC 2 report, both conducted by external auditors. |
| 5.37 Documented operating procedures | Operating procedures for information processing facilities should be documented and made available to personnel who need them. | Unleash follows 14 internal policies to ensure secure information processing as part of its SOC2 compliance. |
| 8.2 Privileged access rights | The allocation and use of privileged access rights should be restricted and managed. | Unleash provides RBAC, granular permission administration, custom root roles, as well as approval workflows for state changes. |
| 8.3 Information access restriction | Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. | Unleash provides RBAC, granular permission administration, [custom root roles](/reference/rbac#custom-root-roles), as well as [approval workflows](/reference/change-requests) for state changes. |
| 8.5 Secure authentication | Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. | In addition to RBAC, Unleash supports SSO authentication setup and SCIM integration. |
| 8.6 Capacity management | The use of resources should be monitored and adjusted in line with current and expected capacity requirements. | Unleash provides both traffic monitoring and configuration statistics to help system administrators monitor and adjust resource usage. |
| 8.13 Information backup | Backup copies of information, software, and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | In the hosted version of Unleash, periodic backups are automated. When self-hosting Unleash, the product provides an API to export its configuration, facilitating the backup automation. |
| 8.14 Redundancy of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. | The hosted version of Unleash is a highly available platform with load balancing, and redundancy across multiple AWS availability zones. |
| 8.15 Logging | Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed. | Unleash provides complete [event logs](/reference/events#event-log) and [access logs](/reference/login-history) for all API and UI interactions. |
| 8.16 Monitoring activities | Networks, systems, and applications should be monitored for anomalous behavior, and appropriate actions taken to evaluate potential information security incidents. | The hosted version of Unleash provides network and application monitoring, intrusion detection, and diverse utilization alerts supported by an SRE team and a structured incident handling process. |
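Review bot: the 5.16 and 5.18 rows carry identical text ("Unleash supports SSO and SCIM integration for automatic user account provisioning"), but 5.18 is about provisioning, reviewing, modifying and removing access rights; that row should say how access is reviewed and revoked (SCIM deprovisioning, RBAC role changes, the event log as review evidence), not only how it is provisioned. Linking is also inconsistent within the table: 8.2 repeats the 8.3 feature list without the custom root roles and approval workflow links, 8.5 names SSO and SCIM without the /reference/sso and /reference/scim links used in 5.15, 8.13 mentions "an API to export its configuration" without linking the export documentation, and 5.33 and 5.37 point readers at "the Trust Center" and "14 internal policies" with no link. Minor: "SOC2" (5.33, 5.37) versus "SOC 2" (5.35), "ISO27001 Control" in the table header versus "ISO 27001" in the title, and in the Overview "any system you integrate with ... adhere to" should read "adheres to".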
@ -7,7 +7,7 @@ description: 'SOC2-compliant feature flags at scale with Unleash.'
## Overview
## Overview
To get SOC2 certified and maintain your compliance, you must ensure that any system you integrate with, including feature flagging solutions, are also SOC2 certified. Using a homegrown or third-party feature flagging system without SOC2 compliance can compromise your certification and introduce unnecessary risks.
To get SOC2 certified and maintain your compliance, you must ensure that any system you integrate with, including feature flagging solutions, adhere to the same compliance standards. Using a homegrown or third-party feature flagging system without SOC2 compliance can compromise your certification and introduce unnecessary risks.
This guide provides an overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) features align with SOC2 Type II controls, helping your organization meet its compliance requirements.
This guide provides an overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) features align with SOC2 Type II controls, helping your organization meet its compliance requirements.
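Review bot: in the reworded first sentence the subject is "any system you integrate with", so "adhere to the same compliance standards" should read "adheres to"; the same sentence is copied into the new ISO 27001 overview and has the same agreement problem there.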
@ -631,6 +631,11 @@ const sidebars: SidebarsConfig = {
label: 'SOC2 Type II',
label: 'SOC2 Type II',
id: 'using-unleash/compliance/soc2',
id: 'using-unleash/compliance/soc2',
},
},
{
type: 'doc',
label: 'ISO27001',
id: 'using-unleash/compliance/iso27001',
},
],
],
},
},
{
{
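Review bot: the new sidebar label 'ISO27001' follows the no-space style of the adjacent 'SOC2 Type II' entry, but the page it points to is titled "ISO/IEC 27001 compliance for feature flags" with an "ISO 27001 compliance" heading, and the compliance index lists it as "ISO 27001"; settle on one spelling across the sidebar, page titles and the table header ("ISO27001 Control") so navigation and headings match.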