unleash.unleash/website/docs/using-unleash/compliance/iso27001.mdx

---
title: ISO/IEC 27001 compliance for feature flags
description: 'ISO 27001-compliant feature flags at scale with Unleash.'
---

# ISO 27001 compliance

## Overview

To achieve and maintain ISO 27001 certification, you must ensure that any system you integrate with, including feature flagging solutions, adhere to the same compliance standards. Using a non-compliant homegrown or third-party feature flagging system can compromise your certification and introduce unnecessary risks.

This guide provides an overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) features align with ISO 27001 controls, helping your organization meet its compliance requirements.
 

## How Unleash features map to ISO 27001 controls

| ISO27001 Control                         | Control Description                                                                                                               | Unleash Feature                                                                                                        |
|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------|
| 5.2 Information security roles and responsibilities | Information security roles and responsibilities should be defined and allocated according to the organization's needs.    | Unleash provides granular [role-based access control](/reference/rbac) (RBAC) and [approval workflows](/reference/change-requests) for state changes.                                              |
| 5.7 Threat intelligence                     | Information relating to information security threats should be collected and analyzed to produce threat intelligence.   | When using the hosted version of Unleash, your instance is continuously scanned and protected by [Amazon Inspector](https://aws.amazon.com/inspector/) and [Amazon GuardDuty](https://aws.amazon.com/guardduty/) to identify security threats and alert Unleash of any risk. |
| 5.15 Access control                         | Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. | In addition to RBAC, Unleash supports [single sign-on](/reference/sso) (SSO) authentication and [SCIM integration](/reference/scim) for user account provisioning.    |
| 5.16 Identity management                    | The full life cycle of identities should be managed.                                                                      | Unleash supports SSO and SCIM integration for automatic user account provisioning.                                      |
| 5.18 Access rights                          | Access rights to information and other associated assets should be provisioned, reviewed, modified, and removed in accordance with the organization's topic-specific policy and rules for access control. | Unleash supports SSO and SCIM integration for automatic user account provisioning.                                      |
| 5.33 Protection of records                  | Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release.         | When using the hosted version of Unleash, your data records are protected with a resilient architecture leveraging AWS data redundancy and backup services. This is described in our annual SOC2 report available in the Trust Center. |
| 5.35 Independent review of information security | The organization's approach to managing information security and its implementation including people, processes, and technologies should be reviewed independently at planned intervals, or when significant changes occur. | Unleash provides annual penetration test results and a SOC 2 report, both conducted by external auditors. |
| 5.37 Documented operating procedures        | Operating procedures for information processing facilities should be documented and made available to personnel who need them. | Unleash follows 14 internal policies to ensure secure information processing as part of its SOC2 compliance.                    |
| 8.2 Privileged access rights                | The allocation and use of privileged access rights should be restricted and managed.                                     | Unleash provides RBAC, granular permission administration, custom root roles, as well as approval workflows for state changes. |
| 8.3 Information access restriction          | Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. | Unleash provides RBAC, granular permission administration, [custom root roles](/reference/rbac#custom-root-roles), as well as [approval workflows](/reference/change-requests) for state changes. |
| 8.5 Secure authentication                   | Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. | In addition to RBAC, Unleash supports SSO authentication setup and SCIM integration.                                  |
| 8.6 Capacity management                     | The use of resources should be monitored and adjusted in line with current and expected capacity requirements.           | Unleash provides both traffic monitoring and configuration statistics to help system administrators monitor and adjust resource usage. |
| 8.13 Information backup                     | Backup copies of information, software, and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | In the hosted version of Unleash, periodic backups are automated. When self-hosting Unleash, the product provides an API to export its configuration, facilitating the backup automation. |
| 8.14 Redundancy of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.   | The hosted version of Unleash is a highly available platform with load balancing, and redundancy across multiple AWS availability zones. |
| 8.15 Logging                                | Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed. | Unleash provides complete [event logs](/reference/events#event-log) and [access logs](/reference/login-history) for all API and UI interactions.                                 |
| 8.16 Monitoring activities                  | Networks, systems, and applications should be monitored for anomalous behavior, and appropriate actions taken to evaluate potential information security incidents. | The hosted version of Unleash provides network and application monitoring, intrusion detection, and diverse utilization alerts supported by an SRE team and a structured incident handling process. |