ISO 27001 compliance
Overview
To achieve and maintain ISO 27001 certification, you must ensure that any system you integrate with, including feature flagging solutions, is also ISO 27001 certified. Using a non-compliant homegrown or third-party feature flagging system can compromise your certification and introduce unnecessary risks.
This guide provides an overview of how Unleash Enterprise features align with ISO 27001 controls, helping your organization meet its compliance requirements.
How Unleash features map to ISO 27001 controls
ISO 27001 control | Control description | Unleash feature |
---|---|---|
5.2 Information security roles and responsibilities | Information security roles and responsibilities should be defined and allocated according to the organization's needs. | Unleash provides granular role-based access control (RBAC) and approval workflows for state changes. |
5.7 Threat intelligence | Information relating to information security threats should be collected and analyzed to produce threat intelligence. | When using the hosted version of Unleash, your instance is continuously scanned and protected by Amazon Inspector and Amazon GuardDuty, which identify security threats and alert Unleash to any risk. |
5.15 Access control | Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. | In addition to RBAC, Unleash supports single sign-on (SSO) authentication and SCIM integration for user account provisioning. |
5.16 Identity management | The full life cycle of identities should be managed. | Unleash supports SSO and SCIM integration for automatic user account provisioning. |
5.18 Access rights | Access rights to information and other associated assets should be provisioned, reviewed, modified, and removed in accordance with the organization's topic-specific policy and rules for access control. | Unleash supports SSO and SCIM integration for automatic user account provisioning. |
5.33 Protection of records | Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release. | When using the hosted version of Unleash, your data records are protected by a resilient architecture that leverages AWS data redundancy and backup services. This is described in our annual SOC 2 report, available in the Trust Center. |
5.35 Independent review of information security | The organization's approach to managing information security and its implementation, including people, processes, and technologies, should be reviewed independently at planned intervals or when significant changes occur. | Unleash provides annual penetration test results and a SOC 2 report, both produced by external auditors. |
5.37 Documented operating procedures | Operating procedures for information processing facilities should be documented and made available to personnel who need them. | Unleash follows 14 internal policies to ensure secure information processing as part of its SOC 2 compliance. |
8.2 Privileged access rights | The allocation and use of privileged access rights should be restricted and managed. | Unleash provides RBAC, granular permission administration, custom root roles, as well as approval workflows for state changes. |
8.3 Information access restriction | Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. | Unleash provides RBAC, granular permission administration, custom root roles, as well as approval workflows for state changes. |
8.5 Secure authentication | Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. | In addition to RBAC, Unleash supports SSO authentication and SCIM integration. |
8.6 Capacity management | The use of resources should be monitored and adjusted in line with current and expected capacity requirements. | Unleash provides both traffic monitoring and configuration statistics to help system administrators monitor and adjust resource usage. |
8.13 Information backup | Backup copies of information, software, and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | In the hosted version of Unleash, periodic backups are automated. When self-hosting Unleash, the product provides an API to export its configuration, which makes it possible to automate backups. |
8.14 Redundancy of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. | The hosted version of Unleash is a highly available platform with load balancing and redundancy across multiple AWS availability zones. |
8.15 Logging | Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed. | Unleash provides complete event logs and access logs for all API and UI interactions. |
8.16 Monitoring activities | Networks, systems, and applications should be monitored for anomalous behavior, and appropriate actions taken to evaluate potential information security incidents. | The hosted version of Unleash provides network and application monitoring, intrusion detection, and diverse utilization alerts supported by an SRE team and a structured incident handling process. |