ISO 27001 compliance
Overview
To get ISO 27001 certified and maintain your compliance, you must ensure that any system you integrate with, including feature flagging solutions, is also ISO 27001 certified. Using a homegrown or third-party feature flagging system without ISO 27001 compliance can compromise your certification and introduce unnecessary risks.
This guide provides an overview of how Unleash Enterprise features align with ISO 27001 controls, helping your organization meet its compliance requirements.
How Unleash features map to ISO 27001 controls
ISO 27001 Control | Control Description | Unleash Feature |
---|---|---|
5.2 Information security roles and responsibilities | Information security roles and responsibilities should be defined and allocated according to the organization's needs. | Unleash provides granular role-based access control (RBAC) and approval workflows for state changes. |
5.7 Threat intelligence | Information relating to information security threats should be collected and analyzed to produce threat intelligence. | When using the hosted version of Unleash, your feature flagging solution is continuously scanned and protected by Amazon Inspector and AWS GuardDuty solutions that identify security threats and alert Unleash personnel of any risk. |
5.15 Access control | Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. | In addition to RBAC, Unleash supports single sign-on (SSO) authentication and SCIM integration for user account provisioning. |
5.16 Identity management | The full life cycle of identities should be managed. | Unleash supports SSO and SCIM integration for automatic user account provisioning. |
5.18 Access rights | Access rights to information and other associated assets should be provisioned, reviewed, modified, and removed in accordance with the organization's topic-specific policy and rules for access control. | Unleash supports SSO and SCIM integration for automatic user account provisioning. |
5.33 Protection of records | Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release. | When using the hosted version of Unleash, your data records are protected with a resilient architecture leveraging AWS data redundancy and backup services. This benefit is described in our annual SOC2 report available for customers in the Trust Center. |
5.35 Independent review of information security | The organization's approach to managing information security and its implementation including people, processes, and technologies should be reviewed independently at planned intervals, or when significant changes occur. | In addition to SOC2 reports, Unleash provides annual penetration test results available to customers in the Trust Center. Both of these certifications are performed by external auditors. |
5.37 Documented operating procedures | Operating procedures for information processing facilities should be documented and made available to personnel who need them. | Under the SOC2 umbrella, Unleash implements 14 internal policies for secure information processing. |
8.2 Privileged access rights | The allocation and use of privileged access rights should be restricted and managed. | Unleash provides RBAC, granular permission administration, custom root roles, as well as approval workflows for state changes. |
8.3 Information access restriction | Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. | Unleash provides RBAC, granular permission administration, custom root roles, as well as approval workflows for state changes. |
8.5 Secure authentication | Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. | In addition to RBAC, Unleash supports SSO authentication setup and SCIM integration. |
8.6 Capacity management | The use of resources should be monitored and adjusted in line with current and expected capacity requirements. | Unleash provides both traffic monitoring and configuration statistics so that system administrators can monitor and adjust the use of resources. |
8.13 Information backup | Backup copies of information, software, and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | In the hosted version of Unleash, periodic backups are automated. When self-hosting Unleash, the product provides an API to export its configuration, which facilitates backup automation. |
8.14 Redundancy of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. | The hosted version of Unleash is a highly available platform with load balancing and redundancy across multiple AWS availability zones. |
8.15 Logging | Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed. | Unleash provides complete event logs and access logs for all API and UI interactions. |
8.16 Monitoring activities | Networks, systems, and applications should be monitored for anomalous behavior, and appropriate actions taken to evaluate potential information security incidents. | The hosted version of Unleash provides network and application monitoring, intrusion detection, and diverse utilization alerts supported by an SRE team and a structured incident handling process. |
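The 8.13 row above says a self-hosted instance can be backed up through the export API but does not show how to make such a backup "maintained and regularly tested". The script below is an added example, not Unleash's own code: it stores each export with a SHA-256 sidecar and offers a restore-style verification, which also serves the 5.33 concern about falsification of records. It assumes the export endpoint is `POST /api/admin/features-batch/export` with an admin API token in the `Authorization` header, and the sample export document is constructed for illustration.

```python
"""Added example: automate and verify a configuration backup of a
self-hosted Unleash instance (ISO 27001 8.13 / 5.33).
Assumptions not stated on the page: the export endpoint is
POST /api/admin/features-batch/export and UNLEASH_TOKEN holds an admin token."""
import hashlib
import json
import os
import time
import urllib.request

# Constructed sample of what an export document looks like (not real data).
SAMPLE_EXPORT = b'{"features": [{"name": "new-checkout", "type": "release"}], "featureStrategies": []}'


def export_config(base_url: str, token: str, environment: str) -> bytes:
    """Fetch the flag configuration for one environment as raw JSON bytes."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/admin/features-batch/export",
        data=json.dumps({"environment": environment}).encode(),
        headers={"Authorization": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def write_snapshot(payload: bytes, directory: str, stamp: str = "") -> str:
    """Store the export plus a SHA-256 sidecar; refuses anything that is not JSON."""
    json.loads(payload)  # raises ValueError on a truncated or non-JSON response
    stamp = stamp or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    path = os.path.join(directory, f"unleash-export-{stamp}.json")
    with open(path, "wb") as fh:
        fh.write(payload)
    with open(path + ".sha256", "w") as fh:
        fh.write(hashlib.sha256(payload).hexdigest() + "\n")
    return path


def verify_snapshot(path: str) -> bool:
    """Backup test: digest matches the sidecar and the file parses as an export
    document carrying a 'features' list. False on tampering or corruption."""
    with open(path, "rb") as fh:
        data = fh.read()
    with open(path + ".sha256") as fh:
        expected = fh.read().strip()
    if hashlib.sha256(data).hexdigest() != expected:
        return False
    try:
        doc = json.loads(data)
    except ValueError:
        return False
    return isinstance(doc.get("features"), list)


if __name__ == "__main__":
    # Offline demo on the constructed sample; replace with export_config(...) in a real job.
    snap = write_snapshot(SAMPLE_EXPORT, ".")
    print(snap, "verified:", verify_snapshot(snap))
```

Run it from cron with the fetched payload in place of `SAMPLE_EXPORT`, and keep the verification step in the job so that a silently corrupted backup is noticed before it is needed.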