From 23ad620b95b74c497daf214419efdf3304b44271 Mon Sep 17 00:00:00 2001 From: melindafekete Date: Thu, 12 Dec 2024 17:02:38 +0100 Subject: [PATCH 1/4] ADD ISO27K doc --- .../compliance/compliance-overview.mdx | 1 + .../using-unleash/compliance/iso27001.mdx | 34 +++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 website/docs/using-unleash/compliance/iso27001.mdx diff --git a/website/docs/using-unleash/compliance/compliance-overview.mdx b/website/docs/using-unleash/compliance/compliance-overview.mdx index 483734f6cfc4..ba5744473d48 100644 --- a/website/docs/using-unleash/compliance/compliance-overview.mdx +++ b/website/docs/using-unleash/compliance/compliance-overview.mdx @@ -12,6 +12,7 @@ Unleash is designed to help organizations meet strict compliance requirements, s For a detailed overview of how Unleash can help you with your compliance requirements, refer to our guides: - [FedRAMP](/using-unleash/compliance/fedramp) - [SOC 2 Type II](/using-unleash/compliance/soc2) +- [ISO 27001](/using-unleash/compliance/iso27001) For information regarding any other frameworks, [reach out to us](mailto:sales@getunleash.io). diff --git a/website/docs/using-unleash/compliance/iso27001.mdx b/website/docs/using-unleash/compliance/iso27001.mdx new file mode 100644 index 000000000000..94a00f48cd72 --- /dev/null +++ b/website/docs/using-unleash/compliance/iso27001.mdx 
@@ -0,0 +1,34 @@ +--- +title: ISO/IEC 27001 compliance for feature flags +description: 'ISO 27001-compliant feature flags at scale with Unleash.' +--- + +# ISO 27001 compliance + +## Overview + +To get ISO 27001 certified and maintain your compliance, you must ensure that any system you integrate with, including feature flagging solutions, is also ISO 27001 certified. Using a homegrown or third-party feature flagging system without ISO 27001 compliance can compromise your certification and introduce unnecessary risks. + +This guide provides an overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) features align with ISO 27001 controls, helping your organization meet its compliance requirements. + + +## How Unleash features map to ISO 27001 controls + +| ISO27001 Control | Control Description | Unleash Feature | +|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------| +| 5.2 Information security roles and responsibilities | Information security roles and responsibilities should be defined and allocated according to the organization's needs. | Unleash provides granular [role-based access control](/reference/rbac) (RBAC) and approval workflows for state changes. | +| 5.7 Threat intelligence | Information relating to information security threats should be collected and analyzed to produce threat intelligence. | When using the hosted version of Unleash, your feature flagging solution is continuously scanned and protected by Amazon Inspector and AWS GuardDuty solutions that identify security threats and alert Unleash personnel of any risk. 
| +| 5.15 Access control | Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. | In addition to RBAC, Unleash supports [single sign-on](/reference/sso) (SSO) authentication and [SCIM integration](/reference/scim) for user account provisioning. | +| 5.16 Identity management | The full life cycle of identities should be managed. | Unleash supports SSO and SCIM integration for automatic user account provisioning. | +| 5.18 Access rights | Access rights to information and other associated assets should be provisioned, reviewed, modified, and removed in accordance with the organization's topic-specific policy and rules for access control. | Unleash supports SSO and SCIM integration for automatic user account provisioning. | +| 5.33 Protection of records | Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release. | When using the hosted version of Unleash, your data records are protected with a resilient architecture leveraging AWS data redundancy and backup services. This benefit is described in our annual SOC2 report available for customers in the Trust Center. | +| 5.35 Independent review of information security | The organization's approach to managing information security and its implementation including people, processes, and technologies should be reviewed independently at planned intervals, or when significant changes occur. | In addition to SOC2 reports, Unleash provides annual penetration test results available to customers in the Trust Center. Both of these certifications are performed by external auditors. | +| 5.37 Documented operating procedures | Operating procedures for information processing facilities should be documented and made available to personnel who need them. | Under the SOC2 umbrella, Unleash implements 14 internal policies for secure information processing. 
| +| 8.2 Privileged access rights | The allocation and use of privileged access rights should be restricted and managed. | Unleash provides RBAC, granular permission administration, custom root roles, as well as approval workflows for state changes. | +| 8.3 Information access restriction | Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. | Unleash provides RBAC, granular permission administration, custom root roles, as well as approval workflows for state changes. | +| 8.5 Secure authentication | Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. | In addition to RBAC, Unleash supports SSO authentication setup and SCIM integration. | +| 8.6 Capacity management | The use of resources should be monitored and adjusted in line with current and expected capacity requirements. | Unleash provides both traffic monitoring and configuration statistics, in order for the system administrators to monitor and adjust the use of resources. | +| 8.13 Information backup | Backup copies of information, software, and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | In the hosted version of Unleash, periodic backups are automated. When self-hosting Unleash, the product provides an API to export its configuration, facilitating the backup automation. | +| 8.14 Redundancy of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. | The hosted version of Unleash, is a highly available platform with load balancing, and redundancy across multiple AWS availability zones. | +| 8.15 Logging | Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed. 
| Unleash provides complete event logs and access logs for all API and UI interactions. | +| 8.16 Monitoring activities | Networks, systems, and applications should be monitored for anomalous behavior, and appropriate actions taken to evaluate potential information security incidents. | The hosted version of Unleash provides network and application monitoring, intrusion detection, and diverse utilization alerts supported by an SRE team and a structured incident handling process. | From 5efd459672884111c08e9858208ce4e19aae6d3b Mon Sep 17 00:00:00 2001 From: melindafekete Date: Fri, 13 Dec 2024 09:35:46 +0100 Subject: [PATCH 2/4] Add iso to nav, tweak descriptions, add links --- .../using-unleash/compliance/iso27001.mdx | 20 +++++++++---------- website/sidebars.ts | 5 +++++ 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/website/docs/using-unleash/compliance/iso27001.mdx b/website/docs/using-unleash/compliance/iso27001.mdx index 94a00f48cd72..c57824662188 100644 --- a/website/docs/using-unleash/compliance/iso27001.mdx +++ b/website/docs/using-unleash/compliance/iso27001.mdx 
@@ -7,7 +7,7 @@ description: 'ISO 27001-compliant feature flags at scale with Unleash.' ## Overview -To get ISO 27001 certified and maintain your compliance, you must ensure that any system you integrate with, including feature flagging solutions, is also ISO 27001 certified. Using a homegrown or third-party feature flagging system without ISO 27001 compliance can compromise your certification and introduce unnecessary risks. +To achieve and maintain ISO 27001 certification, you must ensure that any system you integrate with, including feature flagging solutions, is also ISO 27001 certified. Using a non-compliant homegrown or third-party feature flagging system can compromise your certification and introduce unnecessary risks. This guide provides an overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) features align with ISO 27001 controls, helping your organization meet its compliance requirements. 
@@ -16,19 +16,19 @@ This guide provides an overview of how [Unleash Enterprise](https://www.getunlea | ISO27001 Control | Control Description | Unleash Feature | |--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------| -| 5.2 Information security roles and responsibilities | Information security roles and responsibilities should be defined and allocated according to the organization's needs. | Unleash provides granular [role-based access control](/reference/rbac) (RBAC) and approval workflows for state changes. | -| 5.7 Threat intelligence | Information relating to information security threats should be collected and analyzed to produce threat intelligence. | When using the hosted version of Unleash, your feature flagging solution is continuously scanned and protected by Amazon Inspector and AWS GuardDuty solutions that identify security threats and alert Unleash personnel of any risk. | +| 5.2 Information security roles and responsibilities | Information security roles and responsibilities should be defined and allocated according to the organization's needs. | Unleash provides granular [role-based access control](/reference/rbac) (RBAC) and [approval workflows](/reference/change-requests) for state changes. | +| 5.7 Threat intelligence | Information relating to information security threats should be collected and analyzed to produce threat intelligence. | When using the hosted version of Unleash, your instance is continuously scanned and protected by [Amazon Inspector](https://aws.amazon.com/inspector/) and [Amazon GuardDuty](https://aws.amazon.com/guardduty/) to identify security threats and alert Unleash of any risk. 
| | 5.15 Access control | Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. | In addition to RBAC, Unleash supports [single sign-on](/reference/sso) (SSO) authentication and [SCIM integration](/reference/scim) for user account provisioning. | | 5.16 Identity management | The full life cycle of identities should be managed. | Unleash supports SSO and SCIM integration for automatic user account provisioning. | | 5.18 Access rights | Access rights to information and other associated assets should be provisioned, reviewed, modified, and removed in accordance with the organization's topic-specific policy and rules for access control. | Unleash supports SSO and SCIM integration for automatic user account provisioning. | -| 5.33 Protection of records | Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release. | When using the hosted version of Unleash, your data records are protected with a resilient architecture leveraging AWS data redundancy and backup services. This benefit is described in our annual SOC2 report available for customers in the Trust Center. | -| 5.35 Independent review of information security | The organization's approach to managing information security and its implementation including people, processes, and technologies should be reviewed independently at planned intervals, or when significant changes occur. | In addition to SOC2 reports, Unleash provides annual penetration test results available to customers in the Trust Center. Both of these certifications are performed by external auditors. | -| 5.37 Documented operating procedures | Operating procedures for information processing facilities should be documented and made available to personnel who need them. | Under the SOC2 umbrella, Unleash implements 14 internal policies for secure information processing. 
| +| 5.33 Protection of records | Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release. | When using the hosted version of Unleash, your data records are protected with a resilient architecture leveraging AWS data redundancy and backup services. This is described in our annual SOC2 report available in the Trust Center. | +| 5.35 Independent review of information security | The organization's approach to managing information security and its implementation including people, processes, and technologies should be reviewed independently at planned intervals, or when significant changes occur. | Unleash provides annual penetration test results and a SOC 2 report, both conducted by external auditors. | +| 5.37 Documented operating procedures | Operating procedures for information processing facilities should be documented and made available to personnel who need them. | Unleash follows 14 internal policies to ensure secure information processing as part of its SOC2 compliance. | | 8.2 Privileged access rights | The allocation and use of privileged access rights should be restricted and managed. | Unleash provides RBAC, granular permission administration, custom root roles, as well as approval workflows for state changes. | -| 8.3 Information access restriction | Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. | Unleash provides RBAC, granular permission administration, custom root roles, as well as approval workflows for state changes. | +| 8.3 Information access restriction | Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. | Unleash provides RBAC, granular permission administration, [custom root roles](/reference/rbac#custom-root-roles), as well as [approval workflows](/reference/change-requests) for state changes. 
| | 8.5 Secure authentication | Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. | In addition to RBAC, Unleash supports SSO authentication setup and SCIM integration. | -| 8.6 Capacity management | The use of resources should be monitored and adjusted in line with current and expected capacity requirements. | Unleash provides both traffic monitoring and configuration statistics, in order for the system administrators to monitor and adjust the use of resources. | +| 8.6 Capacity management | The use of resources should be monitored and adjusted in line with current and expected capacity requirements. | Unleash provides both traffic monitoring and configuration statistics to help system administrators monitor and adjust resource usage. | | 8.13 Information backup | Backup copies of information, software, and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | In the hosted version of Unleash, periodic backups are automated. When self-hosting Unleash, the product provides an API to export its configuration, facilitating the backup automation. | -| 8.14 Redundancy of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. | The hosted version of Unleash, is a highly available platform with load balancing, and redundancy across multiple AWS availability zones. | -| 8.15 Logging | Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed. | Unleash provides complete event logs and access logs for all API and UI interactions. | +| 8.14 Redundancy of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. 
| The hosted version of Unleash is a highly available platform with load balancing, and redundancy across multiple AWS availability zones. | +| 8.15 Logging | Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed. | Unleash provides complete [event logs](/reference/events#event-log) and [access logs](/reference/login-history) for all API and UI interactions. | | 8.16 Monitoring activities | Networks, systems, and applications should be monitored for anomalous behavior, and appropriate actions taken to evaluate potential information security incidents. | The hosted version of Unleash provides network and application monitoring, intrusion detection, and diverse utilization alerts supported by an SRE team and a structured incident handling process. | diff --git a/website/sidebars.ts b/website/sidebars.ts index b9b2c9d4cff3..b8eb46385e71 100644 --- a/website/sidebars.ts +++ b/website/sidebars.ts @@ -631,6 +631,11 @@ const sidebars: SidebarsConfig = { label: 'SOC2 Type II', id: 'using-unleash/compliance/soc2', }, + { + type: 'doc', + label: 'ISO27001', + id: 'using-unleash/compliance/iso27001', + }, ], }, { From 44411fafc4d69b94287190ae0a98c759945b720b Mon Sep 17 00:00:00 2001 From: Melinda Fekete Date: Fri, 13 Dec 2024 12:40:45 +0100 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: Michael Ferranti --- website/docs/using-unleash/compliance/compliance-overview.mdx | 2 +- website/docs/using-unleash/compliance/iso27001.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/website/docs/using-unleash/compliance/compliance-overview.mdx b/website/docs/using-unleash/compliance/compliance-overview.mdx index ba5744473d48..77c4e0bfd6ac 100644 --- a/website/docs/using-unleash/compliance/compliance-overview.mdx +++ b/website/docs/using-unleash/compliance/compliance-overview.mdx 
@@ -9,7 +9,7 @@ description: 'Secure and compliant feature flags at scale with Unleash.' Unleash is designed to help organizations meet strict compliance requirements, supporting frameworks like [FedRAMP](https://www.fedramp.gov/program-basics/), [SOC 2](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2), [ISO 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001), and more. Features such as [audit logs](/reference/events#event-log), [role-based access control](/reference/rbac) (RBAC), and [change request](/reference/change-requests) workflows enable secure feature management at scale. -For a detailed overview of how Unleash can help you with your compliance requirements, refer to our guides: +For a detailed overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) can help you with your compliance requirements, refer to our guides: - [FedRAMP](/using-unleash/compliance/fedramp) - [SOC 2 Type II](/using-unleash/compliance/soc2) - [ISO 27001](/using-unleash/compliance/iso27001) diff --git a/website/docs/using-unleash/compliance/iso27001.mdx b/website/docs/using-unleash/compliance/iso27001.mdx index c57824662188..abf17ce0160e 100644 --- a/website/docs/using-unleash/compliance/iso27001.mdx +++ b/website/docs/using-unleash/compliance/iso27001.mdx 
@@ -7,7 +7,7 @@ description: 'ISO 27001-compliant feature flags at scale with Unleash.' ## Overview -To achieve and maintain ISO 27001 certification, you must ensure that any system you integrate with, including feature flagging solutions, is also ISO 27001 certified. Using a non-compliant homegrown or third-party feature flagging system can compromise your certification and introduce unnecessary risks. +To achieve and maintain ISO 27001 certification, you must ensure that any system you integrate with, including feature flagging solutions, adhere to the same compliance standards. Using a non-compliant homegrown or third-party feature flagging system can compromise your certification and introduce unnecessary risks. This guide provides an overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) features align with ISO 27001 controls, helping your organization meet its compliance requirements. From e38fdf75fb49d2cb8c2d376b6c7e4573adc76e85 Mon Sep 17 00:00:00 2001 From: melindafekete Date: Fri, 13 Dec 2024 12:47:39 +0100 Subject: [PATCH 4/4] Update overview SOC2 --- website/docs/using-unleash/compliance/soc2.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/using-unleash/compliance/soc2.mdx b/website/docs/using-unleash/compliance/soc2.mdx index d715672f5364..b48a4453fcbb 100644 --- a/website/docs/using-unleash/compliance/soc2.mdx +++ b/website/docs/using-unleash/compliance/soc2.mdx 
@@ -7,7 +7,7 @@ description: 'SOC2-compliant feature flags at scale with Unleash.' ## Overview -To get SOC2 certified and maintain your compliance, you must ensure that any system you integrate with, including feature flagging solutions, are also SOC2 certified. Using a homegrown or third-party feature flagging system without SOC2 compliance can compromise your certification and introduce unnecessary risks. +To get SOC2 certified and maintain your compliance, you must ensure that any system you integrate with, including feature flagging solutions, adhere to the same compliance standards. Using a homegrown or third-party feature flagging system without SOC2 compliance can compromise your certification and introduce unnecessary risks. This guide provides an overview of how [Unleash Enterprise](https://www.getunleash.io/pricing) features align with SOC2 Type II controls, helping your organization meet its compliance requirements.
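Review bot: In the new iso27001.mdx table (PATCH 1/4), the 5.7 Threat intelligence row maps Amazon Inspector and GuardDuty to a control about collecting and analysing threat intelligence, but those services are vulnerability scanning and threat detection for the hosted instance, which fits the 8.16 Monitoring activities row already in the table better; either reword the cell to say how their findings feed Unleash's threat intelligence process or move them to 8.16. Several feature cells also stop short of the control text they sit beside: 8.13 requires backups to be "regularly tested" and 8.15 requires logs to be "protected", yet neither cell mentions backup testing or log protection and retention, and "complete event logs and access logs for all API and UI interactions" is an absolute claim an auditor will ask to be substantiated, so soften it or link to what the event log actually records.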
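Review bot: In the PATCH 2/4 table hunk, the 5.35 row now says "a SOC 2 report" while 5.33 and 5.37 still say "SOC2 report" and "SOC2 compliance", and the header still reads "ISO27001 Control" against "ISO 27001" in the page title; pick one spelling ("SOC 2", "ISO 27001") for the whole file. The 5.33 row also replaced "available for customers in the Trust Center" with "available in the Trust Center", which no longer says who can access the report; if it requires a customer login, keep that qualifier.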
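Review bot: In the sidebars.ts hunk (PATCH 2/4), the new label is "ISO27001" while the link text added to compliance-overview.mdx in PATCH 1/4 and the page title use "ISO 27001"; the neighbouring "SOC2 Type II" entry is likewise spelled "SOC 2 Type II" in compliance-overview.mdx, so consider aligning both sidebar labels with the doc titles in this PR.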
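Review bot: In the PATCH 3/4 iso27001.mdx hunk, the new sentence has a subject-verb agreement error: "any system you integrate with, including feature flagging solutions, adhere to the same compliance standards" should read "adheres". The substance of the change is an improvement, since ISO 27001 asks an organization to manage the risk of its suppliers rather than requiring every integrated system to hold its own certificate, which is what the previous wording implied.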
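Review bot: In the PATCH 4/4 soc2.mdx hunk, the same agreement error appears: "any system you integrate with, including feature flagging solutions, adhere to the same compliance standards" should be "adheres"; since this sentence was copied from the ISO page, fix both in one pass. Also, SOC 2 produces an auditor's attestation report rather than a certification, so "To get SOC2 certified" and "compromise your certification" are loose; "to obtain and maintain a SOC 2 report" would be more accurate.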