ISO 27001 ISMS Overview
Last updated: April 2026
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). This page describes FeatureSignals' ISMS — its scope, governing policy, risk assessment methodology, Annex A controls implementation, and certification roadmap.
Certification Status: Implementation Phase
FeatureSignals is implementing ISO 27001:2022 controls. The ISMS is operational with internal audits ongoing. Formal certification audit is on the product roadmap. All controls documented below are implemented and operational.
ISMS Scope
The FeatureSignals ISMS covers:
- Product: FeatureSignals feature flag management platform (server, dashboard, SDKs, API)
- Infrastructure: Production, staging, and CI/CD environments hosted on Hetzner (Falkenstein, Germany)
- Data: Customer data, evaluation context, audit logs, configuration, secrets
- People: Engineering team with access to production systems and customer data
- Processes: Development, deployment, incident response, access management, change management
Information Security Policy
The FeatureSignals Information Security Policy establishes the principles that govern our ISMS:
Confidentiality
Information is accessible only to those authorized. Enforced through RBAC, encryption, and access controls.
Integrity
Information is accurate, complete, and protected from unauthorized modification. Enforced through audit trails with SHA-256 chain hashing.
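To make the SHA-256 chain-hashing control concrete, here is an added Python example (not FeatureSignals' own code; the entry fields, actor names and the genesis anchor value are constructed for illustration) that appends hash-linked audit entries and verifies the chain. It shows which tampering cases a verifier detects on its own and the one case, tail truncation, that is only caught when the latest hash is anchored out of band.

```python
import hashlib
import json
from typing import Optional, Tuple

# Constructed anchor for the first entry's prev_hash (not a value from the page).
GENESIS_HASH = "0" * 64


def canonical(body: dict) -> bytes:
    """Deterministic JSON encoding so every verifier hashes identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(body: dict) -> str:
    """SHA-256 over the entry body; the body embeds prev_hash, which forms the chain link."""
    return hashlib.sha256(canonical(body)).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, actor: str, action: str, **details) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {
            "seq": len(self.entries),
            "prev_hash": prev,
            "actor": actor,
            "action": action,
            "details": details,
        }
        entry = dict(body, hash=entry_hash(body))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; store a copy out of band to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH


def verify_chain(entries: list[dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain from genesis. Returns (ok, index of first bad entry or None).

    Detects edited entries (hash mismatch) and reordered or removed middle entries
    (seq / prev_hash mismatch). Removal of the tail is only detected when
    expected_head, an externally stored copy of the last hash, is supplied.
    """
    prev = GENESIS_HASH
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or entry.get("prev_hash") != prev:
            return False, i
        if entry_hash(body) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def demo() -> dict:
    """Constructed sample entries, then the tampering scenarios a verifier must handle."""
    log = AuditLog()
    log.append("alice@example.com", "flag.create", flag="new-checkout", env="staging")
    log.append("alice@example.com", "flag.enable", flag="new-checkout", env="production")
    log.append("bob@example.com", "member.invite", email="carol@example.com", role="viewer")
    head = log.head()

    results = {"intact": verify_chain(log.entries, head)}

    # 1. Silent edit of a stored entry: its hash no longer matches its body.
    edited = [dict(e) for e in log.entries]
    edited[1]["details"] = {"flag": "new-checkout", "env": "staging"}
    results["edited"] = verify_chain(edited, head)

    # 2. Edit plus recomputed hash on the same entry: the next entry's prev_hash breaks.
    rehashed = [dict(e) for e in log.entries]
    rehashed[1]["details"] = {"flag": "new-checkout", "env": "staging"}
    rehashed[1]["hash"] = entry_hash({k: v for k, v in rehashed[1].items() if k != "hash"})
    results["rehashed"] = verify_chain(rehashed, head)

    # 3. Tail truncation: internally consistent, caught only by the anchored head hash.
    truncated = log.entries[:-1]
    results["truncated_unanchored"] = verify_chain(truncated)
    results["truncated_anchored"] = verify_chain(truncated, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the chain alone proves entries were not altered or removed from the middle; it says nothing about entries removed from the end, so the head hash (or a periodic signed checkpoint of it) has to live somewhere the log writer cannot rewrite, such as a separate store or a customer-facing export.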
Availability
Information is accessible when needed by authorized users. Enforced through high-availability design, backups, and DR planning.
Accountability
All actions are attributable to identified actors. Enforced through comprehensive audit logging and access reviews.
Risk Assessment Methodology
FeatureSignals follows the ISO 27005 risk assessment methodology, integrated with ISO 27001 requirements:
- Asset identification: All information assets are catalogued (data, systems, processes, people)
- Threat identification: Threats are identified using STRIDE methodology and industry threat intelligence
- Vulnerability assessment: Automated scanning (govulncheck, npm audit) plus manual security review
- Risk evaluation: Risks rated by likelihood × impact on a 5×5 matrix; risks above threshold require treatment
- Risk treatment: Apply controls (avoid, mitigate, transfer, or accept with justification)
- Residual risk acceptance: Documented sign-off by security lead for any accepted risks
Risk assessments are reviewed quarterly and updated when significant changes occur (new features, infrastructure changes, new threats).
Annex A Controls Implementation
ISO 27001:2022 Annex A defines 93 controls across 4 themes. FeatureSignals has implemented controls across all themes:
A.5 — Organizational Controls (37 controls)
| Key Controls | Implementation Status |
|---|---|
| A.5.1 Policies for information security | ISMS policy documented, reviewed annually, communicated to team |
| A.5.7 Threat intelligence | Vulnerability scanning, dependency monitoring, security advisories |
| A.5.15 Access control | RBAC, least privilege, quarterly access reviews |
| A.5.17–18 Authentication | JWT, API keys, MFA (TOTP), SSO (SAML/OIDC) |
| A.5.19 Supplier security | Sub-processor vetting, DPAs, vendor security assessments |
| A.5.24–27 Incident management | 5-phase incident lifecycle, defined SLAs, post-mortems |
| A.5.29–30 ICT readiness | Business continuity plan, DR runbook, quarterly testing |
A.6 — People Controls (8 controls)
| Key Controls | Implementation Status |
|---|---|
| A.6.1 Screening | Background verification for all team members with production access |
| A.6.3 Awareness training | Security awareness training at onboarding and annually |
| A.6.5 Responsibilities after termination | Immediate access revocation, credential rotation on departure |
A.7 — Physical Controls (14 controls)
Physical security is provided by Hetzner's ISO 27001-certified data centers (Falkenstein, Germany):
- 24/7 security personnel and video surveillance
- Biometric access controls and mantrap entries
- Redundant power (UPS + diesel generators)
- Fire detection and suppression systems
- Climate control with N+1 redundancy
A.8 — Technological Controls (34 controls)
| Key Controls | Implementation Status |
|---|---|
| A.8.3 Information access restriction | RBAC, org-scoped queries, 404 for cross-org access |
| A.8.5 Secure authentication | JWT (1h TTL), API keys (SHA-256), MFA, SSO |
| A.8.8 Vulnerability management | govulncheck in CI, weekly full scans, responsible disclosure |
| A.8.12–15 Secure development | Git-based workflow, PR reviews, 80%+ test coverage, staging env |
| A.8.20–22 Network security | WAF, rate limiting, IP allowlisting, security headers |
| A.8.24 Cryptography | TLS 1.3, AES-256 at rest, bcrypt, SHA-256 integrity |
| A.8.25 Secure lifecycle | Containerized deployment, immutable tags, canary deployments |
Internal Audit & Management Review
The ISMS is maintained through a cycle of continuous improvement:
- Internal audits: Conducted quarterly against ISO 27001:2022 requirements
- Management review: Bi-annual review of ISMS performance, audit findings, and improvement opportunities
- Corrective actions: Tracked in issue tracker with owners and deadlines
- Continuous improvement: Lessons learned from incidents, audits, and reviews feed back into control design
Statement of Applicability (SoA)
The Statement of Applicability documents which Annex A controls are applicable, implemented, and the justification for any exclusions. The SoA is available to Enterprise customers under NDA. Contact compliance@featuresignals.com to request a copy.