ISO 27001 Alignment
ATStatus implements security controls aligned with ISO/IEC 27001:2022 Annex A, supporting your organization's Information Security Management System (ISMS).
ISO 27001 is the international standard for information security management. Annex A contains 93 controls across 4 themes. ATStatus addresses relevant controls for application security.
Annex A Control Mapping
The following table maps ATStatus features to ISO 27001:2022 Annex A controls:
A.5 — Organizational Controls
| Control | Description | ATStatus Implementation |
|---|---|---|
| A.5.15 | Access control | Role-based access control (RBAC) with 4 hierarchical roles and 50+ granular permissions |
| A.5.16 | Identity management | User accounts with unique identifiers, email verification, password policies |
| A.5.17 | Authentication information | SHA-256 password hashing, TOTP 2FA, backup codes, session management |
| A.5.18 | Access rights | Permission-based access, step-up authentication for sensitive operations |
A.8 — Technology Controls
| Control | Description | ATStatus Implementation |
|---|---|---|
| A.8.2 | Privileged access rights | OWNER role separation, step-up auth for user management |
| A.8.3 | Information access restriction | RBAC enforced on all API routes and UI components |
| A.8.5 | Secure authentication | HMAC-signed sessions, CSRF protection, secure cookies |
| A.8.9 | Configuration management | Environment-based configuration, no hardcoded secrets |
| A.8.12 | Data leakage prevention | Input validation, parameterized queries, rate limiting |
| A.8.15 | Logging | Comprehensive audit logging with tamper detection |
| A.8.16 | Monitoring activities | System health monitoring, self-test diagnostics |
| A.8.24 | Use of cryptography | SHA-256 hashing, HMAC signatures, secure token generation |
Detailed Control Implementation
ATStatus implements comprehensive access control through:
- 4 hierarchical roles: OWNER, ADMIN, MEMBER, READ_ONLY
- 50+ granular permissions covering all operations
- Role hierarchy prevents privilege escalation
- Permission checks on both API routes and UI
Authentication credentials are protected through:
- SHA-256 password hashing with salt
- TOTP-based two-factor authentication
- Backup codes for 2FA recovery
- Session invalidation on password change
- API keys hashed before storage
Comprehensive audit logging includes:
- All administrative actions logged
- User identification (actor tracking)
- Timestamps and IP addresses
- Hash-chain for tamper detection
- Severity-based event classification
- Searchable and exportable logs
Cryptographic controls implemented:
- SHA-256 for password hashing
- HMAC-SHA256 for session tokens
- Cryptographically secure random number generation
- Hash chain for audit log integrity
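The hash-chain and HMAC-SHA256 controls listed above, shown as an added illustrative example (not ATStatus's own code, which the page does not show): each entry's SHA-256 covers the previous entry's hash, so editing a stored entry in place is detected, while an HMAC seal over the chain head, keyed with a secret the log writer does not hold, also catches a whole-chain rewrite that the chain alone cannot. Function names, sample events and the key are constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one

def _canonical(event: dict) -> bytes:
    # Deterministic serialization: the same event must always hash the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def _entry_hash(prev_hash: str, event: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + _canonical(event)).hexdigest()

def append_event(chain: list, event: dict) -> dict:
    """Append an audit event; its hash covers the event and the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"event": event, "prev_hash": prev_hash, "hash": _entry_hash(prev_hash, event)}
    chain.append(entry)
    return entry

def first_broken_link(chain: list):
    """Index of the first entry whose hash or back-link is wrong; None if the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, entry["event"]):
            return i
        prev_hash = entry["hash"]
    return None

def seal_chain(chain: list, key: bytes) -> str:
    """HMAC-SHA256 over the chain head, keyed with a secret the log writer does not hold."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()

def demo() -> dict:
    """Constructed sample events (hypothetical); returns what each check reports."""
    key = b"constructed-key-held-only-by-the-log-verifier"
    chain: list = []
    for action, actor in [("user.create", "alice"), ("role.grant", "alice"), ("login", "bob")]:
        append_event(chain, {"ts": "2024-01-01T10:00:00Z", "actor": actor,
                             "ip": "203.0.113.5", "action": action, "severity": "info"})
    tag = seal_chain(chain, key)
    intact = first_broken_link(chain)       # None: nothing changed yet
    chain[1]["event"]["actor"] = "mallory"  # one stored entry edited in place
    edited = first_broken_link(chain)       # 1: its stored hash no longer matches
    rewritten: list = []                    # same edit, but with every hash recomputed
    for entry in chain:
        append_event(rewritten, entry["event"])
    return {"intact": intact, "edited": edited,
            "rewrite_chain": first_broken_link(rewritten),  # None: the chain alone cannot tell
            "rewrite_seal": hmac.compare_digest(seal_chain(rewritten, key), tag)}  # False
```

Storing the seal (or periodic checkpoints of the head hash) somewhere the application cannot write is what turns the chain into tamper evidence rather than a self-check.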
Controls Outside Scope
The following ISO 27001 controls are outside the scope of ATStatus and must be addressed by your organization's ISMS:
- Physical security: A.7 (Physical controls) — organizational responsibility
- Network security: A.8.20-A.8.23 — infrastructure responsibility
- Supplier relationships: A.5.19-A.5.23 — organizational responsibility
- Business continuity: A.5.29-A.5.30 — organizational responsibility
- Backup: A.8.13 — infrastructure/operational responsibility
ISO 27001 certification requires a complete Information Security Management System including policies, procedures, risk assessment, and management review. ATStatus provides technical controls only.
Evidence for Auditors
When preparing for an ISO 27001 audit, ATStatus provides the following evidence:
| Evidence Type | Location | Controls Supported |
|---|---|---|
| User access records | Admin → Users | A.5.15, A.5.16, A.5.18 |
| Role/permission configuration | Admin → Roles | A.5.15, A.8.2 |
| Audit logs | Admin → Audit Logs | A.8.15, A.8.16 |
| Authentication settings | User profile (2FA status) | A.5.17, A.8.5 |
| System configuration | Admin → System | A.8.9 |
| Self-test results | Admin → Self-Test | A.8.16 |
