Compliance

Streamlining ISO 27001 Compliance

What is ISO 27001 compliance?

ISO 27001 compliance refers to adherence to the ISO/IEC 27001 standard, which outlines best practices for managing information security within an organization. It provides a framework for implementing, maintaining, and continually improving an Information Security Management System (ISMS) to protect sensitive data, manage risks, and meet legal or regulatory requirements. Compliance helps build trust and demonstrate a commitment to robust security practices.

Need ISO 27001 Help?

Get in touch

Teleport Features for ISO 27001 Controls

Access Controls
Control Name	ID	Teleport Capability
Account Management	A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6	Teleport integrates with SSO providers such as GitHub, Okta, Google, etc. Teleport supports role-based access control (RBAC) for SSH and Kubernetes Teleport certificate-based SSH and Kubernetes authentication and audit logging comply with these requirements without additional configuration. Audit events are emitted when a user is created, updated, deleted, locked, or unlocked.
Access Enforcement	A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3	Teleport supports robust role-based access controls (RBAC). RBAC can be used to: Control which SSH nodes a user can or cannot access. Control cluster-level configuration (session recording, configuration, etc.). Control which UNIX logins a user is allowed to use when logging into a server. Control which user groups have access to Kubernetes resources.
Unsuccessful Logon Attempts	A.9.4.2	Teleport supports two types of users: local and SSO-based accounts (GitHub, Google Apps, Okta, etc). For local accounts, by default, Teleport locks accounts for 30 minutes after 5 failed login attempts. For SSO-based accounts, the number of invalid login attempts and lockout time period is controlled by the SSO provider.
System Use Notifications	A.9.4.2	Teleport integrates with Linux Pluggable Authentication Modules (PAM). PAM modules can be used to display a custom message on login using a message of the day (MOTD) module within the Session management primitive.
Remote Access	A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2	Teleport administrators create users with configurable roles that can be used to allow or deny access to system resources. Admins can terminate active sessions with session locking. Teleport terminates sessions on expiry or inactivity.
Use of External Information Systems	A.11.2.6, A.13.1.1, A.13.2.1	Teleport supports connecting multiple independent clusters using a feature called Trusted Clusters. When allowing access from one cluster to another, roles are mapped according to a pre-defined relationship of the scope of access.

Audit & Accountability
Audit & Accountability	A.12.4.1 A.12.1.3 A.12.4.1, A.12.4.3	Teleport contains an Audit Log that records cluster-wide events such as: Failed login attempts The command that was executed (SSH “exec” commands) Ports that were forwarded File transfers that were initiated Filesystem changes Network activity that happened during an interactive user session Recorded interactive user sessions Events typically include information such as the type, time of occurrence, user or node on which they occurred, and a human-readable audit message. Teleport supports sending audit events to external managed services such as S3 and DynamoDB where storage concerns are handled by the cloud provider.

Audit & Accountability

Control Name

Teleport Capability

Audit & Accountability

A.12.4.1 A.12.1.3 A.12.4.1, A.12.4.3

Teleport contains an Audit Log that records cluster-wide events such as:

Failed login attempts
The command that was executed (SSH “exec” commands)
Ports that were forwarded
File transfers that were initiated
Filesystem changes
Network activity that happened during an interactive user session
Recorded interactive user sessions

Events typically include information such as the type, time of occurrence, user or node on which they occurred, and a human-readable audit message.

Teleport supports sending audit events to external managed services such as S3 and DynamoDB where storage concerns are handled by the cloud provider.

Identification and Authentication
Control Name	ID	Teleport Capability
User Identification and Authentication	A.9.2.1	Teleport integrates with SSO providers such as GitHub, Okta, Google, etc. Teleport can act as its own SSO provider Teleport can enforce the use of multi-factor authentication (MFA), including requiring per-session MFA Teleport supports PIV-compatible hardware keys
Identifier Management	A.9.2.1	Teleport maintains several unique identifiers: The local users are required to be unique (unique username) Teleport roles have unique names and tied to organization roles via SSO Teleport identifiers for devices are unique randomly generated IDs (UUID)
Identification and Authentication (Non-Organizational Users)	A.9.2.1	Teleport supports PIV-compatible hardware keys

System and Communications Protection
Control Name	ID	Teleport Capability
Network Disconnection	A.13.1.1	Teleport requires valid X.509 or SSH certificates issued by a Teleport Certificate Authority (CA) to establish a network connection for device-to-device network connection between Teleport components.
Cryptographic Key Establishment and Management	A.10.1.2	Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue X.509 and SSH certificates. SSH and X.509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed).
Use of Cryptography	A.10.1.1, A.14.1.2, A.14.1.3, A.18.1.5	Teleport Enterprise builds against a FIPS 140-2 compliant library (BoringCrypto). In addition, when Teleport Enterprise is in FedRAMP/FIPS 140-2 mode, Teleport will only start and use FIPS 140-2 compliant cryptography.
Public Key Infrastructure Certificates	A.10.1.2	Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue X.509 and SSH certificates. SSH and X.509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed).

Additional Resources

Blog Post

Securing Infrastructure in Healthcare: Reducing Breaches and Building Resiliency

Read Now

Webinar

2024 Secure Infrastructure Access Report: Key Insights and Trends

Webinar Registration

Webinar

Hardening Infrastructure Security Against SSO Identity Provider Compromise

Watch On Demand

Try Teleport today

In the cloud, self-hosted, or open source.
View developer docs

Get Started

The Teleport Access Platform

Featured Resource

Integrations

Featured Resource

Use Cases

Featured Resource

Industries

Featured Resource

Compliance

Featured Resource

Strategic Partners

Featured AWS Webinar

Read

Experience

Discover

Featured Blog Post

Company

Explore

Featured Event

Streamlining ISO 27001 Compliance

What is ISO 27001 compliance?

Need ISO 27001 Help?

Teleport Features for ISO 27001 Controls

Additional Resources

Securing Infrastructure in Healthcare: Reducing Breaches and Building Resiliency

2024 Secure Infrastructure Access Report: Key Insights and Trends

Hardening Infrastructure Security Against SSO Identity Provider Compromise

Try Teleport today