

COMPLIANCE
Teleport helps organizations earn and retain ISO 27001:2022 certification by establishing a unified identity layer across humans, machines, workloads, and AI agents. Cryptographic identities, Zero Trust access, and centralized audit logging map directly to Annex A controls across the Organizational, People, and Technological domains - so you can pass audits with flying colors and reduce the audit burden.

5. Organizational Controls

| Control Name | ID | Teleport Capability |
|---|---|---|
| Policies for Information Security | 5.1 | ✔ Enforces who can access what, when, and how, with audit trails to support policy enforcement across environments. |
| Information Security Roles and Responsibilities | 5.2 | ✔ Maps access policies to roles using SSO and RBAC and enforces least privilege. |
| Segregation of Duties | 5.3 | ✔ Uses fine-grained RBAC to restrict conflicting access and support separation of duties. |
| Management Responsibilities | 5.4 | ✔ Logs all access by identity and session, supporting review and accountability. |
| Threat Intelligence | 5.7 | ✔ Sends detailed session telemetry to SIEMs for real-time and historical threat detection and correlation. Provides identity chain observability and real-time anomaly detection. |
| Information Security in Project Management | 5.8 | ✔ Provides role- and context-aware access through each stage of the project lifecycle. |
| Inventory of Information and Other Associated Assets | 5.9 | ✔ Logs resource access to support asset inventory efforts and track interactions. |
| Acceptable Use of Information and Other Associated Assets | 5.10 | ✔ Uses session logs and RBAC to help enforce acceptable use policies. |
| Classification of Information | 5.12 | ✔ Maps system access to roles based on data sensitivity or classification. |
| Labelling of Information | 5.13 | ✔ Restricts access to labeled resources using role-based access controls. |
| Information Transfer | 5.14 | ✔ Secures communication with mTLS and short-lived certificates. |
| Access Control | 5.15 | ✔ Implements Zero Trust principles with RBAC, identity-bound access, and full logging. |
| Identity Management | 5.16 | ✔ Issues and unifies strong identities for humans, machines, and AI. Short-lived, cryptographically signed certificates authenticate human and machine identities. |
| Authentication Information | 5.17 | ✔ Enforces FIDO2, biometrics, and hardware MFA and eliminates static secrets. |
| Access Rights | 5.18 | ✔ Dynamically grants and revokes access with full audit trails. |
| Managing Information Security in the ICT Supply Chain | 5.21 | ✔ Authenticates and audits all third-party infrastructure access. |
| Information Security for Use of Cloud Services | 5.23 | ✔ Enforces access controls across AWS, GCP, Azure, Kubernetes with full logging. |
| Information Security Incident Management Planning and Preparation | 5.24 | ✔ Provides full session replay and command logs to support incident investigation readiness. |
| Assessment and Decision on Information Security Events | 5.25 | ✔ Supports incident scoping using session telemetry and keystroke data. |
| Response to Information Security Incidents | 5.26 | ✔ Supports live session termination and generates tamper-evident session evidence. |
| Learning From Information Security Incidents | 5.27 | ✔ Offers audit trails and session replays to support root cause analysis and policy updates. |
| Collection of Evidence | 5.28 | ✔ Captures timestamped logs and session video to support reliable forensic investigations. |
| Information Security During Disruption | 5.29 | ✔ Maintains secure remote access to systems during outages or operational disruptions. |
| ICT Readiness for Business Continuity | 5.30 | ✔ Supports continued identity-aware access during disaster recovery and continuity operations. |

6. People Controls

| Control Name | ID | Teleport Capability |
|---|---|---|
| Disciplinary Process | 6.4 | ✔ Provides session-level logs to support security investigations and disciplinary processes. |
| Remote Working | 6.7 | ✔ Enforces secure remote access using device trust policies and encrypted connections. |

8. Technological Controls

| Control Name | ID | Teleport Capability |
|---|---|---|
| User Endpoint Devices | 8.1 | ✔ Evaluates device posture before permitting infrastructure access based on policy-defined criteria. |
| Privileged Access Rights | 8.2 | ✔ Enforces JIT access, session recording, and optional multi-party approvals for sensitive actions. |
| Information Access Restriction | 8.3 | ✔ Restricts access to permitted systems and data using RBAC and resource labels. |
| Access to Source Code | 8.4 | ✔ Secures developer access to Git and CI/CD systems via proxy access, RBAC, and full session auditing. |
| Secure Authentication | 8.5 | ✔ Supports modern authentication: FIDO2, biometrics, hardware keys, no passwords. |
| Configuration Management | 8.9 | ✔ Logs and audits infrastructure-as-code actions (e.g., Terraform) with RBAC-based access enforcement. |
| Data Leakage Prevention | 8.12 | ✔ Limits access windows and monitors session activity to detect unauthorized behaviors. |
| Logging | 8.15 | ✔ Captures comprehensive logs with timestamps and identity context. |
| Monitoring Activities | 8.16 | ✔ Enables live session viewing and immediate session termination. |
| Networks Security | 8.20 | ✔ Secures infrastructure traffic using encrypted tunnels and identity-aware, policy-enforced connections. |
| Security of Network Services | 8.21 | ✔ Ensures networked service access is authenticated, authorized, and logged. |
| Segregation of Networks | 8.22 | ✔ Uses role-based access to enforce separation of environments (e.g., prod, dev). |
| Use of Cryptography | 8.24 | ✔ Leverages modern cryptography (e.g., X.509, mTLS) to authenticate identities and secure access channels. |
| Secure Development Life Cycle | 8.25 | ✔ Restricts and audits access across CI/CD pipelines and development environments. |
| Secure System Architecture and Engineering Principles | 8.27 | ✔ Enforces least privilege, identity-based access, and encrypted communication aligned with secure-by-design principles. |
| Outsourced Development | 8.30 | ✔ Issues scoped credentials and logs sessions for external development activities. |
| Separation of Development, Test and Production Environments | 8.31 | ✔ Segregates access between development, test, and production environments using RBAC and resource labels. |
| Change Management | 8.32 | ✔ Tracks access and configuration changes to support secure rollout and rollback. |
| Test Information | 8.33 | ✔ Protects test environments and data using identity-based and role-scoped access controls. |
| Protection of Information Systems During Audit Testing | 8.34 | ✔ Provides scoped, auditable access to systems under review during audit testing. |
