This page is for Marketplace Partners building on Forge who are pursuing ISO 27001 certification.
ISO/IEC 27001:2022 is a global standard for establishing, operating, and continually improving an Information Security Management System (ISMS). It provides a proven framework to help you protect your people, data, and systems, and covers all your efforts to maintain the confidentiality, integrity, and availability (CIA) of information.
The standard’s requirements are divided into two main categories: Clause requirements, and Annex A Controls.
Clause requirements set out the governance, leadership, planning, operations, and continual improvement obligations for your ISMS.
All clause requirements are mandatory. You must implement and demonstrate conformity with every clause to achieve certification.
Forge platform does not address clause requirements. These are organizational obligations that you must fulfill independently.
Annex A provides a reference set of security controls to help you manage information security risks.
Annex A controls are risk-driven. You must assess each Annex A control, then select, justify, and implement (or formally exclude) them as part of your ISMS.
Forge platform can help with some Annex A controls. Forge primarily supports controls in:
You are still responsible for other controls. You must independently assess and implement controls in:
When pursuing ISO 27001 certification:
Start with the full standard. Review all requirements in ISO/IEC 27001:2022.
Layer in Forge platform support. Where appropriate, leverage Forge’s features to help meet relevant Annex A controls, based on your risk assessment.
See the breakdown below for Annex A controls where the Forge platform can help you meet your responsibilities.
| ISO 27001:2022 Annex A | Requirement | Shared responsibility |
|---|---|---|
| A.8.2 | The allocation and use of privileged access rights shall be restricted and managed. |
While Atlassian manages privileged access to the Forge platform, you are responsible for:
|
| A.8.5 | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
While Forge establishes secure authentication technologies and processes for users to connect to the Forge platform, you are responsible for:
|
| A.8.10 | Information stored in information systems, devices or in any other storage media shall be deleted when no longer required. |
While Atlassian manages the information deletion process for data stored on behalf of your Forge applications, you are responsible for:
|
| A.8.12 | Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information. |
While Atlassian manages data leakage prevention measures for the Forge platform, you are responsible for:
|
| A.8.13 | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. |
While Atlassian manages the data stored on behalf of your Forge applications, you are responsible for:
|
| A.8.15 | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
Atlassian generates logs to manage the confidentiality, integrity and availability of the Forge platform. These logs are sent to Atlassian's centralised logging facility and analysed for action. You are responsible for:
|
| A.8.17 | The clocks of information processing systems used by the organization shall be synchronized to approved time sources. |
While Atlassian manages clock synchronization for the Forge platform, you are responsible for:
|
| A.8.19 | Procedures and measures shall be implemented to securely manage software installation on operational systems. |
While Atlassian manages installation of software for systems that support the Forge platform, you are responsible for:
|
| A.8.22 | Groups of information services, users and information systems shall be segregated in the organization’s networks. |
While Atlassian maintains segregated networks for the Forge platform and related systems and users, you are responsible for:
|
| ISO 27001:2022 Annex A | Requirement | Shared Responsibility |
|---|---|---|
| A.8.24 | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
While Forge encrypts data at rest and in transit on behalf of your Forge applications, you are responsible for:
|
| A.8.26 | Information security requirements shall be identified, specified and approved when developing or acquiring applications. |
While Atlassian has implemented measures to detect and mitigate security vulnerabilities in the Forge platform, you are responsible for:
|
| A.8.30 | The organization shall direct, monitor and review the activities related to outsourced system development. | If you outsource the development of your Forge app, you must implement this requirement. Otherwise, you can descope this requirement from your Statement of Applicability. |
| ISO 27001:2022 Annex A | Requirement | Shared Responsibility |
|---|---|---|
| A.8.31 | Development, testing and production environments shall be separated and secured. |
While Atlassian maintains separate non-production and production environments for the Forge platform, you are responsible for:
|
| ISO 27001:2022 Annex A | Requirement | Shared Responsibility |
|---|---|---|
| A.8.34 | Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management. |
While Atlassian is responsible for setting the terms of engagement and planning with its own auditors and testers, you are responsible for:
|
| ISO 27001:2022 Annex A | Requirement | Shared Responsibility |
|---|---|---|
| A.8.8 | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. |
While Atlassian has implemented measures to detect and mitigate security vulnerabilities in the Forge platform, you are responsible for:
|
| ISO 27001:2022 Annex A | Requirement | Shared Responsibility |
|---|---|---|
| A.8.10 | Information stored in information systems, devices or in any other storage media shall be deleted when no longer required. |
While Atlassian manages the information deletion process for data stored on behalf of your Forge applications, you are responsible for:
|
| A.8.12 | Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information. |
While Atlassian manages data leakage prevention measures for the Forge platform, you are responsible for:
|
| A.8.13 | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. |
While Atlassian manages the data stored on behalf of your Forge applications, you are responsible for:
|
| A.8.15 | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
Atlassian generates logs to manage the confidentiality, integrity and availability of the Forge platform. These logs are sent to Atlassian's centralised logging facility and analysed for action. You are responsible for:
|
The following table is a breakdown of the Annex A control requirements that you are fully responsible for assessing and implementing:
| ISO 27001:2022 Req. IDs | Requirement descriptions |
|---|---|
| A.5.1 | Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. |
| A.5.2 | Information security roles and responsibilities shall be defined and allocated according to the organization needs. |
| A.5.3 | Conflicting duties and conflicting areas of responsibility shall be segregated. |
| A.5.4 | Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization. |
| A.5.5 | The organization shall establish and maintain contact with relevant authorities. |
| A.5.6 | The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations. |
| A.5.7 | Information relating to information security threats shall be collected and analyzed to produce threat intelligence. |
| A.5.8 | Information security shall be integrated into project management. |
| A.5.9 | An inventory of information and other associated assets, including owners, shall be developed and maintained. |
| A.5.10 | Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented. |
| A.5.11 | Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement. |
| A.5.12 | Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. |
| A.5.13 | An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
| A.5.14 | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. |
| A.5.15 | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. |
| A.5.16 | The full life cycle of identities shall be managed. |
| A.5.17 | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on the appropriate handling of authentication information. |
| A.5.18 | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. |
| A.5.19 | Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services. |
| A.5.20 | Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship. |
| A.5.21 | Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain. |
| A.5.22 | The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. |
| A.5.23 | Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements. |
| A.5.24 | The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. |
| A.5.25 | The organization shall assess information security events and decide if they are to be categorized as information security incidents. |
| A.5.26 | Information security incidents shall be responded to in accordance with the documented procedures. |
| A.5.27 | Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls. |
| A.5.28 | The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. |
| A.5.29 | The organization shall plan how to maintain information security at an appropriate level during disruption. |
| A.5.30 | ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
| A.5.31 | Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date. |
| A.5.32 | The organization shall implement appropriate procedures to protect intellectual property rights. |
| A.5.33 | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. |
| A.5.34 | The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. |
| A.5.35 | The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur. |
| A.5.36 | Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed. |
| A.5.37 | Operating procedures for information processing facilities shall be documented and made available to personnel who need them. |
| A.6.1 | Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. |
| A.6.2 | The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security. |
| A.6.3 | Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. |
| A.6.4 | A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation |
| A.6.5 | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties. |
| A.6.6 | Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. |
| A.6.7 | Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. |
| A.6.8 | The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. |
| A.7.7 | Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced. |
| A.7.9 | Off-site assets shall be protected. |
| A.8.1 | Information stored on, processed by or accessible via user endpoint devices shall be protected. |
| A.8.3 | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
| A.8.4 | Read and write access to source code, development tools and software libraries shall be appropriately managed. |
Learn more about ISO/IEC 27001:2022
Rate this page: