ISO 27001 and BSI IT-Grundschutz Controls

Click on the links below to navigate the documentation by ISO 27001 control:

BSI IT-Grundschutz APP.4.4.A10

• CI/CD

BSI IT-Grundschutz APP.4.4.A14

• Use Dedicated Nodes for Additional Services

BSI IT-Grundschutz APP.4.4.A16

• Overview

BSI IT-Grundschutz APP.4.4.A18

• Network Model
• Enforce NetworkPolicies

BSI IT-Grundschutz APP.4.4.A2

• CI/CD

BSI IT-Grundschutz APP.4.4.A21

• Maintenance
• Prepare Your Application

BSI IT-Grundschutz APP.4.4.A3

• How to Delegate
• Demarcation

BSI IT-Grundschutz APP.4.4.A5

• Backup
• Backups

BSI IT-Grundschutz APP.4.4.A7

• Network Model
• Enforce NetworkPolicies

ISO 27001 A.10.1.2

• Cryptography
• Network Model

ISO 27001 A.12.1.3

• Capacity Management
• Metrics
• Enforce Resources

ISO 27001 A.12.2.1

• Intrusion Detection

ISO 27001 A.12.3.1

• Backup
• Disaster Recovery
• Backups

ISO 27001 A.12.4.1

• Log Review
• Logs

ISO 27001 A.12.4.3

• Audit Logs
• Log Review
• Logs

ISO 27001 A.12.4.4

• Provider Audit

ISO 27001 A.12.6.1

• Intrusion Detection
• Vulnerability Management
• Overview
• Maintenance
• Prepare Your Application
• Enforce No Root
• Enforce Trusted Registries

ISO 27001 A.13

• Network Security

ISO 27001 A.13.1.1

• Network Model
• Enforce NetworkPolicies

ISO 27001 A.13.1.2

• Network Model
• Enforce NetworkPolicies

ISO 27001 A.13.1.3

• Network Model
• Enforce NetworkPolicies

ISO 27001 A.14.1.1

• Architectural Decision Log

ISO 27001 A.14.2.5

• Enforce No Root

ISO 27001 A.15

• Provider Audit

ISO 27001 A.16

• Metric Alerts
• Logs

ISO 27001 A.16.1

• Metrics

ISO 27001 A.16.1.7

• Intrusion Detection

ISO 27001 A.17

• We believe in community-driven open source

ISO 27001 A.17.1.1

• Backup
• Disaster Recovery

ISO 27001 A.18.2.2

• Policy-as-Code

ISO 27001 A.18.2.3

• Policy-as-Code

ISO 27001 A.9.4.1

• How to Delegate

ISO 27001 A.9.4.4

• Enforce No Root

Other IT-Grundschutz Controls

APP.4.4.A17 Attestierung von Nodes (H)

The Kubespray layer in Compliant Kubernetes ensures that Data Plane Nodes and Control Plane Nodes are mutually authenticated via mutual TLS.

BSI IT-Grundschutz Controls outside the scope of Compliant Kubernetes

Pending official translation into English, the controls are written in German.

APP.4.4.A1 Planung der Separierung der Anwendungen (B)

Compliant Kubernetes recommends to setting up at least two separate environment: one for testing and one for production.

APP.4.4.A6 Initialisierung von Pods (S)

Application developers must make sure that initialization happens in init containers.

APP.4.4.A11 Überwachung der Container (S)

Application developers must ensure that their application has a liveliness and readiness probe, which are configured in the Deployment. This is illustrated by our user demo.

APP.4.4.A12 Absicherung der Infrastruktur-Anwendungen (S)

This requirement essentially states that the Compliant Kubernetes environments are only as secure as the infrastructure around them. Make sure you have a proper IT policy in place. Regularly review the systems where you store backups and configuration of Compliant Kubernetes.

APP.4.4.A13 Automatisierte Auditierung der Konfiguration (H)

Compliant Kubernetes administrators must regularly audit the configuration of their environments. We recommend doing this on a quarterly basis.

APP.4.4.A20 Verschlüsselte Datenhaltung bei Pods (H)

Compliant Kubernetes recommends disk encryption to be provided at the infrastructure level. If you have this requirement, check for full-disk encryption via the provider audit.