ISO 27001:2022 Compliance

This document maps IDPFlare's security controls to ISO/IEC 27001:2022 (Annex A) requirements. It provides a gap analysis and implementation guidance for deployers.

Disclaimer: This document is for informational purposes only. It does not constitute a certification or guarantee of compliance. You are responsible for validating your deployment's compliance with applicable standards and working with qualified auditors.

Control Mapping Summary

| Annex A Control | IDPFlare Status | Notes |
| --- | --- | --- |
| 8.2 Access Control | ✓ Built-in | Authentication, MFA, RBAC, session management |
| 8.3 Data Protection | ⚠ Partial | Audit logging built-in; backup/monitoring required |
| 8.4 Interfaces | ✓ Built-in | HTTPS, SSRF protection |
| 8.5 System Protection | ✓ Built-in | RS256, AES-GCM, HTTPS |
| 8.6 Data Privacy | ✓ Built-in | GDPR features available |
| 8.7 Incident Mgmt | ✗ Gap | Logging built-in; procedures required |
| 8.8 Continuity | ⚠ Partial | Redundancy inherited; backup required |

Organizational Controls - Annex A.5

These controls are organizational and not implemented in software.

| Control | IDPFlare Status | Deployer Action Required |
| --- | --- | --- |
| 5.1 Policies for Information Security | N/A (Organizational) | Create and maintain a security policy |
| 5.2 Roles and Responsibilities | N/A (Organizational) | Define who manages the IDPFlare configuration |
| 5.3 Organizational Structure | Partial | Include Cloudflare and the IDPFlare vendor |
| 5.4 Project Management | N/A | Apply to your deployment project |

People Controls - Annex A.6

These controls are organizational and not implemented in software.

| Control | IDPFlare Status | Deployer Action Required |
| --- | --- | --- |
| 6.1 Screening | N/A | Screen personnel with access |
| 6.2 Terms and Conditions of Employment | N/A | Include in employment contracts |
| 6.3 Remote Working | N/A | Create a remote work security policy |
| 6.4 Reporting Events | N/A | Establish reporting channels |
| 6.5 Learning and Training | N/A | Train staff on IDPFlare security features |

Physical Controls - Annex A.7

These controls are inherited from Cloudflare's data centers.

| Control | IDPFlare Status | Notes |
| --- | --- | --- |
| 7.1 Physical Security Perimeters | ✓ Inherited | Inherited from Cloudflare |
| 7.2 Physical Entry | ✓ Inherited | Inherited from Cloudflare |
| 7.3 Security of Offices, Rooms and Facilities | ✓ Inherited | Inherited from Cloudflare |
| 7.4 Monitoring | Partial | Cloudflare monitors the facilities; you monitor the application |
| 7.5 Protecting Against Physical Threats | ✓ Inherited | Inherited from Cloudflare |
| 7.6 Clear Desk and Clear Screen | N/A | Organizational policy |
| 7.7 Equipment Security | ✓ Inherited | Inherited from Cloudflare |

Technological Controls - Annex A.8

8.2 Access Control

| Control | IDPFlare Status | Deployer Action Required |
| --- | --- | --- |
| 8.2.1 User access management | ✓ Built-in | Configure RBAC, API key permissions |
| 8.2.2 Identity authentication | ✓ Built-in | Configure password policies, enable MFA |
| 8.2.3 Access information | ✓ Built-in | Configure RBAC, audit log queries |
| 8.2.4 Access rights | ✓ Built-in | Create roles, assign permissions |
| 8.2.5 Authentication information | ✓ Built-in | Configure session timeouts, token TTL |
| 8.2.6 Authentication information for suppliers | N/A | If applicable |
| 8.2.7 Access removal | ✓ Built-in | Implement offboarding procedures |
| 8.2.8 Limitation of access rights | ✓ Built-in | Use RBAC scopes |
| 8.2.9 Secure authentication | ✓ Built-in | Enable MFA (TOTP) |
| 8.2.10 Session timeout | ✓ Built-in | Configure SESSION_DURATION_SECONDS |
| 8.2.11 Session termination | ✓ Built-in | Configure logout behavior |

Implementation Guidance

  • Set MFA_MODE = "required" for high-security deployments
  • Configure RATE_LIMIT_LOGIN_ATTEMPTS and RATE_LIMIT_WINDOW_SECONDS
  • Use RBAC scopes for API keys
  • Regularly review audit logs
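
As an added example that is not IDPFlare's own code, the following shows one way the rate-limit settings named above can behave: a fixed-window counter per account that locks the account after RATE_LIMIT_LOGIN_ATTEMPTS failures inside RATE_LIMIT_WINDOW_SECONDS and writes the failure and lock events that the monitoring guidance below suggests alerting on. The semantics given to the two settings, the event names (login_failed, account_locked), the attemptLogin/isLocked/recordFailure helpers and the in-memory Map are assumptions made for illustration; IDPFlare's actual implementation and its MFA_MODE handling are not modelled.

```javascript
// Added example (not IDPFlare's code): a fixed-window login throttle modelled on
// the RATE_LIMIT_LOGIN_ATTEMPTS / RATE_LIMIT_WINDOW_SECONDS settings named in
// this document. The exact semantics IDPFlare gives those settings, the audit
// event names and the in-memory store are assumptions made for illustration.

const config = {
  RATE_LIMIT_LOGIN_ATTEMPTS: 5,   // failed attempts tolerated per window (assumed)
  RATE_LIMIT_WINDOW_SECONDS: 300, // window length; the lock clears when it elapses (assumed)
};

// In a Worker this state would live in KV or D1 with a TTL; a Map stands in here.
const failures = new Map(); // accountId -> { count, windowStart }
const auditLog = [];        // constructed stand-in for rows written to the audit_log table

function isLocked(accountId, nowSeconds, cfg = config) {
  const entry = failures.get(accountId);
  if (!entry) return false;
  if (nowSeconds - entry.windowStart >= cfg.RATE_LIMIT_WINDOW_SECONDS) {
    failures.delete(accountId); // window expired: forget the old failures
    return false;
  }
  return entry.count >= cfg.RATE_LIMIT_LOGIN_ATTEMPTS;
}

// Records one failed attempt; returns true when the account is now locked.
function recordFailure(accountId, nowSeconds, cfg = config) {
  let entry = failures.get(accountId);
  if (!entry || nowSeconds - entry.windowStart >= cfg.RATE_LIMIT_WINDOW_SECONDS) {
    entry = { count: 0, windowStart: nowSeconds }; // open a fresh window
    failures.set(accountId, entry);
  }
  entry.count += 1;
  auditLog.push({ ts: nowSeconds, event: "login_failed", accountId });
  if (entry.count === cfg.RATE_LIMIT_LOGIN_ATTEMPTS) {
    // Emitted exactly once per window: this is the event the monitoring section alerts on.
    auditLog.push({ ts: nowSeconds, event: "account_locked", accountId });
  }
  return entry.count >= cfg.RATE_LIMIT_LOGIN_ATTEMPTS;
}

// Returns "ok", "denied" (bad credentials) or "locked". A locked account is refused
// even when the credentials are correct, so the throttle also stops a guesser who
// eventually hits the right password inside the window.
function attemptLogin(accountId, credentialsValid, nowSeconds, cfg = config) {
  if (isLocked(accountId, nowSeconds, cfg)) return "locked";
  if (!credentialsValid) return recordFailure(accountId, nowSeconds, cfg) ? "locked" : "denied";
  failures.delete(accountId); // a successful login resets the counter
  return "ok";
}
```

With the values above, the fifth failure inside five minutes locks the account, the lock holds for the rest of the window regardless of the password presented, and a single account_locked row is written, which is what a downstream alert rule should key on.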

8.3 Data Protection

| Control | IDPFlare Status | Deployer Action Required |
| --- | --- | --- |
| 8.3.1 Information protection | N/A | Organizational policy |
| 8.3.2 Data loss prevention | N/A | Implement DLP if required |
| 8.3.3 Information leakage prevention | N/A | Organizational policy |
| 8.3.4 Data masking | N/A | Implement if required |
| 8.3.5 Data de-identification | N/A | Implement if required |
| 8.3.6 Backups | ✗ Gap | CRITICAL: Implement D1 database backups |
| 8.3.7 Redundancy of information processing facilities | ✓ Inherited | Inherited from Cloudflare |
| 8.3.8 Logging | ✓ Built-in | Configure external log aggregation |
| 8.3.9 Monitoring activities | ✗ Gap | REQUIRED: Implement external monitoring |
| 8.3.10 Clock synchronization | ✓ Inherited | Inherited from Cloudflare |
| 8.3.11 Use of privileged utility programs | N/A | Organizational control |
| 8.3.12 Installation of software on operational systems | N/A | Organizational control |
| 8.3.13 Information deletion | Partial | Audit logs support cleanup via cleanup() |
| 8.3.14 Data encryption | ✓ Built-in | JWT signing (RS256), MFA secrets (AES-GCM) |

Implementation Guidance

CRITICAL GAP: D1 database backups are not automatic. Export the deployed database on a schedule (replace DATABASE_NAME with the database name from wrangler.toml; --remote selects the deployed database rather than the local development copy):

    wrangler d1 export DATABASE_NAME --remote --output=backup.sql

  • Implement log export: Cloudflare Analytics API or scheduled queries
  • Configure monitoring: use Cloudflare Workers Analytics, Sentry, or DataDog
  • Set up alerts for security events (login failures, account locks)
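
The alerting step, as an added example that is not part of IDPFlare or of Cloudflare's tooling: a small rule set run over rows read from the audit_log table that raises an alert when one account reaches a threshold of failed logins inside a sliding window, and whenever an account_locked event appears. The column names, event names, thresholds and sample rows are constructed assumptions; the same function can be fed the output of a scheduled query or a log export.

```javascript
// Added example (not IDPFlare's code): alert rules over audit_log rows.
// Column names, event names and thresholds are assumptions; the rows are
// constructed for this example and use documentation IP ranges.

const sampleRows = [
  { ts: "2024-01-01T10:00:00Z", event: "login_failed",   user: "alice", ip: "203.0.113.5" },
  { ts: "2024-01-01T10:00:20Z", event: "login_failed",   user: "alice", ip: "203.0.113.5" },
  { ts: "2024-01-01T10:00:40Z", event: "login_failed",   user: "alice", ip: "203.0.113.5" },
  { ts: "2024-01-01T10:01:00Z", event: "login_success",  user: "bob",   ip: "198.51.100.7" },
  { ts: "2024-01-01T10:30:00Z", event: "login_failed",   user: "alice", ip: "203.0.113.5" },
  { ts: "2024-01-01T11:00:00Z", event: "account_locked", user: "carol", ip: "192.0.2.9" },
];

const rules = {
  failedLoginThreshold: 3,       // alert when a user reaches this many failures ...
  failedLoginWindowSeconds: 600, // ... within this sliding window
};

// Walks the rows in time order, keeping a per-user list of recent failure times.
// An alert fires once when the threshold is first reached; it fires again only
// after enough old failures have aged out of the window.
function evaluateAlerts(rows, cfg = rules) {
  const alerts = [];
  const recent = new Map(); // user -> failure timestamps (seconds) still inside the window
  const ordered = [...rows].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));

  for (const row of ordered) {
    const t = Date.parse(row.ts) / 1000;
    if (row.event === "account_locked") {
      // Every lock is worth a ticket: it means the login throttle tripped.
      alerts.push({ severity: "high", type: "account_locked", user: row.user, at: row.ts });
      continue;
    }
    if (row.event !== "login_failed") continue;

    const times = (recent.get(row.user) ?? []).filter(s => t - s < cfg.failedLoginWindowSeconds);
    times.push(t);
    recent.set(row.user, times);
    if (times.length === cfg.failedLoginThreshold) {
      alerts.push({
        severity: "medium", type: "repeated_login_failures",
        user: row.user, count: times.length, ip: row.ip, at: row.ts,
      });
    }
  }
  return alerts;
}
```

Running evaluateAlerts over the sample rows yields two alerts: alice's three failures within forty seconds, and carol's lock. Alice's later failure at 10:30 is outside the ten-minute window and does not fire. Thresholds should be tuned so the rule triggers before the account lock does, giving responders a chance to look at the source before users are locked out.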

Encryption at Rest (D1/KV)

IMPORTANT: Database and KV encryption is provided by the Cloudflare platform, not by IDPFlare source code.

  • Application-level: MFA secrets are encrypted with AES-GCM-256 before storage
  • Platform-level: D1 database and KV storage encryption is a Cloudflare service

For compliance audits, obtain documentation directly from Cloudflare; do not claim D1/KV encryption at rest without it.

Access Token Revocation

Access tokens are stateless JWTs and cannot be revoked individually; once issued they remain valid until their TTL expires (default: 1 hour). For immediate session termination, revoke the user's refresh tokens and keep access token TTLs short, so that the window between revocation and expiry stays small.

8.5 System Protection - Cryptography

Cryptography used in IDPFlare:

  • JWT Signing: RS256 (RSA with SHA-256)
  • Token Hashing: SHA-256
  • MFA Secret Encryption: AES-GCM (256-bit)
  • Random Values: crypto.getRandomValues()

CRITICAL GAP: Vulnerability management and scanning

  • Set up Dependabot or similar for dependency tracking
  • Integrate Snyk or OWASP Dependency-Check in CI/CD
  • Conduct regular security reviews of dependencies

Gap Summary

Critical Gaps (Must Address)

| Control | Gap | Recommended Action |
| --- | --- | --- |
| 8.3.6, 8.8.4 | No automated backup | Implement D1 database export automation |
| 8.3.9 | No monitoring/alerting | Integrate Cloudflare Analytics API or external monitoring |
| 8.5.9, 8.5.10 | No vulnerability scanning | Add dependency scanning to CI/CD |
| 8.7.x | No incident response | Implement incident management procedures |
| 8.9.x | Supplier review | Establish Cloudflare status monitoring |

Important Gaps (Should Address)

| Control | Gap | Recommended Action |
| --- | --- | --- |
| 8.3.8 | Logs only in D1 | Export logs to a SIEM for long-term retention |
| 6.5.1 | No user training documentation | Create training materials |
| 5.x | No policies | Create security policies |

Implementation Priorities

Phase 1: Critical Controls (Week 1-2)

  1. Backup Implementation
     # Automated D1 backup: export the deployed database to a dated file
     wrangler d1 export DATABASE_NAME --remote --output=backup_$(date +%Y%m%d).sql
  2. Monitoring Setup
     • Integrate Cloudflare Analytics API
     • Set up alerts for failed logins and account locks
  3. Configure Security Settings
     • Enable MFA required mode (MFA_MODE = "required")
     • Set rate limits appropriately
     • Configure token TTLs

Phase 2: Important Controls (Week 3-4)

  1. Log Aggregation
    • Export audit logs to SIEM
    • Configure log retention
  2. Dependency Management
    • Set up Dependabot
    • Add security scanning to CI/CD
  3. Documentation
    • Create security policies
    • Document incident procedures

Phase 3: Compliance Preparation (Week 5-8)

  1. Audit Preparation
    • Create control matrix
    • Gather evidence
    • Conduct pre-assessment
  2. Process Documentation
    • Backup/recovery procedures
    • Change management
    • Access review procedures

Audit Evidence Sources

| Control | Evidence Source |
| --- | --- |
| 8.2.1-8.2.11 | Configuration in wrangler.toml, D1 records |
| 8.3.8 | D1 audit_log table |
| 8.5.1, 8.5.15 | Source code (crypto.ts, jwt.ts) |
| 8.6.12-8.6.16 | API endpoints and database schema |
| 8.8.4 | Backup scripts/schedules |
| 8.9.1 | Cloudflare agreement documents |