Wednesday, December 8, 2021

Azure Policy : How I managed to comply ISO 27001:2013 for my cloud workloads

We can have many resources in our cloud. How can we enforce compliance and governance out there?

Let's say that we are already compliant with ISO 27001:2013 for our on-premises workloads. How can we achieve it after the cloud migration?

Or how can we stay compliant if we have a hybrid setup?

If your cloud provider is Microsoft Azure, then you are lucky. You can use the features of Azure Policy to save you.

Azure Policy is a service provided by Microsoft Azure, where you can assign individual policies or initiative (collection of policies) to a targeted scope (e.g. Subscription) to ensure they are governed according to those policies.

Let's try out by creating an initiative. Luckily we have ISO27001:2013 as a built-in initiative

Let's see the result.

In order to check the level of compliance, navigate to the initiative and click on View compliance link.

This was my initial score. Lot to improve, isn't it :)

As you can see below, we can see a summary of compliance split into following areas

  • Controls
  • Policies
  • Non-compliant resources
  • Events

Let's see a sample control.

Let's take the Password management system control

Now we know the current position. It's time to do some housekeeping to make our tenant compliant

No comments: