ISO 27001 in the Cloud: Mapping Controls to Azure Services
How to map ISO 27001 Annex A controls to Azure-native services — from Azure Policy to Defender for Cloud to audit-ready compliance dashboards.
ISO 27001 remains the gold standard for information security management, but implementing it in cloud environments introduces unique challenges. Controls designed for on-premises infrastructure do not map neatly to shared-responsibility models, ephemeral resources, and platform-managed services. This guide shows how to bridge that gap using Azure-native capabilities.
The Shared Responsibility Reality
Before mapping any controls, you must understand what you are responsible for in Azure. Microsoft publishes detailed shared responsibility matrices, but the principle is straightforward:
- IaaS: You own everything above the hypervisor — OS patching, network configuration, data protection, access control
- PaaS: Microsoft manages the platform; you own application configuration, identity, and data
- SaaS: Microsoft manages nearly everything; you own identity, access policies, and data classification
Critical insight: ISO 27001 auditors will assess your controls, not Microsoft's. You need to demonstrate that your configuration of Azure services meets the control objectives — not just that Azure has the certifications.
Mapping Key Annex A Controls to Azure Services
The 2022 revision of ISO 27001 reorganised Annex A into four themes: Organisational, People, Physical, and Technological. Here is how the most challenging technological and organisational controls map to Azure.
A.5.15 — Access Control
Control objective: Ensure authorised access and prevent unauthorised access.
Azure implementation:
- Microsoft Entra ID as the central identity provider with Conditional Access policies
- Azure RBAC with custom roles following least privilege
- Privileged Identity Management (PIM) for just-in-time admin access
- Access Reviews on a quarterly cycle for all privileged roles and group memberships
- Entitlement Management for governed access packages to resources
Audit evidence: Export Conditional Access policies, PIM activation logs, access review completion reports, and RBAC role assignments.
A.5.23 — Information Security for Cloud Services
Control objective: Manage information security risks associated with cloud services.
Azure implementation:
- Azure Policy to enforce organisational standards (allowed regions, required encryption, mandated SKUs)
- Management Groups to apply policies hierarchically across subscriptions
- Azure Resource Graph queries to inventory and validate resource configuration at scale
- Microsoft Cloud Security Benchmark as the baseline — it maps directly to ISO 27001 controls
Audit evidence: Azure Policy compliance dashboard exports, Resource Graph query results, Management Group hierarchy documentation.
A.8.1 — User Endpoint Devices
Control objective: Protect information on user endpoint devices.
Azure implementation:
- Microsoft Intune for device compliance policies (encryption, OS version, EDR status)
- Conditional Access device compliance requirement — non-compliant devices cannot access corporate resources
- Microsoft Defender for Endpoint for threat detection and automated remediation
- Windows Autopilot for consistent, secure device provisioning
Audit evidence: Intune compliance reports, Conditional Access policy exports, Defender for Endpoint threat summary.
A.8.9 — Configuration Management
Control objective: Establish and maintain secure configurations.
Azure implementation:
- Azure Policy with deny and audit effects to enforce configuration baselines
- Azure Automanage Machine Configuration (formerly Guest Configuration) for OS-level settings
- Infrastructure as Code (IaC) via Bicep or Terraform with mandatory policy checks in CI/CD pipelines
- Azure Resource Graph for drift detection and configuration auditing
Audit evidence: Policy compliance reports, IaC templates stored in version control, Resource Graph query exports showing configuration state.
A.8.11 — Data Masking
Control objective: Limit exposure of sensitive data.
Azure implementation:
- Azure SQL Dynamic Data Masking for database fields containing PII
- Microsoft Purview Information Protection sensitivity labels with content marking and encryption
- Azure Key Vault for secrets, keys, and certificate management with access policies and audit logging
Audit evidence: Data masking rule configuration exports, Purview label deployment reports, Key Vault access logs.
A.8.15 — Logging
Control objective: Produce and protect logs of activities, exceptions, and events.
Azure implementation:
- Azure Monitor and Log Analytics as the central logging platform
- Diagnostic settings on all resources, forwarding to a dedicated Log Analytics workspace
- Activity Log retention at 90+ days (or archived to immutable storage for longer retention)
- Microsoft Sentinel for security event correlation and alerting
- Immutable storage on the Log Analytics workspace or Azure Storage for log integrity
Audit evidence: Diagnostic settings configuration, Log Analytics retention policy, storage immutability policy, sample log queries demonstrating availability.
A.8.20 — Network Security
Control objective: Protect information in networks and supporting systems.
Azure implementation:
- Network Security Groups (NSGs) with documented rule sets — deny-all default, explicit allow rules
- Azure Firewall or third-party NVA for centralised traffic inspection
- Private Endpoints for PaaS services — eliminate public internet exposure
- Azure DDoS Protection on virtual networks hosting internet-facing resources
- NSG Flow Logs analysed by Traffic Analytics for visibility and anomaly detection
Audit evidence: NSG rule exports, Firewall policy documentation, Private Endpoint configuration, DDoS Protection plan assignment, Traffic Analytics reports.
A.8.24 — Use of Cryptography
Control objective: Ensure effective use of cryptography.
Azure implementation:
- TLS 1.2+ enforcement across all services (deny TLS 1.0/1.1 via Azure Policy)
- Azure Storage Service Encryption (SSE) with customer-managed keys where required
- Azure Disk Encryption or server-side encryption for VM disks
- Azure Key Vault with HSM-backed keys for critical cryptographic material
- Transparent Data Encryption (TDE) with customer-managed keys for Azure SQL
Audit evidence: Azure Policy compliance for TLS enforcement, Key Vault key inventory with rotation dates, encryption configuration per storage account and database.
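The A.8.9 and A.8.24 items above (baseline enforcement with a deny effect, drift detection with Resource Graph) as one added PowerShell example; this is not the article's or Microsoft's code. It assumes the Az.Resources and Az.ResourceGraph modules are installed, Connect-AzAccount has already run, and the subscription ID in $scope is a placeholder you replace with your own management group or subscription scope.

```powershell
# Added example (not from the article): enforce the A.8.24 TLS baseline with Azure Policy
# and detect existing drift with Resource Graph (A.8.9). Assumes Az.Resources and
# Az.ResourceGraph are installed and Connect-AzAccount has already run.
$scope = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder, replace with your scope

# Policy rule: storage accounts that still accept TLS 1.0/1.1, or that set no minimum at all,
# are rejected at deployment time. "exists: false" forces the version to be declared explicitly.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "anyOf": [
          { "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "exists": "false" },
          { "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "in": ["TLS1_0", "TLS1_1"] }
      ] }
    ]
  },
  "then": { "effect": "deny" }
}
'@

$definition = New-AzPolicyDefinition -Name 'deny-storage-legacy-tls' `
    -DisplayName 'Storage accounts must require TLS 1.2 or later' `
    -Description 'ISO 27001 A.8.24: TLS 1.0 and 1.1 are not permitted' `
    -Mode 'Indexed' -Policy $rule

# Assign at the chosen scope; every subscription beneath a management group inherits it.
New-AzPolicyAssignment -Name 'deny-storage-legacy-tls' -Scope $scope -PolicyDefinition $definition | Out-Null

# Drift check: a deny effect only blocks new or updated deployments, so list the accounts
# that were already deployed below the baseline. This is the evidence an auditor will ask for.
$query = @'
resources
| where type =~ 'microsoft.storage/storageaccounts'
| extend minTls = tostring(properties.minimumTlsVersion)
| where isempty(minTls) or minTls in ('TLS1_0', 'TLS1_1')
| project name, resourceGroup, subscriptionId, minTls
'@

# -UseTenantScope queries every subscription the signed-in identity can read, not just the current context.
Search-AzGraph -Query $query -First 1000 -UseTenantScope |
    Export-Csv -Path 'storage-tls-drift.csv' -NoTypeInformation
```

The same pattern (policy rule plus a matching Resource Graph query) applies to any of the baselines listed under A.8.9; only the alias and the KQL filter change.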
The Compliance Dashboard: Continuous Visibility
Azure provides a built-in regulatory compliance dashboard in Microsoft Defender for Cloud that maps your resource configuration to ISO 27001 controls in real time.
To set it up:
- Enable Defender for Cloud on all subscriptions (at minimum, the free CSPM tier)
- Add the ISO 27001 regulatory standard in the Environment Settings > Regulatory Compliance section
- Review the compliance dashboard — each control shows a compliance percentage based on automated assessments
- Export compliance data on a schedule via Continuous Export to Log Analytics or Event Hub for historical tracking
What the dashboard cannot do: It assesses technical configuration, not procedural controls. You still need to demonstrate policies, training records, risk assessments, and management reviews outside of Azure.
Preparing for the Audit
ISO 27001 auditors will typically want:
- Statement of Applicability (SoA) — showing which controls you have implemented, excluded, and why
- Risk assessment and treatment plan — demonstrating that your control selection is risk-driven
- Evidence of control effectiveness — not just that a policy exists, but that it works
For Azure-specific evidence, build an evidence collection runbook that exports:
- Azure Policy compliance state (per initiative, per subscription)
- Defender for Cloud regulatory compliance scores
- Entra ID Conditional Access policies and sign-in logs
- PIM activation logs and access review results
- Key Vault access logs and key rotation records
- NSG and Firewall rule configurations
- Diagnostic settings and log retention configurations
Pro tip: Automate evidence collection using Azure Resource Graph queries and Logic Apps on a monthly schedule. Auditors appreciate consistent, timestamped evidence far more than ad-hoc screenshots.
Common Gaps We See
From our ISO 27001 consulting engagements on Azure, these are the most common findings:
- Inconsistent diagnostic settings — some resources log to Log Analytics, others do not, and retention periods vary
- Overly permissive RBAC — Owner and Contributor roles assigned at subscription scope instead of resource group scope
- Missing access reviews — PIM is enabled but access reviews are not configured or completed
- No encryption policy enforcement — encryption is available but not mandated via Azure Policy
- Compliance dashboard not monitored — the dashboard exists but nobody reviews or acts on findings
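The evidence collection runbook described under "Preparing for the Audit", written so that it also surfaces three of the common gaps listed above (inconsistent diagnostic settings, Owner/Contributor at subscription scope, short log retention). This is an added example, not the article's or Microsoft's code; it assumes the Az.Accounts, Az.Resources, Az.PolicyInsights, Az.Monitor and Az.OperationalInsights modules are installed and Connect-AzAccount has run with read access to every subscription.

```powershell
# Added example (not from the article): timestamped ISO 27001 evidence export across all subscriptions.
# Assumes Az.Accounts, Az.Resources, Az.PolicyInsights, Az.Monitor and Az.OperationalInsights
# are installed and Connect-AzAccount has already run.
$stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$outDir = Join-Path $PWD "iso27001-evidence-$stamp"
New-Item -ItemType Directory -Path $outDir | Out-Null

foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    $prefix   = Join-Path $outDir $sub.Id
    $subScope = "/subscriptions/$($sub.Id)"

    # A.5.23 / A.8.9 evidence: current policy compliance state, non-compliant resources only
    Get-AzPolicyState -SubscriptionId $sub.Id -Filter "ComplianceState eq 'NonCompliant'" |
        Select-Object PolicyAssignmentName, PolicyDefinitionName, ResourceId, ComplianceState, Timestamp |
        Export-Csv -Path "$prefix-policy-noncompliant.csv" -NoTypeInformation

    # A.5.15 evidence and the "overly permissive RBAC" gap: Owner/Contributor granted at subscription scope.
    # Get-AzRoleAssignment also returns inherited assignments, so filter on the exact scope.
    Get-AzRoleAssignment -Scope $subScope |
        Where-Object { $_.Scope -eq $subScope -and $_.RoleDefinitionName -in @('Owner', 'Contributor') } |
        Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope |
        Export-Csv -Path "$prefix-rbac-subscription-scope.csv" -NoTypeInformation

    # A.8.15 evidence and the "inconsistent diagnostic settings" gap: one row per resource,
    # with an empty DiagnosticSettings column marking resources that send nothing to Log Analytics.
    Get-AzResource | ForEach-Object {
        $settings = Get-AzDiagnosticSetting -ResourceId $_.Id -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ResourceId         = $_.Id
            ResourceType       = $_.ResourceType
            DiagnosticSettings = (@($settings | ForEach-Object { $_.Name }) -join ';')
        }
    } | Export-Csv -Path "$prefix-diagnostic-settings.csv" -NoTypeInformation

    # A.8.15 evidence: workspace retention, to compare against the 90+ day expectation
    Get-AzOperationalInsightsWorkspace |
        Select-Object Name, ResourceGroupName, Location, RetentionInDays |
        Export-Csv -Path "$prefix-log-analytics-retention.csv" -NoTypeInformation
}

# Integrity manifest: ties every evidence file to this run so it cannot be silently edited later.
Get-ChildItem -Path $outDir -Filter '*.csv' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -Path (Join-Path $outDir 'manifest-sha256.csv') -NoTypeInformation
```

Schedule it monthly (an Automation runbook or a Logic App calling it both work) and store the output folder in the same immutable storage used for logs, so the manifest hashes can be verified at audit time.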
Final Thought
ISO 27001 in Azure is not about replacing your ISMS with Azure tools — it is about using Azure-native capabilities as the implementation layer for your controls. The management system — risk assessment, policies, management review, continuous improvement — still needs to exist above the technology. But when the technology layer is well-configured and continuously monitored, audits become a confirmation of what you already know, not a scramble to assemble evidence.
Disclaimer: This article provides general technical guidance on regulatory requirements and should not be construed as legal advice. Regulations may be subject to updates, national transposition differences, and evolving enforcement interpretations. Always consult qualified legal counsel for compliance decisions specific to your organisation.
Need help mapping your ISO 27001 controls to Azure? Contact our team — we specialise in building audit-ready cloud environments.