ISO/IEC 27001, 27017 & 27701 for .NET Developers — The Complete Series

ISO compliance is not a compliance department problem anymore. The moment you write Infrastructure as Code, configure Azure Key Vault, or make a decision about what your API returns to the client, you’re making ISO compliance decisions — whether you realize it or not. This series is for developers who want to understand what those decisions actually mean before the auditor does.

The three standards covered here are distinct but overlapping. ISO/IEC 27001 is the foundational Information Security Management System standard — it defines a broad set of controls covering access, cryptography, operations, incident response, and more, and it’s the one most enterprise contracts and procurement processes require. ISO/IEC 27017 extends 27001 specifically for cloud services: it adds cloud-specific controls for shared responsibility, virtual machine hardening, administrator access separation, and network isolation that on-premises 27001 guidance doesn’t adequately address. ISO/IEC 27701 is a privacy extension on top of 27001 — it maps 27001 controls to GDPR and other privacy regulation requirements, adding consent management, data subject rights, purpose limitation, and data minimization as explicit control categories. If your organization processes personal data in Europe, 27701 is how 27001 becomes GDPR-relevant.

Compliance theater — where you file the right documents, display the certification badge, and keep hardcoding secrets in appsettings.json — doesn’t survive cloud-native development. The controls in all three standards now map directly to how you handle secrets, authenticate users, log data, manage dependencies, and design APIs. The gap isn’t between “compliant” and “non-compliant” organizations. It’s between developers who understand what these standards require in code and those who don’t.

This series answers that gap with code, not policy paraphrasing. Each article takes a specific control or control cluster, explains what it actually requires, and shows a working implementation in .NET or Azure. Nearly 30 articles. Seven phases. The policy documents won’t stop your next audit finding — but understanding what the controls mean in practice might.

Phase 1 — Foundations

Why ISO Standards Actually Matter for .NET Developers opens the series by explaining the historical disconnect between compliance teams and engineering, why cloud-native development collapsed that gap, and what ISO/IEC 27001, 27017, and 27701 each address. Read this first.

Your [Authorize] Attribute Is Compliance Theater covers what access control in ASP.NET Core actually requires for ISO compliance — beyond slapping [Authorize] on controllers and hoping for the best.

Audit Logging That Survives Your Next Security Incident explains what audit logs need to contain, why Application Insights isn’t a compliance audit trail by default, and how to configure logging that satisfies ISO 27001 control requirements under adversarial conditions.

Phase 2 — Core Security Controls

Your appsettings.json Is a Compliance Violation is the article that prompts the most uncomfortable recognition. Where secrets actually live in .NET projects, why Azure Key Vault integration is an ISO 27001 requirement rather than a nice-to-have, and how to implement it without friction.

Your Encryption Is Broken — .NET Data Protection Done Right covers why XOR operations and hardcoded encryption keys don’t survive audits, and how the .NET Data Protection API with Azure Key Vault key management delivers cryptographic compliance that holds up.

Stop Hoarding Personal Data in Entity Framework addresses data minimization under ISO 27701 and GDPR — what you’re collecting versus what you actually need, and how Entity Framework models often encode privacy violations directly into the schema.

Your Incident Response Plan Is a Lie. Here’s How to Fix It. examines what ISO 27001 requires from incident response processes and how to implement runbooks and automated workflows in GitHub Actions that describe what actually happens rather than what you wish would happen.

Your Azure SQL Is Public Right Now. ISO 27017 Demands You Fix It covers network isolation requirements under ISO 27017 for cloud services — private endpoints, VNet integration, and the Azure networking decisions that move you from compliant-on-paper to compliant-in-practice.

NuGet Packages: The Suppliers You Forgot to Audit covers supplier risk management as ISO 27001 requires it — your NuGet dependencies are third-party suppliers, and ignoring them is an audit finding waiting to happen.

Phase 3 — Consent and Change Control

Cookie Banners Won’t Save You From ISO 27701 explains the gap between displaying a cookie banner and implementing consent management that satisfies ISO 27701 privacy requirements — and what ASP.NET Core Identity needs to do to bridge it.

Trust Is Not a Control: ISO 27001 Compliance via GitHub covers change control requirements and how GitHub branch protection, required reviews, and status checks implement them in ways that survive ISO 27001 audits.

Standalone Controls

Your TLS Config is Probably Wrong: Five Audit Failures I Keep Finding covers the five TLS misconfigurations that appear repeatedly in Azure environments — and how Azure Front Door configuration either fixes or introduces them.

Your Logout Button Is Lying: ASP.NET Session Security Done Right covers what ISO 27001 requires from session management and the ASP.NET Core authentication settings that most applications leave at insecure defaults.

Phase 4 — Data Lifecycle and Operational Security

Nobody Runs Your Cleanup Script (And Regulators Know It) covers data retention under ISO 27701 and GDPR — why manual cleanup processes don’t satisfy retention requirements and how Azure Storage lifecycle policies implement them automatically.

Your Stack Traces Are Love Letters to Attackers covers information disclosure through error handling — what ISO 27001 requires and what ASP.NET Core’s default exception handling exposes to people who shouldn’t see it.

Your Azure SQL Backups Won’t Save You (Here’s Why) covers business continuity requirements under ISO 27001 — what needs to be in a backup strategy, why “we have geo-redundant backups” isn’t sufficient, and what actually matters for RTO/RPO compliance.

Green Dashboard, Dead Application covers operational monitoring requirements — the difference between health checks that tell you the process is alive and monitoring that satisfies ISO 27001 availability controls.

Phase 5 — Deployment, Privacy, and Authentication

Privacy Health Checks: Beyond Database Connectivity covers data access patterns under ISO 27701 — what “privacy by design” requires in runtime observability and how to detect data access violations before auditors do.

Stop Deploying Garbage to Production covers security testing in CI/CD pipelines as an ISO 27001 control — what gates actually need to exist between code and production for compliance purposes.

Why Your Azure Portal Clicks Will Fail the Next Audit explains why manual Azure configuration doesn’t satisfy ISO 27001 change management requirements and what Bicep and infrastructure as code provide that portal configuration fundamentally cannot.

Security Cosplay: Your Password-Only Admin Panel Isn’t Fooling Anyone covers MFA requirements under ISO 27001 and ISO 27017 — what privileged access requires and how Azure AD B2C implements authentication controls that satisfy them.

Phase 6 — Privacy Rights and Supply Chain

“Just Delete the User”: Famous Last Words Before the GDPR Audit covers right to erasure implementation under ISO 27701 and GDPR — why deleting a user row doesn’t satisfy erasure requirements and what complete erasure actually involves across backups, audit logs, and derived data.

247 Strangers Have Root Access to Your Production covers third-party dependency risk as ISO 27001 views it — what Dependabot provides versus what supply chain security requires, and how to implement controls that treat transitive dependencies as the attack surface they are.

“We Store Secrets in appsettings.json”: A Horror Story in Five Acts covers managed identity and RBAC as ISO 27001 access control — moving from credential-based to identity-based Azure resource access and the RBAC scoping that prevents privilege escalation.

Purpose Limitation in API Design: Leaking Data You Shouldn’t covers purpose limitation under ISO 27701 — what your API response payloads reveal about data you collected for different purposes, and how API design decisions create or prevent privacy compliance problems.

Phase 7 — Audit Trails and Compliance Tooling

Who Ran That Migration? covers audit trail requirements for database changes — what ISO 27001 requires from change records and how .NET CLI tooling implements attribution that satisfies it.

Certified, Filed, Forgotten: The Compliance Trainwreck addresses the gap between achieving certification and maintaining compliance over time — what continuous compliance verification looks like with .NET CLI tools rather than annual point-in-time assessments.

Security Tests That Prove Themselves covers security testing as a control rather than a ceremony — automated tests that validate specific ISO 27001 requirements and generate audit evidence rather than just passing a pipeline.

Your Privacy Docs Are Fiction: Let’s Fix That with .NET CLI Tools closes the series by addressing documentation drift — the gap between what your privacy documentation claims and what your codebase actually does, and how automated tooling keeps them synchronized.

Who This Is For

.NET developers and architects working in environments with ISO 27001, 27017, or 27701 requirements — or environments that will have them after the next customer contract. The series assumes you write code and control infrastructure. It does not assume you have a compliance team to defer to.

Every article contains working .NET code, Azure configuration, or tooling examples. The goal throughout is turning abstract control requirements into specific implementation decisions with clear trade-offs.

Where to Start

Start with Phase 1 if you’re new to ISO compliance or want the foundational context. Jump directly to specific articles if you’re dealing with an immediate implementation requirement — the titles are deliberately direct about what each article addresses.

The series runs roughly in order of foundational to advanced, but each article stands on its own. Secrets management and access control (Phases 1–2) affect everything else; if you haven’t read those, the later articles will make more sense after you do.

A Note on Scope

This series is not ISO certification consulting. It does not tell you whether your organization will pass an audit, does not replace a qualified auditor, and does not constitute legal advice on GDPR or data protection law. If you need a formal gap assessment or certification readiness review, hire someone who does that for a living.

What the series does: takes specific ISO 27001, 27017, and 27701 controls and shows what implementing them looks like in .NET and Azure. Not all controls require code — some are organizational, process-based, or documentation-driven, and those are outside scope here. The focus is the technical controls: the ones where the implementation decision is yours, the trade-offs are real, and “we have a policy document” is not sufficient evidence.

Coverage is also selective by design. ISO 27001 alone has 93 controls across 4 domains and 11 themes. This series covers the controls most directly relevant to .NET application development and Azure infrastructure — not physical security, not HR screening, not supplier contract templates. The goal is depth on what developers own, not breadth across everything a certification program touches.

If you’re reading these articles as part of actual certification preparation, use them alongside your auditor’s guidance, not instead of it.