ISO Standards for .NET Developers

ISO standards stopped being a compliance-department problem the moment developers started writing the infrastructure. ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27701 define the controls; the Bicep template, the Key Vault reference, and the AuthenticationHandler decide whether the controls actually hold. The articles in this collection translate the standards into the .NET and Azure decisions that implement them, control by control.

The three standards overlap deliberately. 27001 defines the Information Security Management System — access control, cryptography, operations, incident response — and is the one most enterprise contracts require. 27017 adds cloud-specific controls on top: shared-responsibility boundaries, administrator separation, virtual network isolation, the assumptions that on-premises 27001 guidance leaves implicit. 27701 layers privacy onto 27001 and is how the standard becomes GDPR-relevant: consent management, data subject rights, purpose limitation, data minimization.

Articles map controls to working code. Access Control (A.9) becomes ASP.NET Core authorization policies and Azure RBAC role assignments. Cryptography (A.10) becomes Data Protection key isolation and Key Vault-backed key wrapping. Operations Security (A.12) becomes audit log shipping to Application Insights with retention policies that survive a tenant move. Each article picks one control, explains what the auditor will look for, and shows the implementation that produces evidence rather than paperwork.

The companion series at iso-standards series walks the controls in publication order. This tag aggregates every article that touches an ISO control, including the cross-cutting pieces on Infrastructure as Code, supply chain security, and incident response that map to multiple standards at once. The recurring theme: compliance lives in the codebase, not in the policy document.

Your Privacy Docs Are Fiction: Let's Fix That with .NET CLI Tools

Your Privacy Docs Are Fiction: Let's Fix That with .NET CLI Tools

Spreadsheet-based privacy audits examine yesterday’s system while today’s code deploys undocumented PII. Build .NET CLI tools that discover all personal data, catch expired consents, and verify deletions. Then fail builds when compliance breaks.
Security Tests That Prove Themselves

Security Tests That Prove Themselves

Your security tests run. They pass. But can you prove when they ran and against which code version? Most security testing lives in Word documents, Postman exports, and screenshot folders on SharePoint. The tests themselves might be valid. The evidence trail is not. This article shows how to build CLI-based test suites using xUnit and WebApplicationFactory that generate their own proof: structured logs with timestamps, commit hashes, and correlation IDs captured automatically in CI/CD pipelines. No more quarterly reports that could have been written yesterday. Instead, 847 test executions across 23 deployments, each linked to a specific commit and preserved for 90 days.
Security Cosplay: Your Password-Only Admin Panel Isn't Fooling Anyone

Security Cosplay: Your Password-Only Admin Panel Isn't Fooling Anyone

Username and password for admin access? That’s not security, that’s security cosplay. You’re wearing the costume without any of the actual protection. One leaked credential and attackers walk right through your front door. Azure AD B2C with conditional MFA ends the costume party: risk-based authentication that only challenges when it matters. View a dashboard? Password’s fine. Delete production data? Prove you’re really you.
Certified, Filed, Forgotten: The Compliance Trainwreck

Certified, Filed, Forgotten: The Compliance Trainwreck

Organization gets certified. Consultants cash their checks. Documentation gets filed somewhere. Then compliance becomes a Word document ritual: screenshot the portal, sign the checklist, ship it. Three months later, an audit exposes configuration drift, hardcoded secrets, and vulnerable dependencies nobody noticed. The forensic evidence disagrees with the signatures. The fix isn’t stricter sign-offs or more checklists. It’s treating compliance as an engineering problem with automated CLI tools that run on every deployment.
Who Ran That Migration? Audit Trails for .NET CLI Tools

Who Ran That Migration?

Three hours into a production incident, someone asks the obvious question. Silence. The terminal closed, the build log expired last week, and your migration tool printed “Success” before forgetting everything. This scenario repeats constantly: privileged CLI operations that modify production systems, then vanish without a trace. The fix requires discipline, not genius: structured logging, user identity tracking, and persistent storage.