ISO Standards for .NET Developers

ISO standards stopped being a compliance-department problem the moment developers started writing the infrastructure. ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27701 define the controls; the Bicep template, the Key Vault reference, and the AuthenticationHandler decide whether the controls actually hold. The articles in this collection translate the standards into the .NET and Azure decisions that implement them, control by control.

The three standards overlap deliberately. 27001 defines the Information Security Management System — access control, cryptography, operations, incident response — and is the one most enterprise contracts require. 27017 adds cloud-specific controls on top: shared-responsibility boundaries, administrator separation, virtual network isolation, the assumptions that on-premises 27001 guidance leaves implicit. 27701 layers privacy onto 27001 and is how the standard becomes GDPR-relevant: consent management, data subject rights, purpose limitation, data minimization.

Articles map controls to working code. Access Control (A.9) becomes ASP.NET Core authorization policies and Azure RBAC role assignments. Cryptography (A.10) becomes Data Protection key isolation and Key Vault-backed key wrapping. Operations Security (A.12) becomes audit log shipping to Application Insights with retention policies that survive a tenant move. Each article picks one control, explains what the auditor will look for, and shows the implementation that produces evidence rather than paperwork.

The companion series at iso-standards series walks the controls in publication order. This tag aggregates every article that touches an ISO control, including the cross-cutting pieces on Infrastructure as Code, supply chain security, and incident response that map to multiple standards at once. The recurring theme: compliance lives in the codebase, not in the policy document.

Purpose Limitation in API Design: Leaking Data You Shouldn't

Most APIs expose personal data based on database entities, not caller needs. When a password reset endpoint returns a user’s full profile, purchase history, and marketing preferences, that’s purpose drift. This article shows how to restructure ASP.NET Core APIs around caller purposes using resource-based authorization, consent validation, and field-level access control.

247 Strangers Have Root Access to Your Production

Your organization has a thorough vendor approval process. Procurement forms. Security questionnaires. Legal reviews lasting months. Then your developers run npm install and pull 247 packages from strangers on the internet—and nobody blinks. That’s the supply chain security paradox most teams live with daily. This guide shows you how to implement Dependabot, dependency review, and SBOM generation as the defensive controls they should be—not as checkbox compliance theater.

"Just Delete the User": Famous Last Words Before the GDPR Audit

Your PM thinks erasure is a quick database DELETE. Three weeks later, you’ve found user data in seventeen places: production DB, analytics warehouse, Redis cache, Elasticsearch, backup tapes, and that legacy system nobody dares touch. “Delete” actually means orchestrating coordinated erasure across distributed systems, maintaining audit trails, notifying third parties, and proving it worked. This guide shows the fatal patterns I’ve seen fail spectacularly, then walks through proper orchestration with Azure Durable Functions, soft-delete with anonymization, verification checks, and immutable audit logs.

Why Your Azure Portal Clicks Will Fail the Next Audit

Manual portal configuration creates audit nightmares. When auditors ask “Show me your change control process,” clicking through Azure Activity Logs won’t save you. Here’s how Bicep turns infrastructure into auditable code—where Git history becomes your compliance evidence and pull requests become your approval workflow.

Stop Deploying Garbage to Production

I’ve watched “senior engineers” deploy code with failing tests because “we need to ship.” I’ve seen secrets hardcoded in workflows, vulnerabilities ignored with || true, and production deployments without a single approval gate.

Then the same teams act surprised when they get breached. Or fail an audit. Or both.

Security gates aren’t process overhead—they’re the bare minimum that separates professional engineering from reckless gambling with customer data. Here’s exactly how to build GitHub Actions pipelines that actually protect your systems.