ISO Standards for .NET Developers

ISO standards stopped being a compliance-department problem the moment developers started writing the infrastructure. ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27701 define the controls; the Bicep template, the Key Vault reference, and the AuthenticationHandler decide whether the controls actually hold. The articles in this collection translate the standards into the .NET and Azure decisions that implement them, control by control.

The three standards overlap deliberately. 27001 defines the Information Security Management System — access control, cryptography, operations, incident response — and is the one most enterprise contracts require. 27017 adds cloud-specific controls on top: shared-responsibility boundaries, administrator separation, virtual network isolation, the assumptions that on-premises 27001 guidance leaves implicit. 27701 layers privacy onto 27001 and is how the standard becomes GDPR-relevant: consent management, data subject rights, purpose limitation, data minimization.

Articles map controls to working code. Access Control (A.9) becomes ASP.NET Core authorization policies and Azure RBAC role assignments. Cryptography (A.10) becomes Data Protection key isolation and Key Vault-backed key wrapping. Operations Security (A.12) becomes audit log shipping to Application Insights with retention policies that survive a tenant move. Each article picks one control, explains what the auditor will look for, and shows the implementation that produces evidence rather than paperwork.

The companion iso-standards series walks the controls in publication order. This tag aggregates every article that touches an ISO control, including the cross-cutting pieces on Infrastructure as Code, supply chain security, and incident response that map to multiple standards at once. The recurring theme: compliance lives in the codebase, not in the policy document.

Your Logout Button Is Lying: ASP.NET Session Security Done Right

That StackOverflow answer suggesting Session.Timeout = Int32.MaxValue for “better UX”? It’s how security becomes checkbox theater. Sessions that never expire, logout buttons that don’t invalidate tokens, cookies transmitted over HTTP—auditors catch these patterns immediately. Here’s how to configure ASP.NET Core authentication that actually works.

Your TLS Config is Probably Wrong: Five Audit Failures I Keep Finding

Production systems with HTTP endpoints wide open and TLS 1.0 enabled for backward compatibility that died in 2020 are still everywhere. If auditors haven’t flagged your encryption config yet, they will. This guide shows the fatal configurations that fail security audits and the Azure Front Door patterns that actually pass.

Trust Is Not a Control: ISO 27001 Compliance via GitHub

Process documents don’t impress auditors. “We trust our developers” isn’t a control mechanism. ISO 27001 demands technical enforcement, not organizational promises. This guide shows how GitHub branch protection, CODEOWNERS, and environment protection transform compliance from checkbox theater into system-enforced reality, with a six-week implementation path.

Cookie Banners Won't Save You From ISO 27701

That boolean column you call “consent”? Regulators will laugh at it.

ISO 27701 demands granular, auditable, expiring consent, not cookie theater. Here’s the complete .NET implementation with Entity Framework Core, middleware validation, and Azure Functions that survives an audit.

NuGet Packages: The Suppliers You Forgot to Audit

Every NuGet package is a supplier relationship under ISO 27001. Learn how to implement Central Package Management, automated vulnerability scanning, and package signature verification to transform your .NET dependency management from security liability into auditable compliance control.