ISO Standards for .NET Developers

ISO standards stopped being a compliance-department problem the moment developers started writing the infrastructure. ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27701 define the controls; the Bicep template, the Key Vault reference, and the AuthenticationHandler decide whether the controls actually hold. The articles in this collection translate the standards into the .NET and Azure decisions that implement them, control by control.

The three standards overlap deliberately. 27001 defines the Information Security Management System — access control, cryptography, operations, incident response — and is the one most enterprise contracts require. 27017 adds cloud-specific controls on top: shared-responsibility boundaries, administrator separation, virtual network isolation, the assumptions that on-premises 27001 guidance leaves implicit. 27701 layers privacy onto 27001 and is how the standard becomes GDPR-relevant: consent management, data subject rights, purpose limitation, data minimization.

Articles map controls to working code. Access Control (A.9) becomes ASP.NET Core authorization policies and Azure RBAC role assignments. Cryptography (A.10) becomes Data Protection key isolation and Key Vault-backed key wrapping. Operations Security (A.12) becomes audit log shipping to Application Insights with retention policies that survive a tenant move. Each article picks one control, explains what the auditor will look for, and shows the implementation that produces evidence rather than paperwork.

The companion series at iso-standards series walks the controls in publication order. This tag aggregates every article that touches an ISO control, including the cross-cutting pieces on Infrastructure as Code, supply chain security, and incident response that map to multiple standards at once. The recurring theme: compliance lives in the codebase, not in the policy document.