ISO 27001 is a widely adopted international security standard and framework that sets out requirements and best practices for a comprehensive approach to managing company and customer information. Demonstrating IT security practices is an important element of achieving ISO 27001 certification. The standard is an effective way to reduce the risk of your organization suffering a data breach; it satisfies audit requirements and establishes trust, both internally and externally, that security controls are properly managed, giving customers greater confidence in doing business with you.

When an organization puts together an Information Security Management System (ISMS), the process is not one-size-fits-all. The management system is shaped by factors such as the goals of the firm, its tolerance for compromise, the nature of its operations, and how it is structured and how large it is. ISO 27001 is flexible in the sense that different types of companies (by size, form, etc.) will have different security needs. Measuring and reporting on ISO controls in the cloud differs from doing so in a traditional data center environment. While public cloud service providers maintain their own ISO 27001 certification, under the shared responsibility model you remain responsible for the controls relevant to how you build and manage your infrastructure in the cloud.

ISO 27001 Annex A is a flexible catalogue of controls that lets an organization (including a cloud service provider) decide what level of risk is acceptable and which controls apply to it. Annex A is the best known set of security control objectives for implementing ISO/IEC 27001:2013 because it provides the essential controls for managing security. It consists of:

  • 14 control areas: core topic areas that cover most aspects of information security
  • 35 control objectives: the objectives the controls serve
  • 114 controls: the applicable controls to be implemented in the ISMS program

Microsoft recommends 13 key principles and recommendations for ISO 27001 compliance to all Azure customers. By incorporating these principles and recommendations, customers can help mitigate and manage security risks from the early stages of their cloud adoption.

Cloudneeti  ISO 27001 Dashboard Snapshot

Cloudneeti now provides out-of-the-box automation for continuously assessing the customer-responsible ISO 27001 posture. The product addresses 8 of the 14 control areas, and Cloudneeti's ISO 27001 dashboard is organized around those control areas.

The covered areas are:

  • A.6 Organization of information security: to maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
  • A.9 Access control: covers the access control policy, user access management, system and application access control, and user responsibilities.
  • A.10 Cryptography: to protect the confidentiality, authenticity or integrity of information by cryptographic means. These controls relate to encryption and key management.
  • A.12 Operations security: these controls relate to operational procedures and responsibilities, protection from malware, backup, logging and monitoring, and technical vulnerability management.
  • A.13 Communications security: these controls relate to network security, segregation, network services, transfer of information, etc.
  • A.14 System acquisition, development and maintenance: to ensure that security is an integral part of information systems. These controls cover defining security requirements and security in development and support processes.
  • A.17 Information security aspects of business continuity management: these controls address business continuity in general, requiring the planning of business continuity, procedures, verification and review, and IT redundancy.
  • A.18 Compliance with internal and external requirements: these controls ensure that systems comply with organizational security policies and standards.

Organizations implementing ISO 27001 understand the effort involved in auditing and reporting on the state of controls within their cloud environment. The Cloudneeti ISO 27001 benchmark gives an organization an overview of how these key principles are implemented, through continuous and automated monitoring.

Documentation References:

Take a Test Drive

Try Cloudneeti on Microsoft Azure today.


Benchmarks help you safeguard systems, software, and networks against today's evolving cyber threats. Although the ISO/IEC 27001:2013 standard is developed by ISO and IEC, this specific benchmark and its related policies are an interpretation of how its requirements may apply to Microsoft Azure. ISO has not published a benchmark specifically for Microsoft Azure. The rules and policies listed here are based on a NIST SP 800-53 baseline, our own interpretations, and interaction with our customers and security analysts.
