The ISO 27001 Shared Services blueprint sample provides a set of compliant infrastructure patterns and policy guard-rails that help towards ISO 27001 attestation. This blueprint helps customers deploy cloud-based architectures that offer solutions to scenarios that have accreditation or compliance requirements.
The ISO 27001 App Service Environment/SQL Database workload blueprint sample extends this sample.
Architecture
The ISO 27001 Shared Services blueprint sample deploys a foundation infrastructure in Azure that can be used by organizations to host multiple workloads based on the Virtual Datacenter (VDC) approach. VDC is a proven set of reference architectures, automation tooling, and engagement model used by Microsoft with its largest enterprise customers. The Shared Services blueprint sample is based on a fully native Azure VDC environment shown below.
This environment is composed of several Azure services used to provide a secure, fully monitored, enterprise-ready shared services infrastructure based on ISO 27001 standards. This environment is composed of:
- Role-based access control (RBAC) roles used for segregation of duties from a control plane perspective. Three roles are defined before deployment of any infrastructure:
  - NetOps role has the rights to manage the network environment, including firewall settings, NSG settings, routing, and other networking functionality
  - SecOps role has the necessary rights to deploy and manage Azure Security Center, define Azure Policies, and other security-related rights
  - SysOps role has the necessary rights to define Azure Policies within the subscription, manage Log Analytics for the entire environment, among other operational rights
- Log Analytics is deployed as the first Azure service to ensure all actions and services log to a central location from the moment you start your secure deployment
- A virtual network supporting subnets for connectivity back to an on-premises datacenter, an ingress and egress stack for Internet connectivity, and a shared service subnet using NSGs and ASGs for full micro-segmentation containing:
  - A jumpbox or bastion host used for management purposes, which can only be accessed over an Azure Firewall deployed in the ingress stack subnet
  - Two virtual machines running Active Directory Domain Services (ADDS) and DNS only accessible through the jumpbox, and can be configured only to replicate AD over a VPN or ExpressRoute connection (not deployed by the blueprint)
- Use of Azure Network Watcher and standard DDoS protection
- An Azure Key Vault instance used to host secrets used for the VMs deployed in the shared services environment
All these elements abide by the proven practices published in the Azure Architecture Center - Reference Architectures.
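The two access paths above (jumpbox reachable only through Azure Firewall, ADDS/DNS reachable only through the jumpbox) are exactly what an internal auditor checks in the deployed NSG rules. The following is an added example, not code from the blueprint sample, that evaluates exported NSG rules against those paths; the subnet names, address prefixes and sample rules are constructed assumptions.

```python
# Added example (not the blueprint sample's own code): audit exported NSG rules against
# the access paths the Shared Services architecture describes. Names/prefixes are assumed.
import ipaddress

SUBNETS = {  # constructed; real prefixes are chosen when the blueprint is assigned
    "AzureFirewallSubnet": "10.0.1.0/24",
    "sharedsvcs-jumpbox": "10.0.2.0/27",
    "sharedsvcs-adds": "10.0.2.32/27",
}
# Allowed inbound sources per protected subnet: jumpbox via Azure Firewall only, ADDS via jumpbox only
ALLOWED_SOURCES = {
    "sharedsvcs-jumpbox": {"AzureFirewallSubnet"},
    "sharedsvcs-adds": {"sharedsvcs-jumpbox"},
}
BROAD = ("*", "Internet", "VirtualNetwork")  # wildcards and service tags, never one subnet

def subnet_of(prefix):
    """Map an address or CIDR to a known subnet name; None if broad or unknown."""
    if prefix in BROAD:
        return None
    net = ipaddress.ip_network(prefix, strict=False)
    for name, cidr in SUBNETS.items():
        if net.subnet_of(ipaddress.ip_network(cidr)):
            return name
    return None

def find_violations(nsg_rules):
    """Return (rule name, 'source -> subnet') for each inbound Allow rule that opens a
    path the architecture forbids. Rule dicts mirror an exported NSG's securityRules."""
    violations = []
    for r in nsg_rules:
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        src, dst_prefix = subnet_of(r["sourceAddressPrefix"]), r["destinationAddressPrefix"]
        # a broad destination prefix reaches every protected subnet; a narrow one at most one
        dsts = set(ALLOWED_SOURCES) if dst_prefix in BROAD else {subnet_of(dst_prefix)}
        for dst in sorted(dsts & set(ALLOWED_SOURCES)):
            if src not in ALLOWED_SOURCES[dst]:
                violations.append((r["name"], f"{r['sourceAddressPrefix']} -> {dst}"))
    return violations

def rule(name, src, dst, access="Allow"):  # shorthand for one exported securityRules entry
    return {"name": name, "direction": "Inbound", "access": access,
            "sourceAddressPrefix": src, "destinationAddressPrefix": dst}

SAMPLE_RULES = [  # constructed sample; the third rule is the finding an audit should raise
    rule("allow-fw-to-jumpbox", "10.0.1.0/24", "10.0.2.0/27"),
    rule("allow-jumpbox-to-adds", "10.0.2.0/27", "10.0.2.32/27"),
    rule("allow-rdp-from-internet", "Internet", "10.0.2.0/27"),
    rule("deny-all-inbound", "*", "*", access="Deny"),
]
```

Running `find_violations(SAMPLE_RULES)` flags only the Internet-to-jumpbox rule; the Deny rule is ignored because only Allow rules can open a path.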
Note
The ISO 27001 Shared Services infrastructure lays out a foundational architecture for workloads. You still need to deploy workloads behind this foundational architecture.
For more information, see the Virtual Datacenter documentation.
Next steps
You've reviewed the overview and architecture of the ISO 27001 Shared Services blueprint sample. Next, visit the following articles to learn about the control mapping and how to deploy this sample:
Additional articles about blueprints and how to use them:
- Learn about the blueprint lifecycle.
- Understand how to use static and dynamic parameters.
- Learn to customize the blueprint sequencing order.
- Find out how to make use of blueprint resource locking.
- Learn how to update existing assignments.