Azure Policy NIST Alignment

YogiBear 170 Reputation points
2024-10-07T12:16:29.3266667+00:00

Hi,

We are aiming to align to the NIST SP 800-53 framework, using the Azure Policy built-in definition set.

Given there are over 700 policies within this definition set, and it's such a big decision, I'm wondering could I get some guidance on how best to approach things here, to ideally have a seamless enablement of the NIST framework into our environment.

Two key questions:

  • Would most large organisations looking to adopt NIST, be selective on the policies they want, or is it recommended to enable the full list of policies?
  • Is audit mode for all policies initially the advised method?

Any other thoughts or best practices very welcome.

Thanks :)


Accepted answer

    Sina Salam 12,011 Reputation points
    2024-10-07T17:20:58.96+00:00

    Hello Dave O'Donohoe,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you need more information about Azure Policy aligning with the NIST SP 800-53 framework.

    Regarding your questions:

    Would most large organisations looking to adopt NIST, be selective on the policies they want, or is it recommended to enable the full list of policies?

    Most large organizations typically adopt a selective approach rather than enabling the full list of policies, because not every policy is relevant to their organization; enabling all of them can be overwhelming, may lead to unnecessary complexity, and might impact system performance and administrative overhead.

    Organizations should consider starting by identifying the most critical controls that align with their risk management and compliance objectives: https://learn.microsoft.com/en-us/azure/governance/policy/samples/nist-sp-800-53-r5

    Is audit mode for all policies initially the advised method?

    Yes, it is generally recommended to start with audit mode for all policies at the initial stage for the purpose of assessment, tuning, and risk mitigation.

    Ensure you embrace best practices:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.
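The two recommendations above (start with the built-in initiative in audit mode, then tune selectively) can be scripted with Azure CLI. The script below is an added example written for this thread; it is not code from the original answer or from Microsoft. It assumes `az` is installed and logged in with rights to create policy assignments at the management group, that `jq` is available, and that the built-in "NIST SP 800-53 Rev. 5" initiative exposes its per-policy effects as parameters whose names contain "effect" and that carry `allowedValues` (an assumption about the initiative's JSON). The management group id, assignment name and location are placeholders you supply on the command line, and the shape of the `az policy state summarize` output used in the last query is also an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from Microsoft): assign the built-in
# "NIST SP 800-53 Rev. 5" initiative in audit-only mode and read back the first
# compliance summary. Assumes `az` (logged in) and `jq`. The management group
# id, assignment name and location are placeholders passed as arguments.
set -eu

INITIATIVE_DISPLAY_NAME="NIST SP 800-53 Rev. 5"

# ARM scope string for a management group (pure helper).
mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# Given one policy parameter's allowed values, pick the least intrusive audit
# effect: Audit, else AuditIfNotExists, else the first allowed value (the
# definition's own choice). Pure helper, no Azure calls.
pick_audit_effect() {
  found=""
  for v in "$@"; do
    case "$v" in
      Audit) echo Audit; return 0 ;;
      AuditIfNotExists) found=AuditIfNotExists ;;
    esac
  done
  echo "${found:-$1}"
}

# Resolve the built-in initiative's name (a GUID) by display name so nothing
# is hard-coded in this script.
find_initiative_name() {
  az policy set-definition list \
    --query "[?displayName=='${INITIATIVE_DISPLAY_NAME}' && policyType=='BuiltIn'].name | [0]" \
    -o tsv
}

# Build a parameters JSON that sets every effect-style parameter to an audit
# value. Assumption: effect parameters have "effect" in their name and list
# their allowedValues (as the built-in regulatory initiatives do).
audit_param_overrides() {
  az policy set-definition show --name "$1" --query parameters -o json |
  jq -r 'to_entries[]
         | select(.value.allowedValues != null and (.key | test("effect"; "i")))
         | "\(.key)\t\(.value.allowedValues | join(" "))"' |
  while IFS="$(printf '\t')" read -r name allowed; do
    # shellcheck disable=SC2086  # word-split the allowed values on purpose
    printf '"%s": {"value": "%s"},\n' "$name" "$(pick_audit_effect $allowed)"
  done | sed '$ s/,$//' | { printf '{'; cat; printf '}'; }
}

# Assign with enforcement disabled: every policy still evaluates and reports
# compliance, but deny effects do not block deployments and no remediation is
# triggered. The managed identity is required because the initiative contains
# deployIfNotExists/modify policies.
assign_nist_audit() {
  mg_id="$1"; assignment_name="$2"; location="$3"
  initiative="$(find_initiative_name)"
  params_file="$(mktemp)"
  audit_param_overrides "$initiative" > "$params_file"
  az policy assignment create \
    --name "$assignment_name" \
    --display-name "NIST SP 800-53 Rev. 5 (audit only)" \
    --policy-set-definition "$initiative" \
    --scope "$(mg_scope "$mg_id")" \
    --params "$params_file" \
    --enforcement-mode DoNotEnforce \
    --mi-system-assigned \
    --location "$location" \
    -o none
  rm -f "$params_file"
}

# Summarise the evaluation: non-compliant resource counts per policy under this
# assignment, to decide which controls to tune, exempt or enforce first.
# Assumption: the summary exposes policyAssignments[].policyDefinitions[].results.
compliance_summary() {
  mg_id="$1"; assignment_name="$2"
  az policy state summarize --management-group "$mg_id" \
    --query "policyAssignments[?contains(policyAssignmentId, '${assignment_name}')].policyDefinitions[] \
| [?results.nonCompliantResources > \`0\`].{policy: policyDefinitionId, nonCompliant: results.nonCompliantResources}" \
    -o table
}

# Usage: ./nist_audit.sh assign  <mg-id> <assignment-name> <location>
#        ./nist_audit.sh summary <mg-id> <assignment-name>
case "${1:-}" in
  assign)  assign_nist_audit "$2" "$3" "$4" ;;
  summary) compliance_summary "$2" "$3" ;;
esac
```

`--enforcement-mode DoNotEnforce` is the assignment-level "audit mode": the compliance data you need for the selective phase is produced, but nothing is denied or remediated. The per-policy effect overrides are what let you later flip individual controls to Deny or DeployIfNotExists once their results have been reviewed; an `az policy state trigger-scan` run against the management group avoids waiting for the next scheduled evaluation before calling the summary.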

