Security Center's "Regulatory Compliance Control Checks" and best practices for resolution

Steven-3786 1 Reputation point
2021-09-15T07:53:18.267+00:00

We are looking to pass all of the automated compliance checks performed by Azure Defender / Security Center (e.g. ISO 27001). It would be great to get guidance on the following:

  1. For the "greyed out"/disabled control-checks, is it possible to get more information on each of these and specifically why each specific check is greyed out (I'm aware of the general reasons e.g. not automatically checked, responsibility falls on Azure side etc). Even more helpful would be any guidance on what specific manual checks could be done (if any) to internally track these.
  2. Can Fast Track or any Azure support service provide additional help around reaching 100% pass-mark for the checks performed e.g. suggesting a plan of attack, analysing and ordering issues by severity, provide insight into how much work is involved in resolving these, potential risks, best practices etc.
  3. Following on from 2. can the mitigation steps to reach 100% pass-mark of automated checks be potentially actioned/corrected by the Fast Track team or any other Azure support services, or is this something that has to be actioned internally.

Generally what is the recommended approach to tackle this sort of thing?

Azure FastTrack
Azure FastTrack
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.FastTrack: This tag is no longer in use. Please use 'Azure Startups' instead.
75 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,240 questions
{count} votes

2 answers

Sort by: Most helpful
  1. VipulSparsh-MSFT 16,251 Reputation points Microsoft Employee
    2021-09-22T13:36:56.46+00:00

    @Steven-3786 It seems the guidance for those security standards are present in the documents only https://learn.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0 and we do not have anything public facing for now.

    For further comments about fast track and support for helping in these scenarios, it was suggested to raise a case with them and they would be able to provide you a better support boundaries regarding this.

    0 comments No comments

  2. Johan Vosloo 1 Reputation point Microsoft Employee
    2021-10-05T00:06:49.95+00:00

    @Steven-3786 , adding additional information here to add to our discussion during the QnA.

    1. The greyed out items typically are where the compliance cannot be automatically tracked e.g. people and process standards. Microsoft provides some additional information and guidance in docs e.g. https://learn.microsoft.com/en-us/azure/governance/policy/samples/iso-27001. The compliance organizations that provide the standards also provide guidance e.g. https://www.iso.org/isoiec-27001-information-security.html
    2. The FastTrack for Azure team do assist customers that meet program criteria with addressing compliance recommendations.
    3. The FastTrack for Azure team is an advice and guidance service. A combination of customer, FastTrack for Azure and Microsoft Support Services is typical in working through the recommendations.
    0 comments No comments