Overview of the ISO 27001 Shared Services blueprint sample
On July 11, 2026, Blueprints (Preview) will be deprecated. Migrate your existing blueprint definitions and assignments to Template Specs and Deployment Stacks. Blueprint artifacts are to be converted to ARM JSON templates or Bicep files used to define deployment stacks. To learn how to author an artifact as an ARM resource, see:
The ISO 27001 Shared Services blueprint sample provides a set of compliant infrastructure patterns and policy guardrails that help toward ISO 27001 attestation. This blueprint helps customers deploy cloud-based architectures that offer solutions to scenarios that have accreditation or compliance requirements.
The ISO 27001 App Service Environment/SQL Database workload blueprint sample extends this sample.
The ISO 27001 Shared Services blueprint sample deploys a foundation infrastructure in Azure that can be used by organizations to host multiple workloads based on the Virtual Datacenter (VDC) approach. VDC is a proven set of reference architectures, automation tooling, and engagement model used by Microsoft with its largest enterprise customers. The Shared Services blueprint sample is based on a fully native Azure VDC environment shown below.
This environment is composed of several Azure services used to provide a secure, fully monitored, enterprise-ready shared services infrastructure based on ISO 27001 standards. This environment is composed of:
- Azure roles used
for segregation of duties from a control plane perspective. Three roles are defined before
deployment of any infrastructure:
- NetOps role has the rights to manage the network environment, including firewall settings, NSG settings, routing, and other networking functionality
- SecOps role has the necessary rights to deploy and manage Azure Security Center, define Azure Policy definitions, and other security-related rights
- SysOps role has the necessary rights to define Azure Policy definitions within the subscription, manage Log Analytics for the entire environment, among other operational rights
- Log Analytics is deployed as the first Azure service to ensure all actions and services log to a central location from the moment you start your secure deployment
- A virtual network supporting subnets for connectivity back to an on-premises datacenter, an
ingress and egress stack for Internet connectivity, and a shared service subnet using NSGs and
ASGs for full micro-segmentation containing:
- A jumpbox or bastion host used for management purposes, which can only be accessed over an Azure Firewall deployed in the ingress stack subnet
- Two virtual machines running Azure Active Directory Domain Services (Azure AD DS) and DNS only accessible through the jumpbox, and can be configured only to replicate AD over a VPN or ExpressRoute connection (not deployed by the blueprint)
- Use of Azure Net Watcher and standard DDoS protection
- An Azure Key Vault instance used to host secrets used for the VMs deployed in the shared services environment
All these elements abide to the proven practices published in the Azure Architecture Center - Reference Architectures.
The ISO 27001 Shared Services infrastructure lays out a foundational architecture for workloads. You still need to deploy workloads behind this foundational architecture.
For more information, see the Virtual Datacenter documentation.
You've reviewed the overview and architecture of the ISO 27001 Shared Services blueprint sample. Next, visit the following articles to learn about the control mapping and how to deploy this sample:
Additional articles about blueprints and how to use them: