Compliance as Code
Compliance as Code means translating regulatory requirements (ISO 27001, GDPR, nFADP, EMBAG) into machine-readable test scripts that run automatically and continuously in the CI/CD pipeline or infrastructure. This turns many technical controls into continuously testable evidence, reducing the effort for periodic certification.
The alternative (manual checklists and annual certification projects) is error-prone, expensive, and always reacts too late.
Core concept
- Policy as Code: Security and compliance rules are expressed as code, for example in Rego (the policy language of Open Policy Agent, OPA) or as AWS Config Rules.
- Shift Left: Compliance checks happen at code commit, not at certification time.
- Audit Trail: Every check is versioned, reproducible, and traceable.
- Continuous Compliance: Dashboards show compliance status in real time, not just once a year.
Implementation
- Requirements Inventory: Translating regulatory requirements into testable statements (e.g. "All S3 buckets must be encrypted").
- Tool Selection: Open Policy Agent (OPA) for Kubernetes, Checkov for Terraform, AWS Config / Azure Policy for cloud resources.
- Pipeline Integration: Compliance tests run on every pull request and block deployment on violation.
- Reporting: Automated reports for auditors, documenting compliance status at any point in time.
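The following is an added example (not code from this page, and not OPA's or Checkov's own code) that walks the four implementation steps above and the core-concept list in one small Python policy engine: two requirements from a constructed inventory (the rule IDs REQ-001 and REQ-002 are invented labels) are encoded as checks, evaluated against a constructed, simplified Terraform plan JSON, turned into a report that records a hash of the exact input as audit evidence, and mapped to a non-zero exit code so a pipeline can block the deployment.

```python
"""Minimal Policy-as-Code gate in the spirit of an OPA/Checkov pipeline step.

Added example, not the page's or any project's code. The plan below is a
constructed sample whose shape loosely follows `terraform show -json`
output, reduced to the fields the rules need; the REQ-* ids are invented.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

# Constructed sample input: one encrypted bucket, one unencrypted bucket,
# one security group exposing SSH to the whole internet.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "corp-logs",
                    "server_side_encryption_configuration":
                        [{"rule": [{"sse_algorithm": "aws:kms"}]}]}},
        {"address": "aws_s3_bucket.public_assets", "type": "aws_s3_bucket",
         "values": {"bucket": "corp-assets",
                    "server_side_encryption_configuration": []}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22,
                                 "cidr_blocks": ["0.0.0.0/0"]}]}},
    ]}}
}


@dataclass(frozen=True)
class Rule:
    rule_id: str                    # requirements-inventory id (constructed label)
    requirement: str                # the testable statement, as written in the inventory
    resource_type: str              # Terraform resource type the rule applies to
    check: Callable[[dict], bool]   # returns True when the resource is compliant


def s3_encrypted(values: dict) -> bool:
    """REQ-001: a bucket is compliant if any SSE rule uses AES256 or KMS."""
    cfg = values.get("server_side_encryption_configuration") or []
    return any(r.get("sse_algorithm") in ("AES256", "aws:kms")
               for block in cfg for r in block.get("rule", []))


def no_world_ssh(values: dict) -> bool:
    """REQ-002: no ingress rule may cover port 22 from 0.0.0.0/0."""
    for ing in values.get("ingress", []):
        covers_ssh = ing.get("from_port", 0) <= 22 <= ing.get("to_port", 0)
        if covers_ssh and "0.0.0.0/0" in ing.get("cidr_blocks", []):
            return False
    return True


# The requirements inventory, expressed as code (step 1 of the implementation).
RULES = [
    Rule("REQ-001", "All S3 buckets must be encrypted at rest",
         "aws_s3_bucket", s3_encrypted),
    Rule("REQ-002", "SSH must not be reachable from the internet",
         "aws_security_group", no_world_ssh),
]


def evaluate(plan: dict, rules=RULES) -> dict:
    """Run every rule over every matching resource; return an audit-ready report."""
    resources = plan["planned_values"]["root_module"]["resources"]
    findings = []
    for rule in rules:
        for res in resources:
            if res["type"] != rule.resource_type:
                continue
            findings.append({
                "rule_id": rule.rule_id,
                "requirement": rule.requirement,
                "resource": res["address"],
                "compliant": rule.check(res["values"]),
            })
    # Hash of the canonicalised input ties the evidence to exactly what was checked,
    # which is what makes the result reproducible for an auditor.
    canonical = json.dumps(plan, sort_keys=True).encode()
    return {
        "input_sha256": hashlib.sha256(canonical).hexdigest(),
        "findings": findings,
        "violations": [f for f in findings if not f["compliant"]],
    }


def pipeline_exit_code(report: dict) -> int:
    """Non-zero blocks the deployment when any violation is present."""
    return 1 if report["violations"] else 0


if __name__ == "__main__":
    report = evaluate(SAMPLE_PLAN)
    print(json.dumps(report, indent=2))
    raise SystemExit(pipeline_exit_code(report))
```

Run stand-alone, the script prints the report and exits with status 1 because the sample plan violates both rules; in a real pipeline the report JSON would be stored as a versioned artifact, and the input hash lets an auditor later match a stored report to the plan it was produced from.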
Focus: From Project to Continuous Evidence
Many technical controls can be made continuously measurable. This reduces the effort required for recertification without replacing the need for human risk assessment and organisational controls.
FAQ
Does Compliance as Code replace the human auditor?
No. It replaces manual, repetitive controls. Complex risk assessments and organisational measures still require human judgement. Compliance as Code does, however, create the foundation for efficient, evidence-based audits.
What about compliance requirements that are difficult to automate?
Organisational measures (training, responsibilities) remain manual. Many technical controls, such as configurations, access rights, and encryption, are automatable.
Reference Guide
- NIST Cybersecurity Framework. Risk-based framework for security and compliance management. (2024). www.nist.gov/cyberframework
- Open Policy Agent (OPA) Documentation. The de-facto standard for Policy as Code. www.openpolicyagent.org
- Checkov Static Analysis for IaC. Static analysis for Terraform, CloudFormation, and Kubernetes. www.checkov.io
Related topics
- Standards: ISO 27001, the security standard for controls in Compliance as Code.
- Methods: the methods section that frames Compliance as Code.