Compliance

What auditors receive.

Guardrail Ledger produces daily diffs of Azure Policy assignments and exemptions, RBAC role assignments, and resource tags. Accepted deviations become exception records with owner, approver, and expiry on file. At month end, a signed audit pack covers drift history and sign-off records.

  • CIS Azure Foundations

    Policy, RBAC, and tag drift are mapped to CIS Azure Foundations controls. Exception records tie accepted deviations back to the control they affect.

  • ISO 27001:2022 A.8.9

    The exception ledger records owner, approver, expiry date, and reason for every accepted deviation — the fields auditors expect for configuration management.

  • ISO 27001:2022 A.8.20

    Exposure pattern detection flags public IPs, internet-facing storage accounts, and widened Key Vault access against the networks security control.

  • NIS2 Art. 21

    Drift history and sign-off records support risk-management and incident-handling evidence required under NIS2 Article 21.

  • DORA RTS change management

    Daily diffs and exception records document who approved configuration changes and when deviations expire — aligned to DORA RTS change-management clauses.

  • Defender control mapping

    Defender for Cloud recommendations arrive with the control name they affect, not a raw recommendation ID, plus landing-zone deviation flags.

Exception record fields.

  • Owner: Person accountable for the deviation
  • Approver: Who signed off on acceptance
  • Expiry date: When the exception must be reviewed or remediated
  • Reason: Justification of record for the auditor
  • Framework: CIS Azure Foundations or ISO 27001:2022 A.8.9
  • Scope: Subscription and Azure resource scope

Monthly audit pack contents.

  • Drift history: Daily policy, RBAC, and tag diffs for the period
  • Exception ledger: All accepted deviations with sign-off fields
  • Sign-off records: Approver and timestamp per exception
  • Delivery: Signed export to Cloudflare R2, time-limited URL
  • Cadence: Generated monthly at period end

From deviation to audit pack.

  1. Deviation detected

    The daily scan diffs Azure Policy assignments and exemptions, RBAC role assignments, and resource tags against the last baseline per subscription.

  2. Exception recorded

    Accepted deviations enter the exception ledger with owner, approver, expiry date, and reason — mapped to CIS Azure Foundations and ISO 27001:2022 A.8.9.

  3. Expiry reminder

    Exceptions approaching expiry surface in the ledger so owners can remediate or renew before the date passes.

  4. Month-end audit pack

    A signed export — drift history, exception ledger, and sign-off records — is written to Cloudflare R2 with a time-limited download URL.
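The four steps above, worked through in code as an added example. This is not Guardrail Ledger's own code: the snapshot layout (keyed by kind, scope and name), the exception ledger entries, the dates and the e-mail addresses are constructed for the demonstration, and the HMAC over the pack stands in for whatever signature the real export carries.

```python
"""Added example: drift diff, exception matching, expiry reminders and a signed pack.
Snapshot shape, ledger entries and sample data are constructed assumptions."""
from datetime import date, timedelta
import hashlib
import hmac
import json

# Constructed snapshots for one subscription: last baseline and today's scan.
# Key = (kind, scope, name); value = the setting whose change counts as drift.
BASELINE = {
    ("policy", "/subscriptions/sub-1", "require-tags"): {"effect": "Deny"},
    ("rbac", "/subscriptions/sub-1", "alice@example.com"): {"role": "Reader"},
    ("tag", "/subscriptions/sub-1/rg/prod", "costcenter"): {"value": "CC-100"},
}
TODAY = {
    ("policy", "/subscriptions/sub-1", "require-tags"): {"effect": "Audit"},
    ("rbac", "/subscriptions/sub-1", "alice@example.com"): {"role": "Owner"},
    ("rbac", "/subscriptions/sub-1", "bob@example.com"): {"role": "Contributor"},
}

# Constructed exception ledger using the record fields listed on the page.
LEDGER = [
    {"key": ("policy", "/subscriptions/sub-1", "require-tags"),
     "owner": "alice@example.com", "approver": "ciso@example.com",
     "expiry": date(2025, 1, 31), "reason": "Audit mode during tag migration",
     "framework": "CIS Azure Foundations", "scope": "/subscriptions/sub-1"},
]


def diff_snapshots(baseline, current):
    """Step 1: list added, removed and changed entries between two snapshots."""
    drift = []
    for key in sorted(set(baseline) | set(current), key=str):
        old, new = baseline.get(key), current.get(key)
        if old is None:
            drift.append({"key": key, "change": "added", "old": None, "new": new})
        elif new is None:
            drift.append({"key": key, "change": "removed", "old": old, "new": None})
        elif old != new:
            drift.append({"key": key, "change": "changed", "old": old, "new": new})
    return drift


def classify(drift, ledger, today, warn_days=14):
    """Steps 2 and 3: match drift to exceptions; flag expired and expiring ones."""
    by_key = {e["key"]: e for e in ledger}
    result = {"accepted": [], "unaccepted": [], "expired": [], "expiring_soon": []}
    for item in drift:
        exc = by_key.get(item["key"])
        if exc is None:
            result["unaccepted"].append(item)
        elif exc["expiry"] < today:
            # Exception on file but past expiry: the drift is no longer covered.
            result["expired"].append({**item, "exception": exc})
        else:
            result["accepted"].append({**item, "exception": exc})
    for exc in ledger:
        if today <= exc["expiry"] <= today + timedelta(days=warn_days):
            result["expiring_soon"].append(exc)
    return result


def build_audit_pack(drift, ledger, period_end, signing_key=b"constructed-demo-key"):
    """Step 4: serialise drift, ledger and review into one body plus an HMAC tag.
    The HMAC is a stand-in for a real signature so the reader can verify integrity."""
    pack = {"period_end": period_end.isoformat(), "drift": drift,
            "exceptions": ledger, "review": classify(drift, ledger, period_end)}
    body = json.dumps(pack, default=str, sort_keys=True).encode()
    tag = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_audit_pack(body, tag, signing_key=b"constructed-demo-key"):
    """Recompute the tag over the received body and compare in constant time."""
    expected = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    drift = diff_snapshots(BASELINE, TODAY)
    review = classify(drift, LEDGER, date(2025, 1, 20))
    for bucket, items in review.items():
        print(f"{bucket}: {len(items)}")
    body, tag = build_audit_pack(drift, LEDGER, date(2025, 1, 31))
    print("pack verifies:", verify_audit_pack(body, tag))
```

Run on the constructed data with a review date of 20 January, the policy effect change is accepted under the ledger entry and also surfaces as expiring within 14 days, while the RBAC escalation, the new role assignment and the dropped tag all land in the unaccepted bucket for sign-off or remediation.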

Put sign-off on file.

Record exceptions with approvers and expiry dates, then hand auditors a signed monthly pack from Cloudflare R2.