Compliance and governance ensure that software systems follow legal, regulatory, and industry security standards. DevSecOps integrates these requirements directly into development and delivery processes so that organizations remain compliant without slowing down engineering. Compliance frameworks such as ISO 27001, SOC 2, and GDPR define strict rules for data handling, access control, risk management, security controls, and incident response. Governance ensures these rules are consistently applied, monitored, and improved.
Why Compliance Matters in DevSecOps
Compliance frameworks exist to protect sensitive data, ensure operational transparency, reduce security risk, and enforce accountability. Without compliance, organizations face penalties, data breaches, reputational damage, and legal consequences.
Compliance is not a one-time activity. It requires continuous controls, documentation, monitoring, auditing, and improvement. DevSecOps embeds these activities into CI/CD pipelines and everyday workflows.
Core Concepts of Compliance and Governance
Regulatory Requirements
Laws and regulations such as GDPR define how organizations must protect user data, notify about breaches, and provide transparency.
Security Controls
Frameworks require technical controls such as encryption, access control, logging, secure configurations, patching, and risk assessments.
Risk Management
Organizations must identify risks, evaluate impact, and apply mitigations.
Documented Procedures
Policies, standards, guidelines, and workflow documentation ensure repeatability and auditability.
Audit Trails
Every access, change, and deployment must be recorded to prove compliance during audits.
Continuous Monitoring
Security posture must be monitored continuously for anomalies, vulnerabilities, and configuration drift.
ISO 27001
ISO 27001 defines how to build an Information Security Management System. It requires organizations to adopt policies, risk assessments, controls, and continuous improvement.
ISO 27001 Focus Areas
Information Security Policies
Organizations must create formal policies for security, access, data handling, and system operations.
Risk Assessment
Identify threats, evaluate likelihood and impact, and implement controls.
Asset Management
Maintain an inventory of assets such as servers, data, secrets, and services. Define ownership and classification.
Human Security
Ensure secure onboarding, offboarding, and training.
Access Control
Apply least privilege and role-based permissions. Enforce strong authentication mechanisms.
Cryptography
Encrypt data at rest and in transit.
Operations Security
Monitor systems, manage changes, control code repositories, and maintain secure configurations.
Physical Security
Protect servers, systems, and access to data centers.
Supplier Relationships
Evaluate and monitor third-party risks.
Incident Response
Define processes to detect, report, and resolve incidents.
Compliance Audit
Conduct internal audits and prepare for external certification.
SOC 2
SOC 2 evaluates the organization’s controls across trust areas such as security, availability, confidentiality, integrity, and privacy. It is especially common for SaaS companies.
SOC 2 Trust Principles
Security
Protect systems from unauthorized access using access control, network segmentation, secure configurations, and monitoring.
Availability
Ensure uptime and performance through capacity planning, redundancy, backups, and incident processes.
Processing Integrity
Systems must process data accurately and reliably.
Confidentiality
Sensitive information must be protected, encrypted, and access-restricted.
Privacy
Personal data must be handled in accordance with legal requirements.
SOC 2 requires documentation, evidence collection, and continuous control validation.
GDPR
GDPR protects personal data of individuals in the EU. It defines strict rules for data consent, transparency, rights, and security practices.
Key GDPR Requirements
Lawful Data Collection
Data must be collected with consent, contract necessity, or legitimate interest.
Data Minimization
Collect only what is necessary.
Purpose Limitation
Use data only for the stated purpose.
Individual Rights
Users have rights to access, rectification, deletion, and portability.
Breach Notification
Organizations must disclose breaches within strict timeframes.
Data Transfer
Transferring data outside the EU requires safeguards.
Security Controls
Implement strong technical and organizational safeguards.
Governance in DevSecOps
Governance ensures compliance requirements are translated into repeatable, automated processes.
Policy Enforcement
Rules for coding, scanning, deployment, and data handling become part of the CI/CD pipeline.
Access Governance
Identity systems enforce least privilege, MFA, and audit logs.
Change Management
Deployments require documented procedures, approvals, and traceability.
Configuration Governance
Systems follow stable, secure, and codified configurations enforced through IaC scanning.
Evidence Collection
Logs, reports, and audit data are collected automatically for compliance audits.
Compliance Automation in DevSecOps
Integrating compliance into pipelines ensures continuous, real-time validation.
• Security gates block noncompliant builds
• IaC scanning detects misconfigurations
• Container scanning ensures dependency safety
• Secrets scanners protect sensitive data
• Policy engines enforce deployment rules
• Audit logs track pipeline events
Compliance becomes measurable and consistently enforced.
Extensive Practical Section
Below are deep, full-length practicals that implement compliance and governance across DevSecOps workflows.
Practical 1: Create a Compliance Requirements Folder
Create:
/compliance/
iso27001/
soc2/
gdpr/
policies/
procedures/
evidence/
Populate with initial documentation.
Practical 2: Build an Asset Inventory
Document assets:
• Databases
• Buckets
• Secrets
• CI/CD runners
• Repositories
• VMs or containers
• Cloud resources
• Authentication systems
Store in:
/compliance/iso27001/asset-inventory.md
Practical 3: Create ISO 27001 Security Policies
Write policies for:
• Access control
• Data classification
• Encryption rules
• Logging requirements
• Patch management
• Network controls
• Secure SDLC requirements
Add policies under /compliance/policies/.
Practical 4: Implement Risk Assessment Template
Create:
/compliance/iso27001/risk-assessment.md
Include:
• Threat
• Impact
• Likelihood
• Controls
• Owner
Perform a full risk assessment.
Practical 5: Automate Policy Enforcement With OPA
Install the opa binary, then evaluate a request document against the policies (the query path, here data.policies.deny, must match the package and rule names in your Rego files):
opa eval --data policies/ --input request.json 'data.policies.deny'
Create policies such as:
• Deny deployments using unencrypted storage
• Block containers running as root
• Block public security groups
• Enforce image signing
Integrate OPA into CI.
Practical 6: Add GDPR Data Retention Enforcement Script
Write a script (run it without -delete first so the files it would remove can be reviewed):
find /data/user/ -type f -mtime +365 -delete
Integrate into scheduled jobs.
Document logic to comply with retention laws.
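The same retention rule as a script with a dry-run mode and an evidence record of every file it removes, which is the logic the retention documentation has to describe. This is an added example, not code from the original page; the 365-day limit is the practical's own, while the JSON-lines evidence format and the constructed data directory are assumptions.

```python
"""Retention sweep for Practical 6: remove files older than the retention
period, with a dry-run mode and a JSON-lines evidence record of every file
touched.  Added example, not from the original page; the 365-day limit is the
practical's, the evidence-log format is an assumption."""
import json
import os
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 365

def expired_files(root, retention_days=RETENTION_DAYS, now=None):
    """Files under root whose modification time is older than the retention period."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and p.stat().st_mtime < cutoff)

def enforce_retention(root, evidence_log, dry_run=True, now=None):
    """Delete expired files (unless dry_run) and append one record per file to the evidence log."""
    now = time.time() if now is None else now
    handled = []
    with open(evidence_log, "a") as log:
        for path in expired_files(root, now=now):
            record = {"path": str(path), "mtime": int(path.stat().st_mtime),
                      "action": "would-delete" if dry_run else "deleted", "checked_at": int(now)}
            if not dry_run:
                path.unlink()
            log.write(json.dumps(record) + "\n")
            handled.append(str(path))
    return handled

def demo():
    """Constructed data directory: one 400-day-old file and one fresh file; run preview, then the real sweep."""
    root = Path(tempfile.mkdtemp())
    stale, fresh = root / "old-profile.json", root / "new-profile.json"
    stale.write_text("{}")
    fresh.write_text("{}")
    now = time.time()
    os.utime(stale, (now - 400 * 86400, now - 400 * 86400))   # backdate mtime past the retention limit
    log = root / "retention-evidence.jsonl"
    preview = enforce_retention(root, log, dry_run=True, now=now)
    deleted = enforce_retention(root, log, dry_run=False, now=now)
    return preview, deleted, stale.exists(), fresh.exists()

if __name__ == "__main__":
    print(demo())
```

The evidence log is what gets filed under /compliance/evidence/ to show the retention rule actually ran.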
Practical 7: Implement Access Governance
Perform audit (these listings give the inventory; last-activity and MFA status come from the IAM credential report):
aws iam list-users
aws iam list-policies
aws iam list-roles
Evaluate:
• Dormant accounts
• Overprivileged roles
• Missing MFA
• Inline policies
Document in compliance folder.
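The evaluation step written out: the four checks from the list above run over IAM inventory data. This is an added example, not code from the original page; the records are constructed in the shape of aws iam output, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Access-governance checks for Practical 7: dormant accounts, missing MFA,
inline policies and over-privileged roles.  Added example, not code from the
original page; sample records are constructed, the 90-day threshold is assumed."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
DORMANT_AFTER = timedelta(days=90)                 # assumed policy threshold

# Constructed sample. LastActivity is the latest console or access-key use (both are
# in the IAM credential report); MFA and InlinePolicies come from the per-user listings.
USERS = [
    {"UserName": "alice",  "LastActivity": "2024-05-28T09:00:00Z", "MFA": True,  "InlinePolicies": []},
    {"UserName": "bob",    "LastActivity": "2023-11-02T12:00:00Z", "MFA": False, "InlinePolicies": ["legacy-s3"]},
    {"UserName": "svc-ci", "LastActivity": None,                   "MFA": False, "InlinePolicies": []},
]
# Constructed sample of role policy statements (list-roles plus the attached policy documents).
ROLES = [
    {"RoleName": "deploy",       "Statements": [{"Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::app-bucket/*"]}]},
    {"RoleName": "admin-legacy", "Statements": [{"Action": ["*"],            "Resource": ["*"]}]},
]

def parse_ts(value):
    """Parse the ISO-8601 Zulu timestamps the AWS CLI emits; None stays None."""
    return None if value is None else datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_users(users, now=NOW):
    """Return (user, finding) tuples for dormant accounts, missing MFA and inline policies."""
    findings = []
    for u in users:
        last = parse_ts(u["LastActivity"])
        if last is None or now - last > DORMANT_AFTER:
            findings.append((u["UserName"], "dormant-account"))
        if not u["MFA"]:
            findings.append((u["UserName"], "missing-mfa"))
        for policy in u["InlinePolicies"]:
            findings.append((u["UserName"], f"inline-policy:{policy}"))
    return findings

def audit_roles(roles):
    """Flag roles with any statement granting wildcard actions ('*' or 'svc:*') or wildcard resources."""
    findings = []
    for r in roles:
        for s in r["Statements"]:
            if any(a == "*" or a.endswith(":*") for a in s["Action"]) or "*" in s["Resource"]:
                findings.append((r["RoleName"], "overprivileged-role"))
                break
    return findings

if __name__ == "__main__":
    for name, finding in audit_users(USERS) + audit_roles(ROLES):
        print(f"{name:12} {finding}")
```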
Practical 8: Add Secrets Governance
Enforce secrets policies:
• Store secrets in vault
• Rotate secrets
• Block plaintext storage
Scan repository:
gitleaks detect
Fix violations.
Practical 9: Automate Infrastructure Governance With Checkov
Run:
checkov -d infrastructure/
Check for:
• Public S3 buckets
• Open ports
• Weak IAM roles
• Unencrypted storage
• Insecure defaults
Document findings under ISO 27001 Annex A controls.
Practical 10: SOC 2 Evidence Collection Pipeline
Create CI job (the target directories are created first so the copy steps cannot fail on a fresh runner):
name: evidence-collection
steps:
- run: mkdir -p compliance/evidence/logs compliance/evidence/scans
- run: cp logs/*.log compliance/evidence/logs/
- run: cp reports/*.json compliance/evidence/scans/
Collect:
• Build logs
• Security scan reports
• Deployment logs
• Access logs
Store for audits.
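Evidence is only useful to an auditor if it can be shown not to have changed after collection, so the copy step is worth pairing with a hash manifest. The following is an added example, not code from the original page; it follows the practical's evidence layout (logs/ and scans/ under compliance/evidence/), and the pipeline output it copies is constructed in a temporary directory.

```python
"""Evidence collection for Practical 10: copy logs and scan reports into the
evidence folder and write a SHA-256 manifest so an auditor can verify the files
were not altered afterwards.  Added example, not code from the original page."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    """Stream the file through SHA-256 (so large logs do not have to fit in memory)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def collect_evidence(sources, evidence_root):
    """sources maps an evidence subdir ('logs', 'scans') to the files to copy; returns the manifest."""
    evidence_root = Path(evidence_root)
    manifest = {}
    for subdir, files in sources.items():
        dest = evidence_root / subdir
        dest.mkdir(parents=True, exist_ok=True)
        for src in files:
            target = dest / Path(src).name
            shutil.copy2(src, target)          # copy2 preserves the original timestamps
            manifest[target.relative_to(evidence_root).as_posix()] = sha256_of(target)
    (evidence_root / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def verify_evidence(evidence_root):
    """Recompute every hash; return the evidence files whose contents no longer match the manifest."""
    evidence_root = Path(evidence_root)
    manifest = json.loads((evidence_root / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items() if sha256_of(evidence_root / rel) != digest]

def demo():
    """Constructed pipeline output: one build log and one scan report; collect, verify, then tamper."""
    work = Path(tempfile.mkdtemp())
    for d in ("logs", "reports"):
        (work / d).mkdir()
    (work / "logs" / "build.log").write_text("build ok\n")
    (work / "reports" / "sast.json").write_text('{"findings": []}\n')
    evidence = work / "compliance" / "evidence"
    manifest = collect_evidence({"logs": [work / "logs" / "build.log"],
                                 "scans": [work / "reports" / "sast.json"]}, evidence)
    clean = verify_evidence(evidence)
    (evidence / "logs" / "build.log").write_text("build ok (edited)\n")   # simulate post-collection tampering
    return manifest, clean, verify_evidence(evidence)
```

In a pipeline the manifest would be written by the evidence-collection job and re-checked when the evidence is handed to the auditor.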
Practical 11: GDPR Data Mapping Exercise
Document:
• What data is collected
• Where data is stored
• Who accesses it
• How long it is retained
• Encryption details
• Access justification
Store mapping under /compliance/gdpr/data-mapping.md.
Practical 12: Conduct Privacy Impact Assessment
Create assessment:
• Data categories
• Processing purpose
• Risks
• Mitigations
• Safeguards
• Approval
Document under /gdpr/pia/.
Practical 13: Validate Encryption Compliance
Check TLS:
nmap --script ssl-enum-ciphers -p 443 example.com
Check storage encryption in AWS (get-bucket-encryption takes one bucket at a time; the volume query lists volumes that are not encrypted):
aws s3api get-bucket-encryption --bucket <bucket-name>
aws ec2 describe-volumes --query 'Volumes[?Encrypted==`false`].VolumeId'
Document results.
Practical 14: Implement Change Management Logs
Create workflow:
• Every deployment must have a ticket ID
• Every ticket must document purpose
• Logs captured automatically
• Changes must be traceable to commit ID
Add templates to /compliance/procedures/changes.md.
Practical 15: Create Incident Response Runbooks
Document:
• Detection
• Logging
• Escalation
• Containment
• Eradication
• Communication
Add runbooks under /compliance/procedures/incident-response/.
Practical 16: Conduct an Internal Audit Simulation
Review:
• Policies
• Evidence
• Logs
• Access controls
• IaC configurations
• Pipeline security
• Threat models
Document audit findings and corrective actions.
Practical 17: Build Continuous Compliance Dashboard
Pull data from:
• SAST
• SCA
• IaC scans
• Secrets scans
• Logs
• Access reviews
Display:
• Violations
• Trends
• Failing policies
• High-risk areas
Integrate dashboard into team workflow.
Practical 18: Create a Compliance Training Program
Record training for:
• GDPR basics
• SOC 2 controls
• ISO domains
• Secure coding
• Access governance
• Incident response
Add training materials under /compliance/training/.
Intel Dump
• Compliance frameworks define legal and security obligations
• ISO 27001 requires policies, risk assessment, controls, and audits
• SOC 2 focuses on security, availability, confidentiality, integrity, and privacy
• GDPR defines strict rules for personal data handling and rights
• Governance enforces policy, access, configuration, and audit controls
• DevSecOps automates compliance through pipelines, scanning, and evidence collection
• Practicals include asset inventory, risk assessment, policies, OPA enforcement, GDPR data mapping, SOC 2 evidence, IaC scanning, encryption validation, incident runbooks, and compliance dashboards