December 6, 2025

ISMS as Code

Automate information security — and finally make it suitable for everyday use

Audit reality

“How do you ensure that your roles in Azure AD are up to date?”

The question comes up in the audit. The answer:

  • A screenshot.
  • An Excel spreadsheet.
  • A shrug?

In practice, information security is often equated with documentation alone.

But it is precisely this paper-heavy view that leads to the typical weaknesses in operations and audits: evidence is incomplete, responsibilities are unclear, and the overview is lost.

Instead of effective management there is additional bureaucratic effort. Policies in Word, evidence in SharePoint, measures in Excel: that may satisfy the auditor, but not the reality of a dynamic organization.

Sounds absurd? It is everyday life.

Regology (State of Regulatory Compliance 2024): according to the survey, 82% of compliance teams are still reliant on manual processes, and 79% use spreadsheets for compliance management [link]

The BSI is also responding: from 2026 it will provide IT-Grundschutz as a machine-readable JSON rule set [5].

Why ISMS is failing today — and how to do it better

Many information security management systems (ISMS) look as if they were written for a static organization:

  • Reactive rather than proactive
  • Paper-heavy instead of integrated
  • Controlling rather than supporting

What if information security were included as a digital teammate, like an intelligent assistant working in the background?

ISMS as code — from document to dynamic system

The question is not whether information security can be automated, but when to start. The modern approach is "ISMS as Code": an automated ISMS that does not merely describe requirements but actively checks and evaluates them. Its characteristics:

  • Requirements are machine-readable and versioned
  • Controls are automated and rule-based
  • Roles, assets, and risks are logically linked

An end-to-end automated, intelligent ISMS is not a luxury, but a necessity — like resilient infrastructure in a fast-growing city.

Not everything needs to be replaced at once. But where processes stall, modular solutions that plug into the existing landscape are needed. Old systems cannot be replaced overnight, but they can be developed further with a clear target picture.

Modularity is key: requirements can be prioritized, implemented iteratively and adapted flexibly. In this way the ISMS remains controllable, even under constant change.

The technical building blocks already exist: OSCAL (Open Security Controls Assessment Language) [1] for machine-readable controls, Rego (the policy-as-code language of Open Policy Agent) [2] for check rules, and Docs as Code [11] for documentation.

As much as technology can automate, there is one thing that cannot be delegated: responsibility must remain human, even in the age of AI. Automation creates clarity, consistency and speed, but it does not replace the duties of the people involved. It can be a team member and sparring partner, but never the leader.

Martin Peters, CEO of Secobo GmbH

The Enterprise Security Graph — Context instead of Chaos

There is plenty of data in an ISMS, but it is rarely connected:

  • Who is responsible?
  • Which role has access to which asset?
  • Which policy covers which risk?

This is exactly where the concept of an Enterprise Security Graph comes in.

One possible approach is the open-source “Emergence Security Graph”: a model that represents security-relevant information (policies, roles, risks, controls, evidence) as a searchable network of relationships.

Example: an asset is linked to a risk and a responsible person is defined, but no control (measure) covers the risk. The graph detects this gap automatically, reports the deviation and records it in an audit-proof way.
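The following is an added example, not code from the article or from any “Emergence Security Graph” project: a minimal security graph in Python with typed nodes and named relations, two consistency rules (a risk without a mitigating control, a control without evidence), the two context queries from the list above (who is responsible for a risk, which policy covers it), and a hashed audit record of the result. The node and relation names and the sample inventory are assumptions chosen for illustration.

```python
"""Minimal Enterprise Security Graph with consistency rules and context queries.

Added example for this article; not code from the article or from any
"Emergence Security Graph" project. Node types (policy, role, asset, risk,
control, evidence), relation names (owned_by, exposed_to, mitigated_by,
required_by, evidenced_by) and the sample inventory are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
import hashlib
import json


class SecurityGraph:
    """Directed graph with typed nodes and named relations."""

    def __init__(self):
        self.nodes = {}                 # node id -> {"type": ..., other attributes}
        self.out = defaultdict(list)    # source id -> [(relation, target id)]
        self.inc = defaultdict(list)    # target id -> [(relation, source id)]

    def add_node(self, node_id, node_type, **attrs):
        self.nodes[node_id] = {"type": node_type, **attrs}

    def add_edge(self, src, relation, dst):
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError(f"dangling edge {src} -{relation}-> {dst}")
        self.out[src].append((relation, dst))
        self.inc[dst].append((relation, src))

    def of_type(self, node_type):
        return [n for n, a in self.nodes.items() if a["type"] == node_type]

    def targets(self, node_id, relation):
        return [d for r, d in self.out[node_id] if r == relation]

    def sources(self, node_id, relation):
        return [s for r, s in self.inc[node_id] if r == relation]


# Consistency rules: each returns (node id, message) pairs for deviations.
def risks_without_control(g):
    return [(r, "risk is not mitigated by any control")
            for r in g.of_type("risk") if not g.targets(r, "mitigated_by")]


def controls_without_evidence(g):
    return [(c, "control has no evidence attached")
            for c in g.of_type("control") if not g.targets(c, "evidenced_by")]


RULES = [risks_without_control, controls_without_evidence]


# Context queries: the answers that are usually missing in a document-based ISMS.
def responsible_for(g, risk_id):
    """Owners of every asset exposed to the risk (risk <- asset -> role)."""
    owners = set()
    for asset in g.sources(risk_id, "exposed_to"):
        owners.update(g.targets(asset, "owned_by"))
    return sorted(owners)


def policies_covering(g, risk_id):
    """Policies reached through a mitigating control (risk -> control -> policy)."""
    policies = set()
    for control in g.targets(risk_id, "mitigated_by"):
        policies.update(g.targets(control, "required_by"))
    return sorted(policies)


def evaluate(g, rules=RULES):
    return [{"rule": rule.__name__, "node": n, "message": m}
            for rule in rules for n, m in rule(g)]


def audit_record(findings, now=None):
    """Canonical JSON plus its SHA-256 digest, so a stored record can be verified later."""
    now = now or datetime.now(timezone.utc).isoformat()
    body = json.dumps({"evaluated_at": now, "findings": findings}, sort_keys=True)
    return {"body": body, "sha256": hashlib.sha256(body.encode()).hexdigest()}


def build_sample_graph():
    """Constructed sample inventory, not real data."""
    g = SecurityGraph()
    g.add_node("pol-access", "policy", title="Access control policy")
    g.add_node("alice", "role", display="Alice, IT operations")
    g.add_node("bob", "role", display="Bob, web team")
    g.add_node("srv-db-01", "asset", kind="database")
    g.add_node("srv-web-02", "asset", kind="web server")
    g.add_node("risk-db-leak", "risk", description="Unauthorised database access")
    g.add_node("risk-web-deface", "risk", description="Website defacement")
    g.add_node("ctl-mfa", "control", title="MFA for administrative accounts")
    g.add_node("ev-mfa-export", "evidence", source="Entra ID sign-in report")
    g.add_edge("srv-db-01", "owned_by", "alice")
    g.add_edge("srv-web-02", "owned_by", "bob")
    g.add_edge("srv-db-01", "exposed_to", "risk-db-leak")
    g.add_edge("srv-web-02", "exposed_to", "risk-web-deface")   # owner set, but no control
    g.add_edge("risk-db-leak", "mitigated_by", "ctl-mfa")
    g.add_edge("ctl-mfa", "required_by", "pol-access")
    g.add_edge("ctl-mfa", "evidenced_by", "ev-mfa-export")
    return g


if __name__ == "__main__":
    graph = build_sample_graph()
    for f in evaluate(graph):
        print(f"[{f['rule']}] {f['node']}: {f['message']}")
    print("responsible for risk-web-deface:", responsible_for(graph, "risk-web-deface"))
    print("audit record digest:", audit_record(evaluate(graph))["sha256"])
```

On the sample data the only finding is the defaced-website risk that has an owner but no control, which is exactly the situation described above; the same rule set runs unchanged against a larger graph exported from a CMDB or GRC tool. The audit record hashes canonical JSON (sorted keys, fixed timestamp) so that two evaluations of the same state produce the same digest and a later modification of the stored record is detectable.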

Introducing an automated ISMS — practical and scalable

A modern ISMS is more than a structured repository. It is a living system integrated into the processes and tool landscape.

Over 2,300 working hours saved: by introducing Microsoft 365 Copilot and Azure-based automation, one company saved more than 2,300 hours on internal audit reporting alone [https://blogs.microsoft.com/]

Five tools and three use cases to get you started:

  1. Structure requirements → e.g. with OSCAL [1]
  2. Model dependencies → e.g. with OpenCRE [3]
  3. Define rule sets → e.g. with Rego/OPA [2]
  4. Integrate automations → e.g. via n8n [9], GitHub Actions [10], Jira workflows
  5. Create context → with a Security Graph
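Step 1 of the list, requirements that are machine-readable and versioned, is what OSCAL provides. The following added example (mine, not from the article or from NIST's OSCAL tooling) loads two versions of a minimal OSCAL catalog, flattens the nested groups and controls into an index, diffs the versions, and checks an OSCAL component definition for coverage. The JSON follows the real OSCAL layout (catalog → groups → controls; component-definition → components → control-implementations → implemented-requirements), but the catalog content, UUIDs and control texts are constructed, and the function names are mine.

```python
"""Machine-readable, versioned requirements with OSCAL JSON.

Added example, not code from the article or from NIST. The catalog and
component-definition documents below are constructed, minimal subsets of
the OSCAL JSON layout; control texts and UUIDs are invented.
"""
import json


def catalog(version, controls):
    """Helper to build a constructed OSCAL catalog with one 'ac' group."""
    return json.dumps({"catalog": {
        "uuid": "00000000-0000-4000-8000-00000000000" + version[-1],
        "metadata": {"title": "Internal baseline", "version": version,
                     "oscal-version": "1.1.2"},
        "groups": [{"id": "ac", "title": "Access control", "controls": [
            {"id": cid, "title": title,
             "parts": [{"name": "statement", "prose": prose}]}
            for cid, title, prose in controls]}]}})


CATALOG_V1 = catalog("1.0", [
    ("ac-1", "Access control policy", "A policy is maintained."),
    ("ac-2", "Account management", "Accounts are reviewed quarterly."),
])
CATALOG_V2 = catalog("1.1", [
    ("ac-1", "Access control policy", "A policy is maintained."),
    ("ac-2", "Account management", "Accounts are reviewed monthly."),   # changed
    ("ac-3", "Access enforcement", "Approved authorisations are enforced."),  # added
])

COMPONENT_DEF = json.dumps({"component-definition": {
    "uuid": "00000000-0000-4000-8000-000000000010",
    "metadata": {"title": "IAM platform", "version": "0.3", "oscal-version": "1.1.2"},
    "components": [{
        "uuid": "00000000-0000-4000-8000-000000000011",
        "type": "service", "title": "Entra ID", "description": "Identity provider",
        "control-implementations": [{
            "uuid": "00000000-0000-4000-8000-000000000012",
            "source": "catalog.json", "description": "Baseline implementation",
            "implemented-requirements": [
                {"uuid": "00000000-0000-4000-8000-000000000013",
                 "control-id": "ac-1", "description": "Policy kept in the docs repo"},
                {"uuid": "00000000-0000-4000-8000-000000000014",
                 "control-id": "ac-9", "description": "references a control that does not exist"},
            ]}]}]}})


def catalog_version(catalog_json):
    return json.loads(catalog_json)["catalog"]["metadata"]["version"]


def index_controls(catalog_json):
    """Flatten a catalog into {control id: statement prose}.
    Groups and controls can nest, so walk the tree recursively."""
    index = {}

    def walk(container):
        for group in container.get("groups", []):
            walk(group)
        for ctl in container.get("controls", []):
            prose = " ".join(p.get("prose", "") for p in ctl.get("parts", [])
                             if p.get("name") == "statement")
            index[ctl["id"]] = prose
            walk(ctl)   # controls may carry sub-controls (enhancements)

    walk(json.loads(catalog_json)["catalog"])
    return index


def diff_catalogs(old_json, new_json):
    """Which requirements were added, removed or reworded between two versions."""
    old, new = index_controls(old_json), index_controls(new_json)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(c for c in old.keys() & new.keys() if old[c] != new[c])}


def coverage(catalog_json, component_json):
    """Controls implemented by some component, controls nobody claims,
    and implemented-requirements pointing at control ids the catalog lacks."""
    controls = index_controls(catalog_json)
    implemented, unknown = set(), set()
    for comp in json.loads(component_json)["component-definition"].get("components", []):
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                cid = req["control-id"]
                (implemented if cid in controls else unknown).add(cid)
    return {"implemented": sorted(implemented),
            "uncovered": sorted(set(controls) - implemented),
            "unknown": sorted(unknown)}


if __name__ == "__main__":
    print(catalog_version(CATALOG_V1), "->", catalog_version(CATALOG_V2),
          diff_catalogs(CATALOG_V1, CATALOG_V2))
    print(coverage(CATALOG_V2, COMPONENT_DEF))
```

Because the catalog is data rather than a Word file, a version bump becomes a reviewable diff (here: ac-3 added, ac-2 reworded) and the coverage check can run in CI on every change to either the catalog or the component definition; the dangling reference to ac-9 is the kind of inconsistency that a spreadsheet would silently carry along.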

1. Ownership check: does every resource in Azure, AWS or GCP have an assigned owner? An automated reconciliation with Entra ID detects gaps immediately and reports them.

2. Automated role review: compare the roles defined in policies with the real permissions in Azure AD (Entra ID), GitHub and Jira. Deviations automatically generate tasks in the ticket system.

3. Verify data classification: Microsoft Purview can link classified data with its protection requirements. On a discrepancy, an automated notification is sent [8].
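Use cases 1 and 2 are the same pattern: a versioned statement of intent, a snapshot of reality, a diff, and a ticket per deviation. The following added example (mine, not from the article, Microsoft or GitHub) implements that pattern in Python on constructed data: an owner tag is only valid if the owner exists and is enabled in the directory, and role drift is reported in three flavours (unexpected, missing, assigned to a disabled account). The policy, directory and permission snapshots are constructed constants standing in for Graph API and GitHub API exports, and the ticket field names are assumptions rather than any tracker's real schema.

```python
"""Ownership check and role review as drift detection.

Added example, not code from the article or from Microsoft/GitHub tooling.
POLICY_ROLES, DIRECTORY, ACTUAL_ROLES and RESOURCES are constructed data
standing in for a policy file in git and for Graph API / GitHub API exports;
the ticket payload fields are assumed, not a real tracker schema.
"""

# Intended assignments, versioned alongside the policies (e.g. YAML in git).
POLICY_ROLES = {
    "entra:Global Administrator": {"alice@example.com"},
    "entra:Security Reader": {"bob@example.com", "carol@example.com"},
    "github:org-admin": {"alice@example.com"},
}

# Directory export: which accounts exist and whether they are enabled.
DIRECTORY = {
    "alice@example.com": {"enabled": True},
    "bob@example.com": {"enabled": True},
    "carol@example.com": {"enabled": False},   # left the company
    "dave@example.com": {"enabled": True},
}

# Snapshot of real assignments, as returned by the identity provider / GitHub.
ACTUAL_ROLES = {
    "entra:Global Administrator": {"alice@example.com", "dave@example.com"},
    "entra:Security Reader": {"bob@example.com"},
    "github:org-admin": {"alice@example.com"},
}

# Cloud inventory with an owner tag per resource.
RESOURCES = [
    {"id": "/subscriptions/s1/rg-prod/vm-01", "owner": "alice@example.com"},
    {"id": "/subscriptions/s1/rg-prod/sql-01", "owner": "carol@example.com"},
    {"id": "/subscriptions/s1/rg-dev/vm-07", "owner": None},
]


def check_ownership(resources, directory):
    """Every resource needs an owner who exists in the directory and is enabled.
    Returns (resource id, reason) pairs for violations."""
    findings = []
    for res in resources:
        owner = res.get("owner")
        if not owner:
            findings.append((res["id"], "no owner tag"))
        elif owner not in directory:
            findings.append((res["id"], f"owner {owner} not found in directory"))
        elif not directory[owner]["enabled"]:
            findings.append((res["id"], f"owner {owner} is disabled"))
    return findings


def review_roles(policy, actual, directory):
    """Compare intended with real assignments. Per role: 'unexpected' (held but
    not in policy), 'missing' (in policy but not held), 'disabled' (held by a
    disabled account). Roles without drift are omitted."""
    drift = {}
    for role in sorted(set(policy) | set(actual)):
        want, have = policy.get(role, set()), actual.get(role, set())
        entry = {
            "unexpected": sorted(have - want),
            "missing": sorted(want - have),
            "disabled": sorted(u for u in have
                               if not directory.get(u, {}).get("enabled", False)),
        }
        if any(entry.values()):
            drift[role] = entry
    return drift


def to_tickets(ownership_findings, role_drift):
    """One ticket per deviation (field names assumed; a real integration maps
    them onto the Jira or GitHub Issues API)."""
    tickets = [{"summary": f"Assign a valid owner to {res_id}", "detail": why,
                "labels": ["ownership"]} for res_id, why in ownership_findings]
    for role, entry in role_drift.items():
        for kind, users in entry.items():
            for user in users:
                tickets.append({"summary": f"Role review: {user} is {kind} in {role}",
                                "detail": "intended assignments are defined in the policy repo",
                                "labels": ["role-review"]})
    return tickets


if __name__ == "__main__":
    ownership = check_ownership(RESOURCES, DIRECTORY)
    drift = review_roles(POLICY_ROLES, ACTUAL_ROLES, DIRECTORY)
    for ticket in to_tickets(ownership, drift):
        print(ticket["labels"][0], "|", ticket["summary"])
```

Note the two cases a plain "does the tag exist" check would miss: sql-01 has an owner tag, but that account is disabled, and the Security Reader role is held by fewer people than the policy intends because Carol has left. Both surface only because the reconciliation joins the inventory and the role snapshot against the directory.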

Conclusion

Governance, risk and compliance do not take effect in the audit report but in daily operations, exactly where support is needed or risks arise.

Now is the right time to start. Anyone who integrates automation, context and control today builds the necessary know-how and stays adaptable in an increasingly dynamic and regulated world.

Whether it is a specific use case or a holistic concept, you can get started quickly, in a structured and practical way.

We support you hands-on, technology-agnostic and with a clear eye for what is feasible.

Click here to book a non-binding strategy meeting.

Glossary

  • ISMS — Information security management system
  • OSCAL — Open Security Controls Assessment Language, NIST's machine-readable format for control catalogs, implementations and assessments
  • Rego/OPA — Rules as code (policy as code): Rego is the rule language of the Open Policy Agent
  • Enterprise Security Graph — Context model linking ISMS data (policies, roles, risks, assets, controls, evidence)
  • OpenCRE — Open-source mapping of relationships between standards and requirements

Authors:
Martin Peters
References
  1. NIST OSCAL (Open Security Controls Assessment Language): description and resources on the machine-readable modelling of security requirements. https://pages.nist.gov/OSCAL/
  2. Open Policy Agent (OPA) & Rego, policy as code: explanation and practical examples of automated check rules in code form. https://www.openpolicyagent.org/
  3. OpenCRE (Common Requirement Enumeration): standardised mapping of the relationships between requirements, controls and standards. https://www.opencre.org/
  4. NIST SP 800-137, Continuous Monitoring Strategy: guideline for the continuous monitoring of information security. https://csrc.nist.gov/publications/detail/sp/800-137/rev-1/draft
  5. BSI IT-Grundschutz / Grundschutz JSON from 2026: announcement that IT-Grundschutz modules will be provided as JSON data. https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/IT-Grundschutz/IT-Grundschutz-Kataloge/it-grundschutz-kataloge_node.html
  6. ENISA, Continuous Monitoring in Cloud Environments: recommendations of the EU Agency for Cybersecurity on continuous monitoring. https://www.enisa.europa.eu/publications/guidelines-for-securing-the-infrastructure-for-cloud-services
  7. ISACA & Red Hat study, State of Enterprise Open Source: market data on the planned adoption of continuous compliance and the obstacles to it. https://www.redhat.com/en/resources/state-enterprise-open-source-report
  8. Microsoft Purview, data classification and protection-needs analysis: platform for automated data governance and compliance in Microsoft 365. https://learn.microsoft.com/en-us/purview/
  9. n8n, automation platform with a self-hosting focus: low-code automation for security processes, suitable for ISMS workflows. https://n8n.io/
  10. GitHub Actions, automation and policy as code in CI/CD: native automation for audits, evidence generation and security checks. https://docs.github.com/en/actions
  11. Docs-as-Code approach: treating and managing documentation like software code, with versioning, CI/CD, tests and integration into developer workflows. https://docs-as-co.de/