hb.dev

Kubernetes security evaluation for ISO 27001 certification

15 October 2025 · Payment processing client · Fintech / Critical infrastructure

Migrating from on-premises servers to the cloud changes the security model entirely. When the workload is payment processing and the target is ISO 27001 certification, every assumption about how the platform is configured needs to be verified, not inherited.

The challenge

Our client processes payments for a large number of downstream businesses. They were migrating their entire service estate from on-premises servers to Azure Kubernetes Service (AKS) and needed to achieve ISO 27001 certification for the new platform.

ISO 27001 requires demonstrable controls across information security management: access control, cryptography, operations security, communications security, and more. Annex A is written in platform-neutral terms, so mapping its controls onto a Kubernetes environment is not straightforward: the evidence for a control such as segregation of networks is a set of NetworkPolicy objects and the CNI that enforces them, not a firewall rulebase. The platform had been built under delivery pressure, and the team needed an independent evaluation of where they stood before going into the certification process.

The stakes were high:

  • Payment processing is critical infrastructure with strict regulatory requirements
  • A failed certification would delay the migration and impact client confidence
  • Security gaps in a payment platform carry financial and legal consequences beyond the certification itself
  • The team needed a clear, prioritised view of what to fix and in what order

Our approach

We conducted a systematic security evaluation of the AKS platform, mapping ISO 27001 Annex A controls to the Kubernetes environment and assessing compliance across every relevant area.

Platform: Azure Kubernetes Service (AKS)
Standard: ISO 27001:2022
Sector: Payment processing
Migration: On-premises to Azure

Network segmentation

We assessed network policies, ingress controls, and namespace isolation. Kubernetes permits all pod-to-pod traffic by default: a pod is only isolated once a NetworkPolicy selects it, and then only for the directions (ingress, egress) that the policy covers. On AKS there is a further trap: NetworkPolicy objects are accepted by the API server but silently ignored unless the cluster was created with a network policy engine (Azure, Calico or Cilium), so the presence of manifests is not evidence of enforcement. For a payment processing platform, unrestricted east-west traffic means a compromise in one service gives an attacker lateral access to sensitive financial data across the cluster. We evaluated whether a default-deny policy covered every namespace in both directions, whether ingress was restricted to the ingress controller and the services that needed it, and whether these network-level controls met the ISO 27001 requirements for network security and segregation of networks (Annex A 8.20 and 8.22).
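The default-deny check described above, as an added example written for this case study rather than tooling from the client's platform. It consumes the shape `kubectl get networkpolicies -A -o json` returns and reproduces the API server's defaulting of `spec.policyTypes`, which is where the usual mistake hides: a policy with `podSelector: {}` and an empty `egress: []` but no `policyTypes` isolates ingress only. The namespaces and policies below are constructed for the example.

```python
"""Default-deny NetworkPolicy check per namespace and direction.

Added example for this case study, not the client's tooling. Input has the shape of
`kubectl get networkpolicies -A -o json` (a List whose `items` are NetworkPolicy
objects). SAMPLE is constructed; the namespace names are made up.
"""
from __future__ import annotations

DIRECTIONS = ("Ingress", "Egress")


def selects_all_pods(pod_selector: dict | None) -> bool:
    """`podSelector: {}` (or an omitted selector) matches every pod in the namespace."""
    if not pod_selector:
        return True
    return not pod_selector.get("matchLabels") and not pod_selector.get("matchExpressions")


def effective_policy_types(spec: dict) -> set[str]:
    """Reproduce the API server's defaulting of spec.policyTypes: when omitted, the policy
    affects Ingress, and Egress only if the egress list is non-empty. A policy with
    `egress: []` and no policyTypes therefore isolates ingress only."""
    types = spec.get("policyTypes")
    if types:
        return set(types)
    defaulted = {"Ingress"}
    if spec.get("egress"):
        defaulted.add("Egress")
    return defaulted


def default_deny_status(policy_list: dict, namespaces: list[str]) -> dict[str, dict[str, bool]]:
    """Per namespace and direction: True if some policy selects every pod for that direction.
    A selected pod is isolated for that direction and only receives traffic that some policy
    explicitly allows; allow rules inside the same policy do not change that."""
    status = {ns: {d: False for d in DIRECTIONS} for ns in namespaces}
    for item in policy_list.get("items", []):
        ns = item["metadata"]["namespace"]
        spec = item.get("spec", {})
        if ns not in status or not selects_all_pods(spec.get("podSelector")):
            continue  # isolating a labelled subset is not namespace-wide default deny
        for direction in effective_policy_types(spec) & set(DIRECTIONS):
            status[ns][direction] = True
    return status


def namespaces_without_default_deny(policy_list: dict, namespaces: list[str]) -> list[str]:
    """Namespaces not isolated in both directions, i.e. the finding list for the report."""
    return sorted(
        ns for ns, dirs in default_deny_status(policy_list, namespaces).items()
        if not all(dirs.values())
    )


def _np(name: str, ns: str, spec: dict) -> dict:
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": ns}, "spec": spec}


# Constructed sample: three namespaces in three different states.
SAMPLE = {"kind": "List", "items": [
    # payments: correct default deny in both directions (no rules, so nothing is allowed)
    _np("default-deny-all", "payments",
        {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}),
    # ledger: looks like default deny, but policyTypes is omitted and egress is empty,
    # so the API server defaults it to Ingress only
    _np("default-deny", "ledger", {"podSelector": {}, "ingress": [], "egress": []}),
    # ledger: egress restriction that only covers pods labelled app=api
    _np("api-egress", "ledger",
        {"podSelector": {"matchLabels": {"app": "api"}}, "policyTypes": ["Egress"],
         "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"name": "payments"}}}]}]}),
    # reporting: no policies at all
]}

if __name__ == "__main__":
    namespaces = ["payments", "ledger", "reporting"]
    for ns, dirs in default_deny_status(SAMPLE, namespaces).items():
        print(f"{ns:10} ingress={dirs['Ingress']!s:5} egress={dirs['Egress']}")
    print("findings:", namespaces_without_default_deny(SAMPLE, namespaces))
```

On a real cluster the namespace list comes from `kubectl get ns`, and the check is only meaningful after confirming the cluster has a network policy engine (on AKS, `az aks show --query networkProfile.networkPolicy` should not be empty); the script deliberately does not try to infer that from the manifests, because it cannot.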

Secrets management

ISO 27001 requires controls around cryptography and key management (Annex A 8.24) and around access to information (Annex A 5.15). We reviewed how secrets were created, stored, rotated, and accessed across the platform. A Kubernetes Secret is base64-encoded, not encrypted: its confidentiality rests on the encryption of etcd at rest (on AKS the managed etcd is encrypted by Azure, optionally under a customer-managed key in Key Vault through the KMS integration) and on RBAC. We therefore checked whether at-rest encryption met the client's key management requirements, whether rotation schedules existed and were actually followed, whether RBAC limited get and list on Secrets to the workloads and operators that genuinely needed them (a cluster-wide read on Secrets is equivalent to holding every credential on the platform), and whether high-value credentials such as payment provider keys were held in an external store such as Azure Key Vault and mounted on demand rather than copied into the cluster.

Change management

The standard requires a documented change management process with an audit trail (Annex A 8.32). We assessed the GitOps configuration, environment promotion workflows, and whether every change to production could be traced back to an approved pull request: the cluster state should be reconciled from Git, so that an out-of-band kubectl apply is either not permitted or surfaces as drift. This included reviewing how configuration differed between environments and whether the repository structure supported clear, reviewable promotions rather than copy-and-edit between environment directories.

Pod security

We evaluated container security posture: whether containers ran as root, whether resource limits were enforced, whether image provenance was verified (signed images pinned by digest rather than mutable tags), and whether policy enforcement prevented deployment of non-compliant workloads, for example Pod Security Admission enforcing the restricted profile on each namespace plus an admission policy for the checks it does not cover. ISO 27001 requires configuration management and a secure development life cycle (Annex A 8.9 and 8.25), and in a Kubernetes context this maps directly to how pods are configured and what is allowed to run.
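The pod checks above as an added example for this case study (not the client's tooling): an audit over the shape `kubectl get pods -A -o json` returns, with a weak pod beside its hardened form. The first five checks are what the Pod Security Standards restricted profile enforces; the remaining three (read-only root filesystem, cpu and memory limits, image pinned by digest) are not covered by Pod Security Admission and need a separate admission policy. The pods, registry name and digest are constructed.

```python
"""Pod hardening audit over `kubectl get pods -A -o json` output.

Added example for this case study, not the client's tooling. The WEAK and HARDENED
pods, the registry name and the digest are constructed for the example.
"""
from __future__ import annotations


def effective(container: dict, pod_spec: dict, key: str):
    """Container-level securityContext overrides the pod-level one field by field."""
    csc = container.get("securityContext") or {}
    psc = pod_spec.get("securityContext") or {}
    return csc.get(key, psc.get(key))


def audit_container(container: dict, pod_spec: dict) -> list[str]:
    """First five checks: what the PSS `restricted` profile enforces.
    Last three: not covered by Pod Security Admission; need an admission policy."""
    csc = container.get("securityContext") or {}
    findings = []
    if effective(container, pod_spec, "runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not true")
    if csc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not explicitly false")
    if csc.get("privileged"):
        findings.append("privileged container")
    if "ALL" not in ((csc.get("capabilities") or {}).get("drop") or []):
        findings.append("capabilities.drop does not include ALL")
    seccomp = (effective(container, pod_spec, "seccompProfile") or {}).get("type")
    if seccomp not in ("RuntimeDefault", "Localhost"):
        findings.append("seccompProfile is not RuntimeDefault/Localhost")
    if not csc.get("readOnlyRootFilesystem"):
        findings.append("root filesystem is writable")
    limits = (container.get("resources") or {}).get("limits") or {}
    if not {"cpu", "memory"}.issubset(limits):
        findings.append("cpu/memory limits missing")
    if "@sha256:" not in container.get("image", ""):
        findings.append("image not pinned by digest")
    return findings


def audit_pod(pod: dict) -> dict[str, list[str]]:
    """Findings keyed by 'namespace/pod' (pod-level) and 'namespace/pod/container'."""
    spec = pod["spec"]
    name = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
    out: dict[str, list[str]] = {}
    host_ns = [f"host{k} enabled" for k in ("Network", "PID", "IPC") if spec.get(f"host{k}")]
    if host_ns:
        out[name] = host_ns
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        findings = audit_container(c, spec)
        if findings:
            out[f"{name}/{c['name']}"] = findings
    return out


def audit_pod_list(pod_list: dict) -> dict[str, list[str]]:
    """Run audit_pod over a `kubectl get pods -A -o json` List."""
    out = {}
    for pod in pod_list.get("items", []):
        out.update(audit_pod(pod))
    return out


# Constructed 'before': the kind of spec that ships under delivery pressure.
WEAK = {
    "metadata": {"namespace": "payments", "name": "payments-api-1"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "api",
                        "image": "registry.example.internal/payments-api:latest",
                        "securityContext": {"privileged": True}}],
    },
}

# Constructed 'after': passes the restricted profile and the three extra checks.
HARDENED = {
    "metadata": {"namespace": "payments", "name": "payments-api-2"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api",
            "image": "registry.example.internal/payments-api@sha256:" + "0" * 64,
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for key, findings in audit_pod_list({"items": [WEAK, HARDENED]}).items():
        print(key)
        for f in findings:
            print("  -", f)
```

Auditing is the evidence-gathering step; the control itself is enforcement, so the corresponding fix is to label each workload namespace with `pod-security.kubernetes.io/enforce=restricted` (with `warn` and `audit` first, to find what would break) and to cover the last three checks with an admission policy, since a pod that passes this script today can be replaced by one that does not tomorrow.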

Observability and audit

ISO 27001 requires event logging and monitoring (Annex A 8.15 and 8.16) and the ability to detect and respond to security incidents. We assessed the logging stack, alerting configuration, log retention policies, and whether runtime security monitoring was in place. Kubernetes API server audit logs are the record of who changed what in the cluster; on AKS they are only retained if the cluster's diagnostic settings export them, so we checked that this was configured and that retention met the client's policy. For a payment platform, the ability to reconstruct what happened during an incident is not optional.

Results

The evaluation delivered a comprehensive compliance gap analysis mapped directly to ISO 27001 Annex A controls.

  • 5 key areas assessed, mapped to Annex A controls
  • Standard: ISO 27001, 2022 revision
  • Platform evaluated: AKS, full cluster review
  • Remediation roadmap: prioritised, risk-ranked findings

Each finding was mapped to the relevant ISO 27001 control, rated by risk severity, and accompanied by specific remediation guidance. The client received a prioritised roadmap: what to fix first to close the highest-risk gaps, and what could be addressed incrementally. The evaluation gave the team a clear, evidence-based picture of their compliance posture and a concrete path toward certification.

Client feedback

They found gaps our internal team had missed for months. The prioritised roadmap meant we could start remediating the same week.

We went into the certification process knowing exactly where we stood. No surprises.

Working on a similar challenge?

We build AI systems for defence and critical infrastructure clients across Northern Europe. Let's talk about what's possible for your environment.
