INFRA-10 Infrastructure as Code

What is this control about?

Infrastructure as Code (IaC) is managing the infrastructure through code instead of manual process. If your organization is managing infrastructure through code, it must be documented in your policy.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them.

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

• N/A – no templates recommendation

Control implementation

Note: This control is 100% automated by TrustCloud. Connect your system to enjoy the benefit of automation

For a manual implementation: 

Implement an IaC tool and consider the following:

1. Keep and maintain a configuration file
2. Version control on all config files
3. Regularly test and monitor the configurations

If IaC tool is not used:

• Document your IaC code changes process in your change management policy and follow the code change process for each infrastructure code change

What evidence do auditors look for?

Most auditors, at a minimum are looking for the below suggested action:

• Provide the IaC configuration file that shows the version control and latest test

If IaC tool is not used:

• Provide most recent example of infrastructure code change ticket documentation

Evidence example

From the suggested action above, an example is provided below.

1. Provide the IaC configuration file that shows the version control and latest test.

Example of an IaC configuration, provide the full configuration file to the auditor

Google search

2. Provide most recent example of infrastructure code change ticket documentation

• See screenshots under PDP-8