
Practice: Compliance-as-Code

Purpose and Strategic Importance

Compliance-as-Code transforms regulatory and organisational compliance requirements into testable, automated code. It eliminates manual checks, reduces audit fatigue, and embeds governance into day-to-day engineering workflows - improving trust, consistency, and velocity.

By codifying controls for environments, infrastructure, and pipelines, organisations ensure security and compliance at scale without slowing down delivery.


Description of the Practice

  • Compliance rules (e.g. encryption, tagging, IAM boundaries) are written as declarative code using policy engines and scanning tools.
  • Common tools include Open Policy Agent (OPA), InSpec, Chef Compliance, Conftest, and tfsec.
  • Policies run in CI/CD pipelines, cloud platforms, or configuration management tools to prevent drift and enforce standards.
  • Reports are generated for internal visibility and audit readiness.

How to Practise It (Playbook)

1. Getting Started

  • Identify key compliance controls applicable to your environments (e.g. CIS benchmarks, GDPR, HIPAA, NIST).
  • Select a policy engine that supports your infrastructure and tooling ecosystem.
  • Define a small set of critical controls as code - test on dev/staging environments.
  • Integrate these checks into pull requests, pipelines, or infrastructure provisioning flows.
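As an added illustration of the practice described above and of the Getting Started steps (example code written for this page, not the site's or any listed tool's own code): a small set of controls for encryption, tagging and IAM boundaries, expressed in plain Python rather than a policy engine's language, evaluated against a constructed Terraform-style plan so that each violation message carries the context a developer needs to fix it. The plan layout, tag names and control ids are assumptions.

```python
import json
REQUIRED_TAGS = ("owner", "data-class")
# Constructed sample in the shape of Terraform's JSON plan ("resource_changes"), not from the page.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"after": {"tags": {"owner": "platform", "data-class": "internal"},
                          "server_side_encryption_configuration": {"rule": {}}}}},
    {"address": "aws_s3_bucket.uploads", "type": "aws_s3_bucket",   # deliberately non-compliant
     "change": {"after": {"tags": {"owner": "web"}}}},
    {"address": "aws_iam_policy.ci", "type": "aws_iam_policy",       # deliberately non-compliant
     "change": {"after": {"tags": {"owner": "ci", "data-class": "internal"},
                          "policy": json.dumps({"Statement": [{"Effect": "Allow",
                                                                "Action": "*", "Resource": "*"}]})}}},
]}

def as_list(v):  # IAM documents allow a string or a list for Statement and Action
    return v if isinstance(v, list) else [v]
# Each control returns messages naming the resource, problem, fix and control id (assumed ids).
def check_tags(res):
    missing = [t for t in REQUIRED_TAGS if t not in res["change"]["after"].get("tags", {})]
    return [f"{res['address']}: missing tag(s) {missing}; add them so ownership and "
            f"data classification are traceable [TAG-1]"] if missing else []

def check_bucket_encryption(res):
    after = res["change"]["after"]
    if res["type"] == "aws_s3_bucket" and "server_side_encryption_configuration" not in after:
        return [f"{res['address']}: no server_side_encryption_configuration; data at rest "
                f"must be encrypted [ENC-1]"]
    return []

def check_iam_boundary(res):
    if res["type"] != "aws_iam_policy":
        return []
    doc = json.loads(res["change"]["after"]["policy"])
    return [f"{res['address']}: Allow on wildcard action {s.get('Action')}; scope the policy "
            f"to the specific actions the workload needs [IAM-1]"
            for s in as_list(doc.get("Statement", []))
            if s.get("Effect") == "Allow"
            and any(a == "*" or a.endswith(":*") for a in as_list(s.get("Action", [])))]

CONTROLS = (check_tags, check_bucket_encryption, check_iam_boundary)

def evaluate(plan):
    return [m for res in plan["resource_changes"] if res["change"].get("after")
            for ctrl in CONTROLS for m in ctrl(res)]

if __name__ == "__main__":
    violations = evaluate(SAMPLE_PLAN)
    print("\n".join(violations) or "all controls passed")
    raise SystemExit(1 if violations else 0)  # non-zero exit fails the pipeline stage
```

Resources being destroyed have `after: null` in a real plan, which `evaluate` skips. In practice the same controls would be written in the chosen engine's language (for example Rego for OPA or Conftest) and the non-zero exit used to block the pipeline stage.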

2. Scaling and Maturing

  • Expand coverage to infrastructure, CI/CD, application configs, and runtime policies.
  • Apply policies uniformly across environments using reusable modules or baselines.
  • Automate enforcement via allow/block rules, warnings, or drift detection alerts.
  • Link controls to standards and evidence - generate artefacts for audit trails.
  • Enable self-service for developers to run checks before code merges or releases.

3. Team Behaviours to Encourage

  • Treat compliance as a shared engineering concern, not just a security task.
  • Write policies that are transparent, testable, and open to peer review.
  • Use violations as opportunities for learning, not punishment.
  • Pair compliance teams with engineering to translate requirements into automation.

4. Watch Out For…

  • Overly rigid policies that create friction or hinder experimentation.
  • Lack of context in failure messages that confuse developers.
  • Inconsistent enforcement across environments leading to policy drift.
  • Neglecting regular updates to reflect changing regulations or systems.

5. Signals of Success

  • Compliance checks are automated, visible, and embedded in delivery workflows.
  • Engineers understand and contribute to policy enforcement.
  • Audit cycles are faster, with clear traceability to evidence and controls.
  • Non-compliance is rare, short-lived, and resolved proactively.
  • Compliance supports - not blocks - innovation and velocity.

Associated Standards
  • Policy enforcement is automated across environments
  • Operational tasks are automated before they become recurring toil
  • Operational readiness is tested before every major release
  • Product and engineering decisions are backed by live data
  • Codebases consistently meet high standards of quality
