Compliance-as-Code Engineering

Replace manual evidence collection with automated, auditable pipelines.

The problem

Manual compliance evidence collection — screenshots, spreadsheets, shared drives, email chains — is slow, error-prone, and does not scale. When an auditor asks for six months of access logs, the answer should not be 'give us a week.' Every control that requires a human to remember to collect evidence is a control that will eventually have gaps. Compliance-as-Code builds evidence collection into the systems themselves — making compliance continuous, consistent, and auditable by design.

Our methodology

  • Assessment of current compliance evidence collection processes — what is manual, what takes the most time, what has gaps
  • Identification of automatable controls — which evidence can be pulled via API rather than collected by hand
  • Python-based pipeline development for identified controls
  • Cloud-native integration with Azure, Microsoft 365 Graph API, and Cloudflare where applicable
  • Version-controlled compliance artefacts — evidence stored in Git, with full change history
  • Automated report generation — structured compliance reports produced on schedule without manual assembly
  • Handover and training session — your team can maintain and extend the pipelines

What you will receive

  • Compliance automation assessment report
  • Working pipeline code (Python, documented, version-controlled)
  • Integration documentation for all connected systems
  • Automated report templates
  • Handover and training session (2 hours)
  • Maintenance guide for extending the pipeline to new controls

Estimated timeline

Scoped per engagement — typically 6–10 weeks for initial build. Maintenance and extension available as retainer.

Overview

Compliance evidence has traditionally been a manual, labour-intensive process — someone opens a spreadsheet, takes screenshots, saves files to a shared drive, and hopes the folder is still there when the auditor comes. Compliance-as-Code replaces that with automated, version-controlled pipelines that collect evidence continuously, consistently, and at scale.

The result: when an auditor asks for evidence, you generate the report in minutes, not days.

The Problem with Manual Evidence

Every manual evidence collection step introduces risk: the step is forgotten, the wrong screenshot is taken, the folder gets reorganised, the spreadsheet formula breaks. Over time, evidence gaps accumulate. When an audit arrives, the scramble to reconstruct what happened six months ago is both expensive and unreliable.

The real cost of manual compliance is not just the hours — it is the quality of the evidence when it matters.

What Automation Looks Like

For Microsoft 365, an automated pipeline might:

  1. Pull the current Conditional Access policy list from Graph API every morning
  2. Record the MFA enforcement status for all users
  3. Extract the audit log for privileged role changes over the past 30 days
  4. Assemble these into a structured monthly compliance report
  5. Commit all evidence to a Git repository with timestamps

This runs without anyone remembering to do it. The evidence is always current, always consistent, and always auditable.

A Simple Example

# Fetch MFA status for all users via Microsoft Graph API
import requests

def get_mfa_status(access_token: str) -> list:
    # Graph paginates large result sets; follow @odata.nextLink until it is absent
    url = "https://graph.microsoft.com/v1.0/reports/credentialUserRegistrationDetails"
    headers = {"Authorization": f"Bearer {access_token}"}
    records = []
    while url:
        response = requests.get(url, headers=headers, timeout=30)
        response.raise_for_status()  # surface auth/permission errors instead of returning nothing
        payload = response.json()
        records.extend(payload.get("value", []))
        url = payload.get("@odata.nextLink")
    return records

This is one control, automated. We build pipelines covering dozens of controls — tailored to the frameworks you need to evidence.

Handover and Ownership

We do not build black boxes. Every pipeline is documented, every integration explained, every dependency listed. The handover session ensures your team can run it, maintain it, and extend it to new controls as your compliance programme grows. You own the code.

Frequently asked questions

What compliance frameworks can this work for?

The approach is framework-agnostic — we automate the evidence collection for specific controls, regardless of which framework those controls belong to. We have experience building pipelines for ISO 27001, PCI-DSS, NIST CSF, APRA CPS 234, and CIS Benchmarks. For Tanzanian SMEs, we can target Tanzania PDPA evidence collection and BoT compliance reporting.

Do we need DevOps capability in-house to maintain this?

Not necessarily. We write pipelines that are designed to be maintainable by someone with basic Python familiarity — not a software engineer. The handover session covers how to run the pipeline, how to update API credentials, how to add new controls, and what to do when something breaks. For organisations with no technical capacity, we can offer a managed pipeline service as part of an ongoing retainer.

Can you integrate with our existing tools?

Likely yes. If your tools have an API — and most modern cloud tools do — we can integrate. We have built pipelines integrating with Microsoft Graph API (M365), Azure Resource Manager, Cloudflare APIs, and various GRC and ITSM platforms. We assess your tooling landscape during the scoping phase and confirm what is feasible before engagement begins.

What does 'version-controlled compliance artefacts' mean in practice?

Instead of saving evidence screenshots to a shared drive (where they can be overwritten, deleted, or lost), evidence is committed to a Git repository with a timestamp, hash, and full change history. An auditor can see exactly what was collected, when it was collected, and whether it has been modified since. This is far more defensible than a folder of screenshots.
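The final pipeline step above (committing evidence with timestamps) and this answer both rest on the same idea: each evidence pull is written to a dated path, its SHA-256 is recorded in a manifest, and the manifest can later be checked to prove nothing was altered. The following is an added illustration, not the pipeline code this service delivers; the repository layout, the manifest file name and the MFA sample records are assumptions constructed for the example, and the actual `git commit` of the repository directory is left to the scheduler that runs the pull.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SAMPLE_EVIDENCE = {"users": [  # constructed sample of an MFA registration pull
    {"userPrincipalName": "alice@example.test", "isMfaRegistered": True},
    {"userPrincipalName": "bob@example.test", "isMfaRegistered": False}]}

def canonical_bytes(evidence: dict) -> bytes:
    # Stable key order and spacing so identical evidence always hashes identically
    return json.dumps(evidence, sort_keys=True, separators=(",", ":")).encode("utf-8")

def write_evidence(repo: Path, control_id: str, evidence: dict, collected_at: datetime) -> dict:
    """Store one pull under <repo>/<control>/<UTC timestamp>.json and append its
    SHA-256 to manifest.jsonl; the repo directory is what gets committed to Git."""
    body = canonical_bytes(evidence)
    rel_path = Path(control_id) / f"{collected_at.strftime('%Y-%m-%dT%H%M%SZ')}.json"
    (repo / rel_path).parent.mkdir(parents=True, exist_ok=True)
    (repo / rel_path).write_bytes(body)
    entry = {"control": control_id, "path": rel_path.as_posix(),
             "collected_at": collected_at.isoformat(), "sha256": hashlib.sha256(body).hexdigest()}
    with (repo / "manifest.jsonl").open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry

def verify_manifest(repo: Path) -> list:
    """Return the relative paths whose current content no longer matches the recorded hash."""
    tampered = []
    for line in (repo / "manifest.jsonl").read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        digest = hashlib.sha256((repo / entry["path"]).read_bytes()).hexdigest()
        if digest != entry["sha256"]:
            tampered.append(entry["path"])
    return tampered

def run_demo() -> dict:
    """Write the sample, verify it, then simulate an edited file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        entry = write_evidence(repo, "MFA-01", SAMPLE_EVIDENCE,
                               datetime(2024, 1, 15, 6, 0, tzinfo=timezone.utc))
        clean = verify_manifest(repo)
        # Someone "tidies" the evidence file after collection; the manifest catches it
        (repo / entry["path"]).write_text('{"users": []}', encoding="utf-8")
        return {"entry": entry, "before": clean, "after": verify_manifest(repo)}
```

In a real pipeline the manifest and evidence files are committed together, so Git's own history records who changed what and when, while the hashes let an auditor confirm the committed content is exactly what was collected.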

We are a small business. Is this too advanced for us?

The scale of the initial build should match your compliance programme's maturity. For a small business starting with Tanzania PDPA compliance, we might automate three or four key evidence points — a data inventory pull, an access log export, and a monthly report generator. This is meaningful without being overwhelming. The system grows with your programme.

Ready to get started?

All engagements begin with a free 30-minute discovery call. No commitment, no jargon — just an honest conversation about your situation.