Cloud Auditor / Compliance Specialist — Complete Learning Package

Beginner Labs (1–15)

Review Defender for Cloud compliance dashboard
Analyze ISO 27001 control status
Export compliance report
Audit Azure Policy compliance
Map ISO controls to Azure services
Audit RBAC roles (Owner/Contributor)
Verify PIM configuration
Check tagging compliance
Review diagnostic settings coverage
Audit NSG rules (open inbound access)
Verify Private Endpoint usage
Check encryption at rest
Audit TLS versions (disable 1.0/1.1)
Review Key Vault access model
Create audit findings register

Intermediate Labs (16–35)

SOC 2 Type II assessment
PCI DSS mapping
HIPAA compliance audit
GDPR compliance review
ISO evidence checklist
Automated compliance reporting
Conditional Access audit
Service principal audit
Policy initiative review
Data classification audit
Backup configuration audit
Network segmentation review
API Management security audit
Compliance trend tracking
Remediation tracking system
Purview classification review
Azure Arc compliance audit
Sentinel coverage review
External auditor evidence package
Power BI compliance dashboard

Advanced Labs (36–50)

Continuous compliance monitoring
Compliance-as-code (Azure Policy)
Automated evidence collection
Cross-cloud compliance (Azure + AWS)
Regulatory change management
Multi-regulation architecture
Vendor risk framework
Data sovereignty audit
Automated remediation
Audit trail integrity verification
Third-party risk management
Privacy impact assessment
Security training audit
Compliance KPI dashboard
Full GRC program implementation

Major Projects

Compliance Programs

ISO 27001 readiness
SOC 2 audit preparation
PCI DSS compliance
HIPAA implementation
GDPR data protection program

Audit Domains

RBAC and identity audit
Network security audit
Data protection audit
Encryption audit
Logging and monitoring audit

Governance & Risk

Vendor risk assessment
Data sovereignty audit
Internal audit program
External audit preparation
Full GRC implementation

Gotchas & Common Mistakes

Compliance dashboard ≠ certification
Policy is point-in-time only
Subscription-level RBAC is risky
Encryption default ≠ CMK compliance
Logs not enabled by default
Evidence must be fresh
Policy Deny not retroactive
Data residency ≠ sovereignty
WAF detection mode = no protection
Compliance ≠ security
Audit findings must be tracked
Evidence screenshots are weak proof
Cross-region replication may violate compliance
Policy exemptions must be documented
Compliance is continuous, not one-time

Internal Audit Process

Plan: Define scope and objectives
Assess: Collect evidence
Analyze: Identify gaps
Report: Document findings
Track: Assign owners and deadlines
Verify: Confirm remediation
Improve: Update controls

Evidence Collection Checklist (ISO 27001)

Control	Evidence	Source	Frequency
Policy	Security policy doc	SharePoint	Annual
Asset Inventory	Resource list	Azure Resource Graph	Monthly
Privileged Access	RBAC + PIM report	Azure CLI	Quarterly
Encryption	Encryption configs	Azure Policy	Monthly
Logging	Diagnostic settings	Azure Policy	Monthly
Monitoring	Alert rules	Azure Monitor	Monthly