Azure Service Enablement Framework — FSI Edition
Based on: Microsoft CAF – Service Enablement Framework · FSI Landing Zones SEF Template Version: 2.0 · Last Revised:
Service Request Details
| Field | Value |
|---|---|
| Service Name | |
| Azure Service / Resource Type | |
| Requested By | |
| Business Unit / Team | |
| Use Case / Workload Description | |
| Target Environment | ☐ Dev ☐ Test ☐ UAT ☐ Production |
| Target Region(s) | |
| Platform Topology | ☐ Hub-Spoke ☐ VWAN ☐ Standalone ☐ Other: |
| Date Submitted | |
| Review Date | |
| Template Version Used | |
| Document Version |
Pre-Qualification
Complete this block first. Answers here determine which sections are mandatory vs optional below.
| Question | Answer |
|---|---|
| Service deployment model | ☐ IaaS ☐ PaaS ☐ SaaS ☐ Hybrid |
| Assessment type | ☐ Net-new service ☐ Migration ☐ Config change to existing service |
| Data classification of workload | ☐ Public ☐ Internal ☐ Confidential ☐ Restricted |
| Is this workload in-scope for PCI DSS? | ☐ Yes ☐ No ☐ Partial (explain in notes) |
| Is this service a Critical or Important Function (DORA)? | ☐ Yes ☐ No ☐ Under assessment |
| Does this service involve personal data (GDPR/UK GDPR)? | ☐ Yes ☐ No |
| Does this service involve client financial data? | ☐ Yes ☐ No |
| Is an existing BIA available for this workload? | ☐ Yes – attach ref ☐ No – to be completed |
| Is a third-party ICT risk assessment required (DORA / EBA Outsourcing)? | ☐ Yes ☐ No ☐ In progress |
Pre-qualification notes:
Assessment Summary
Record the overall risk verdict per dimension. Detailed criteria follow.
| Dimension | Rating | Notes |
|---|---|---|
| Security | ☐ Low ☐ Medium ☐ High | |
| Identity & Access Management | ☐ Low ☐ Medium ☐ High | |
| Governance & Data | ☐ Low ☐ Medium ☐ High | |
| Operations | ☐ Low ☐ Medium ☐ High | |
| Regulatory & Compliance | ☐ Low ☐ Medium ☐ High | |
| Cost & FinOps | ☐ Low ☐ Medium ☐ High | |
| Overall Verdict | ☐ Approved ☐ Conditional ☐ Rejected ☐ Risk Accepted |
Conditions / Remediation Required Before Approval:
List any gaps or pre-conditions that must be resolved
1. Security
1.1 Network Endpoint
For each question, record the technical response AND how the service fits into the organisation's existing hub-spoke/VWAN topology.
| # | Criteria | Response | Status |
|---|---|---|---|
| 1.1.1 | Does the service have a public endpoint accessible outside of a virtual network? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.1.2 | Does it support VNet Service Endpoints? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.1.3 | Can Azure services interact directly with the service endpoint? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.1.4 | Does it support Azure Private Link / Private Endpoints? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.1.5 | Can the service be deployed within a virtual network (VNet injection)? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.1.6 | Which subscription and VNet will the Private Endpoint land in? Is DNS resolution owned by the platform team? | ☐ Confirmed ☐ Pending ☐ N/A | |
| 1.1.7 | Has the network design been reviewed and approved by the platform / network team? | ☐ Yes ☐ No |
Notes:
1.2 Data Exfiltration Prevention
| # | Criteria | Response | Status |
|---|---|---|---|
| 1.2.1 | Does the PaaS service have a separate BGP community in ExpressRoute Microsoft peering? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.2.2 | Does ExpressRoute expose a route filter for the service? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.2.3 | Does the service support Private Link to prevent data exfiltration? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.2.4 | Are outbound data transfer paths documented and controlled? | ☐ Pass ☐ Fail ☐ N/A |
Notes:
1.3 Network Traffic Flow (Management & Data Plane)
| # | Criteria | Response | Status |
|---|---|---|---|
| 1.3.1 | Is it possible to inspect traffic entering/exiting the service (e.g. via Azure Firewall or NVA)? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.3.2 | Can traffic be force-tunnelled with user-defined routes (UDR)? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.3.3 | Do management operations use Azure shared public IP ranges? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.3.4 | Is management traffic directed via a link-local endpoint exposed on the host? | ☐ Pass ☐ Fail ☐ N/A |
Notes:
1.4 Data Encryption at Rest
| # | Criteria | Response | Status |
|---|---|---|---|
| 1.4.1 | Is encryption applied by default? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.4.2 | Can encryption be disabled? (Flag if yes — requires risk acceptance) | ☐ Pass ☐ Fail ☐ N/A | |
| 1.4.3 | Is encryption done with Microsoft-managed keys (MMK) or customer-managed keys (CMK)? | ☐ MMK ☐ CMK ☐ Both | |
| 1.4.4 | Is CMK via Azure Key Vault supported? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.4.5 | Is the Key Vault backed by a standard vault or Azure Managed HSM? | ☐ Standard KV ☐ Managed HSM ☐ N/A | |
| 1.4.6 | For Restricted data: is HSM-backed CMK mandatory per policy? | ☐ Yes ☐ No ☐ N/A |
Notes:
1.5 Data Encryption in Transit
| # | Criteria | Response | Status |
|---|---|---|---|
| 1.5.1 | Is traffic to the service encrypted at protocol level (TLS/SSL)? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.5.2 | Are there any unencrypted HTTP endpoints? Can they be disabled? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.5.3 | Is underlying inter-service communication encrypted? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.5.4 | Is Bring-Your-Own-Key (BYOK) / BYOE supported for transport encryption? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.5.5 | What is the minimum TLS version enforced? Is TLS 1.0/1.1 disabled? | ☐ TLS 1.2 ☐ TLS 1.3 ☐ Not enforced |
Notes:
1.6 Software Deployment
| # | Criteria | Response | Status |
|---|---|---|---|
| 1.6.1 | Can application software or third-party products be deployed to the service? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.6.2 | How is software deployment done and managed? (describe) | ☐ Pass ☐ Fail ☐ N/A | |
| 1.6.3 | Can policies enforce source code / image integrity (e.g. signed images)? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.6.4 | Can antimalware, vulnerability management, and security monitoring tools be used? | ☐ Pass ☐ Fail ☐ N/A | |
| 1.6.5 | Does the service provide native security capability (e.g. AKS, App Service)? | ☐ Pass ☐ Fail ☐ N/A |
Notes:
2. Identity & Access Management
2.1 Authentication and Access Control
| # | Criteria | Response | Status |
|---|---|---|---|
| 2.1.1 | Are all control plane operations governed by Microsoft Entra ID? | ☐ Pass ☐ Fail ☐ N/A | |
| 2.1.2 | Is there a nested control plane (e.g. AKS, Databricks)? If yes, document it. | ☐ Yes ☐ No | |
| 2.1.3 | What methods exist to access the data plane? (document) | ☐ Pass ☐ Fail ☐ N/A | |
| 2.1.4 | Does the data plane integrate with Microsoft Entra ID? | ☐ Pass ☐ Fail ☐ N/A | |
| 2.1.5 | Is authentication between Azure services done via managed identities or service principals? | ☐ Managed Identity ☐ Service Principal ☐ Other | |
| 2.1.6 | Is workload identity federation supported to replace service principal secrets? | ☐ Pass ☐ Fail ☐ N/A | |
| 2.1.7 | How are keys or shared access signatures (SAS) managed? (describe) | ☐ Pass ☐ Fail ☐ N/A | |
| 2.1.8 | How can access be revoked in an emergency? (describe) | ☐ Pass ☐ Fail ☐ N/A | |
| 2.1.9 | Is a break-glass / emergency access procedure defined for this service? | ☐ Yes ☐ No |
Notes:
2.2 Privileged Access Management
| # | Criteria | Response | Status |
|---|---|---|---|
| 2.2.1 | Is Privileged Identity Management (PIM) used for elevated role assignments? | ☐ Pass ☐ Fail ☐ N/A | |
| 2.2.2 | Is Just-in-Time (JIT) access enforced for privileged operations? | ☐ Pass ☐ Fail ☐ N/A | |
| 2.2.3 | Are privileged role activations subject to approval workflow and time-bound? | ☐ Pass ☐ Fail ☐ N/A | |
| 2.2.4 | Are standing permissions (permanent Owner/Contributor) prohibited? | ☐ Pass ☐ Fail ☐ N/A |
Notes:
2.3 Segregation of Duties
| # | Criteria | Response | Status |
|---|---|---|---|
| 2.3.1 | Does the service separate control plane and data plane operations within Entra ID? | ☐ Pass ☐ Fail ☐ N/A | |
| 2.3.2 | Are privileged roles (e.g. Owner, Contributor) separated from data-level roles? | ☐ Pass ☐ Fail ☐ N/A | |
| 2.3.3 | Does the service support dual-authorisation / 4-eyes approval for sensitive operations? | ☐ Pass ☐ Fail ☐ N/A | |
| 2.3.4 | How is SoD enforced in IaC pipelines deploying this service? (describe) | ☐ Pass ☐ Fail ☐ N/A |
Notes:
2.4 Multifactor Authentication & Conditional Access
| # | Criteria | Response | Status |
|---|---|---|---|
| 2.4.1 | Is MFA enforced for user-to-service interactions? | ☐ Pass ☐ Fail ☐ N/A | |
| 2.4.2 | Can Conditional Access policies be applied to restrict access? | ☐ Pass ☐ Fail ☐ N/A | |
| 2.4.3 | Are Conditional Access policies aligned with the organisation's CA baseline? | ☐ Yes ☐ No ☐ Exceptions noted |
Notes:
3. Governance & Data
3.1 Data Classification & Handling
| # | Criteria | Response | Status |
|---|---|---|---|
| 3.1.1 | What is the highest data classification tier this service will handle? (from pre-qualification) | ☐ Public ☐ Internal ☐ Confidential ☐ Restricted | |
| 3.1.2 | Are data handling controls appropriate for the classification tier identified? | ☐ Pass ☐ Fail ☐ N/A | |
| 3.1.3 | Is Microsoft Purview (or equivalent) used for data classification and labelling? | ☐ Pass ☐ Fail ☐ N/A | |
| 3.1.4 | Are there any data minimisation requirements applicable to this workload? | ☐ Yes ☐ No |
Notes:
3.2 Data Portability
| # | Criteria | Response | Status |
|---|---|---|---|
| 3.2.1 | Can data be exported from the service securely and in encrypted form? | ☐ Pass ☐ Fail ☐ N/A | |
| 3.2.2 | Can data be imported securely and in encrypted form? | ☐ Pass ☐ Fail ☐ N/A | |
| 3.2.3 | Is data lineage documented for regulated data flows? | ☐ Pass ☐ Fail ☐ N/A |
Notes:
3.3 Data Privacy & Usage
| # | Criteria | Response | Status |
|---|---|---|---|
| 3.3.1 | Can Microsoft engineers access customer data stored in this service? | ☐ Pass ☐ Fail ☐ N/A | |
| 3.3.2 | Is any Microsoft Support interaction with the service audited and logged? | ☐ Pass ☐ Fail ☐ N/A | |
| 3.3.3 | Is the service covered by the Microsoft Data Processing Addendum / DPA? | ☐ Pass ☐ Fail ☐ N/A | |
| 3.3.4 | If personal data is processed: is a DPIA required and has it been completed? | ☐ Yes ☐ No ☐ N/A | |
| 3.3.5 | Are cross-border data transfer mechanisms in place (SCCs, adequacy decisions)? | ☐ Yes ☐ No ☐ N/A |
Notes:
3.4 Data Residency
| # | Criteria | Response | Status |
|---|---|---|---|
| 3.4.1 | Is data contained within the designated service deployment region? | ☐ Pass ☐ Fail ☐ N/A | |
| 3.4.2 | Is geo-replication used? If yes, are the secondary regions within acceptable boundaries? | ☐ Pass ☐ Fail ☐ N/A | |
| 3.4.3 | Does the service support data residency commitments required by your organisation? | ☐ Pass ☐ Fail ☐ N/A | |
| 3.4.4 | For UK/EU firms: does data residency meet UK GDPR / EU GDPR Chapter V requirements? | ☐ Pass ☐ Fail ☐ N/A |
Notes:
4. Operations
4.1 Monitoring
| # | Criteria | Response | Status |
|---|---|---|---|
| 4.1.1 | Does the service integrate with Azure Monitor (metrics and logs)? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.1.2 | Can diagnostic logs be sent to a Log Analytics Workspace? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.1.3 | Can the service be integrated with Microsoft Sentinel for security monitoring? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.1.4 | Does Microsoft Defender for Cloud support this service? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.1.5 | What is the log retention period and does it meet regulatory requirements (e.g. 5 years for MiFID II)? | ☐ Pass ☐ Fail ☐ N/A |
Notes:
4.2 Backup Management
| # | Criteria | Response | Status |
|---|---|---|---|
| 4.2.1 | Which data in this workload needs to be backed up? (describe) | ☐ Pass ☐ Fail ☐ N/A | |
| 4.2.2 | How are backups captured — native service backup or Azure Backup? | ☐ Native ☐ Azure Backup ☐ Other | |
| 4.2.3 | What is the maximum backup frequency (RPO target)? | Free text | |
| 4.2.4 | What is the maximum backup retention period? | Free text | |
| 4.2.5 | Are backups encrypted? Are they encrypted with CMK? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.2.6 | Is backup restore tested on a defined schedule? (date of last test) | ☐ Pass ☐ Fail ☐ N/A |
Notes:
4.3 Disaster Recovery & Business Continuity
Cross-reference with the workload's BIA (from pre-qualification). If no BIA exists, flag as a pre-condition before approval.
| # | Criteria | Response | Status |
|---|---|---|---|
| 4.3.1 | Can the service be deployed in a regionally redundant configuration? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.3.2 | What is the achievable RTO (Recovery Time Objective)? | Free text | |
| 4.3.3 | What is the achievable RPO (Recovery Point Objective)? | Free text | |
| 4.3.4 | Does the RTO/RPO meet the business requirements defined in the BIA? | ☐ Pass ☐ Fail ☐ BIA pending | |
| 4.3.5 | Who owns the RTO/RPO commitment — platform team or business line? | Free text | |
| 4.3.6 | Does the service support Availability Zones for high availability? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.3.7 | Is Azure Site Recovery supported or an alternative failover solution defined? | ☐ Pass ☐ Fail ☐ N/A |
Notes:
4.4 SKU & Capacity
| # | Criteria | Response | Status |
|---|---|---|---|
| 4.4.1 | What SKUs are available and how do they differ for this use case? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.4.2 | Does the Premium or higher SKU include security-relevant features? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.4.3 | How is capacity monitored and what is the unit of horizontal scale? | ☐ Pass ☐ Fail ☐ N/A |
Notes:
4.5 Patch & Update Management
| # | Criteria | Response | Status |
|---|---|---|---|
| 4.5.1 | Does the service require active patching, or are updates automatic? | ☐ Auto ☐ Manual ☐ Both | |
| 4.5.2 | How frequently are updates applied? Can they be scheduled or automated? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.5.3 | Is there a maintenance window that can be configured? | ☐ Pass ☐ Fail ☐ N/A |
Notes:
4.6 Audit, Configuration & Continuous Compliance
| # | Criteria | Response | Status |
|---|---|---|---|
| 4.6.1 | Are nested control plane operations captured in audit logs (e.g. AKS, Databricks)? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.6.2 | Are key data plane activities recorded? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.6.3 | Does the service support Azure Resource Tags? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.6.4 | Does the service expose a full PUT schema for all resources (ARM/Bicep/Terraform)? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.6.5 | Can Azure Policy be used to enforce configuration of this service? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.6.6 | How is configuration drift detected post-deployment? (e.g. Defender for Cloud, Azure Policy compliance reports) | ☐ Pass ☐ Fail ☐ N/A | |
| 4.6.7 | Is there an ongoing compliance monitoring schedule and owner defined? | ☐ Yes ☐ No |
Notes:
4.7 Cost & FinOps
| # | Criteria | Response | Status |
|---|---|---|---|
| 4.7.1 | Is cost visibility enabled via Azure Cost Management for this service? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.7.2 | Are cost allocation tags applied and mapped to the organisation's billing taxonomy? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.7.3 | Are budget alerts configured with appropriate owners? | ☐ Pass ☐ Fail ☐ N/A | |
| 4.7.4 | Has a cost estimate been produced and approved by the Business Unit owner? | ☐ Yes ☐ No | |
| 4.7.5 | Are Reserved Instances or Savings Plans applicable and have they been considered? | ☐ Yes ☐ No ☐ N/A |
Notes:
5. Regulatory & Compliance
5.1 FSI-Specific Regulatory Requirements
Complete all applicable rows based on the organisation's regulatory perimeter.
| # | Regulation / Standard | Applicable? | Status | Notes |
|---|---|---|---|---|
| 5.1.1 | DORA (EU Digital Operational Resilience Act) — ICT third-party risk register entry required? | ☐ Yes ☐ No | ☐ Registered ☐ Pending ☐ N/A | |
| 5.1.2 | DORA — Is this service classified as supporting a Critical or Important Function? | ☐ Yes ☐ No | ☐ Documented ☐ Pending ☐ N/A | |
| 5.1.3 | EBA ICT Risk Guidelines / EBA Outsourcing Guidelines — Does use of this service constitute outsourcing requiring notification? | ☐ Yes ☐ No | ☐ Notified ☐ Pending ☐ N/A | |
| 5.1.4 | FCA SYSC (UK firms) — Does this service impact operational resilience obligations? | ☐ Yes ☐ No | ☐ Pass ☐ Fail ☐ N/A | |
| 5.1.5 | PCI DSS — Is the service in-scope and have CDE boundaries been mapped? | ☐ Yes ☐ No | ☐ Pass ☐ Fail ☐ N/A | |
| 5.1.6 | MiFID II — Does this service support transaction reporting or recordkeeping? If yes, are retention requirements met? | ☐ Yes ☐ No | ☐ Pass ☐ Fail ☐ N/A | |
| 5.1.7 | SWIFT CSP — Is this service used within the SWIFT messaging environment? | ☐ Yes ☐ No | ☐ Pass ☐ Fail ☐ N/A | |
| 5.1.8 | GDPR / UK GDPR — Has a DPIA been completed where required? | ☐ Yes ☐ No | ☐ Complete ☐ Pending ☐ N/A | |
| 5.1.9 | Organisation-specific regulations (list below) |
Organisation-specific regulatory requirements:
5.2 Certifications & External Audits
| # | Criteria | Response | Status |
|---|---|---|---|
| 5.2.1 | Is the service PCI DSS compliant? | ☐ Yes ☐ No ☐ Partial | |
| 5.2.2 | Is the service ISO 27001 certified? | ☐ Yes ☐ No | |
| 5.2.3 | Is the service SOC 1 / SOC 2 / SOC 3 audited? | ☐ Yes ☐ No | |
| 5.2.4 | Is the service covered by NIST 800-53 controls (if applicable)? | ☐ Yes ☐ No ☐ N/A | |
| 5.2.5 | Is the service listed on the Microsoft Trust Center? | ☐ Yes ☐ No | |
| 5.2.6 | Are audit reports available and have they been reviewed by the Compliance team? | ☐ Yes ☐ No ☐ Pending |
Notes:
5.3 Service Availability
| # | Criteria | Response | Status |
|---|---|---|---|
| 5.3.1 | Is the service Generally Available (GA)? | ☐ GA ☐ Preview ☐ Private Preview | |
| 5.3.2 | In which regions is the service available? Are required regions supported? | ☐ Pass ☐ Fail ☐ N/A | |
| 5.3.3 | Is the service regional or global in scope? | ☐ Regional ☐ Global |
Note: Preview services require explicit risk acceptance before use in Production or in-scope FSI environments.
Notes:
5.4 Service Level Agreements
| # | Criteria | Response | Status |
|---|---|---|---|
| 5.4.1 | What is the published SLA for service availability? | Free text | |
| 5.4.2 | What is the SLA for performance (if applicable)? | Free text | |
| 5.4.3 | Does the SLA meet the workload's business requirements and BIA targets? | ☐ Pass ☐ Fail ☐ N/A |
Notes:
6. Decision & Sign-Off
6.1 Open Issues & Remediation Actions
Add rows as needed. All High Risk findings must have an owner and due date before Conditional Approval is granted.
| # | Issue / Gap | Severity | Owner | Due Date | Resolved |
|---|---|---|---|---|---|
| 1 | ☐ High ☐ Med ☐ Low | ☐ | |||
| 2 | ☐ High ☐ Med ☐ Low | ☐ | |||
| 3 | ☐ High ☐ Med ☐ Low | ☐ | |||
| 4 | ☐ High ☐ Med ☐ Low | ☐ | |||
| 5 | ☐ High ☐ Med ☐ Low | ☐ |
6.2 Conditions of Approval (if Conditional)
List mandatory guardrails, Azure Policies, or compensating controls that must be in place before or shortly after service deployment.
6.3 Risk Acceptance (if applicable)
Required if any High Risk finding is proceeding without full remediation, or if a Preview service is being approved for Production.
| Field | Value |
|---|---|
| Risk(s) being accepted | |
| Business justification | |
| Compensating controls in place | |
| Review date for risk acceptance | |
| Risk Acceptance Owner (named individual) |
6.4 Approval
Roles can be adapted to match the organisation's governance structure. Unused roles should be marked N/A with a brief reason.
| Role | Name | Signature / Approval | Date |
|---|---|---|---|
| Platform / Cloud Architect | |||
| Security / CISO Representative | |||
| Compliance / Risk Officer | |||
| Business Unit Owner | |||
| FinOps / Cost Owner | |||
| Additional role (if required) |