Compliant Azure Infrastructure
for UK Regulated Firms
A fully FCA and PRA-ready Azure Landing Zone deployed through Terraform or Bicep. Nine production-grade modules for the Microsoft cloud platform.
Nine Modules Available in Terraform and Bicep
Every module ships in both IaC formats. Deploy the same compliant environment whether your team uses Terraform or Azure-native Bicep.
01: Subscription Baseline
Azure subscription hardening, Microsoft Defender for Cloud, Azure Policy assignments, and Management Group structure for regulated workloads.
FCA SYSC 13 · CIS Azure
02: Logging & Audit
Diagnostic settings across all resources, Log Analytics workspace with retention policies, Activity Log export, and Microsoft Sentinel integration hooks.
PRA SS1/21 · FCA PS21/3
03: Network Controls
Hub-and-spoke VNet topology, NSG baseline rules, Azure Firewall configuration, DDoS protection, and Private Endpoints for PaaS services.
FCA SYSC 13 · Cyber Essentials
04: Data Protection
Azure Key Vault for key management, customer-managed keys for storage encryption, and Purview integration for data classification.
UK GDPR Art. 32 · PRA SS1/21
05: Identity & Access
Entra ID Conditional Access policies, Privileged Identity Management, and role assignments following least-privilege RBAC principles.
FCA SYSC 13 · Cyber Essentials
06: Resilience & Backup
Azure Backup vaults with geo-redundant storage, Site Recovery configuration for critical workloads, and RTO/RPO alignment to PRA resilience requirements.
PRA SS1/21 · PS26/2 · FCA PS21/3
07: Threat Detection
Microsoft Defender for Cloud plans, security alerts routing via Logic Apps, and Azure Monitor alert rules for anomaly detection.
FCA SYSC 13 · CTP Regime SS6/24
08: CTP Regime Controls
Critical Third Party controls aligned to PS26/2 and SS6/24: service criticality tagging, exit documentation hooks, and concentration risk tooling.
CTP Regime SS6/24 · PS26/2
09: M365 Integration
Defender for Office 365 policy baselines, Exchange Online data residency configuration, and Intune device compliance policies for regulated endpoint management.
FCA SYSC 13 · UK GDPR
Compliance Mapping
Every module ships with a compliance mapping document linking each resource to its regulatory reference.
SYSC 8 & SYSC 13
Outsourcing arrangements, operational risk, and systems and controls requirements for FCA-authorised firms.
SS1/21: Operational Resilience
Important business services, impact tolerances, and self-assessment requirements for PRA-regulated firms.
PS21/3: Outsourcing Policy
Joint policy on outsourcing and third-party risk, covering cloud service providers as material third parties.
SS6/24 & PS26/2
Critical Third Party Regime controls for firms designated under the Financial Services and Markets Act 2023.
UK GDPR
Data protection by design and default, including encryption, access controls, and data residency for Azure regions.
Cyber Essentials
Technical controls aligned to the UK government Cyber Essentials scheme: firewalls, access control, and secure configuration.
How It's Delivered
JME Secure Cloud for Azure is advisory-led. We scope each engagement based on your environment, your regulatory position, and whether you're using Terraform or Bicep.
Discovery
We review your Azure environment, M365 estate, regulatory obligations, and IaC preference before any code is written.
Configuration
Modules are configured for your subscription structure, naming conventions, network topology, and compliance scope.
Deployment
We deploy via Terraform or Bicep, provide full state management guidance, and hand over a working environment with documentation.
Compliance Pack
Every engagement includes a compliance mapping document ready for regulatory review, internal audit, or third-party assessment.
Request a Briefing
Talk to us about your regulatory position and Azure environment. We'll explain how the modules apply to your situation and what an engagement looks like.