Declarative infrastructure for compliance and certification

Declarative Infrastructure as Compliance Documentation: Talos, NixOS, and Audit-Ready Systems

Here’s how an ISO 27001 audit usually goes. Weeks before the auditor shows up, someone starts collecting screenshots. Configuration panels, firewall rules, a dashboard showing patches applied. Then come the Word documents describing what the systems are supposed to do. Then the change tickets, dug out of a ticketing system, each one referencing a vague “server maintenance” that nobody can fully reconstruct six months later. Everyone treats this as the cost of doing business. I did too, for years. ...

March 23, 2026 · 9 min read · Tom Meurs