As part of ISO 27001:2022 Annex A, section 8 on technological controls, controls A.8.20 to A.8.22 focus on a critical component of information security: the network. Whether your organisation operates from a single office, supports remote workers, or has a complex multi-site infrastructure, network security forms the backbone of protecting data as it flows across systems and boundaries. In this post, we break down the intent of these three controls and offer practical guidance for implementing them in a way that is aligned with ISO 27001 and scalable to your organisation's size and risk appetite.
A.8.20 Networks security
The objective of this clause is to protect data in transit and defend against internal and external threats targeting the network.
This control requires organisations to design, implement, and manage secure networks that support the confidentiality, integrity, and availability of data and services. It applies to both internal and external networks.
All businesses have multiple information networks. A good starting point is to list all your networks and the controls you have in place to manage and secure them. This should include network components like routers, switches, firewalls, gateways and wireless networks.
Apply layered defences to create multiple barriers within your network including firewalls, intrusion detection and prevention systems and endpoint protection. These devices should be regularly patched so current firmware is used and configurations are standardised across the networks.
When transmitting sensitive data between networks or systems, ensure it is encrypted in transit using HTTPS, TLS, IPsec, or a VPN.
Access to networks should be restricted to only those who need to access them through the use of access control lists, firewall rules and role-based access.
Just as importantly, network traffic should be monitored continuously with alerting for any unusual traffic or potential intrusions.
A.8.21 Security of network services
This control aims to ensure the security features, service levels, and management requirements of network services are in place and monitored.
Organisations often rely on third-party providers for network services like connectivity, firewalls, VPNs, or cloud-based DNS. This control ensures those services are secure and meet agreed-upon levels of protection. Any agreement with a third party providing these services should cover your network security expectations and SLAs.
Before selecting and entering an agreement with a provider, perform due diligence on the provider's technical capabilities, architecture and incident response processes. Understanding how data is handled, transmitted and stored within the third-party system is a crucial part of this, as ultimately your organisation remains accountable for the security of its data.
A.8.22 Segregation of networks
The objective of this clause is to separate systems, users, and services as necessary to reduce risk and control traffic flow.
Key considerations here are to segment based on risk and use separate networks for separate purposes. For example, separating networks for production systems, internal servers, staff workstations, development systems and guest wi-fi.
Apply zero trust principles: inspect and authenticate all traffic, even within internal networks. This can be achieved by using VLANs to separate network traffic and enforcing access control within firewalls. As part of this, administrator access should be limited to its own secure segment.
Like everything, regularly review your network to adapt it to the changing needs of the business and IT infrastructure.
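As an added illustration of the segregation review described above (example code written for this post, not part of the original or of any DQS tooling), the script below takes a constructed set of purpose-based segments and a hypothetical firewall rule list, and reports any "allow" rule that joins two segments the policy does not permit, or whose address range is too broad to map to a single segment.

```python
import ipaddress

# Constructed example: one address range per purpose, as A.8.22 suggests.
SEGMENTS = {
    "guest_wifi":   ipaddress.ip_network("10.50.0.0/16"),
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "development":  ipaddress.ip_network("10.20.0.0/16"),
    "internal_srv": ipaddress.ip_network("10.30.0.0/16"),
    "production":   ipaddress.ip_network("10.40.0.0/16"),
    "admin":        ipaddress.ip_network("10.99.0.0/24"),
}

# Constructed policy: (source, destination) pairs that may talk to each other.
# Traffic between any other pair of distinct segments is a segregation violation.
ALLOWED_FLOWS = {
    ("workstations", "internal_srv"),
    ("admin", "internal_srv"),
    ("admin", "production"),
}

def segment_of(cidr):
    """Return the segment a CIDR falls wholly inside, or None if it does not."""
    net = ipaddress.ip_network(cidr)
    for name, seg in SEGMENTS.items():
        if net.subnet_of(seg):
            return name
    return None

def find_violations(rules):
    """rules: list of {"action", "src", "dst"} dicts (hypothetical format).
    Returns (rule, reason) pairs for allow rules that break the policy."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules cannot open a path between segments
        src, dst = segment_of(rule["src"]), segment_of(rule["dst"])
        if src is None or dst is None:
            # e.g. 0.0.0.0/0 spans several segments: too broad to assess, flag it
            findings.append((rule, "range not contained in a single segment"))
        elif src != dst and (src, dst) not in ALLOWED_FLOWS:
            findings.append((rule, f"{src} -> {dst} not permitted"))
    return findings

# Constructed rule set to exercise the check.
RULES = [
    {"action": "allow", "src": "10.10.0.0/16", "dst": "10.30.0.0/16"},  # permitted
    {"action": "allow", "src": "10.50.0.0/16", "dst": "10.40.5.0/24"},  # guest -> prod
    {"action": "deny",  "src": "10.50.0.0/16", "dst": "10.0.0.0/8"},    # ignored
    {"action": "allow", "src": "0.0.0.0/0",    "dst": "10.40.0.0/16"},  # too broad
    {"action": "allow", "src": "10.99.0.0/24", "dst": "10.40.0.0/16"},  # admin, ok
]
```

Running `find_violations(RULES)` flags the guest-to-production rule and the any-source rule; the same structure can be re-run after each network change as part of the regular review.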
Other Posts
- Other posts in the series can be found at: A Strategic Approach to ISO 27001 Implementation
- View the previous post in the series: Keeping Systems in Sync: Managing Time, Privileged Tools, and Software Installation in Controls A.8.17 – A.8.19
Brad Fabiny
DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
