ISO 27001:2022 Annex A Control 8.22
Abstract of Control 8.22: Segregation of networks
Are you looking for a way to contain threats within your organization’s infrastructure? Network segregation under ISO 27001 Annex A Control 8.22 creates defined boundaries and reduces the risk of unauthorized access by separating your systems into distinct segments. This separation limits the lateral movement of attackers and helps safeguard sensitive data.
Control Type
- Preventive
Information Security Properties
- Confidentiality
- Integrity
- Availability
Cybersecurity Concepts
- Protect
Operational Capabilities
- System and Network Security
Security Domains
- Protection
Objective of Control 8.22
Your objective with Control 8.22 is to create clear boundaries within your network. This approach confines internal risks, keeps user groups in separate domains, and prevents disruptive incidents from affecting every corner of your organization. You establish these divisions with well-defined rules, ensuring that each segment handles specific tasks and processes only the necessary traffic.
Purpose of Control 8.22
You want to split your network into various security domains and then control the flow of data between them based on business needs. This organized layout keeps confidential information shielded from prying eyes, keeps vital applications running smoothly, and makes it easier to monitor suspicious movement. Think of it as configuring digital barricades to manage who can get in, where they can go, and what they can access.
Scope and Definitions
Scope
All your networked environments—on-premises, cloud-based, and hybrid—fall under the umbrella of Control 8.22. Whether your organization deals with financial data, personal employee information, or customer records, any area connected to a network should follow the segregation principles.
Definitions
- Network Segregation: Splitting your infrastructure into smaller, well-defined zones or domains, each with dedicated security policies.
- Domain: A logical or physical segment where a group of devices or systems share uniform trust and similar security requirements.
- Perimeter: The boundary that separates one domain from another or from the outside world.
- Gateway: A firewall, router, or other device that manages and filters traffic passing between domains or the internet.
Network Segregation Strategy
Criteria for Segregation
Start by identifying which sections of your network handle the most critical data or operations. You may also consider grouping systems by trust levels or by departments. Finance servers might sit in a higher-security domain, while publicly accessible web services remain in a perimeter-facing zone.
Physical vs. Logical Segregation
You can choose physical segregation by using different hardware and cables, creating a clear physical barrier. Alternatively, you can opt for logical segregation with VLANs, virtual routing, and software-defined networking. Combining both can give you an extra layer of resilience, especially when your organization is large or handles diverse types of data.
Network Perimeter Controls
Perimeter Definition
Each domain needs a well-defined perimeter to manage incoming and outgoing traffic. You might use firewalls, IDS/IPS systems, or specialized gateways. One study shows that over 70% of reported breaches originate internally, often involving pivoting from one machine to another. A well-enforced perimeter stops malware or attackers from hopping freely between segments.
Access Between Domains
When domains do need to communicate, control that traffic with strict security rules: permit only the protocols a business process requires, such as allowing a specific application server to connect to an internal database, and deny everything else. This filtering and monitoring keeps data flows predictable and logs every attempt to cross into another domain.
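As an added example (not part of the original control text), a small Python policy check that models security domains, a default-deny gateway allowlist between them, and the logging of every denied attempt to cross into another domain. The domain names, address ranges, allowed flows and sample traffic are constructed for illustration:

```python
import ipaddress

# Hypothetical security domains and their address ranges (constructed for this example).
DOMAINS = {
    "dmz-web": ipaddress.ip_network("10.10.0.0/24"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "db-internal": ipaddress.ip_network("10.30.0.0/24"),
    "finance": ipaddress.ip_network("10.40.0.0/24"),
    "guest-wifi": ipaddress.ip_network("192.168.100.0/24"),
}

# Gateway allowlist as (source domain, destination domain, protocol, port).
# Any cross-domain flow not listed here is denied and logged (default deny).
ALLOWED_FLOWS = {
    ("dmz-web", "app", "tcp", 8443),
    ("app", "db-internal", "tcp", 5432),
}

def domain_of(ip):
    """Map an address to its security domain, or 'unknown' if it is in no domain."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in DOMAINS.items() if addr in net), "unknown")

def evaluate(src, dst, proto, port):
    """Return (verdict, src_domain, dst_domain) for one observed flow."""
    s, d = domain_of(src), domain_of(dst)
    if s == d and s != "unknown":  # same domain: never crosses a perimeter
        return "intra-domain", s, d
    if (s, d, proto, port) in ALLOWED_FLOWS:
        return "allow", s, d
    return "deny", s, d  # includes anything involving an unmapped address

def audit(flows):
    """Run each flow through the policy and return log lines for denied crossings."""
    denied = []
    for src, dst, proto, port in flows:
        verdict, s, d = evaluate(src, dst, proto, port)
        if verdict == "deny":
            denied.append(f"DENY {s}->{d} {proto}/{port} {src}->{dst}")
    return denied

# Constructed sample flows, as a gateway or flow collector might record them.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.7", "tcp", 8443),       # web tier -> app tier: allowed
    ("10.20.0.7", "10.30.0.9", "tcp", 5432),       # app -> database: allowed
    ("10.10.0.5", "10.30.0.9", "tcp", 5432),       # web tier reaching the DB directly: denied
    ("192.168.100.23", "10.40.0.4", "tcp", 445),   # guest Wi-Fi -> finance: denied
    ("10.40.0.4", "10.40.0.8", "tcp", 445),        # finance -> finance: intra-domain
]
```

Running `audit(SAMPLE_FLOWS)` yields the two denied crossings, which is exactly the record a segmented network should produce for review.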
Special Considerations for Wireless Networks
Wireless Segregation
Wireless signals can extend beyond the physical walls of your office, so keep them separate from your key business segments. Create a dedicated Wi-Fi domain for employees and route all connections through a gateway before they reach core systems. This strategy reduces the risk of drive-by attacks and unauthorized interception.
Guest vs. Personnel Networks
Offer guests their own limited domain. Your employees should have no reason to use the guest network, which can carry stricter limitations or reduced speeds. This setup keeps visitor traffic away from internal business processes and prevents accidental exposure.
Implementation and Best Practices
Risk Assessment
A thorough risk assessment will help you spot which segments need the tightest controls. You might discover that a legacy server contains valuable archives yet relies on older systems. You can isolate it in a specialized domain with minimal inbound and outbound connections.
Documentation
Keep a record of every network domain, every VLAN configuration, and every access rule. That record makes it much easier to identify where an incident started and how it might spread, and it plays a big role when auditing your ISO 27001 compliance.
Policy Alignment
Your organization probably has an access control policy and a classification policy. Ensure your segregation strategy supports both. You can’t have an HR domain that’s openly accessible to marketing teams if the data inside is classified as highly confidential.
Ongoing Monitoring and Maintenance
Implementing network segregation is not a one-off project. Continuous logs, intrusion detection systems, and periodic configuration reviews help you spot anomalies and correct misconfigurations quickly. By staying on top of changes, you maintain a robust, dynamic defense posture.
Templates That Can Help with Control 8.22
Certain templates can guide your segmentation activities and streamline documentation. You may find reusable network diagrams that outline logical separation, VLAN mapping sheets for assigning IP addresses, or checklist-based forms for gateway policy configuration. A well-structured template for domain classification allows you to categorize each segment by data sensitivity and define the corresponding security requirements.
Other Relevant Controls
Look at the access control measures in ISO 27001 (such as Control 5.15) to integrate user privileges and authentication methods with your segmentation plan. Also align your segmentation strategy with Controls 8.20 and 8.21, which address broader network security considerations. Connecting these controls helps form a holistic security framework that extends from device to domain.