ISO 27001:2022 Annex A Control 8.21

Abstract of Control 8.21: Security of network services

Control 8.21 under ISO 27001 focuses on ensuring that network services (both internal and external) are secured, managed, and monitored to protect the organization’s information assets. This control covers the identification and implementation of security mechanisms, service-level requirements, and continuous monitoring of network service providers and usage.

Control attributes: Control Type, Information Security Properties, Cybersecurity Concepts, Operational Capabilities, Security Domains

Objective

The main objective of Control 8.21 is to ensure that all network services—whether provided internally or outsourced—are operated securely. This objective extends to:

  • Identifying security features and requirements for network services.
  • Implementing appropriate controls and service levels.
  • Monitoring the effectiveness and security compliance of these network services on an ongoing basis.

Purpose

The purpose of this control is to safeguard the organization’s information that travels through or resides on network services. Proper security measures help prevent unauthorized access, data breaches, downtime, and other security threats that could arise from poorly managed or insecure network connections.

Identification of Security Requirements

Service-Level Agreements (SLAs)

  • Defining Security Features: Specify responsibilities regarding authentication, encryption, and network traffic monitoring in the SLA.
  • Agreed Service Levels: Include performance metrics, response times, and escalation procedures to ensure continuous service quality and security.

Network Service Scope and Rules

  • Allowed Services & Networks: Enumerate which networks (e.g., internal, external, Wi-Fi, VPN) are permitted.
  • Usage Conditions: Define who can access which network services, under what authentication requirements, and at which times.
  • Access Management: Implement formal authorization procedures for granting or revoking access to network services.

Technical Security Features

  • Authentication Mechanisms: Use multifactor authentication where feasible.
  • Encryption: Protect data in transit with adequate encryption protocols (e.g., TLS, IPsec).
  • Connection Controls: Configure firewalls, intrusion detection/prevention systems (IDS/IPS), or other perimeter security solutions.
  • Caching Management: Assess the confidentiality and performance impact of caching (e.g., via CDNs).

Implementation and Operational Controls

Internal vs. External Providers

  • Provider Assessment: Evaluate internal capabilities versus external providers for meeting security and availability needs.
  • Contractual Obligations: Ensure the right to audit network service providers is included in contracts, along with provisions for reporting security incidents.
  • Third-Party Attestations: Require suppliers to provide certifications or attestations (e.g., SOC 2 reports) demonstrating they uphold strong security measures.

Usage Guidelines and Procedures

  • User Awareness Training: Train staff on acceptable network usage, remote access guidelines, and secure VPN usage.
  • Device Management: Enforce the use of secure devices, including updated antivirus software, hardened configurations, and regular patches.

Monitoring and Reporting

  • Logging & Monitoring Tools: Maintain logs for all network activities, especially for privileged or sensitive connections.
  • Regular Audits: Conduct periodic security audits to verify SLA compliance and the effectiveness of network security controls.
  • Incident Response: Establish clear procedures for detecting, reporting, and resolving security incidents related to network services.

Monitoring and Auditing

  • Performance Monitoring: Continuously measure the service against agreed performance and security metrics (e.g., uptime, latency, breach attempts).
  • Security Compliance Checks: Schedule vulnerability assessments and penetration testing for network infrastructures.
  • Audit Rights: Exercise the contractual right to audit external providers to ensure adherence to security requirements.

Roles and Responsibilities

  • IT / Network Administrators: Implement and maintain technical controls (firewalls, IDS/IPS, VPNs).
  • Information Security Team: Define security requirements, monitor compliance, and manage incident response.
  • Procurement / Legal: Ensure contracts with service providers include robust security clauses and SLAs.
  • Senior Management: Provide oversight, approve budgets, and support the enforcement of network security policies.

Implementation Templates for Control 8.21

When you’re implementing Control 8.21, having the right templates can simplify your process, improve consistency, and ensure no detail slips through the cracks. Below are some recommended templates that can help you formalize and standardize your approach to securing network services:

Network Security Policy Template

  • Purpose: Sets the overarching rules for how network services are used and protected within your organization.
  • Why: Provides a “single source of truth,” ensuring every stakeholder understands their obligations to maintain network integrity and confidentiality.

Service-Level Agreement (SLA) Template

  • Purpose: Clearly establishes performance metrics, security responsibilities, escalation processes, and auditing rights for both internal and external network service providers.
  • Why: Empowers you to negotiate and track measurable service commitments, making vendor management more transparent and enforceable.

Third-Party Supplier Security Checklist

  • Purpose: Facilitates the evaluation of potential or existing network service providers on their security controls, certifications, and overall posture.
  • Why: Reduces risk by ensuring you thoroughly vet third-party providers before you entrust them with critical network services.

Network Access Control Matrix

  • Purpose: Maps out which users or roles have permission to access specific networks, devices, or applications.
  • Why: Makes it easier to maintain and audit permissions, reducing the likelihood of unauthorized access or privilege creep.
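The access control matrix described above, together with the usage conditions (who, from which network, with what authentication, at what time) and the audit logging called for under monitoring, can be encoded as data and evaluated mechanically. The following Python script is an added illustration, not part of the ISO text or of any product; the roles, networks, services and time windows in it are constructed sample values, and the rule structure is an assumption about how an organization might express its matrix. It applies a default-deny policy, records every decision as an audit line, and flattens the matrix per role so that periodic permission reviews (privilege-creep checks) have something concrete to examine.

```python
"""Network access control matrix evaluator (added example; sample values are constructed)."""
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One row of the matrix: a role may reach a service from a network under conditions."""
    role: str
    network: str
    service: str
    require_mfa: bool = False
    # Permitted window as [start, end); None means any time of day.
    window: Optional[Tuple[time, time]] = None


@dataclass(frozen=True)
class Request:
    """An access request as seen by the enforcement point (constructed fields)."""
    user: str
    role: str
    network: str
    service: str
    mfa_passed: bool
    at: time


# Hypothetical matrix: role/network/service names are assumptions for the example.
MATRIX: List[Rule] = [
    Rule("finance", "corp-lan", "erp", require_mfa=True, window=(time(7, 0), time(20, 0))),
    Rule("finance", "vpn", "erp", require_mfa=True, window=(time(7, 0), time(20, 0))),
    Rule("engineer", "corp-lan", "file-share"),
    Rule("engineer", "vpn", "file-share", require_mfa=True),
    Rule("guest", "guest-wifi", "internet"),
]


def in_window(window: Optional[Tuple[time, time]], at: time) -> bool:
    """True when `at` falls inside the half-open window, or when no window is set."""
    if window is None:
        return True
    start, end = window
    return start <= at < end


def evaluate(req: Request, matrix: List[Rule] = MATRIX) -> Tuple[bool, str]:
    """Default-deny: allow only if a matching rule exists and all its conditions hold."""
    candidates = [r for r in matrix
                  if r.role == req.role and r.network == req.network and r.service == req.service]
    if not candidates:
        return False, f"deny: no rule grants role {req.role!r} access to {req.service!r} from {req.network!r}"
    reasons = []
    for rule in candidates:
        if rule.require_mfa and not req.mfa_passed:
            reasons.append("deny: rule requires MFA")
            continue
        if not in_window(rule.window, req.at):
            reasons.append("deny: outside permitted window")
            continue
        return True, f"allow: matched rule {rule.role}/{rule.network}/{rule.service}"
    return False, "; ".join(reasons)


def audit_record(req: Request, decision: Tuple[bool, str]) -> str:
    """Render a single audit log line; every decision, allowed or denied, is recorded."""
    allowed, reason = decision
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{req.at.isoformat()} user={req.user} role={req.role} net={req.network} "
            f"svc={req.service} mfa={req.mfa_passed} decision={verdict} reason=\"{reason}\"")


def permissions_by_role(matrix: List[Rule] = MATRIX) -> Dict[str, List[str]]:
    """Flatten the matrix per role for periodic permission review."""
    out: Dict[str, List[str]] = {}
    for r in matrix:
        entry = f"{r.service}@{r.network}" + ("+mfa" if r.require_mfa else "")
        out.setdefault(r.role, []).append(entry)
    return {role: sorted(entries) for role, entries in out.items()}


if __name__ == "__main__":
    # Constructed sample requests covering the allow path and each denial reason.
    samples = [
        Request("alice", "finance", "corp-lan", "erp", True, time(9, 0)),
        Request("alice", "finance", "vpn", "erp", False, time(9, 0)),
        Request("alice", "finance", "corp-lan", "erp", True, time(22, 0)),
        Request("bob", "guest", "corp-lan", "internet", False, time(9, 0)),
        Request("carol", "engineer", "corp-lan", "file-share", False, time(3, 0)),
    ]
    for req in samples:
        print(audit_record(req, evaluate(req)))
    for role, entries in permissions_by_role().items():
        print(f"review: {role}: {', '.join(entries)}")
```

The per-role flattening is what an auditor would diff between review cycles: a role that keeps accumulating service@network entries is the privilege creep the template is meant to catch, and the audit lines give the logging section's record of who reached what, from where, and whether MFA was satisfied.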

Monitoring and Logging Policy Template

  • Purpose: Outlines how you’ll collect, retain, and review logs for unusual activity or potential threats to network services.
  • Why: Helps you detect threats early by standardizing monitoring practices and ensuring you know exactly where to look when anomalies pop up.

Incident Response Plan Template

  • Purpose: Details your playbook for responding to security incidents that could compromise network services, from detection through resolution and recovery.
  • Why: Reduces downtime and chaos by giving your team a predefined set of actions to quickly and effectively mitigate damage during a crisis.

Audit and Review Checklist

  • Purpose: Ensures all aspects of Control 8.21 are regularly checked, tested, and updated, keeping your security posture strong.
  • Why: Makes it simple to stay on top of evolving threats and new compliance requirements, providing a systematic approach to validating effectiveness.

Relation to Other ISO 27001 Controls

Several other controls within ISO 27001 complement or overlap with Control 8.21. Key related controls include:

  • Control 8.20 – Network Security Management: Provides a broader framework for managing network infrastructures securely.
  • Control 5.15 – Access Control: Governs user authentication, authorization, and identity management (e.g., who can access specific network services).
  • Control 5.1 – Information Security Policies: High-level policies that set the tone for network security management.
  • Control 8.28 – Secure Communication: Focuses on ensuring secure data transfer, which may overlap with network encryption and authentication.

Additional Guidance and References

  • ISO/IEC 29146: Provides guidelines for a broader framework around access management, relevant to setting up secure network service access.
  • NIST SP 800-53 (if applicable): Offers controls mapping for network protection (SC series).
  • ITIL Service Design (if applicable): Guides the integration of service security into network service design.