ISO 27001:2022 Annex A Control 8.20

Network Classification and Segmentation

• Information Classification: Identify and classify data flowing through each segment (e.g., confidential, internal, public). A clear classification helps you apply the right protective measures to each network zone. Use our Data Classification Template if you like to start with a solid foundation.
• Network Segmentation: Divide your network into sub-networks (or VLANs) based on data sensitivity or business function. This approach prevents attackers from moving freely across your environment, reducing the potential impact of a breach.
• Drawbridges and Isolation: In the event of a network-based attack, isolate critical subnetworks—sometimes referred to as “drawbridges”—to contain threats while maintaining essential operations elsewhere.

Network Device Management

• Up-to-Date Documentation: Keep current network diagrams, asset inventories, and configuration files for all devices (routers, switches, wireless access points, etc.). This documentation is essential for troubleshooting, compliance, and audits.
• Assign Clear Responsibilities: Define who manages routers, who updates firewalls, and who oversees wireless controllers. Separation of duties ensures better accountability and reduces the likelihood of configuration mistakes.
• Device Hardening: Disable unnecessary services, change default passwords, and regularly patch or update firmware to reduce vulnerabilities. Hardening network devices is crucial for preventing common exploits.

Network Access Control (NAC)

• Authentication: Require devices and users to authenticate before gaining network access. This might involve 802.1X for wired and wireless networks, certificate-based authentication, or multi-factor verification.
• Restricting & Filtering: Employ firewalls, intrusion prevention systems (IPS), and intrusion detection systems (IDS) to inspect traffic at key points, preventing unauthorized ingress and egress.
• Device Connectivity: Use NAC solutions to detect and block unknown or unmanaged devices on the network. By validating a device’s security posture (e.g., antivirus status, patch level), you reduce infection risk.

Network Administration and Responsibilities

• Separation of Duties: Where possible, separate network operations from ICT system operations to prevent conflicts of interest (see ISO 27001 Control 5.3 for more).
• Administrators’ Access: Secure remote administration channels (e.g., using SSH instead of Telnet) to protect login credentials and minimize eavesdropping.
• Coordinated Management: Ensure that your network administrators, security teams, and IT management communicate and collaborate. Consistent coordination leads to standardized configurations and minimized misconfigurations.

Data Protection over Networks

• Encryption: Always encrypt sensitive data in transit—especially over public or third-party networks. Use robust protocols such as TLS, HTTPS, or IPsec VPNs to protect data confidentiality and integrity.
• Maintaining Data Integrity: Keep an eye on data traveling across the network with checksums and secure protocol validations. This helps detect and prevent tampering or data corruption.
• Availability Safeguards: Implement redundancy strategies like link failover, load balancing, and automatic re-routing to keep network services running smoothly in the event of disruptions.

Logging and Monitoring

• Comprehensive Logging: Log network activities such as firewall changes, VPN connections, and switch port modifications. These logs serve as an audit trail for both operational and forensic purposes.
• Real-Time Monitoring: Deploy network monitoring and intrusion detection solutions to spot anomalies—like unusual traffic spikes or repeated log-in failures—and trigger alerts.
• Automated Alerting: Set up automatic notifications to promptly inform your security team about critical events, allowing immediate response to potential threats.

Virtualized Networks and Software-Defined Environments

• SDN and SD-WAN Security: Introduce security controls (like policy enforcement, encryption, and route validation) at the software-defined networking layer to guard against misconfiguration or malicious changes.
• Configuration Management: Document and maintain the configurations of virtual routers, switches, and controllers within a centralized repository. This ensures streamlined management and quick recovery if issues occur.
• Isolated Network Segments: Even in a virtualized environment, logical separation can be as critical as physical isolation in preventing cross-segment threats.

Disabling Vulnerable Protocols

• Protocol Review: Regularly audit your network to identify outdated or insecure protocols such as Telnet, FTP, or SSLv2.
• Transition to Secure Protocols: Migrate to more secure alternatives like SSH, SFTP, TLS (1.2 or higher), and SNMPv3. This step significantly reduces opportunities for attackers to compromise your network.