If you have been managing information security for a while, you know that the leap from ISO 27001:2013 to the 2022 update was more than just a bit of light editing. It was a major structural overhaul designed to bring the standard into the modern, cloud-first world. One of the key areas that saw a significant shift is how we handle the security of network services, now found in Annex A 8.21.
In the older 2013 version, this was tucked away as control 13.1.2. While the core objective, keeping your network services secure, remains the same, the way we categorise and manage these services has matured. Let’s dive into what actually changed and what it means for your compliance journey.
The Shift from 13.1.2 to 8.20 and 8.21
In the 2013 version of ISO 27001, “Security of network services” sat under the Communications Security domain as control 13.1.2. It was a relatively straightforward requirement focused on ensuring that service levels and security requirements for network services were identified and implemented.
With the arrival of ISO 27001:2022, the Annex A controls were consolidated from 114 down to 93. As part of this reshuffle, 13.1.2 became Annex A 8.21. According to Hightable.io, this control is now classified under the “Technological” theme. This change reflects a broader industry trend: network services are no longer just about the cables in your office; they are about the complex web of SaaS, PaaS, and IaaS providers that keep your business running.
What is Different in the 2022 Requirements?
The most noticeable change in the 2022 version is the level of detail regarding the “Attributes” of the control. Annex A 8.21 is now formally categorised as a Preventive control. The goal isn’t just to react when a network service fails or is compromised, but to build security into the service agreement from day one.
While the 2013 version was often interpreted through the lens of physical hardware and local ISPs, the 2022 version is much more explicitly focused on the “Service” aspect. This includes everything from your cloud service provider’s security features to the encryption used by your managed service provider (MSP). As noted by Hightable.io, the update requires a more rigorous look at the security capabilities of these third-party services, ensuring they align with your internal security policies.
Key Focus Areas for Annex A 8.21
When you are transitioning from the 2013 version to the 2022 version, there are several key areas within 8.21 that require fresh attention:
- Service Level Agreements (SLAs): You need to ensure that security is a non-negotiable part of your SLAs. It isn’t just about uptime anymore; it’s about how the provider manages your data and what security protocols they have in place.
- Monitoring and Management: The 2022 version places a higher emphasis on your ability to monitor these external services. You can’t just outsource the service and forget about the security; you must have clear visibility into how those services are performing.
- Authentication and Encryption: There is a sharper focus on the technical mechanisms used to secure the connection between your organisation and the network service provider.

Why Does This Change Matter?
The move to Annex A 8.21 matters because the “network” of 2013 looks nothing like the “network” of 2022. Between these two versions, we saw the explosion of remote work and the total dominance of cloud computing. The 2022 version of the standard finally catches up to this reality.
By following the updated guidance, organisations are forced to look beyond their own firewalls. You are now expected to treat your network service providers as a critical extension of your own security team. This helps prevent “blind spots” where data is vulnerable because it is sitting in a third-party service that wasn’t properly vetted for security compliance.
How to Implement the Changes
If you are updating your Statement of Applicability (SoA) to reflect the 2022 changes, you should start by auditing your current list of network services. This includes not only your ISP but also your cloud providers, VPN services, and any managed security services.
Using resources like Hightable.io can help you map your existing 13.1.2 controls to the new 8.21 requirements. You will likely find that while you already have the foundations in place, you need to tighten up your documentation regarding how these services are authorised and monitored. Ensure that your risk assessments specifically account for the failure or compromise of a third-party network service, as this is a major focus of the 2022 update.
The Bottom Line
Annex A 8.21 represents the evolution of network security from a local concern to a global, service-oriented one. The transition from the 2013 version isn’t just a renumbering exercise; it’s an invitation to modernise your approach to third-party risk and technological security. By embracing these changes, you ensure that your ISMS is resilient enough to handle the complexities of today’s digital landscape.
