Network security is often seen as the backbone of a robust information security management system. When you look at ISO 27001 Annex A 8.20, you are looking at the specific control designed to protect your network infrastructure. At ISO27001.com, we find that many beginners feel overwhelmed by the technical jargon associated with this control. However, the core concept is quite simple. You need to ensure that the networks you use to process information are secure, managed, and controlled.
This guide will walk you through the implementation of Annex A 8.20 from the perspective of a certification body. We will explore what this control actually asks of you and exactly what an auditor will look for during your certification audit.
Understanding Annex A 8.20
Annex A 8.20 focuses on network security. The goal is to protect information in networks and in the information processing facilities that support them. In the past, this might have meant locking a server room and setting up a firewall. Today, networks are vast and complex. They include cloud environments, remote workers, wireless access points, and third-party services.
The standard requires you to establish, document, and implement controls to secure these networks. It is not enough to just buy a router and hope for the best. You must actively manage the security of the data flowing through your systems. This includes separating networks, controlling access, and logging activity.
Start with a Network Policy
The first step is documentation. You cannot secure what you have not defined. You should create a topic-specific policy on network security. This document does not need to be a novel. It should clearly state your rules for network access and management.
Your policy should cover who is allowed to access the network and how they authenticate themselves. It should also define what constitutes acceptable use. For example, are employees allowed to connect personal devices to the corporate Wi-Fi? If the answer is no, write it down. Auditors at ISO27001.com expect to see a clear link between your written policy and your technical reality.
Segregate Your Networks
One of the most effective ways to implement this control is through network segregation. This means splitting your network into smaller parts. You should not have your guest Wi-Fi on the same network as your critical financial servers. If a visitor’s laptop is compromised, you do not want that threat spreading to your core database.
You can achieve this through Virtual Local Area Networks, known as VLANs. By separating teams or data classifications into different zones, you limit the blast radius of a potential attack. During an audit, we will ask for a network diagram. We want to see that you have thought about the flow of data and separated high-risk areas from low-risk areas.
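As an added illustration, not code from the original guide or from ISO27001.com, the following Python script checks a firewall's zone-to-zone rules against the kind of segregation policy described above: guest Wi-Fi must never reach internal zones, and only the IT admin zone may reach network management interfaces. The zone names, the rule set, the first-match evaluation order and the implicit default deny are all constructed assumptions for this example; adapt them to your own diagram and vendor semantics.

```python
"""Audit firewall zone rules against a segregation policy (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # zone name, or "any"
    dst_zone: str   # zone name, or "any"
    action: str     # "allow" or "deny"


# Constructed policy: (source zone, destination zone) pairs that must never be
# reachable. Guest Wi-Fi is isolated from everything internal, and the
# management zone is reachable only from the IT admin zone.
FORBIDDEN_FLOWS = {
    ("guest_wifi", "corporate"),
    ("guest_wifi", "finance"),
    ("guest_wifi", "management"),
    ("corporate", "management"),
    ("finance", "management"),
}


def rule_matches(rule, src, dst):
    """A rule applies when both zones match, with 'any' as a wildcard."""
    return rule.src_zone in ("any", src) and rule.dst_zone in ("any", dst)


def effective_action(rules, src, dst):
    """First matching rule wins; nothing matching means deny (assumed semantics)."""
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule.action, rule.name
    return "deny", "<implicit default deny>"


def find_segregation_violations(rules, forbidden=FORBIDDEN_FLOWS):
    """Return [(src, dst, rule_name)] for every forbidden flow that is allowed."""
    violations = []
    for src, dst in sorted(forbidden):
        action, name = effective_action(rules, src, dst)
        if action == "allow":
            violations.append((src, dst, name))
    return violations


# Constructed rule set with a leftover "troubleshooting" catch-all at the end.
SAMPLE_RULES = [
    Rule("guest-to-internet", "guest_wifi", "internet", "allow"),
    Rule("corp-to-internet", "corporate", "internet", "allow"),
    Rule("corp-to-finance-app", "corporate", "finance", "allow"),
    Rule("admin-to-mgmt", "it_admin", "management", "allow"),
    Rule("permit-all", "any", "any", "allow"),   # undoes every segregation boundary
]

# Same rules with the catch-all turned into an explicit default deny.
FIXED_RULES = SAMPLE_RULES[:-1] + [Rule("default-deny", "any", "any", "deny")]


if __name__ == "__main__":
    for label, rules in (("current", SAMPLE_RULES), ("fixed", FIXED_RULES)):
        print(f"{label}: {find_segregation_violations(rules)}")
```

Running the check against the current rule set reports all five forbidden flows as allowed by the `permit-all` rule; against the fixed set it reports none while guest devices can still reach the internet. The same loop can be pointed at an exported rule table before each periodic review so that the "network diagram matches reality" question is answered by evidence rather than by recollection.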
Secure Your Network Services
Many businesses rely on third parties for network services. This could be your internet service provider or a cloud host like AWS or Azure. Annex A 8.20 requires you to manage these services securely. You need to ensure that the security features offered by these providers are actually turned on and configured correctly.
Review your service level agreements. Do you know where the provider’s responsibility ends and yours begins? For cloud services, this is often the “shared responsibility model.” You must ensure that you are upholding your side of the bargain. An auditor will check if you monitor these service levels and if you review the security reports provided by your vendors.
Control Access and Log Activity
Access control is vital. You should restrict access to network management functions. Only authorized IT staff should be able to change firewall rules or router configurations. If everyone has admin rights, you have a problem. Use strong authentication, such as multi-factor authentication, for any administrative access.
Furthermore, you need to know what is happening on your network. Logging and monitoring are essential. You should log relevant events to help you identify potential incidents. If a firewall blocks a thousand connection attempts from a single IP address in one minute, you need to know about it. We will look for evidence that you review these logs and act on suspicious activity.
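The "a thousand blocked attempts from one address in a minute" case above is easy to turn into a concrete detection. The following Python script is an added example, not code from the original guide or from ISO27001.com: it parses firewall block events, counts them per source address over a sliding 60-second window, and reports any source at or above the threshold. The log line format, host name, addresses (from the RFC 5737 documentation ranges) and the generated sample log are constructed assumptions; real firewalls each have their own format, so only the regular expression needs to change.

```python
"""Flag source addresses that hit a blocked-connection burst threshold (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed for this example, not a specific vendor's):
# <ISO-8601 timestamp> <host> BLOCK src=<ip> dst=<ip> dport=<port> proto=<proto>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) BLOCK src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_block_events(lines):
    """Yield (timestamp, source_ip) for every BLOCK line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        yield ts, m.group("src")


def max_events_in_window(timestamps, window):
    """Largest number of events that fall inside any window of the given length."""
    stamps = sorted(timestamps)
    best, left = 0, 0
    for right, ts in enumerate(stamps):
        while ts - stamps[left] >= window:   # slide the left edge forward
            left += 1
        best = max(best, right - left + 1)
    return best


def find_block_bursts(lines, threshold=1000, window_seconds=60):
    """Return {source_ip: peak_count} for every source at or above the threshold."""
    per_source = defaultdict(list)
    for ts, src in parse_block_events(lines):
        per_source[src].append(ts)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, stamps in per_source.items():
        peak = max_events_in_window(stamps, window)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def make_sample_log():
    """Constructed sample: one noisy source and one quiet one, plus an ALLOW line."""
    start = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(1000):                       # 1000 blocks within about 50 seconds
        ts = start + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.isoformat().replace('+00:00', 'Z')} fw01 BLOCK "
                     f"src=203.0.113.7 dst=192.0.2.10 dport={22 + i % 5} proto=tcp")
    for i in range(3):                          # occasional blocks from another host
        ts = start + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat().replace('+00:00', 'Z')} fw01 BLOCK "
                     f"src=198.51.100.4 dst=192.0.2.10 dport=445 proto=tcp")
    lines.append("2024-05-01T10:00:01Z fw01 ALLOW src=192.0.2.20 "
                 "dst=192.0.2.10 dport=443 proto=tcp")
    return lines


if __name__ == "__main__":
    for src, peak in find_block_bursts(make_sample_log()).items():
        print(f"ALERT: {src} hit {peak} blocked connections inside one minute")
```

The sliding window matters: a fixed per-minute bucket would miss a burst that straddles a minute boundary. The threshold and window are parameters so the same function can back a tighter rule for administrative interfaces. Keeping the alert output, together with a ticket or note of what was done about it, is exactly the "evidence that you review these logs and act on suspicious activity" an auditor will ask for.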
What the Auditor Expects
When we arrive for an audit, we are not looking for perfection on day one. We are looking for assurance that you are in control. We expect to see a current network diagram that matches reality. We will check that your wireless networks are encrypted and separated from the internal corporate network.
We will also interview your staff. If your policy says that remote access requires a VPN, we will ask an employee to show us how they connect from home. If they log in without a VPN, that is a non-conformity. Consistency is key. Your implementation must match your documentation.
ISO27001.com recommends conducting internal vulnerability scans as well. Scanning on its own does not satisfy the whole of A 8.20, but it helps you verify that your network controls are working as intended. Showing an auditor a clean scan report is a great way to demonstrate due diligence.

Common Mistakes to Avoid
A common mistake is treating network security as a “set and forget” task. Networks change. New devices are added and staff move roles. You must review your access lists and firewall rules regularly. Another error is neglecting physical security. If someone can walk in and plug a laptop into a network port at an unattended desk, your digital firewalls might not save you.
Finally, do not overcomplicate your controls. If you are a small business, you do not need enterprise-grade solutions meant for a bank. You need controls that are appropriate for your risks. Keep it simple, keep it documented, and keep it tested.
By following these steps, you will be well on your way to satisfying the requirements of ISO 27001 Annex A 8.20. Remember that security is a journey. Build a solid foundation with your network controls, and the rest of your information security management system will stand on firm ground.
