ISO 27001:2022 Annex A 8.20 Networks security


ISO 27001:2022 Annex A 8.20: A Practical Guide to Network Security

If you think of your organisation’s data as gold in a vault, your network is the system of roads, hallways, and tunnels that leads to it. If those roads are unguarded, unmapped, and open to the public, your gold isn’t safe. This is the core logic behind ISO 27001:2022 Annex A 8.20.

This control, simply titled “Networks Security,” is all about ensuring that the networks connecting your systems, applications, and users are not the weak link in your security chain. It replaces the old Annex A 13.1.1 from the 2013 standard, bringing a sharper focus on managing and securing the flow of data.

What is Annex A 8.20?

In the official standard, this control sits within the “Technological Controls” category. Its purpose is to ensure the protection of information in networks and their supporting information processing facilities. In plain English? You need to stop hackers, malware, and unauthorised users from traversing your network to steal data or cause chaos.

It is classified as both a preventive and detective control. You are trying to prevent bad things from happening (like blocking a port), but you also need to detect when something slips through (like monitoring logs for suspicious traffic).

Why is this Control Important?

Most modern cyber attacks happen over the network. Whether it’s a ransomware worm spreading laterally from one laptop to your entire server farm, or an attacker exfiltrating customer databases, the network is the highway they use. By implementing Annex A 8.20, you are essentially putting up roadblocks, checkpoints, and surveillance cameras.

For a broader look at how this fits into the full list of technological controls, you can explore the resources on ISO27001.com.

How to Implement Network Security

Implementing this control isn’t just about buying a firewall and walking away. It requires a layered approach. Here are the practical steps you should take.

1. Know What You Have (Network Documentation)

You cannot protect a network you don’t understand. Start by creating up-to-date network diagrams. These should show:

  • Your boundaries (where your network ends and the internet begins).
  • Critical assets (servers, databases).
  • Wireless access points.
  • Connections to third parties (vendors, partners).

Auditors love to see a clear diagram that matches reality. If you have a diagram from 2019 but you moved to the cloud in 2023, you have a problem.

2. Network Segregation

Imagine if a guest in your lobby could walk straight into your CEO’s office. That is a flat network. To comply with Annex A 8.20 (and the related Annex A 8.22), you need to segment your network.

This usually involves using Virtual LANs (VLANs) or subnets to separate different types of traffic. For example:

  • Guest Wi-Fi: Should be completely isolated from the corporate network.
  • Corporate User Network: For day-to-day employee work.
  • Server/Production Network: Tightly controlled, only accessible by authorised admins and services.
  • Management Network: A dedicated lane for administrative traffic to manage switches and firewalls.
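The zone layout above lends itself to a simple policy check. The following script, an added example rather than anything from the original article, encodes the four segments as a default-deny matrix and flags firewall allow-rules that contradict it; the subnets, ports and rule names are constructed assumptions.

```python
import ipaddress

# Constructed example subnets for the four network types listed above
# (assumed addressing; not from the original article).
ZONES = {
    "guest": ipaddress.ip_network("10.10.0.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/24"),
    "server": ipaddress.ip_network("10.30.0.0/24"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}

# Permitted inter-zone flows and their ports; "*" means any port.
# Anything not listed is denied (default deny between segments).
POLICY = {
    ("corporate", "server"): {443, 445},    # staff reach web apps and file shares
    ("management", "server"): {22},         # admins manage servers over SSH
}
INTERNET_ZONES = {"guest", "corporate", "server"}  # the management lane never reaches the internet

def zone_of(ip):
    """Map an address to its documented zone, or 'internet' if it is outside all of them."""
    addr = ipaddress.ip_address(str(ip))
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def allowed(src_zone, dst_zone, port):
    """Decide whether the segmentation policy permits a flow between two zones."""
    if src_zone == dst_zone:
        return True
    if dst_zone == "internet":
        return src_zone in INTERNET_ZONES
    permitted = POLICY.get((src_zone, dst_zone), set())
    return "*" in permitted or port in permitted

def audit_rules(rules):
    """Return the allow rules that contradict POLICY (the ones an auditor would flag)."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = zone_of(ipaddress.ip_network(rule["src"]).network_address)
        dst = zone_of(ipaddress.ip_network(rule["dst"]).network_address)
        if not allowed(src, dst, rule["port"]):
            findings.append(f"{rule['name']}: {src} -> {dst} port {rule['port']}")
    return findings

# Constructed firewall rule set; the last two rules recreate the "flat network" mistake.
RULES = [
    {"name": "corp-to-webapps", "src": "10.20.0.0/24", "dst": "10.30.0.0/24", "port": 443, "action": "allow"},
    {"name": "guest-to-internet", "src": "10.10.0.0/24", "dst": "0.0.0.0/0", "port": 443, "action": "allow"},
    {"name": "guest-to-servers", "src": "10.10.0.0/24", "dst": "10.30.0.0/24", "port": "*", "action": "allow"},
    {"name": "corp-to-mgmt-ssh", "src": "10.20.0.0/24", "dst": "10.99.0.0/24", "port": 22, "action": "allow"},
]
```

Running `audit_rules(RULES)` reports the guest-to-server and corporate-to-management rules, which is exactly the evidence an auditor comparing your diagram against your firewall configuration would look for.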

3. Access Control and Authentication

Just because a device is plugged into a wall jack doesn’t mean it should be on the network. You should implement controls like IEEE 802.1X (Network Access Control) to ensure that only known, authorised devices can connect.

For remote access, Virtual Private Networks (VPNs) are the standard. Ensure they are protected with Multi-Factor Authentication (MFA). The days of a simple username and password for VPN access are long gone.

4. Hardening Network Devices

Your routers, switches, and firewalls are computers too, and they need to be secured. This means:

  • Changing default passwords immediately.
  • Disabling unused ports and services (if you don’t use Telnet, turn it off).
  • Keeping firmware up to date to patch vulnerabilities.
  • Using secure protocols (SSH instead of Telnet, HTTPS instead of HTTP) for management.

5. Monitoring and Logging

This is the “detective” part of the control. You need to know what is happening on your wires. Integrating your network logs into a SIEM (Security Information and Event Management) tool allows you to spot anomalies.

Look for red flags like a workstation scanning thousands of ports, or a server sending gigabytes of data to an unknown IP address in a foreign country.
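Both red flags can be expressed as simple aggregations over flow logs. The script below is an added example, not code from the article: it parses a constructed log format (`src= dst= dport= bytes=`), counts distinct destination ports per source to catch the scanning workstation, and sums bytes sent to addresses outside an assumed internal range to catch the exfiltrating server. Thresholds and the 10.0.0.0/8 internal range are assumptions; the country lookup the text mentions is not included.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: 10.0.0.0/8 is the organisation's internal range; everything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")

def parse_flows(lines):
    """Turn constructed flow-log lines into (src, dst, dport, bytes) tuples, skipping malformed ones."""
    flows = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return flows

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_port_scanners(flows, min_ports=100):
    """Sources that touched at least min_ports distinct destination ports (the scanning red flag)."""
    ports_by_src = defaultdict(set)
    for src, _dst, dport, _ in flows:
        ports_by_src[src].add(dport)
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}

def find_exfiltration(flows, min_bytes=1_000_000_000):
    """(src, dst) pairs that pushed at least min_bytes to an address outside the internal range."""
    bytes_out = defaultdict(int)
    for src, dst, _dport, nbytes in flows:
        if not is_internal(dst):
            bytes_out[(src, dst)] += nbytes
    return {pair: total for pair, total in bytes_out.items() if total >= min_bytes}

# Constructed sample log: one workstation sweeping 150 ports on a server, one server sending
# about 2.1 GB to an external address (203.0.113.0/24 is a documentation range), plus normal traffic.
SAMPLE_LOG = (
    [f"2024-05-01T09:00:{i % 60:02d}Z src=10.20.0.15 dst=10.30.0.7 dport={1000 + i} bytes=60" for i in range(150)]
    + ["2024-05-01T09:05:00Z src=10.20.0.21 dst=10.30.0.7 dport=443 bytes=8200"] * 20
    + ["2024-05-01T09:06:00Z src=10.20.0.21 dst=203.0.113.50 dport=443 bytes=50000"]
    + ["2024-05-01T09:10:00Z src=10.30.0.7 dst=203.0.113.9 dport=443 bytes=700000000"] * 3
    + ["garbage line that should be ignored"]
)

def review(lines):
    """Run both checks over a batch of log lines, as a scheduled log review might."""
    flows = parse_flows(lines)
    return find_port_scanners(flows), find_exfiltration(flows)
```

The same two aggregations are what you would configure as correlation rules in a SIEM; keeping the thresholds as parameters lets you tune them to your own baseline rather than someone else's.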

What Auditors Will Check

When it comes time for your certification audit, the auditor will likely ask for:

  • Network Diagrams: Are they current? Do they show segmentation?
  • Configuration Standards: Do you have a document stating how routers/firewalls should be configured?
  • Access Lists: Who has administrative access to your network gear?
  • Logs: Can you show evidence that you review network logs?
  • Guest Access: They might even try to connect to your guest Wi-Fi and see if they can ping your internal servers.

Common Challenges

The biggest challenge is often “convenience vs. security.” Developers might want open access to production servers “just in case,” or sales staff might want to put their personal phones on the secure corporate Wi-Fi. Annex A 8.20 requires you to stand firm and enforce the rules of least privilege.

Conclusion

ISO 27001 Annex A 8.20 is a foundational control. If your network isn’t secure, your applications and data are sitting ducks. By documenting your topology, segregating your traffic, and keeping a watchful eye on logs, you build a resilient infrastructure that can withstand modern threats and pass your audit with flying colours.
