If you have been keeping an eye on the world of cybersecurity compliance, you know that the transition from the 2013 version of ISO 27001 to the 2022 update was more than just a quick edit. It was a fundamental rethink of how we categorise and manage security in a world dominated by cloud computing and remote work. One of the standout changes is found in Annex A 8.20, which covers Network Security.
In the old 2013 standard, network security was spread across several different controls, primarily found in Domain 13. With the 2022 update, things have been streamlined, but the expectations have also become more rigorous. Let’s break down exactly what has changed and why it matters for your next audit.
Table of contents
The Consolidation: From 13.1.1 to 8.20
In the ISO 27001:2013 version, you might remember dealing with control 13.1.1 (Network controls). This sat within the Communications Security domain. In the 2022 version, this has been reclassified as Annex A 8.20 and is now grouped under the “Technological” theme.
While the jump from “13.1.1” to “8.20” sounds like simple renumbering, the 2022 version reflects a much broader scope. According to Hightable.io, Annex A 8.20 is now viewed as a dual-purpose control: it is both preventive (stopping unauthorised access) and detective (spotting activity if someone does get through). This shift encourages organisations to stop thinking of the network as just “cables and routers” and start thinking about it as a dynamic environment that includes virtual private clouds (VPCs), software-defined networking, and wireless signals.
Broadening the Scope of Network Management
The 2013 version was written in an era where many businesses still relied heavily on physical on-premise servers. The 2022 update recognizes that the “network” now extends far beyond the office walls. The new guidance for Annex A 8.20 places a much heavier emphasis on the following areas:
- Device Visibility: It isn’t enough to just secure the devices you know about. You now need to ensure all devices connecting to the network are visible, authenticated, and manageable.
- Firmware and Configuration Records: There is a sharper focus on maintaining up-to-date records of configuration files and firmware versions for all network equipment, such as switches and firewalls.
- Protocol Management: The 2022 standard is more explicit about disabling or suspending vulnerable or unstable network protocols that are no longer required for business operations.
The Four Pillars of Modern Implementation
When moving to the 2022 version, auditors are looking for a more mature approach to network security management. As noted by Hightable.io, successful implementation typically rests on four pillars:
- Documentation and Hygiene: This involves keeping living, dated network diagrams that clearly show where your network ends and the public internet begins.
- Roles and Responsibilities: You need clear segregation of duties. For example, the person who designs the network architecture should ideally not be the same person who audits its security.
- Technical Architecture: This includes risk-driven segmentation (ensuring your guest Wi-Fi isn’t on the same segment as your HR database) and ensuring data is encrypted in transit using modern protocols like TLS or IPsec.
- Logging and Monitoring: Every action that impacts network security should be logged. The 2022 version pushes for a tighter integration between your network controls and your monitoring activities (which are covered in Annex A 8.16).
Practical Differences for Your Audit
In a 2013 audit, a basic firewall policy and a simple network map might have been enough to satisfy the requirements. Under the 2022 standard for Annex A 8.20, an auditor is likely to dig deeper. They will want to see evidence of continuous justification. If you have an open port or a specific network segment, why does it exist? Is that justification still valid today?
The 2022 update also highlights the need for isolation capabilities. If a security incident occurs, can you quickly isolate business-critical sub-networks? This requirement for “resilience” is a recurring theme throughout the 2022 version and is specifically emphasized in the technological controls like 8.20.
Conclusion: Is Your Network Ready?
The transition from ISO 27001:2013 to the 2022 version represents a shift from “checkbox compliance” to “operational resilience.” Annex A 8.20 Network Security is at the heart of this change. By moving beyond simple network controls and embracing a more holistic, technical management of your entire digital footprint, you aren’t just meeting a standard, you’re significantly reducing your risk profile.
If you are currently mapping your transition, starting with an audit of your existing network diagrams and service-level agreements is a great first step. By aligning with the updated requirements found in resources like Hightable.io, you can ensure your organisation is ready for the challenges of the modern threat landscape.