ISO 27001:2022 Annex A 8.21 Security of network services

What is ISO 27001:2022 Annex A 8.21 Security of network services?

ISO 27001 Annex A 8.21 ensures security in network service agreements. Organisations must document these processes within SharePoint and Confluence. This control manages service levels and security requirements for all network providers. It integrates security into daily operations rather than using disconnected external software. Active management proves management ownership.

Auditor’s Eye: The Shortcut Trap

Automated platforms often fail during an audit. They offer a generic dashboard without specific organisational context. Auditors require evidence of active provider management. We look for Jira workflows that monitor service level breaches. Black-box software hides the lack of human intent. Store your network service records in SharePoint to prove genuine oversight. Evidence within native repositories carries more weight than third-party software ticks.

| ISO 27001:2013 Reference | ISO 27001:2022 Reference | Summary of Change |
|---|---|---|
| Annex A 13.1.2 | Annex A 8.21 | Minor wording updates. Focus remains on service levels and security requirements in agreements. |

How to Implement ISO 27001:2022 Annex A 8.21 Security of network services (Step-by-Step)

Security of network services requires documented agreements with all providers. You must identify security requirements and service levels. Use SharePoint to store all vendor contracts. This ensures version control and management oversight. Follow these integrated steps.

  • List all network service providers in a SharePoint asset register.
  • Define security requirements for each service in Confluence.
  • Establish Jira workflows to monitor provider performance monthly.
  • Record service level reviews in management meeting minutes.
  • Upload all provider security certificates to a central SharePoint folder.

ISO 27001:2022 Annex A 8.21 Security of network services Audit Evidence Checklist

Focus on manual records and internal document versions. These prove human oversight and intent. Maintain these within your native organisational tools.

  • Network service agreements stored in SharePoint.
  • Service level requirements documented in Confluence.
  • Jira tickets for monthly provider performance reviews.
  • Minutes from management meetings discussing network risks.
  • Provider security audit reports and certificates.

Relational Mapping

Annex A 8.21 connects to several core ISO 27001 requirements. It supports Clause 8.1 regarding operational planning and control. It links to Annex A 5.19 for supplier relationships. This control also assists Annex A 8.20 regarding network security. All documentation should reside in your Document-Based Management System.

Auditor Interview

Auditor: How do you manage network service security?

Manager: We document all requirements in SharePoint. We use Jira to track provider performance.

Auditor: Where do you keep service level agreements?

Manager: Agreements reside in our version-controlled SharePoint library. We review them annually.

Common Non-Conformities

| Failure Mode | Description | Corrective Action |
|---|---|---|
| Automated Complacency | Relying on a platform tick without local evidence. | Store all agreements in SharePoint. |
| Poor Oversight | Failing to review provider performance. | Use Jira for monthly performance reviews. |

Frequently Asked Questions

What is ISO 27001 Annex A 8.21?

The Bottom Line Up Front: It manages the security of network services through formal agreements. You must define service levels and security requirements. Use SharePoint to maintain these records. This ensures all providers meet your organisational security standards.

How do I implement this control?

The Bottom Line Up Front: Document requirements in Confluence and store contracts in SharePoint. Track performance using Jira tickets. Regular reviews prove that providers adhere to agreed security levels. Manual oversight is necessary for compliance.

Why avoid SaaS tools for this control?

The Bottom Line Up Front: SaaS tools often lack the specific details of your vendor agreements. They provide surface-level evidence. Auditors prefer seeing evidence in your native repositories. Store agreements in SharePoint to demonstrate genuine management ownership.

LA CASA DE CERTIFICACIÓN