ISO 27001:2022 Annex A 8.22 Segregation of networks

What is ISO 27001:2022 Annex A 8.22 Segregation of networks in ISO 27001?

ISO 27001:2022 Annex A 8.22 requires that groups of information services, users and information systems be segregated in the organisation's networks. In practice this means dividing the network into security perimeters (zones) so that sensitive traffic is isolated from untrusted areas such as guest networks and the internet, with a controlled gateway (firewall or routing control) at each boundary. The aim is to prevent unauthorised access across the network and to limit how far an attacker can move after compromising one host. The design, rules and change history that demonstrate this should be kept in your own documented processes, for example in SharePoint or Confluence, so that management retains oversight of the architecture rather than relying on a tool's summary.

Auditor’s Eye: The Shortcut Trap

A SaaS compliance platform cannot by itself verify that your VLANs or subnets are physically or logically isolated; it shows a green tick without the technical context behind it. I want to see your actual network maps in Confluence, and I check Jira history for firewall change requests. Records in your own repositories show that you own the security architecture, whereas an automated status can mask design flaws such as an "any" destination that quietly reaches a sensitive zone. Auditors look for management intent within organisational records, not a third-party dashboard.

ISO 27001:2013 Reference | ISO 27001:2022 Reference | Key Focus
Annex A 13.1.3 (Segregation in networks) | Annex A 8.22 (Segregation of networks) | Logical or physical separation of groups of information services.

How to Implement ISO 27001:2022 Annex A 8.22 Segregation of networks (Step-by-Step)

The core requirement is the logical or physical separation of groups of information services, users and systems. Implementation starts with the architecture: identify the zones (for example guest WiFi, corporate, production and management), assign the VLANs or subnets that carry each, and place a firewall or routing control at every boundary with an explicit rule set that permits only the approved flows. Then document it: record the boundaries in your internal wiki and keep the VLAN, subnet and rule configurations in SharePoint, so management can see how the network isolates critical data assets and can trace every change to an approval.

  • Create a detailed network diagram in Confluence showing each zone, its address ranges and the control at every boundary.
  • Store this diagram in a version-controlled SharePoint library.
  • Draft access rules for each network perimeter in SharePoint, stating which source zone may reach which destination zone and on which ports.
  • Link these rules to your organisational risk register.
  • Use Jira to track monthly network isolation audits, including tests that a host in an untrusted zone (such as guest WiFi) cannot reach production.
  • Record all configuration change approvals in Jira workflows.
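As a worked illustration of what the monthly isolation audit in the steps above can check, here is an added example script; it is not from this page, from the standard, or from any compliance product. It reads a zone map (the network diagram in machine-readable form), a segregation matrix of approved zone-to-zone paths, and an exported firewall rule set, and reports allow rules that cross a boundary the design does not permit, rules whose ports are not approved, and addresses that are not on the zone map at all (a sign of a stale diagram). The zone names, address ranges, the ALLOWED matrix and the sample rules are all constructed assumptions for the example.

```python
"""Audit a firewall rule set against a zone map and segregation matrix.

Added example: every zone, address range, rule and approved path below is
constructed for illustration; none of it comes from the page or the standard.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Zone map: the network diagram as data (constructed zones and ranges).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "guest_wifi": ipaddress.ip_network("10.50.0.0/16"),
    "corporate":  ipaddress.ip_network("10.10.0.0/16"),
    "production": ipaddress.ip_network("10.20.0.0/16"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}

# Segregation matrix: (source zone, destination zone) -> approved TCP ports,
# or "*" for any port. A pair that is absent is forbidden. Constructed policy.
ALLOWED: Dict[Tuple[str, str], object] = {
    ("corporate", "production"): {443},
    ("management", "production"): {22, 443},
    ("management", "corporate"): {22},
    ("corporate", "corporate"): "*",
    ("production", "production"): "*",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR
    dst: str              # CIDR
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"


def zones_touched(cidr: str, zones: Dict[str, ipaddress.IPv4Network]) -> List[str]:
    """Return every zone whose address range overlaps the given CIDR.

    A broad object such as 0.0.0.0/0 overlaps every zone, which is exactly
    how an "any" destination on a guest rule leaks into production.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return sorted(name for name, z in zones.items() if net.overlaps(z))


Finding = Tuple[str, str, str]  # (rule name or "zone-map", finding code, detail)


def audit(rules: List[Rule], zones=ZONES, allowed=ALLOWED) -> List[Finding]:
    findings: List[Finding] = []

    # 1. Zone ranges must not overlap: a host cannot belong to two zones.
    names = list(zones)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if zones[a].overlaps(zones[b]):
                findings.append(("zone-map", "overlap", f"{a} and {b} share addresses"))

    # 2. Every allow rule must correspond to an approved (src, dst, port) path.
    for r in rules:
        if r.action != "allow":
            continue
        src_zones = zones_touched(r.src, zones)
        dst_zones = zones_touched(r.dst, zones)
        if not src_zones or not dst_zones:
            # Address absent from the zone map: stale diagram or orphaned rule.
            findings.append((r.name, "unmapped", f"{r.src} -> {r.dst} is outside the zone map"))
            continue
        for s in src_zones:
            for d in dst_zones:
                ports = allowed.get((s, d))
                if ports is None:
                    findings.append((r.name, "forbidden-path", f"{s} -> {d} is not an approved path"))
                elif ports != "*" and (r.port is None or r.port not in ports):
                    findings.append((r.name, "port-not-approved",
                                     f"{s} -> {d} port {r.port} not in {sorted(ports)}"))
    return findings


# Constructed sample rule set, in the shape of a firewall export.
SAMPLE_RULES = [
    Rule("corp-to-prod-https", "10.10.0.0/16", "10.20.0.0/16", 443, "allow"),
    Rule("mgmt-ssh-prod", "10.99.0.0/24", "10.20.0.0/16", 22, "allow"),
    Rule("guest-internet", "10.50.0.0/16", "0.0.0.0/0", None, "allow"),
    Rule("legacy-printer", "10.10.5.0/24", "10.20.7.0/24", 9100, "allow"),
    Rule("old-dmz", "192.168.100.0/24", "10.20.0.0/16", 443, "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

if __name__ == "__main__":
    for rule, code, detail in audit(SAMPLE_RULES):
        print(f"{rule:20} {code:18} {detail}")
```

On the sample data the script flags the guest rule for reaching every zone through its "any" destination, the printer rule for an unapproved port, and the old DMZ rule for a source that no longer appears on the zone map. Two caveats a practitioner should note: the check evaluates each allow rule on its own and ignores rule ordering, so a deny placed earlier in the policy could shadow a flagged rule; and a clean rule-base audit is not a live boundary test, so the monthly Jira record should still include an actual connectivity probe from the untrusted zone.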

ISO 27001:2022 Annex A 8.22 Segregation of networks Audit Evidence Checklist

Focus on manual records and internal document versions. These items prove human oversight and intent. Auditors expect to see these in your organisational document management system.

  • Network diagrams showing security perimeters stored in Confluence.
  • Jira ticket history for firewall rule changes.
  • Management meeting minutes reviewing network segregation risks.
  • VLAN and subnet configuration logs in SharePoint.
  • Internal audit reports verifying zone isolation.

Relational Mapping

Annex A 8.22 relates to the following controls and clauses:

  • Annex A 8.20 (Networks security): securing, managing and controlling networks and network devices.
  • Annex A 8.21 (Security of network services): identifying, implementing and monitoring the security mechanisms and service levels of network services.
  • Clause 8.1 (Operational planning and control): planning and controlling the processes that implement and maintain the boundaries.

Auditor Interview

Auditor: How do you manage the boundaries between your guest WiFi and production network?

Manager: We define logical VLANs. Our configuration standards reside in SharePoint. We review these monthly.

Auditor: Where is the evidence of your last boundary test?

Manager: You can find the test results in our Jira audit project. We also record the management sign-off there.

Common Non-Conformities

Failure Mode | Description | Corrective Action
Automated Complacency | Relying on a SaaS platform's green tick without internal procedural evidence. | Document the actual VLAN and firewall configurations in SharePoint.
Flat Network Design | No separation exists between sensitive data and public access points, so one compromised host can reach everything. | Implement VLAN isolation with firewall rules at each boundary. Record the steps in Jira.
Outdated Maps | Network diagrams in Confluence do not match current hardware. | Update the diagrams and keep them under version control.

Frequently Asked Questions

What is network segregation in ISO 27001?

The Bottom Line: Network segregation is the logical or physical separation of groups of information services, users and systems within the organisation's networks. The boundaries between zones (VLANs or subnets separated by firewalls or routing controls) should be documented in your internal wiki, with the configurations kept in SharePoint, so management understands how the network isolates critical data assets. Properly enforced, it limits an attacker's lateral movement after an initial compromise.

How do you implement Annex A 8.22?

The Bottom Line: Implement segregation by defining security perimeters around specific groups of data and services and permitting only the flows each group needs. Use SharePoint to store your network policies and configurations. Use Jira workflows to request, approve and record firewall changes. This integrated approach shows that segregation is part of daily technical operations rather than a policy statement alone.

Why avoid SaaS for network compliance?

The Bottom Line: SaaS compliance platforms cannot verify your actual network architecture. They provide a green tick without technical verification of the zones and rules behind it. Auditors prefer to see the original network maps in Confluence. Records in your own repositories show that your internal technical team owns the security design, and keep your security evidence out of a black box.

LA CASA DE CERTIFICACIÓN