ISO 27001:2022 Annex A 8.22 Segregation of networks

Imagine your organisation’s network is a submarine. If a “flat” network—one big open space—springs a leak, the water fills the entire vessel, and you sink. But if you have watertight doors separating different sections, a leak in one room is contained. The rest of the submarine stays dry and operational.

This is the core concept behind ISO 27001:2022 Annex A 8.22. It moves us away from the old-school “castle and moat” security (where everything inside is trusted) toward a model where different parts of the network are separated based on risk, value, and function.

What is Annex A 8.22?

Technically, this control requires you to segregate groups of information services, users and information systems on your networks. It is classed as a preventive control, designed to limit the “blast radius” of a compromise: an attacker or malware that gets into one zone should not be able to reach everything else.

In simple terms, it means your Guest Wi-Fi shouldn’t be able to talk to your Finance Server, and your Marketing intern’s laptop shouldn’t have a direct line to your Production Database.

Why Segregation Matters

Beyond checking a box for your auditor, there are three massive practical benefits to getting this right:

  • Preventing Lateral Movement: Attackers rarely land directly on their target. They land on a weak point (like a printer or a receptionist’s PC) and “move laterally” to find the gold. Filtering at the boundary between zones blocks that movement, or at least forces it through a choke point where it can be logged and detected.
  • Regulatory Compliance: Other standards lean on the same control. PCI DSS, for example, uses network segmentation to keep the cardholder data environment isolated from the rest of the corporate network and to reduce the scope of the assessment.
  • Performance Optimization: By splitting your network into smaller “broadcast domains,” you reduce network congestion. It’s like adding lanes to a highway so that slow local traffic doesn’t block the fast express lane.

How to Implement Network Segregation

You don’t need to buy expensive new hardware to achieve this. Most modern switches and routers have the capability built-in. Here is a practical workflow to get compliant:

1. Define Your Security Domains

You need to group your assets based on trust levels. A common “Zone” structure might look like this:

  • Public/Guest Zone: Untrusted access (e.g., Guest Wi-Fi). Direct internet access only, no internal access.
  • User/Corporate Zone: Standard staff devices. Access to email, printers, and file shares.
  • Server/Production Zone: Where the critical data lives. Tightly controlled access.
  • Management Zone: For IT administrators to manage switches and firewalls (this should be the fortress of the network).

2. Use Virtual Local Area Networks (VLANs)

Physical separation (plugging cables into different switches) is great but expensive and inflexible. Logical separation using VLANs is the industry standard. This allows you to carve up a single physical switch into multiple virtual networks; traffic between them has to be routed through a Layer 3 gateway, and that gateway should be a firewall that filters, not just a switch interface that forwards everything. Two caveats: a VLAN is a Layer 2 construct, so a misconfigured trunk port or a shared native VLAN can let a host reach a VLAN it should not see, and a VLAN that is routed with no ACL at all provides no isolation. Check both when you review your own configuration.

3. Control the Traffic (The Gateway)

Segregation is useless if you allow all traffic to pass between zones. You must implement a “Default Deny” policy at the gateway of each zone: drop everything, then allow only the specific flows the business needs, each one defined by source zone, destination zone, protocol and port. For example, the User Zone can reach the Printer Zone on TCP port 9100 (raw printing), but nothing else. Allow return traffic for established connections, log the drops so that attempted lateral movement shows up in monitoring, and review the rule set whenever zones or services change.

4. Wireless Segregation

This is a common failure point in audits. Your wireless networks must be segregated just like your wired ones. Ensure your Guest SSID is mapped to a completely separate VLAN from your Internal SSID, and that the guest VLAN is routed only to the internet. Do not rely on the configuration alone: connect to the guest SSID and try to reach an internal host. If a guest can ping your server, you are non-compliant.
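A worked model of steps 1 to 4, added here as an example; it is not taken from the standard or from this article, and the zone ranges, host addresses and port numbers are constructed for illustration. It classifies addresses into zones, evaluates a flow under a default-deny matrix, lists the flows from a must-deny list that the matrix would wrongly permit (the guest-pings-server case included), and renders the matrix as an nftables forward chain so the intended policy and the deployed rules can be compared line by line.

```python
"""Zone-policy model: classify addresses into security zones, evaluate
flows under a default-deny matrix, and render the matrix as nftables rules.
Addresses, zone ranges and ports are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example zones (assumed addressing plan, not from the article).
ZONES = {
    "guest":      ip_network("10.99.0.0/16"),   # guest Wi-Fi, internet only
    "corporate":  ip_network("10.10.0.0/16"),   # staff devices
    "printers":   ip_network("10.20.0.0/24"),
    "servers":    ip_network("10.50.0.0/16"),   # production systems
    "management": ip_network("10.250.0.0/24"),  # switch/firewall admin
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # None for icmp


# The explicit allow-list. Anything not listed is denied by default.
RULES = [
    Rule("corporate", "printers", "tcp", 9100),  # raw printing
    Rule("corporate", "servers", "tcp", 445),    # file shares
    Rule("corporate", "servers", "tcp", 443),    # intranet web apps
    Rule("management", "servers", "tcp", 22),    # admin SSH
    Rule("management", "printers", "tcp", 443),  # printer admin UI
]

# Flows that must never be permitted; used as the audit spot-check.
MUST_DENY = [
    ("10.99.4.7", "10.50.1.10", "icmp", None),   # guest pings a server
    ("10.10.8.21", "10.50.1.10", "tcp", 5432),   # staff laptop -> production DB
    ("10.99.4.7", "10.250.0.5", "tcp", 22),      # guest -> management SSH
    ("10.50.1.10", "10.250.0.5", "tcp", 22),     # server -> management SSH
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone an address belongs to, or None if it is unassigned."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: Optional[int] = None) -> bool:
    """Default deny: a cross-zone flow is allowed only if a rule names it.
    Traffic inside one zone never crosses the gateway, so it is not filtered here."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False                       # unassigned address: no rule can match
    if src == dst:
        return True                        # same VLAN: switched, not routed
    return any(r.src_zone == src and r.dst_zone == dst
               and r.proto == proto and r.dport == dport for r in RULES)


def violations(flows=MUST_DENY):
    """Flows from the must-deny list that the matrix would actually permit."""
    return [f for f in flows if is_allowed(*f)]


def nftables_forward_chain() -> str:
    """Render the matrix as an nftables forward chain with policy drop."""
    lines = [
        "table inet segregation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",   # return traffic only
    ]
    for r in RULES:
        match = f"ip saddr {ZONES[r.src_zone]} ip daddr {ZONES[r.dst_zone]}"
        if r.proto == "icmp":
            lines.append(f"    {match} icmp type echo-request accept")
        else:
            lines.append(f"    {match} {r.proto} dport {r.dport} accept")
    lines.append('    log prefix "seg-drop " drop')  # log what default deny catches
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("violations:", violations())
    print(nftables_forward_chain())
```

Running the script prints an empty violations list for this matrix and the generated chain. The point of keeping the matrix as data is that the same structure answers the auditor's three questions: the zones are the diagram, the rendered chain is the ACL they spot-check, and the must-deny list is the evidence that you tested the boundaries rather than assumed them. Note that intra-zone traffic is returned as allowed because it never reaches the gateway; if two assets in one zone need filtering between them, that is the signal to split the zone.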

Documentation and The Auditor

For ISO 27001, if it isn’t written down, it didn’t happen. You need robust documentation to prove your segregation is intentional and managed. For a broader view of how this fits into your Information Security Management System (ISMS), resources like ISO27001.com can be helpful.

What the auditor will ask for:

  • Network Diagrams: These must be up-to-date. If your diagram shows a server that was decommissioned three years ago, it proves you aren’t reviewing your network.
  • Access Control Lists (ACLs): They may spot-check your firewall rules to see if traffic is actually being restricted between zones, and compare them against the diagram and the documented zone policy.
  • Justification: Be ready to explain why you grouped certain assets together. “Because it was easier” is not a valid answer; “Because they share the same risk profile” is.

The Future: Zero Trust and Micro-Segmentation

As you mature, you might move beyond simple VLANs toward “Micro-Segmentation” or “Zero Trust.” Micro-segmentation pushes the zone boundary down to the individual workload or device, typically with host-based or hypervisor-level firewalling, and Zero Trust requires every connection to be authenticated and authorised regardless of which network it originates from, even between two devices sitting right next to each other. While not strictly required for basic compliance, this is the gold standard for modern security.
