What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 8.22

ISO 27001 Annex A 8.22 - what changed in the 2022 update

If you have been following the evolution of cybersecurity standards, you know that the leap from ISO 27001:2013 to the 2022 version was more than a simple rebrand. It was a tactical shift designed to address the complexities of modern infrastructure: think cloud-native environments, hybrid work, and zero-trust architectures. One of the most vital technical controls in this update is Annex A 8.22: Segregation of Networks.

While the concept of keeping different parts of your network separate isn’t new, the way the 2022 standard expects you to manage it has matured significantly. Let’s break down the transition from the old domain-based system to the new thematic approach.

The Shift from Annex A 13.1.3 to Annex A 8.22

In the ISO 27001:2013 framework, network segregation was found under control 13.1.3 within the “Communications Security” domain. In the 2022 update, it has been consolidated and moved to Annex A 8.22.

This isn’t just a change in the index. The new version categorises 8.22 as a Technological control. According to Hightable.io, this shift emphasises that segregation is no longer just a policy-level “good idea”; it is a functional technical requirement that must be actively enforced and monitored. The 2022 standard also introduces “Attributes,” defining 8.22 primarily as a Preventive control aimed at containing potential breaches and preventing lateral movement within your systems.

What Actually Changed in the Requirement?

The core objective remains the same: ensuring that groups of information services, users, and information systems are segregated on networks. However, the 2022 guidance is more explicit about how and why you do it.

In the 2013 version, the focus was often on physical or logical separation between “public” and “private” networks. In the 2022 update, the scope has widened to include:

  • Risk-Based Segmentation: You are now expected to justify your segregation based on the specific risks to the data within each segment. For example, a development environment should not sit on the same segment as your HR database.
  • Logical vs. Physical: While 2013 hinted at it, the 2022 guidance (via ISO 27002:2022) is much more comfortable with logical segregation, such as VLANs, Virtual Private Clouds (VPCs), and software-defined networking (SDN).
  • Zero-Trust Principles: The 2022 version leans into the idea that just being “on the network” doesn’t mean you should have access to everything. It encourages verifying every connection that crosses a boundary.

Why Annex A 8.22 Matters for Your Next Audit

Under the 2013 standard, an auditor might have been satisfied with a static network diagram from three years ago. That won’t fly anymore. As noted by Hightable.io, auditors are now looking for living documentation. They want to see that your segregation is current, enforced by firewalls or gateways, and reflects your actual business logic.

In a modern audit, you will likely need to provide evidence of:

  1. Enforcement: Proof that your access control lists (ACLs) or firewall rules actually prevent a user in “Segment A” from reaching “Segment B” without a valid business reason.
  2. Monitoring: Evidence that you are watching the traffic that passes through these gateways for signs of unauthorised movement.
  3. Justification: A clear rationale for why your network is split the way it is, usually documented in your Statement of Applicability (SoA) and risk treatment plan.

Practical Steps for Implementing the 2022 Changes

If you are transitioning from a flat 2013-style network to the more robust 2022 requirements, consider these steps:

  • Map Your Trust Zones: Don’t just split by department; split by trust level and data criticality. Your production environment, guest Wi-Fi, and employee workstations should all live in separate zones.
  • Secure the Gateways: Use firewalls or specialized gateways to manage the traffic between these zones. This is your “digital checkpoint” where security happens.
  • Update Your Diagrams: Ensure your network diagrams include your cloud assets. If you use AWS or Azure, your VPCs and Subnets are part of your Annex A 8.22 scope.
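As an added example (not from the article or from Hightable.io), the Python check below turns the “Enforcement” and “Justification” evidence items and the trust-zone mapping step into something you can run against a firewall rule export: it maps each rule to the trust zones it connects, flags any allow rule that crosses a zone boundary without a recorded business reason (or that is not scoped to a single zone), and confirms the rule set ends in a default deny. The zone names, CIDRs, rule format and risk-treatment references are constructed placeholders, not values from the standard.

```python
import ipaddress
# Constructed trust zones (name -> CIDR), split by trust level and data criticality.
ZONES = {
    "production": ipaddress.ip_network("10.10.0.0/16"),
    "hr_database": ipaddress.ip_network("10.20.0.0/24"),
    "development": ipaddress.ip_network("10.30.0.0/16"),
    "workstations": ipaddress.ip_network("10.40.0.0/16"),
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
}

# Cross-zone flows with a recorded reason: (src zone, dst zone, TCP port) -> placeholder SoA reference.
JUSTIFIED_FLOWS = {
    ("workstations", "production", 443): "internal web apps (RT-07, placeholder)",
    ("workstations", "hr_database", 5432): "HR client access (RT-12, placeholder)",
}

# Constructed firewall rule export, evaluated top to bottom.
RULES = [
    {"id": 1, "action": "allow", "src": "10.40.0.0/16", "dst": "10.10.0.0/16", "port": 443},
    {"id": 2, "action": "allow", "src": "10.30.0.0/16", "dst": "10.20.0.0/24", "port": 5432},
    {"id": 3, "action": "allow", "src": "192.168.50.0/24", "dst": "10.10.0.0/16", "port": 22},
    {"id": 4, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None},
]

def zone_of(cidr, zones=ZONES):
    """Zone that fully contains cidr, or None if it spans zones or is unscoped (0.0.0.0/0)."""
    net = ipaddress.ip_network(cidr)
    for name, zone in zones.items():
        if net.subnet_of(zone):
            return name
    return None

def audit_rules(rules, zones=ZONES, justified=JUSTIFIED_FLOWS):
    """(rule id, finding) for allow rules crossing a zone boundary without justification, or not zone-scoped."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst = zone_of(rule["src"], zones), zone_of(rule["dst"], zones)
        if src is None or dst is None:
            findings.append((rule["id"], "allow rule is not scoped to one trust zone"))
        elif src != dst and (src, dst, rule["port"]) not in justified:
            findings.append((rule["id"], f"{src} -> {dst}:{rule['port']} has no recorded justification"))
    return findings

def has_default_deny(rules):
    """Enforcement evidence: the final rule denies everything not explicitly justified above."""
    last = rules[-1]
    return last["action"] == "deny" and last["src"] == last["dst"] == "0.0.0.0/0"
```

Running it on a real export gives you a dated list of findings to attach to the SoA, which is closer to the “living documentation” an auditor expects than a static diagram.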

The Bottom Line

The transition to Annex A 8.22 reflects the reality of the 2020s: the perimeter is gone, and the internal network is no longer “safe” by default. By moving network segregation from a broad communications domain to a specific technological control, ISO 27001:2022 forces organisations to get serious about containment. As Hightable.io often points out, the goal is resilience, ensuring that even if a single system is compromised, the rest of your organisation remains protected behind a well-defined boundary.