ISO 27001 A.8.20: Networks security
What This Control Requires
Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
In Plain Language
Your network is the connective tissue between every system you run. If an attacker gets a foothold on one machine and your network is flat, they can walk straight to your database servers, your file shares, your crown jewels. A well-segmented, properly monitored network is the difference between a contained incident and a full-blown breach. This covers all network components - routers, switches, firewalls, wireless access points, load balancers, VPN concentrators, and cloud virtual networks. It also covers how you manage configurations, filter traffic, and monitor for threats. Auditors will look at your network architecture diagram, check your firewall rules for overly permissive entries, and ask how you detect lateral movement. If you cannot show segmentation between trust zones, that is a significant finding.
How to Implement
Design your network architecture with security baked in from the start. Segment into separate trust zones - user networks, server networks, DMZ, management networks, guest networks. Use firewalls to control traffic between zones and apply default-deny rules, only allowing specifically authorised traffic through.

Harden every network device. Change all default credentials. Apply CIS benchmarks. Disable unnecessary services and protocols. Restrict management access to a dedicated management network or out-of-band channel. Use encrypted protocols (SSH, HTTPS) and kill unencrypted alternatives (Telnet, HTTP). Keep firmware current.

Implement network access control (NAC). Authenticate devices before they get network access. Check device security posture - patch level, endpoint protection status - as a condition for connection. Quarantine anything non-compliant. Use 802.1X authentication for wired and wireless networks. Isolate guest traffic completely.

Deploy monitoring and protection tools. Put intrusion detection/prevention systems (IDS/IPS) at network boundaries and between critical segments. Consider network detection and response (NDR) for deeper traffic analysis. Monitor for anomalies and indicators of compromise. Use NetFlow or similar for traffic visibility.

Secure wireless properly. Use WPA3 or WPA2-Enterprise encryption with certificate-based or RADIUS authentication. Isolate wireless from wired infrastructure where appropriate. Scan for rogue access points. Keep guest wireless traffic fully separated from corporate networks.

Run network configuration changes through change management. Document your current architecture and configurations. Use automated configuration management to deploy and verify settings. Maintain configuration backups and alert on any unauthorised changes.
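As an added example (not part of the AuditFront page and not tied to any firewall product), the following Python script shows how the zone-based rules described above can be checked mechanically before an auditor does it by hand. It evaluates a rule set first-match, as most firewalls do, and flags the findings this control and the "Common Mistakes" list call out: 'any-any' allow rules, no explicit default-deny at the end, management services reachable from outside the management zone, Telnet or HTTP used for device management, guest traffic reaching internal zones, and rules shadowed by an earlier broader rule. The rule format, zone names (users, dmz, servers, mgmt, guest, internet) and both sample rule sets are constructed for the example.

```python
"""Added example: first-match audit of a zone-based firewall rule set.
Rule format, zone names and sample rules are constructed for this example
and are not taken from the page or from any vendor's configuration syntax."""
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    src: str      # source zone, or ANY
    dst: str      # destination zone, or ANY
    service: str  # "proto/port", or ANY
    action: str   # "allow" or "deny"

# Assumed zone names for this example.
MGMT_ZONE = "mgmt"
GUEST_ZONE = "guest"
INTERNET_ZONE = "internet"
TELNET, HTTP = "tcp/23", "tcp/80"   # unencrypted management protocols

def _field_matches(pattern, value):
    return pattern == ANY or pattern == value

def matches(rule, src, dst, service):
    return (_field_matches(rule.src, src) and _field_matches(rule.dst, dst)
            and _field_matches(rule.service, service))

def decision(rules, src, dst, service):
    """First-match evaluation; a flow matching no rule is implicitly denied."""
    for r in rules:
        if matches(r, src, dst, service):
            return r.action
    return "deny"

def _covers(broad, narrow):
    """True when every flow matched by `narrow` is also matched by `broad`,
    so `narrow` can never be reached if `broad` precedes it."""
    pairs = zip((broad.src, broad.dst, broad.service),
                (narrow.src, narrow.dst, narrow.service))
    return all(b == ANY or b == n for b, n in pairs)

def audit(rules):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow":
            if r.src == ANY and r.dst == ANY and r.service == ANY:
                findings.append(f"rule {i}: any-any allow")
            if r.dst == MGMT_ZONE and r.src != MGMT_ZONE:
                findings.append(f"rule {i}: management zone reachable from {r.src}")
            if r.service == TELNET or (r.dst == MGMT_ZONE and r.service == HTTP):
                findings.append(f"rule {i}: unencrypted management protocol {r.service}")
            if r.src == GUEST_ZONE and r.dst != INTERNET_ZONE:
                findings.append(f"rule {i}: guest traffic reaches {r.dst}")
        for j in range(i):
            if _covers(rules[j], r):
                findings.append(f"rule {i}: shadowed by rule {j}")
                break
    if not rules or rules[-1] != Rule(ANY, ANY, ANY, "deny"):
        findings.append("no explicit default-deny at end of rule set")
    return findings

# Constructed rule set with the classic mistakes.
SAMPLE_RULES = [
    Rule("users", "dmz", "tcp/443", "allow"),
    Rule("dmz", "servers", "tcp/5432", "allow"),
    Rule("mgmt", "servers", "tcp/22", "allow"),
    Rule("users", "mgmt", "tcp/22", "allow"),      # SSH into mgmt from the user LAN
    Rule("guest", "internet", "tcp/443", "allow"),
    Rule("guest", "servers", "tcp/445", "allow"),  # guest Wi-Fi into the server zone
    Rule(ANY, ANY, ANY, "allow"),                  # the 'any-any' rule
    Rule("users", "servers", "tcp/3389", "deny"),  # never reached: rule 6 matches first
]

# Constructed hardened version: mgmt access only from mgmt, guest only to
# the internet, explicit default-deny last.
HARDENED_RULES = [
    Rule("users", "dmz", "tcp/443", "allow"),
    Rule("dmz", "servers", "tcp/5432", "allow"),
    Rule("mgmt", "servers", "tcp/22", "allow"),
    Rule("guest", "internet", "tcp/443", "allow"),
    Rule(ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {audit(rules) or ['clean']}")
```

Running it reports five findings for the sample set and none for the hardened one; the shadowed-rule check is worth keeping because an 'any-any' rule placed above a deny makes the deny look present in the export while doing nothing, which is exactly what an auditor reading the rule set line by line will notice.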
Evidence Your Auditor Will Request
- Network architecture diagram showing segmentation and security zones
- Firewall rule sets and access control configurations
- Network device hardening configuration records
- Network monitoring tool deployment and alert records
- Network change management records
Common Mistakes
- Network is flat with no segmentation between different trust zones
- Network devices use default or weak credentials
- Firewall rules are overly permissive with excessive 'any-any' rules
- Wireless networks use weak encryption or shared PSK authentication
- No network monitoring for lateral movement or anomalous traffic patterns
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.6 | Equivalent |
| SOC 2 | CC6.1 | Related |
| GDPR | Art.32 | Related |
| NIS2 | Art.21(2)(d) | Related |
Frequently Asked Questions
What is network segmentation and why is it important?
Do we need separate management networks?