AuditFront

ISO 27001 A.8.21: Security of network services

What This Control Requires

Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.

In Plain Language

You likely rely on external providers for critical network services - internet connectivity, VPNs, managed firewalls, CDNs, DNS, email hosting. If any of these get compromised or go down, your business feels it immediately. The question is: do you actually know what security controls those providers have in place? For each network service, whether internal or outsourced, you need to pin down the security mechanisms required, agree on service levels that include security commitments, and actively monitor that those commitments are being met. Service agreements should spell out what security features are provided, availability SLAs, the provider's obligations for monitoring and incident response, and your right to audit or receive assurance reports. Auditors will ask to see these agreements and evidence that you are actually reviewing provider performance.

How to Implement

Map out every network service your organisation uses, both internal and external. For each one, document the provider, security features, SLAs, and the internal person responsible.

Define security requirements per service. Think about encryption standards (minimum TLS versions, cipher suite requirements), authentication mechanisms, intrusion detection, DDoS protection, logging and monitoring capabilities, redundancy and failover, incident response procedures, and compliance with relevant standards.

For outsourced services, bake security requirements into the contract. Specify what controls the provider must maintain, SLAs for security metrics (like DDoS mitigation response time), incident notification timelines, the right to audit or receive SOC 2 reports, and data protection obligations for any data the provider can access.

Monitor your network services continuously. Use network monitoring tools to verify availability and performance. Watch for security events - DDoS attacks, routing anomalies, degradation. Review provider security reports and audit results on a regular schedule. Track SLA compliance and escalate breaches.

Deploy your own security controls at service boundaries. Put firewalls and IPS at ingress and egress points. Implement DDoS mitigation for internet-facing infrastructure. Use DNSSEC where supported. Configure secure routing with BGP authentication.

Review network service arrangements periodically. Check whether security requirements are still being met. Evaluate whether the provider's security posture is still adequate given changes in the threat landscape. Have a transition plan ready if you need to switch providers.
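As an added illustration (not AuditFront's tooling), the following Python sketch checks constructed monitoring probes for a service against the requirements documented for it (availability SLA, minimum TLS version, DNSSEC) and flags findings to escalate, which is the "track SLA compliance and escalate breaches" step above. Service names, owners, thresholds and probe results are constructed sample values.

```python
# Added example, not AuditFront's own code: compare monitoring probes with the
# per-service requirements an A.8.21 inventory records. All services, owners,
# thresholds and probe results below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ServiceRequirement:
    name: str
    owner: str                      # internal person responsible
    availability_sla: float         # agreed availability, percent
    min_tls: Tuple[int, int]        # minimum TLS version, e.g. (1, 2)
    dnssec_required: bool = False

@dataclass
class Probe:
    up: bool                                  # service answered the probe
    tls_version: Optional[Tuple[int, int]]    # observed TLS version, None if not TLS
    dnssec_valid: Optional[bool] = None       # DNSSEC validation result, None if unchecked

def evaluate(req: ServiceRequirement, probes: List[Probe]) -> dict:
    """Return availability, findings against the requirements, and an escalate flag."""
    findings = []
    availability = 100.0 * sum(p.up for p in probes) / len(probes)
    if availability < req.availability_sla:
        findings.append(f"availability {availability:.2f}% below SLA {req.availability_sla}%")
    # Any probe that negotiated a TLS version below the documented minimum
    weak = sorted({p.tls_version for p in probes if p.tls_version and p.tls_version < req.min_tls})
    if weak:
        findings.append("TLS below minimum observed: " + ", ".join(f"{a}.{b}" for a, b in weak))
    # DNSSEC must validate on every probe where it was checked
    if req.dnssec_required and not all(p.dnssec_valid for p in probes if p.dnssec_valid is not None):
        findings.append("DNSSEC validation failed on at least one probe")
    return {"service": req.name, "owner": req.owner, "availability": round(availability, 2),
            "findings": findings, "escalate": bool(findings)}

# Constructed sample: managed DNS with one outage and one unsigned answer in 10 probes
DNS_REQ = ServiceRequirement("managed-dns (sample)", "net-ops lead", 99.9, (1, 2), dnssec_required=True)
DNS_PROBES = [Probe(True, None, True)] * 8 + [Probe(False, None, None), Probe(True, None, False)]

# Constructed sample: site VPN that is fully available but once negotiated TLS 1.1
VPN_REQ = ServiceRequirement("site-vpn (sample)", "security lead", 99.5, (1, 2))
VPN_PROBES = [Probe(True, (1, 3), None)] * 9 + [Probe(True, (1, 1), None)]

if __name__ == "__main__":
    for req, probes in ((DNS_REQ, DNS_PROBES), (VPN_REQ, VPN_PROBES)):
        print(evaluate(req, probes))
```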

Evidence Your Auditor Will Request

  • Inventory of network services with security requirements
  • Service level agreements including security provisions
  • Network service monitoring configuration and reports
  • Provider security assessment or audit report reviews
  • Network boundary security configuration (firewalls, IPS)

Common Mistakes

  • Network service agreements do not include security requirements
  • Security capabilities of network services are not verified
  • No monitoring of network service security performance
  • DDoS protection is not implemented for internet-facing services
  • Service provider security is not assessed periodically

Related Controls Across Frameworks

Framework   Control ID      Relationship
SOC 2       CC6.6           Related
SOC 2       CC9.2           Partial overlap
NIS2        Art.21(2)(d)    Related

Frequently Asked Questions

What security should we require from an ISP?
At minimum, push for DDoS mitigation capabilities, a solid availability SLA, BGP route filtering to prevent hijacking, and incident notification for network security events. For managed services, also require encryption, access controls, logging, and security monitoring. Ask for their security certifications and SOC 2 reports - any reputable provider will have these ready.
How do we monitor network service security?
Use network monitoring tools for availability and performance. Watch traffic for anomalies and potential attacks. Review your provider's security reports and audit results on a regular cadence - quarterly is typical. Track SLA compliance metrics and hold providers accountable. Most importantly, run your own security controls (firewalls, IPS) at network boundaries so you are not entirely dependent on the provider to detect threats.
