Networks Security - ISO 27001 Annex A Control

ISO 27001 Annex A 8.20

The network is the connective tissue - if it fails or is compromised, everything else is exposed.

ISO 27001 Annex A 8.20 - Networks Security

Networks carry every interaction between systems and users. The control treats network security as foundational - protecting the network protects everything that runs on it. The scope covers internal LANs, wireless networks, wide-area links, internet connections, and increasingly the mesh of cloud network services and SD-WAN connections that have replaced traditional perimeters.

Practical network security combines defensive design (segmentation, controlled traffic flows, firewalls between zones), authentication (strong access controls for network management), monitoring (visibility into traffic patterns and anomalies), and configuration baselines (consistent secure setup across network devices). Each addresses a different aspect of the overall protection.

The traditional model of a hard outer perimeter with a soft interior has largely given way to zero-trust thinking - assume the network is hostile and verify every connection. Whether the organisation has formally adopted zero trust or not, the principles increasingly apply: identity-aware access, least-privilege traffic flows, and end-to-end encryption rather than relying on network location for security.

The network security gap that bites organisations most often is the legacy connection that escaped the modern controls. A point-to-point link to a partner that does not go through the firewall. A management network that bypasses the access controls. A historic VPN configuration that grants more access than needed. Each is hard to find without a deliberate review of the actual network paths.

Documentation matters because the audit looks at the network as designed and the network as operating. Where the documentation is current and reflects the actual configuration, the audit moves quickly. Where the documentation is incomplete or out of date, the audit slows down and starts asking deeper questions about what else might have drifted.
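The "deliberate review of the actual network paths" and the comparison of the network as designed with the network as operating can be made mechanical once the zone model and allowed flows are written down. The script below is an added illustration, not part of the alphaZ toolkit or of this page: it takes a documented zone model (CIDR per zone) and a set of allowed zone-to-zone flows, reads observed flow records, and reports three kinds of drift - traffic from an address that belongs to no documented zone (the partner link that bypasses the firewall), management-plane ports reached from outside the management zone (the VPN or management network that grants more than it should), and zone-to-zone flows that no rule covers. The zones, rules, management-port list and flow lines are all constructed for the example; in practice the parser would be pointed at real NetFlow, VPC flow-log or firewall log exports.

```python
"""Flow-drift check: compare observed flows with the documented network model.

Added example; zones, rules and sample flows are constructed, not a real estate.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Documented zone model (assumed CIDRs, constructed for the example).
ZONES = {
    "user_lan": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "mgmt": ipaddress.ip_network("10.250.0.0/24"),
    "vpn": ipaddress.ip_network("10.99.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Documented allowed flows: (src_zone, dst_zone, dst_port); "*" means any port.
ALLOWED = {
    ("user_lan", "servers", 443),
    ("user_lan", "dmz", 443),
    ("dmz", "servers", 5432),
    ("vpn", "servers", 443),
    ("mgmt", "servers", 22),
    ("mgmt", "dmz", 22),
    ("mgmt", "mgmt", "*"),
}

# Ports treated as management plane; reaching them from anywhere other than
# the mgmt zone is a finding even if some other rule would otherwise match.
MGMT_PORTS = {22, 23, 161, 830}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> Optional[str]:
    """Return the documented zone containing addr, or None if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def check_flow(flow: Flow):
    """Return None if the flow is covered by the documented model,
    otherwise a (category, detail) finding."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return ("unknown_zone",
                f"{flow.src} -> {flow.dst}:{flow.dport} (zones {src_zone}, {dst_zone})")
    if flow.dport in MGMT_PORTS and src_zone != "mgmt":
        return ("mgmt_from_outside", f"{src_zone} -> {dst_zone}:{flow.dport}")
    if (src_zone, dst_zone, flow.dport) in ALLOWED or (src_zone, dst_zone, "*") in ALLOWED:
        return None
    return ("undocumented_flow", f"{src_zone} -> {dst_zone}:{flow.dport}")


def parse_flow_line(line: str) -> Flow:
    """Parse one record in the constructed format: '<src_ip> <dst_ip> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, int(dport), proto)


def audit(lines):
    """Run every non-empty, non-comment record through check_flow; return findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        finding = check_flow(parse_flow_line(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample flow records (src dst proto dport); not real traffic.
SAMPLE_FLOWS = """
10.10.4.23 10.20.1.5 tcp 443
10.10.4.23 192.0.2.10 tcp 443
192.0.2.10 10.20.1.5 tcp 5432
10.250.0.7 10.20.1.5 tcp 22
10.10.4.23 10.20.1.5 tcp 22
172.16.99.4 10.20.1.5 tcp 445
10.10.4.23 10.20.3.9 tcp 3389
10.99.0.12 10.250.0.7 tcp 22
"""

if __name__ == "__main__":
    for category, detail in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{category:18} {detail}")
```

The four findings the sample produces map onto the gaps described above: SSH to a server from the user LAN and from the VPN pool (management plane reached from outside the management zone), a 172.16.99.4 source that sits in no documented zone (the partner link nobody drew), and RDP from the user LAN to a server that no rule allows. Anything the script reports is either undocumented design or drift, and either way it is what the audit will ask about.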

Practical Compliance Guidance

Network security is described in the IMS1 manual at section 8.3 on IT equipment alongside the wider information security arrangements. Network diagrams and firewall configuration provide the operational evidence.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

PP-8-100 Information Security Policy Procedure - Contains the Information Security Policy including the network security baseline. Use as the source for network governance and the link to access controls.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

What technical measures does A.8.20 expect?

Firewalls between network zones, intrusion detection or prevention systems, segregation of network segments by function or sensitivity, secured network management, monitoring of traffic patterns, and authentication for access to network devices. The exact mix depends on the architecture and risk profile.

Does A.8.20 require a zero-trust architecture?

Zero trust is a direction of travel rather than a single product. Most modern architectures already incorporate zero-trust principles in some areas (identity-aware access, MFA, traffic encryption) without formally adopting the framework. Whether to commit to a full zero-trust programme depends on the organisation's risk profile and architecture maturity.

How should changes to the network be controlled?

Through the change management process under A.8.32. Network changes carry particular risk because they can affect multiple systems and may be hard to reverse cleanly. The change process should reflect this through stronger review and tested rollback plans.
