Security of Network Services - ISO 27001 Annex A Control

Network services - whether internal or contracted - need defined security characteristics.

ISO 27001 Annex A 8.21 - Security of Network Services

Network services - internet connectivity, MPLS links, VPN services, dedicated point-to-point connections, cloud network services - are typically provided by external suppliers. The control requires the security mechanisms, service levels and service requirements of these services to be identified, implemented and monitored, not just the operational characteristics. Bandwidth and uptime matter, but so do encryption, access controls and the supplier's own security posture.

Security requirements should be set in the contract before the service is engaged, when the organisation still has leverage. Encryption requirements, authentication arrangements for service management, logging and monitoring expectations, and incident notification thresholds all belong in the contract alongside the service levels for performance. The supplier agreement requirements under A.5.20 (addressing information security within supplier agreements) provide the wider framework.

Monitoring confirms that the service is delivering against the security requirements as well as the performance ones. Supplier service reports, supplier security disclosures, and the organisation's own monitoring of the connection all contribute to ongoing assurance. Where the service falls short, the contractual position should give the organisation a basis for requiring remediation.

The network service that most often surprises an auditor is the one whose contract was agreed years ago and never refreshed. The original requirements may no longer match current expectations, the supplier's security posture may have changed, and nobody has reviewed the arrangement against current standards. Periodic supplier review under A.5.22 (monitoring, review and change management of supplier services) is what catches this drift.

Practical Compliance Guidance

Network service security is described in the IMS1 manual at section 8.5 alongside the Supplier Management Procedure. The supplier register and contract records hold the operational detail.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

PP-8-100 Information Security Policy Procedure - Contains the supplier security arrangements including the requirements for network service contracts. Use as the source for the contractual baseline.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

What security requirements should a network service contract define?

Encryption (in transit at minimum, often end-to-end), authentication for service management, logging and monitoring with appropriate access for the customer, incident notification within defined timescales, and clear allocation of security responsibilities between provider and customer.

How is the security of a network service monitored?

Through service reports, supplier-published certifications and audit reports (SOC 2, ISO 27001), and where applicable the customer's own monitoring of the connection. The supplier review process under A.5.22 brings these together into an annual assessment.

Does the control apply to cloud network services?

Yes. Cloud network services (load balancers, DNS, content delivery networks, virtual networks) follow the same logic. The provider's certifications and shared responsibility model define the baseline; the customer configures the service and monitors what is within their scope.
