Segregation of Networks - ISO 27001 Annex A Control

ISO 27001 Annex A 8.22

Compartmentalising the network limits how far an attacker can travel.

ISO 27001 Annex A 8.22 - Segregation of Networks

Network segregation creates internal boundaries that contain incidents. When an attacker compromises one part of the network, segregation determines how far they can move laterally. A flat network gives them everything; a well-segregated network confines them to a smaller area while detection and response take effect. The control asks for segregation that matches the sensitivity of the systems involved.

Practical segregation patterns include separating user networks from server networks, separating production from non-production, isolating systems handling regulated data, segregating guest and IoT networks from staff networks, and segregating management networks from production traffic. Each pattern serves a particular purpose and the design should reflect what the organisation actually operates.

Modern network technology makes segregation more flexible than the traditional VLAN approach. Cloud networks, software-defined networking, and microsegmentation tools allow boundaries to be defined logically rather than physically, and to follow workloads rather than being tied to network locations. The principle remains the same: meaningful boundaries between groups of resources with different security profiles.

The segregation audits find most often is the one that does not actually segregate: networks in different VLANs but routing freely between them; production and test environments theoretically separate but sharing services; guest Wi-Fi nominally separate but connected to internal resources for convenience. Each defeats the purpose of the segregation. The test is to look at actual traffic flows rather than network labels.

Practical Compliance Guidance

Network segregation is described in the IMS1 manual at section 8.3 on IT equipment alongside the network architecture. Network diagrams and firewall configuration provide the operational evidence.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

PP-8-100 Information Security Policy Procedure - Contains the Information Security Policy including the network segregation principles applied across the estate. Use as the source for segregation design.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

By the sensitivity and trust level of the systems involved. Production systems handling regulated data warrant tighter segregation than internal collaboration tools. Guest networks should always be segregated from staff networks. Management interfaces should sit on separate management networks where the architecture allows.

Cloud platforms expose tools for segregation (security groups, network ACLs, VPC architectures) but do not segregate by default. The organisation needs to design and configure segregation appropriate to the workloads. Default-open configurations are common pitfalls that audits and security reviews surface.

Through configuration review (the documented design matches the live configuration) and traffic testing (the boundaries actually block what they should). Penetration testing often probes segregation by attempting to move between segments and reports gaps.
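The configuration-review step above, and the earlier point that segments which merely carry different labels but route freely between each other do not segregate, can both be checked mechanically. This added example (not from the page or the alphaZ toolkit) takes a constructed set of segments, a constructed first-match firewall ruleset, and the pairs the design says must be blocked, and reports which allow rules defeat the design; the addresses and rule format are assumptions for illustration only.

```python
import ipaddress

# Constructed sample data (not from the page): segments the design labels as
# separate, and a first-match firewall ruleset meant to enforce that design.
SEGMENTS = {
    "guest": ipaddress.ip_network("10.50.0.0/16"),
    "staff": ipaddress.ip_network("10.10.0.0/16"),
    "mgmt":  ipaddress.ip_network("10.250.0.0/24"),
}

# Rules as (source, destination, action); "any" matches every address.
RULES = [
    ("10.50.0.0/16", "10.10.20.5/32", "allow"),   # "convenience" hole to a staff host
    ("10.10.0.0/16", "10.250.0.0/24", "allow"),   # staff LAN can reach management
    ("any", "any", "deny"),
]

# Segregation design: traffic from the first segment into the second must be blocked.
FORBIDDEN = [("guest", "staff"), ("guest", "mgmt"), ("staff", "mgmt")]


def _overlaps(rule_net, segment):
    return rule_net == "any" or ipaddress.ip_network(rule_net).overlaps(segment)


def _covers(rule_net, segment):
    return rule_net == "any" or segment.subnet_of(ipaddress.ip_network(rule_net))


def leaks(src_name, dst_name, rules=RULES):
    """Return the allow rules that let some src -> dst traffic through.

    Rules are evaluated in order. A deny covering the whole pair ends the search;
    a deny covering only part of it is skipped, so later allows are still
    reported (conservative: may over-report, never under-report a hole).
    """
    src, dst = SEGMENTS[src_name], SEGMENTS[dst_name]
    found = []
    for rsrc, rdst, action in rules:
        if not (_overlaps(rsrc, src) and _overlaps(rdst, dst)):
            continue
        if action == "deny" and _covers(rsrc, src) and _covers(rdst, dst):
            break
        if action == "allow":
            found.append((rsrc, rdst))
    return found


def audit(forbidden=FORBIDDEN, rules=RULES):
    """Map each forbidden segment pair to the rules that defeat it (empty = OK)."""
    return {pair: leaks(*pair, rules=rules) for pair in forbidden}
```

Run `audit()` against a ruleset exported from the real firewall to see which labelled boundaries hold; an empty list for a pair means the configuration matches the design, a non-empty list names the rules to review.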
