Episode 64 — A.8.21–8.22 — Security of network services; Segregation of networks

Annex A control 8.21 (ISO/IEC 27001:2022) establishes the requirement for security of network services, ensuring that whether a network service is internally managed, outsourced, or cloud-delivered, it meets defined security expectations for confidentiality, integrity, and availability. The control requires that organizations identify the security mechanisms, service levels and service requirements of every network service they rely upon, and continually verify that the provider meets them: internet connections and WAN providers, VPN gateways, leased lines, DNS, and cloud interconnects alike. The intent is to make sure that these essential channels are not treated as blind spots simply because they are managed by third parties. Oversight of external providers must integrate directly with internal controls, aligning operational assurance with business accountability.

Before any network service is adopted, organizations must perform due diligence to ensure it meets acceptable security standards. Providers should be evaluated for industry certifications such as ISO/IEC 27001, SOC 2, or equivalent attestations that demonstrate mature governance. Service-level agreements (SLAs) should explicitly outline responsibilities for encryption, monitoring, and incident response cooperation. Visibility is key — contracts should guarantee that logs from provider-managed devices can be accessed or reviewed by the organization as needed. Regulatory and contractual obligations must be reflected in provider agreements to ensure compliance even when infrastructure ownership lies elsewhere. In short, trust must be earned through evidence, not convenience.

Operational safeguards reinforce these assurances once services are active. Encryption must be consistently applied to data in transit, ensuring that interception yields only unreadable ciphertext. Administrative interfaces for managing network equipment require strong authentication and logging to prevent unauthorized changes. Continuous monitoring verifies that the provider delivers agreed service levels and that alerts are raised when deviations occur. Joint testing of incident response protocols — such as coordinated drills or failover simulations — ensures both parties can act cohesively during a crisis. These measures bridge the operational gap between “you own the network” and “we share the responsibility.”

Auditors evaluating compliance with A.8.21 seek tangible evidence that the organization doesn’t take network services for granted. Signed contracts must include explicit security clauses detailing encryption requirements, access restrictions, and response procedures. Provider compliance reports and certifications, such as annual audit summaries or penetration testing results, validate that commitments are being met. Monitoring logs from internal systems and provider interfaces demonstrate real-time visibility into performance and security. Finally, documentation of service acceptance testing and periodic reviews proves that oversight is continuous, not a one-time onboarding activity. These records show that network security governance extends beyond organizational borders.

Once services are assured, attention shifts to A.8.22, segregation of networks, which governs how those services are structured to limit exposure and lateral movement. The control requires that groups of information services, users and information systems be segregated from one another, logically, physically, or both, so that a compromise in one zone cannot cascade across the enterprise. Network segregation embodies the principle of defense-in-depth and aligns directly with modern zero trust architectures, which assume that no single segment, even an internal one, should be trusted by default. The ISO/IEC 27002 guidance makes clear that this control applies universally: whether networks are on-premises, in private or public clouds, or in hybrid combinations spanning both. The goal is not isolation for its own sake, but containment: limiting the blast radius when incidents occur.

Designing network segregation begins with mapping functions and risk levels to separate logical or physical zones. Virtual LANs (VLANs) can isolate departmental traffic without requiring distinct physical networks, providing efficient separation of functions like HR, finance, and production systems, provided that routing between VLANs is forced through an enforcement point rather than left open. Firewalls or gateways act as checkpoints between zones, enforcing strict access rules and monitoring cross-boundary traffic. For highly sensitive or safety-critical systems, such as those supporting industrial controls or national security functions, complete air gaps may be warranted, disconnecting those networks from all other networks, not merely from the internet. In cloud architectures, segmentation is achieved through virtual private clouds (VPCs), subnets, network ACLs and security groups that replicate the same layered principles in virtualized form. Proper design is default-deny between zones: data and users flow only where a documented rule explicitly allows it, and every such rule has an owner.
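The zoning described above can be modelled before anything is configured, so that the intended cross-zone flows are written down, default-deny is the starting point, and observed traffic can be checked against the design. The following is an added example written for this episode, not code from ISO, the prepcast, or any vendor. The zone CIDRs, the allow rules, and the flow log lines are all constructed for illustration; a real deployment would load its own zone map and the flow records exported by its firewalls or VPC flow logs.

```python
"""Segmentation policy model: zones by CIDR, explicit allow rules, default deny.

Added illustration for A.8.22; every address, zone and rule below is a
constructed assumption, not a reference design.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map. Longest-prefix match decides membership, so a more
# specific prod subnet can sit inside a broader range without ambiguity.
ZONES = {
    "corp-users": ["10.10.0.0/16"],
    "hr":         ["10.20.0.0/24"],
    "finance":    ["10.30.0.0/24"],
    "dev-test":   ["10.40.0.0/16"],
    "prod-app":   ["10.50.1.0/24"],
    "prod-db":    ["10.50.2.0/24"],
    "mgmt":       ["10.99.0.0/24"],   # jump hosts / admin bastion
    "ot":         ["192.168.100.0/24"],
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset   # permitted destination TCP ports
    owner: str         # every cross-zone flow has an accountable owner

# Constructed allow list. Anything not listed here is denied between zones.
ALLOW = [
    Rule("corp-users", "prod-app", frozenset({443}),  "app-team"),
    Rule("prod-app",   "prod-db",  frozenset({5432}), "app-team"),
    Rule("mgmt",       "prod-app", frozenset({22}),   "platform-ops"),
    Rule("mgmt",       "prod-db",  frozenset({22}),   "platform-ops"),
    Rule("mgmt",       "ot",       frozenset({22}),   "ot-engineering"),
]

def zone_of(ip: str) -> str:
    """Return the zone of an address by longest-prefix match, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "unknown", -1
    for zone, cidrs in ZONES.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best

def is_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Default deny across zones; traffic inside one zone is left to host controls."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src, dst):
        return False          # unclassified addresses never get a free pass
    if src == dst:
        return True
    return any(r.src == src and r.dst == dst and port in r.ports for r in ALLOW)

def audit(flow_lines):
    """Check 'src dst port' flow records against the policy; return violations."""
    violations = []
    for line in flow_lines:
        src_ip, dst_ip, port = line.split()
        if not is_allowed(src_ip, dst_ip, int(port)):
            violations.append({
                "flow": line,
                "src_zone": zone_of(src_ip),
                "dst_zone": zone_of(dst_ip),
            })
    return violations

# Constructed flow records, e.g. as exported from a firewall or VPC flow log.
SAMPLE_FLOWS = [
    "10.10.5.7 10.50.1.10 443",        # user -> app over TLS: allowed
    "10.50.1.10 10.50.2.5 5432",       # app tier -> database: allowed
    "10.99.0.4 10.50.2.5 22",          # admin from jump zone: allowed
    "10.40.3.3 10.50.2.5 5432",        # dev/test reaching prod DB: violation
    "10.10.5.7 10.50.2.5 5432",        # user workstation straight to DB: violation
    "10.10.5.7 192.168.100.20 502",    # office IT into OT (Modbus): violation
    "203.0.113.9 10.50.1.10 443",      # unclassified source into prod: violation
    "10.10.5.7 10.10.8.9 445",         # intra-zone SMB: not a zone violation
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {v['src_zone']} -> {v['dst_zone']}: {v['flow']}")
```

Running the audit over the constructed records flags the four flows that cross a zone boundary without a rule, which are exactly the failure modes the control is meant to prevent: test-to-production, user-to-database, IT-to-OT, and an address the zone map does not recognise. Unknown sources are denied rather than ignored, because an address that is in no zone is either a mapping error or an attacker, and both deserve a review.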

For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.

The risks addressed by A.8.22 are among the most frequent causes of large-scale breaches. In a flat network, malware or ransomware can propagate freely once it gains a foothold, encrypting systems across departments and even data centers in minutes. Without clear separation, unauthorized users in general zones can reach administrative interfaces or sensitive databases that should have been isolated. Development and test systems, which often contain partial production data, may inadvertently connect to live environments, violating privacy and compliance rules. Regulatory frameworks, especially those governing financial services or critical infrastructure, explicitly require segmentation of regulated data or operational technology (OT) from general IT networks. Proper segregation stops these risks at the design stage, preventing them from becoming operational emergencies.

Failures to segregate properly have produced some of the most severe incidents in cybersecurity history. Organizations have suffered enterprise-wide ransomware infections simply because their corporate and production environments shared the same network space. In other cases, test environments with sensitive datasets were accidentally exposed to the internet via public IPs, leading to major privacy violations. Retailers have seen point-of-sale systems compromised through connections from unsecured kiosks or office networks, while industrial operations have experienced downtime when IT infections spread into operational technology systems controlling machinery. Each of these scenarios demonstrates that segregation isn’t merely a compliance checkbox — it is a structural safeguard that defines whether an incident remains contained or spirals into catastrophe.

Different industries implement A.8.22 in ways that reflect their operational priorities. Financial institutions separate trading systems and payment gateways from general business networks, ensuring that customer transactions cannot be impacted by office malware or web browsing. Hospitals isolate life-critical medical devices and diagnostic systems from administrative IT, preventing malware outbreaks from endangering patient safety. Utility companies operate SCADA and control networks on physically or logically separate infrastructures to ensure uninterrupted service delivery. Cloud-based SaaS providers segment development, staging, and production tenants so that customer data remains walled off from testing environments. Despite differing technologies, the principle remains constant: segmentation preserves trust by containing risk.

When viewed together, controls A.8.21 and A.8.22 represent two layers of network assurance that reinforce each other. Securing network services ensures that the channels connecting systems are trustworthy, encrypted, and well-managed, while network segregation ensures that those systems are compartmentalized, preventing one compromise from infecting the next. If a network provider suffers a breach, proper segregation keeps exposure limited to defined zones rather than the entire enterprise. Conversely, if internal segmentation fails, well-assured network services still keep the external boundaries intact and monitored. Together, these controls form the architectural foundation for defense-in-depth and modern zero trust frameworks, where every connection is authenticated, every route is deliberate, and every segment has a clear purpose.

In combination, these controls offer resilience, accountability, and containment — the three cornerstones of dependable network governance. Resilience ensures that networks continue to function even when parts of the infrastructure fail or come under attack. Accountability guarantees that every data flow and connection has an identifiable owner and documented approval. Containment limits the damage radius of any incident, giving security teams a fighting chance to respond before widespread disruption occurs. Through disciplined implementation of A.8.21 and A.8.22, organizations move beyond simple perimeter defense to an adaptive network posture that can withstand complexity, vendor dependencies, and evolving threats.

Controls A.8.21 and A.8.22 remind us that network security is not a product but a living architecture, one that depends equally on design precision and operational vigilance. By ensuring that every network service is trustworthy and every connection purposeful, these controls transform connectivity from a liability into a controlled capability. They establish not just compliance but confidence: the assurance that no single failure, vendor misstep, or human error can expose the entire enterprise. In an interconnected world, where networks define how business and data move, these two controls serve as the blueprint for trustworthy communication: a structure built to contain risk, preserve service, and maintain trust across every layer of connection.
