This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.20 Networks security.
ISO 27001: 2022 Control Description
Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
Purpose
To protect information in networks and the systems and applications they support from being compromised via the network.
Guidance on implementation
Implement controls to ensure the security of information within networks and to safeguard connected services from unauthorised access. Consider the following actions:
- Information Type and Classification:
- Identify the type and classification level of information that the network will handle.
- Management Responsibilities:
- Define clear responsibilities and procedures for managing networking equipment and devices.
- Up-to-Date Documentation:
- Keep current documentation, including network diagrams and configuration files for devices like routers and switches.
- Separation of Responsibilities:
- Where appropriate, separate the operational responsibilities for networks from ICT system operations to enhance security.
- Data Protection Over Networks:
- Implement controls to protect the confidentiality and integrity of data transmitted over public, third-party, or wireless networks. Ensure connected systems and applications are also protected. Additional controls may be necessary to maintain the availability of network services and connected computers.
- Logging and Monitoring:
- Log and monitor network activity to record and detect any actions that could affect information security.
- Coordinated Network Management:
- Ensure network management activities are closely coordinated to optimise service delivery and consistently apply controls across the information processing infrastructure.
- System Authentication:
- Authenticate systems connecting to the network to prevent unauthorised access.
- Connection Restrictions:
- Restrict and filter system connections to the network, for example, by using firewalls.
- Device Authentication:
- Detect, restrict, and authenticate devices connecting to the network to prevent unauthorised access.
- Network Device Hardening:
- Strengthen network devices against attacks by implementing hardening techniques.
- Segregation of Network Traffic:
- Separate network administration channels from other network traffic to enhance security.
- Isolating Critical Subnetworks:
- Temporarily isolate critical subnetworks, such as by using drawbridges, if the network is under attack.
- Disabling Vulnerable Protocols:
- Disable any network protocols that are known to be vulnerable to attacks.
Additionally, ensure that virtualised networks, including software-defined networking (SDN) and SD-WAN, are secured with appropriate controls. Virtualised networks can offer enhanced security through logical separation of communications over physical networks, especially for systems and applications using distributed computing.