ISO 27001: 2022 A.8.21 Security of network services

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.21 Security of network services.

ISO 27001: 2022 Control Description

Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.

Purpose

To ensure the safe and secure use of network services.

Guidance on implementation

It's essential to identify, implement, and monitor the security measures, service levels, and requirements for network services. This applies whether the services are provided internally or by external network service providers. The organisation should ensure that these security measures are in place and properly maintained.

Key Steps:

  1. Identify Security Needs:
    • Determine the specific security features, service levels, and requirements needed for each network service.
  2. Implement Security Measures:
    • Work with network service providers to implement the necessary security mechanisms for the services they offer.
  3. Monitor Service Security:
    • Regularly assess the network service provider's ability to manage services securely.
    • Establish the right to audit network services, agreed upon between the organisation and the provider.
    • Consider third-party attestations from service providers as evidence of their security practices.
  4. Establish Network Usage Rules:
    • Define and enforce rules for network and network service usage, including:
      • Which networks and services are allowed to be accessed.
      • Authentication requirements for accessing different network services.
      • Authorisation procedures to control who can access specific networks and services.
      • Network management, technological controls, and procedures to protect access.
      • Methods for accessing networks (e.g., VPNs or wireless networks).
      • Time, location, and user attributes for access.
      • Monitoring the usage of network services.
  5. Consider Security Features:
    • Ensure network services include appropriate security technologies, such as:
      • Authentication, encryption, and network connection controls.
      • Technical specifications for secure connections, following security and network rules.
      • Caching settings (e.g., in a content delivery network) that align with performance, availability, and confidentiality needs.
      • Procedures to restrict access to certain network services or applications when necessary.