
ISO 27001:2022 A.8.22 Segregation of networks

This article provides additional information on how you can meet the requirement for the ISO 27001:2022 control A.8.22 Segregation of networks.

ISO 27001:2022 Control Description

Groups of information services, users and information systems shall be segregated in the organization’s networks.

Purpose

To divide the network into secure zones and control the flow of traffic between them based on business needs.

Guidance on implementation

To manage the security of a large network effectively, divide it into separate domains and isolate those domains from public networks such as the internet. Define the domains by trust level, criticality and sensitivity. For example, you might have domains for public access, desktops and servers, or for specific organisational units such as HR, finance or marketing. Segregation can be achieved with physically separate networks or with logically separate networks (e.g., VLANs); in either case, traffic between domains should only pass through a controlled gateway.

Key Steps:

  1. Define Network Domains:
    • Determine the boundaries of each network domain based on the level of trust, sensitivity, or organisational structure.
    • Clearly outline the perimeter of each domain.
  2. Control Access Between Domains:
    • If access between domains is necessary, control it at the perimeter using gateways such as firewalls or filtering routers.
    • Base the criteria for network segregation and access control on a thorough assessment of the security needs of each domain, considering factors like access requirements, information classification, and the impact on cost and performance.
  3. Special Considerations for Wireless Networks:
    • Wireless networks need special attention due to their less-defined perimeters. Adjust radio coverage as needed to keep wireless networks segregated.
    • For sensitive environments, treat all wireless access as if it’s coming from an external source. Segregate this access from internal networks until it passes through a secure gateway.
    • Keep guest Wi-Fi separate from the networks used by staff, especially where staff devices are managed under strict organisational policies while guest devices are not. Guest Wi-Fi should be restricted at least as tightly as staff Wi-Fi (for example, no route into internal domains, and no broader set of permitted destinations) to prevent misuse.
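The three steps above can be expressed as policy-as-code so that the zone boundaries, the default-deny gateway policy and the wireless rules can be checked before they are pushed to a firewall. The following Python example is added here and is not part of the ISO text or of any vendor's product; the address plan, zone names and allow list are constructed for illustration. It maps addresses to zones (longest prefix wins, anything unmatched is treated as the internet), evaluates an inter-zone flow against an explicit allow list, and audits the guest Wi-Fi zone against the staff Wi-Fi zone.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed address plan (assumption for this example, not from the control text).
# "finance" is carved out of the server range to show that a more specific
# zone takes precedence over the broader one it sits inside.
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "desktops":   [ipaddress.ip_network("10.10.0.0/16")],
    "servers":    [ipaddress.ip_network("10.20.0.0/16")],
    "finance":    [ipaddress.ip_network("10.20.30.0/24")],
    "dmz":        [ipaddress.ip_network("10.70.0.0/24")],   # secure gateway for wireless/VPN
    "staff_wifi": [ipaddress.ip_network("10.80.0.0/16")],
    "guest_wifi": [ipaddress.ip_network("10.90.0.0/16")],
}
EXTERNAL = "internet"  # any address outside the defined zones


class Rule(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int


# Explicit allow list enforced at the gateway; anything not listed is denied.
# Wireless zones never reach internal zones directly: staff Wi-Fi only reaches
# the DMZ gateway, and guest Wi-Fi only reaches the internet.
ALLOW: List[Rule] = [
    Rule("desktops",   "servers",  "tcp", 443),
    Rule("desktops",   EXTERNAL,   "tcp", 443),
    Rule("desktops",   EXTERNAL,   "tcp", 80),
    Rule("finance",    "servers",  "tcp", 443),
    Rule("servers",    "finance",  "tcp", 5432),
    Rule("staff_wifi", "dmz",      "tcp", 443),
    Rule("staff_wifi", EXTERNAL,   "tcp", 443),
    Rule("staff_wifi", EXTERNAL,   "tcp", 80),
    Rule("dmz",        "servers",  "tcp", 443),
    Rule("guest_wifi", EXTERNAL,   "tcp", 443),
    Rule("guest_wifi", EXTERNAL,   "tcp", 80),
]


def zone_of(ip: str) -> str:
    """Return the zone containing ip; the longest matching prefix wins.
    Addresses outside every defined zone are treated as external."""
    addr = ipaddress.ip_address(ip)
    best, best_len = EXTERNAL, -1
    for name, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def decide(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Gateway decision for one flow: 'allow' or 'deny'.
    Traffic inside a single zone never crosses the gateway, so it is allowed
    here; everything between zones needs an explicit rule (default deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"
    if Rule(src, dst, proto.lower(), port) in ALLOW:
        return "allow"
    return "deny"


def reachable(zone: str) -> Set[Tuple[str, str, int]]:
    """All (destination zone, protocol, port) tuples a zone may initiate."""
    return {(r.dst, r.proto, r.port) for r in ALLOW if r.src == zone}


def guest_internal_reach() -> List[Rule]:
    """Rules that let guest Wi-Fi into any non-external zone (should be empty)."""
    return [r for r in ALLOW if r.src == "guest_wifi" and r.dst != EXTERNAL]


def guest_broader_than_staff() -> List[Tuple[str, str, int]]:
    """Destinations guest Wi-Fi may reach that staff Wi-Fi may not.
    A non-empty result means guest Wi-Fi is less restricted than staff Wi-Fi."""
    return sorted(reachable("guest_wifi") - reachable("staff_wifi"))


if __name__ == "__main__":
    # Constructed sample flows; each line prints the gateway decision.
    for flow in [("10.10.5.5", "10.20.1.1", "tcp", 443),   # desktop -> server
                 ("10.90.1.1", "10.20.1.1", "tcp", 443),   # guest -> server
                 ("10.80.1.1", "10.20.1.1", "tcp", 443),   # staff wifi -> server direct
                 ("10.80.1.1", "10.70.0.5", "tcp", 443),   # staff wifi -> gateway
                 ("10.20.1.1", "10.20.30.7", "tcp", 22)]:  # server -> finance ssh
        print(flow, "->", decide(*flow))
    print("guest reaches internal:", guest_internal_reach())
    print("guest broader than staff:", guest_broader_than_staff())
```

The two audit functions are the point of the exercise: run them in CI against the rule set, and fail the build if either returns anything, so that a later rule change cannot quietly give guest Wi-Fi a path into an internal domain.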

Additional Information

As businesses form partnerships and require the interconnection or sharing of network resources, networks often extend beyond the organisation's boundaries. This extension can increase the risk of unauthorised access to sensitive or critical information systems. Proper network segregation helps protect these systems from unauthorised users.