How to Implement ISO 27001:2022 Annex A 8.20

If you have ever stared at a network diagram and wondered how on earth you are going to get it past an auditor, you are not alone. Network security is often seen as the beast of information security: complex, technical, and constantly changing. But the 2022 revision of ISO 27001 has streamlined things. Annex A 8.20 (Networks security) replaces control 13.1.1 (Network controls) from the 2013 version and brings a sharper focus to protecting the information that flows through your cables and Wi-Fi signals.

So, how do you actually implement this without pulling your hair out? Let’s break it down into a practical, conversational guide that combines the best industry advice to get you audit-ready.

What is Annex A 8.20 Really Asking For?

At its core, this control asks you to do one thing: secure, manage, and control your networks to protect the information within them. It sounds simple, but as Hightable.io notes, it serves two critical functions: ISO/IEC 27002:2022 tags it as both a preventive control (stopping bad actors from getting in) and a detective control (spotting them if they do sneak past). Think of it as both the castle wall and the guards patrolling the perimeter.

You need to prove that you have a handle on everything connecting your systems, whether that’s a physical office LAN, a cloud environment, or the virtual networks tying your remote workers together.

The Four Pillars of Implementation

To keep this manageable, it helps to categorize your efforts. You can essentially break your implementation down into four main pillars: documentation, roles, technical controls, and monitoring.

1. Documentation and “Hygiene”

This is where most organizations trip up. You might have the most secure firewall in the world, but if you cannot show an auditor a current diagram of where it sits, you are going to struggle.

You need to maintain up-to-date network diagrams. These shouldn’t just be scribbles on a whiteboard; they need to be formal documents that show the flow of data. Hightable.io suggests applying “document hygiene” here, which means version control and classification. For example, a map of your public guest Wi-Fi might be classified as ‘Public’, but the diagram showing your server architecture should definitely be ‘Confidential’.

Your documentation should explicitly cover:

  • Network boundaries: Where does your network end and the public internet begin?
  • Data flows: Which segments carry sensitive customer data?
  • Configuration files: Are you keeping versioned backups of how your routers, switches and firewalls are set up, so you can show what changed and when?

2. Roles and Responsibilities

You should not have the same person designing the network, implementing the changes, and auditing the security. That is a conflict of interest waiting to happen. You need to establish clear segregation of duties.

As part of your implementation, define who is allowed to do what. Who is the “Network Security Manager”? Who has admin rights to the firewalls? A great rule of thumb is that the person requesting a firewall change shouldn’t be the one pushing the button to enable it. This separation ensures checks and balances are in place.

3. Technical Controls and Architecture

This is the “meat” of the control where your IT team will likely spend the most time. You need to implement layered defenses. Relying on a single perimeter firewall isn’t enough anymore.

Consider these technical elements:

  • Segregation: Divide your network into segments based on risk. Your HR database shouldn’t sit on the same network segment as your smart lightbulbs or guest Wi-Fi.
  • Encryption: Ensure data is encrypted in transit. If you are sending data across public networks (like the internet), use strong, current protocols (TLS 1.2 or later, or an IPsec or similar VPN tunnel) rather than legacy ones.
  • Hardening: Don’t just plug devices in and hope for the best. Change default passwords, disable unused ports, and turn off vulnerable protocols.
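The hardening bullet is easy to state and hard to evidence. The script below is an added example, not code from the original article or from High Table's toolkit: it audits a constructed, IOS-style switch configuration for the kinds of weak settings the bullet names (a reversible enable password, a default SNMP community, cleartext HTTP management, Telnet on the VTY lines with no login, and an unused port left up) and shows the corrected configuration alongside it. The configuration text, the rule set and the finding identifiers are all assumptions made for this illustration; real devices and other vendors will need their own rules.

```python
import re

# Constructed sample of a "before" switch running-config (hypothetical, IOS-style syntax).
WEAK_CONFIG = """\
hostname core-sw1
!
enable password cisco
snmp-server community public RO
ip http server
!
line vty 0 4
 transport input telnet ssh
 no login
!
interface GigabitEthernet1/0/24
 description unused
 no shutdown
"""

# The same device after hardening (also constructed): hashed enable secret, SNMPv3 only,
# HTTPS-only management, SSH-only VTY access with local login, unused port shut down.
HARDENED_CONFIG = """\
hostname core-sw1
!
enable secret 9 $9$examplehash
no ip http server
ip http secure-server
snmp-server group ops v3 priv
!
line vty 0 4
 transport input ssh
 login local
!
interface GigabitEthernet1/0/24
 description unused
 shutdown
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_sections(config):
    """Group an IOS-style config into (header, [indented child lines]) pairs."""
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))
    return sections


def audit_config(config):
    """Return a list of (finding_id, offending_line) tuples; an empty list means clean."""
    findings = []
    for header, children in parse_sections(config):
        # 'enable password' stores the secret reversibly; 'enable secret' hashes it.
        if header.startswith("enable password"):
            findings.append(("enable-password", header))
        # Default SNMP community strings are effectively a default password.
        m = re.match(r"snmp-server community (\S+)", header)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("default-snmp-community", header))
        # Cleartext HTTP management exposes credentials on the wire.
        if header == "ip http server":
            findings.append(("http-management", header))
        # VTY lines: Telnet is a vulnerable protocol; 'no login' means no authentication.
        if header.startswith("line vty"):
            for child in children:
                if child.startswith("transport input") and "telnet" in child.split():
                    findings.append(("telnet-enabled", f"{header}: {child}"))
                if child == "no login":
                    findings.append(("vty-no-login", f"{header}: {child}"))
        # Ports documented as unused should be administratively down.
        if header.startswith("interface"):
            desc = next((c for c in children if c.startswith("description")), "")
            if "unused" in desc.lower() and "shutdown" not in children:
                findings.append(("unused-port-enabled", header))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for finding_id, line in audit_config(cfg):
            print(f"  {finding_id}: {line}")
```

Running the checker over exported configurations on a schedule, and keeping the output with the configuration backups, gives you the kind of dated, repeatable evidence of hardening that the auditor will ask for.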

A specific note on virtual networks: if you are using cloud infrastructure or heavy virtualization, these count too. As Hightable.io points out, ISO/IEC 27002:2022 refers to a specific technical specification, ISO/IEC TS 23167, for guidance on virtual networks if you want to dive deep into best practices there.

4. Logging and Monitoring

Building the wall isn’t enough; you have to watch it. You need to log activity on your network boundaries to detect unauthorized access. This doesn’t mean you need to read every single log line, but you do need automated tools that alert you when something looks wrong, such as a massive data transfer at 3 AM or repeated failed login attempts from one source. Decide in advance what counts as "wrong" (the threshold, the time window, what business hours are) so the alert is repeatable and the auditor can see the rule, not just the outcome.
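To make the two alert conditions above concrete, here is an added example that is not part of the original article: a small detector run over constructed boundary-device log lines. It raises one alert when a single source accumulates five authentication failures within a sixty-second sliding window, and another when an outbound flow exceeds 500 MB outside business hours. The log format (ISO 8601 UTC timestamp, host, event name, key=value fields), the thresholds and the sample addresses are all assumptions made for this illustration; map them onto your own firewall or VPN logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample boundary log (hypothetical format): one brute-force burst from
# 203.0.113.9 at ~03:12, a 734 MB outbound flow at 03:14, and the same volume at 10:05.
SAMPLE_LOG = """\
2024-03-02T03:11:58Z fw1 auth-fail src=203.0.113.9 user=admin
2024-03-02T03:12:07Z fw1 auth-fail src=203.0.113.9 user=admin
2024-03-02T03:12:09Z fw1 auth-fail src=203.0.113.9 user=root
2024-03-02T03:12:12Z fw1 auth-fail src=198.51.100.23 user=jsmith
2024-03-02T03:12:15Z fw1 auth-fail src=203.0.113.9 user=admin
2024-03-02T03:12:20Z fw1 auth-fail src=203.0.113.9 user=admin
2024-03-02T03:14:41Z fw1 flow src=10.20.0.15 dst=198.51.100.77 bytes_out=734003200
2024-03-02T03:20:02Z fw1 flow src=10.20.0.31 dst=192.0.2.10 bytes_out=2048
2024-03-02T10:05:00Z fw1 flow src=10.20.0.15 dst=198.51.100.77 bytes_out=734003200
2024-03-02T10:06:30Z fw1 auth-fail src=203.0.113.9 user=admin
2024-03-02T10:06:35Z fw1 auth-fail src=198.51.100.23 user=jsmith
"""

# Detection parameters (assumed values; tune them to your own baseline).
FAILED_LOGIN_THRESHOLD = 5      # failures from one source ...
FAILED_LOGIN_WINDOW_S = 60      # ... within this many seconds
LARGE_TRANSFER_BYTES = 500_000_000
OFF_HOURS_START, OFF_HOURS_END = 22, 6   # 22:00 to 06:00 UTC counts as off-hours


def is_off_hours(hour):
    """True for hours in the overnight window [OFF_HOURS_START, 24) or [0, OFF_HOURS_END)."""
    return hour >= OFF_HOURS_START or hour < OFF_HOURS_END


def parse_line(line):
    """Split a log line into (timestamp, host, event, {field: value})."""
    ts_str, host, event, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    kv = dict(f.split("=", 1) for f in fields)
    return ts, host, event, kv


def detect(log_text):
    """Return alerts as (alert_type, source, measure, timestamp) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)   # per-source timestamps of recent failures
    alerted_sources = set()         # alert once per source, not on every further failure
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _host, event, kv = parse_line(line)
        if event == "auth-fail":
            src = kv["src"]
            window = failures[src]
            window.append(ts)
            # Drop failures that have fallen out of the sliding window.
            while (ts - window[0]).total_seconds() > FAILED_LOGIN_WINDOW_S:
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD and src not in alerted_sources:
                alerted_sources.add(src)
                alerts.append(("repeated-auth-failure", src, len(window), ts.isoformat()))
        elif event == "flow":
            size = int(kv.get("bytes_out", 0))
            if size >= LARGE_TRANSFER_BYTES and is_off_hours(ts.hour):
                alerts.append(("off-hours-large-transfer", kv["src"], size, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note what the sample deliberately does not alert on: two failures from 198.51.100.23 stay below the threshold, a sixth failure from 203.0.113.9 hours later starts a fresh window rather than re-firing, and the identical 734 MB transfer at 10:05 is inside business hours. Whether that daytime transfer should also be flagged is a decision for your risk assessment, and writing the rule down is what lets you defend it.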


What Will an Auditor Look For?

When the audit day comes, the auditor is going to look for evidence. They don’t just want to hear that you are secure; they want proof. Common evidence requests include:

  • Network Diagrams: Are they dated? Do they match reality?
  • Change Logs: If you opened a port last week, is there a ticket authorizing it?
  • Access Lists: Can you show a list of who has administrative access to your routers and why?
  • Audit Reports: Have you run internal scans or penetration tests to verify your controls are working?

Making It Stick

Implementing Annex A 8.20 isn’t a one-time project. Networks are living things—devices are added, employees leave, and new software is installed. Make reviewing your network security part of your regular management rhythm. If you treat your network diagrams as living documents and keep your segregation of duties sharp, you won’t just pass the audit; you will actually be more secure.


About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director