Implementing ISO 27001 Annex A 8.20 is the process of establishing deep technical controls to secure, manage, and monitor network infrastructure. This requires enforcing strict network segregation (VLANs), “deny-all” firewall policies, and secure device hardening. The primary business benefit is minimising the attack surface and preventing unauthorised lateral movement within the corporate network.
Table of contents
- ISO 27001 Networks Security Implementation Checklist
- 1. Establish Accurate Network Topology Diagrams
- 2. Implement “Deny-All” Firewall Policies
- 3. Enforce Network Segregation (VLANs)
- 4. Harden Network Devices
- 5. Implement 802.1X Network Access Control (NAC)
- 6. Segregate Wireless Networks
- 7. Secure Remote Administrative Access
- 8. Enable and Centralise Network Logging
- 9. Filter Web Traffic and Content
- 10. Conduct Regular Firewall Rule Audits
- ISO 27001 Annex A 8.20 SaaS / GRC Platform Implementation Failure Checklist
ISO 27001 Networks Security Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.20. This control mandates that networks are managed and controlled to protect information in systems and applications, requiring deep technical configuration rather than simple policy statements.
1. Establish Accurate Network Topology Diagrams
Control Requirement: You must possess an up-to-date visual representation of your network architecture to identify risks.
Required Implementation Step: Map your physical and logical network using tools like Nmap or automated topology mappers, ensuring every switch, router, and firewall interface is documented. Verify this diagram manually by tracing cables in the server room and auditing route tables; do not rely on static Visio diagrams created three years ago.
Minimum Requirement: A topology diagram dated within the last 90 days matching the active `arp -a` or route table output.
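The "matching the active `arp -a` output" requirement can be checked rather than eyeballed. The following script is an added example, not part of the original checklist: it parses Linux-style `arp -a` output and reconciles it against the host inventory behind the topology diagram, reporting neighbours that are on the wire but not on the diagram, documented hosts whose live MAC address differs from the recorded one (a swapped or spoofed device), and documented hosts that are no longer seen. The ARP output and the inventory are constructed sample data, and the `{ip: (mac, label)}` inventory layout is an assumed convention.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Linux `arp -a` line format (one neighbour per line), e.g.
#   core-sw01.corp (10.10.0.1) at 00:11:22:33:44:55 [ether] on eth0
#   ? (10.10.0.78) at <incomplete> on eth0
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|<incomplete>)"
    r"(?: \[\w+\])? on (?P<iface>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: Optional[str]  # None for an incomplete (unresolved) neighbour
    iface: str


def parse_arp(text: str):
    """Parse `arp -a` output into ArpEntry objects; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        mac = m.group("mac").lower()
        entries.append(ArpEntry(m.group("ip"), None if mac == "<incomplete>" else mac, m.group("iface")))
    return entries


def reconcile(entries, inventory):
    """Compare live neighbours with the documented inventory {ip: (mac, label)}.

    Returns three sorted lists: IPs seen live but absent from the diagram,
    IPs whose live MAC differs from the documented one, and documented IPs
    not currently seen on the wire.
    """
    live = {e.ip: e for e in entries if e.mac}  # incomplete entries carry no MAC to compare
    undocumented = sorted(ip for ip in live if ip not in inventory)
    mac_mismatch = sorted(
        ip for ip, e in live.items() if ip in inventory and inventory[ip][0].lower() != e.mac
    )
    not_seen = sorted(ip for ip in inventory if ip not in live)
    return undocumented, mac_mismatch, not_seen


# Constructed sample data: `arp -a` captured on a management host, and the
# inventory that the topology diagram was drawn from.
SAMPLE_ARP = """\
core-sw01.corp (10.10.0.1) at 00:11:22:33:44:55 [ether] on eth0
fw01.corp (10.10.0.254) at 00:11:22:33:44:66 [ether] on eth0
? (10.10.0.77) at de:ad:be:ef:00:01 [ether] on eth0
? (10.10.0.78) at <incomplete> on eth0
"""
DOCUMENTED = {
    "10.10.0.1": ("00:11:22:33:44:55", "core switch"),
    "10.10.0.254": ("00:11:22:33:44:99", "perimeter firewall"),  # documented MAC is stale
    "10.10.0.10": ("00:11:22:33:44:77", "management server"),
}

if __name__ == "__main__":
    undocumented, mismatch, missing = reconcile(parse_arp(SAMPLE_ARP), DOCUMENTED)
    print("On the wire but not on the diagram:", undocumented)
    print("Live MAC differs from the diagram:", mismatch)
    print("On the diagram but not seen:", missing)
```

Run it on every segment where you have a foothold (ARP only sees the local broadcast domain), and treat a non-empty "undocumented" list as the trigger to walk the room and trace the cable, which is exactly the rogue-switch scenario the failure table below describes.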
2. Implement “Deny-All” Firewall Policies
Control Requirement: Traffic should be blocked by default and only permitted if specifically authorised.
Required Implementation Step: Configure all perimeter and internal firewalls (including cloud Security Groups) to drop all traffic by default. Explicitly whitelist only the specific ports and protocols required for business logic (e.g., allow TCP 443, deny everything else), documenting the business justification for every open port in the rule comment field.
Minimum Requirement: The default policy on all firewall interfaces is set to DROP/DENY.
3. Enforce Network Segregation (VLANs)
Control Requirement: Different information services, users, and information systems must be segregated on networks.
Required Implementation Step: Configure Virtual LANs (VLANs) or Virtual Private Clouds (VPCs) to isolate critical infrastructure (e.g., Database Subnet) from user traffic (e.g., Wi-Fi Subnet) and public-facing services (DMZ). Implement Access Control Lists (ACLs) that strictly prevent cross-talk between these segments unless routed through a firewall for inspection.
Minimum Requirement: A user on the “Guest Wi-Fi” cannot ping the “Finance Database” server.
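Steps 2 and 3 describe the same mechanism from two angles: a first-match rule base with an implicit deny at the end, and segment ACLs that only let traffic cross through an inspected path. The following is an added example, not configuration from the original checklist: a small evaluator that models such a rule base (every rule carries a mandatory justification) and expresses the "Guest Wi-Fi cannot ping the Finance Database" minimum requirement as a test you can run against the modelled rules. The subnets, change references and host addresses are constructed; real rule bases would be exported from the firewall and fed into the same evaluator.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None = any port (always None for icmp)
    action: str           # "allow" or "deny"
    justification: str    # business justification, mandatory for every rule


# Constructed addressing plan for the example.
GUEST_WIFI = "192.168.100.0/24"
STAFF_WIFI = "192.168.10.0/24"
DMZ_WEB = "10.1.0.0/24"
FINANCE_DB = "10.2.0.0/24"
MGMT = "10.255.0.0/24"
FINANCE_DB_HOST = "10.2.0.5"

# First match wins; anything matching no rule falls through to the default deny.
RULES = [
    Rule(DMZ_WEB, FINANCE_DB, "tcp", 5432, "allow", "CHG-0412 web app reads finance DB"),
    Rule(MGMT, FINANCE_DB, "tcp", 22, "allow", "CHG-0301 DBA admin via jump host"),
    Rule(GUEST_WIFI, "10.0.0.0/8", "any", None, "deny", "guest must never reach internal ranges"),
    Rule(GUEST_WIFI, "192.168.0.0/16", "any", None, "deny", "guest must never reach internal ranges"),
    Rule(GUEST_WIFI, "0.0.0.0/0", "any", None, "allow", "guest internet egress only"),
]


def validate(rules):
    """Reject a rule base in which any rule lacks a justification or has a malformed prefix."""
    for i, r in enumerate(rules):
        if not r.justification.strip():
            raise ValueError(f"rule {i} has no business justification")
        ipaddress.ip_network(r.src)  # raises on typos such as host bits set
        ipaddress.ip_network(r.dst)
    return True


def evaluate(rules, src, dst, proto, dport=None):
    """Return (action, justification) for a flow; default deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.justification
    return "deny", "default policy: no matching rule"


def guest_cannot_ping_finance(rules):
    """The segregation minimum requirement from the checklist, as a runnable check."""
    action, _ = evaluate(rules, "192.168.100.23", FINANCE_DB_HOST, "icmp")
    return action == "deny"


if __name__ == "__main__":
    validate(RULES)
    for flow in [("10.1.0.4", FINANCE_DB_HOST, "tcp", 5432),
                 ("192.168.10.7", FINANCE_DB_HOST, "tcp", 5432),
                 ("192.168.100.23", FINANCE_DB_HOST, "icmp", None),
                 ("192.168.100.23", "198.51.100.10", "tcp", 443)]:
        print(flow, "->", evaluate(RULES, *flow))
    print("Guest cannot ping finance DB:", guest_cannot_ping_finance(RULES))
```

Note that the staff Wi-Fi flow to the database is denied without any explicit rule: that is the deny-all default doing its job, and it is the behaviour you lose the moment an `any/any` allow is appended to the bottom of a real rule base.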
4. Harden Network Devices
Control Requirement: Network equipment must be configured securely to prevent unauthorised management access.
Required Implementation Step: Disable insecure management protocols (Telnet, HTTP) on all switches and routers, replacing them with SSHv2 and HTTPS. Change all default manufacturer passwords and disable discovery protocols (CDP/LLDP) on interfaces connected to untrusted networks.
Minimum Requirement: Telnet is completely disabled on all network infrastructure.
5. Implement 802.1X Network Access Control (NAC)
Control Requirement: Only authenticated and authorised devices should be allowed to connect to the network.
Required Implementation Step: Configure 802.1X port-based authentication on wired switches and wireless access points. Ensure that any device plugging into a wall port is quarantined in a “remediation VLAN” until it presents a valid machine certificate or user credential.
Minimum Requirement: Unknown devices plugging into the office LAN do not receive a routable IP address.
6. Segregate Wireless Networks
Control Requirement: Wireless networks must be treated as untrusted and strictly separated from internal resources.
Required Implementation Step: Configure WPA3-Enterprise encryption for corporate devices, authenticating against a RADIUS server. Create a completely isolated Guest SSID that routes directly to the internet with Client Isolation enabled, preventing peer-to-peer attacks.
Minimum Requirement: Guest Wi-Fi traffic never touches the internal corporate LAN.
7. Secure Remote Administrative Access
Control Requirement: Management of the network infrastructure from remote locations must be secure.
Required Implementation Step: Establish a dedicated Management VLAN or “Jump Box” for network administration. Require a VPN connection with Multi-Factor Authentication (MFA) to access this management plane; never expose switch management interfaces to the public internet.
Minimum Requirement: SSH interfaces for network devices are not reachable from the public internet.
8. Enable and Centralise Network Logging
Control Requirement: Network events must be logged to allow for forensic investigation and monitoring.
Required Implementation Step: Configure all network devices to send syslog and NetFlow/IPFIX data to a centralised SIEM or log server. Set alerts for specific indicators of compromise, such as multiple failed login attempts on a router or traffic on non-standard ports.
Minimum Requirement: Router logs are shipped off-device to a secure, immutable storage location.
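Shipping logs to a SIEM is only half of this step; the other half is the alert on "multiple failed login attempts on a router". The following detection is an added example, not part of the checklist: it parses syslog lines in the Cisco IOS `%SEC_LOGIN` format, keeps a sliding window of failures per (device, source address), raises an alert when the window reaches a threshold, and raises a second, more urgent alert if a login from the same source then succeeds. The log lines are constructed (the device name, the year assumed for the syslog timestamps, and the 203.0.113.0/24 source are sample values).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# IOS-style syslog line as received by a collector (BSD timestamp, hostname, then the message).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): .*?\[Source: (?P<src>[\d.]+)\]"
)


def parse_login_event(line, year=2024):
    """Return (timestamp, host, event, source_ip) or None for lines that are not login events.

    BSD syslog timestamps carry no year, so one is assumed (constructed sample: 2024).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["event"], m["src"]


def detect(lines, threshold=5, window_s=300):
    """Sliding-window brute-force detection per (device, source).

    Returns alerts as (kind, host, source, failures_in_window). A source is flagged
    once per burst; a later LOGIN_SUCCESS from a flagged source is escalated.
    """
    alerts = []
    failures = defaultdict(deque)  # (host, src) -> timestamps of recent failures
    flagged = set()
    for line in lines:
        parsed = parse_login_event(line)
        if parsed is None:
            continue
        ts, host, event, src = parsed
        key = (host, src)
        window = failures[key]
        if event == "LOGIN_FAILED":
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_s:
                window.popleft()  # drop failures older than the window
            if len(window) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", host, src, len(window)))
        elif key in flagged:
            alerts.append(("success-after-bruteforce", host, src, len(window)))
    return alerts


# Constructed sample: six rapid failures from an external address followed by a success,
# plus normal admin activity from the management network and an unrelated config message.
SAMPLE_LOGS = [
    "Jan 12 10:00:30 rtr-edge01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netadmin] [Source: 10.255.0.7] [localport: 22] [Reason: Login Authentication Failed]",
    "Jan 12 10:00:41 rtr-edge01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 10.255.0.7] [localport: 22]",
    "Jan 12 10:01:02 rtr-edge01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]",
    "Jan 12 10:01:09 rtr-edge01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]",
    "Jan 12 10:01:15 rtr-edge01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]",
    "Jan 12 10:01:22 rtr-edge01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]",
    "Jan 12 10:01:30 rtr-edge01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]",
    "Jan 12 10:01:40 rtr-edge01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]",
    "Jan 12 10:01:45 rtr-edge01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.5] [localport: 22]",
    "Jan 12 10:03:00 rtr-edge01 %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.255.0.7)",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The single mistyped password from the management network never reaches the threshold and produces nothing, which is the point of keying the window on the source address rather than on the device alone. If the minimum requirement (logs shipped off-device to immutable storage) is not met, note that this detection has nothing to run on once an intruder clears the local buffer.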
9. Filter Web Traffic and Content
Control Requirement: Access to malicious external sites must be restricted.
Required Implementation Step: Deploy a DNS filter or web proxy to block access to known command-and-control (C2) domains, malware distribution sites, and phishing URLs. Ensure this filtering applies to roaming laptops via an endpoint agent, not just devices behind the office firewall.
Minimum Requirement: Attempts to resolve known malware domains are blocked at the DNS level.
10. Conduct Regular Firewall Rule Audits
Control Requirement: Firewall rules must remain relevant and necessary over time.
Required Implementation Step: Schedule a quarterly technical review of the firewall rule base. Remove “temporary” allow rules that were created for testing, prune unused object groups, and tighten “Any/Any” rules that were left wide open.
Minimum Requirement: No firewall rule exists without a documented business owner and justification.
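A quarterly review goes faster, and misses less, when the rule base is first run through a script that flags the exact classes of rule this step names: non-DROP default policies (step 2), `any/any` allows, rules with no justification or owner, and "temporary" test rules. The following is an added example, not a tool from the checklist: it audits an `iptables-save` style export, using a constructed sample rule base. It assumes the convention that each allow rule's `--comment` carries a change reference and an `owner:` tag; the finding names are mine.

```python
import re
import shlex

# Words in a rule comment that mark it as a temporary/testing rule (assumed convention).
TEMP_RE = re.compile(r"\b(temp|temporary|tmp|test)\b", re.IGNORECASE)


def parse_rule(line):
    """Break an `-A CHAIN ...` line into chain, target, comment and its match restrictions."""
    toks = shlex.split(line)  # handles the quoted --comment value
    rule = {"chain": None, "target": None, "comment": None, "restrictions": []}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif t == "-m":          # match-module loader, not a restriction by itself
            i += 2
        elif t == "--comment":
            rule["comment"] = toks[i + 1]
            i += 2
        elif t.startswith("-"):  # -s, -d, -p, -i, --dport, --ctstate ... all narrow the rule
            rule["restrictions"].append(t)
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                i += 2           # option takes a value
            else:
                i += 1
        else:
            i += 1
    return rule


def audit(text):
    """Return (line_number, finding, detail) tuples for an iptables-save export."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(":"):                        # chain declaration: ":NAME POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            if policy not in ("DROP", "-"):             # "-" = user-defined chain, has no policy
                findings.append((lineno, "default-policy-not-drop", f"{chain} {policy}"))
        elif line.startswith("-A"):
            r = parse_rule(line)
            if r["target"] != "ACCEPT":
                continue                                # only allow rules need justification
            if not r["restrictions"]:
                findings.append((lineno, "any-any-accept", line))
            if r["comment"] is None:
                findings.append((lineno, "missing-justification", line))
            else:
                if "owner:" not in r["comment"].lower():
                    findings.append((lineno, "missing-owner", line))
                if TEMP_RE.search(r["comment"]):
                    findings.append((lineno, "temporary-rule", line))
    return findings


# Constructed sample export, showing each class of problem the review should catch.
SAMPLE_EXPORT = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -m comment --comment "CHG-1201 public HTTPS, owner: web-team" -j ACCEPT
-A INPUT -s 10.255.0.0/24 -p tcp --dport 22 -m comment --comment "CHG-0301 SSH from mgmt, owner: netops" -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -d 10.0.0.0/8 -j DROP
-A FORWARD -p tcp --dport 8080 -m comment --comment "temp test for vendor demo" -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for lineno, finding, detail in audit(SAMPLE_EXPORT):
        print(f"line {lineno}: {finding}: {detail}")
```

The loopback and conntrack rules are flagged for a missing justification on purpose: they are legitimate, but the minimum requirement is that every rule has a documented owner, and exempting "obvious" rules in the script is how the next `allow ip any any` slips past the review.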
ISO 27001 Annex A 8.20 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Network Diagrams | SaaS tool asks “Do you have a diagram?” (Yes/No). | You upload a diagram from 2019. Meanwhile, a rogue switch under a desk has bridged your secure VLAN to the Guest Wi-Fi. |
| Segregation | SaaS tool checks if a “Network Policy” document exists. | The policy says “We segregate,” but the Engineering and HR subnets are fully routed with no ACLs, allowing devs to read payroll files. |
| Firewall Config | SaaS tool looks for an invoice for a firewall. | The firewall is plugged in, but the rule base ends with `allow ip any any`, effectively turning it into a compliant paperweight. |
| Remote Access | SaaS tool asks “Is VPN used?”. | Users connect via VPN, but the RDP port is also open to the internet “for emergencies,” and brute-force attacks are hammering it. |
| Device Hardening | SaaS tool assumes cloud provider defaults are secure. | The core switch still has the default `cisco/cisco` credentials because nobody physically consoled in to change them. |
| Wireless Security | SaaS tool checks for a “Wi-Fi Policy”. | The “Staff” Wi-Fi password is written on a whiteboard in the reception area, visible to every delivery driver. |
| Logging | SaaS tool verifies you purchased Splunk. | Splunk is running, but the firewalls aren’t actually configured to send logs to it, so you are blind to network attacks. |