
How to Implement ISO 27001 Annex A 8.20 Networks Security

In this ultimate how-to-implement guide to ISO 27001 Annex A 8.20 Networks Security, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Implementing ISO 27001 Annex A 8.20 is the process of establishing deep technical controls to secure, manage, and monitor network infrastructure. This requires enforcing strict network segregation (VLANs), “deny-all” firewall policies, and secure device hardening. The primary business benefit is minimising the attack surface and preventing unauthorised lateral movement within the corporate network.

ISO 27001 Networks Security Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.20. This control mandates that networks are managed and controlled to protect information in systems and applications, requiring deep technical configuration rather than simple policy statements.

1. Establish Accurate Network Topology Diagrams

Control Requirement: You must possess an up-to-date visual representation of your network architecture to identify risks.

Required Implementation Step: Map your physical and logical network using tools like Nmap or automated topology mappers, ensuring every switch, router, and firewall interface is documented. Verify this diagram manually by tracing cables in the server room and auditing route tables; do not rely on static Visio diagrams created three years ago.

Minimum Requirement: A topology diagram dated within the last 90 days matching the active `arp -a` or route table output.

2. Implement “Deny-All” Firewall Policies

Control Requirement: Traffic should be blocked by default and only permitted if specifically authorised.

Required Implementation Step: Configure all perimeter and internal firewalls (including cloud Security Groups) to drop all traffic by default. Explicitly whitelist only the specific ports and protocols required for business logic (e.g., allow TCP 443, deny everything else), documenting the business justification for every open port in the rule comment field.

Minimum Requirement: The default policy on all firewall interfaces is set to DROP/DENY.

3. Enforce Network Segregation (VLANs)

Control Requirement: Different information services, users, and information systems must be segregated on networks.

Required Implementation Step: Configure Virtual LANs (VLANs) or Virtual Private Clouds (VPCs) to isolate critical infrastructure (e.g., Database Subnet) from user traffic (e.g., Wi-Fi Subnet) and public-facing services (DMZ). Implement Access Control Lists (ACLs) that strictly prevent cross-talk between these segments unless routed through a firewall for inspection.

Minimum Requirement: A user on the “Guest Wi-Fi” cannot ping the “Finance Database” server.
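The checks in items 2 and 3 can be automated against an exported ruleset. The following is an added example, not part of this guide or any vendor tool: it evaluates a small, constructed first-match ruleset (assumed subnets for Guest Wi-Fi, Finance Database and DMZ) and reports findings for a missing DENY default, allow rules without a business justification, and any path from the guest segment to the finance database.

```python
"""Audit a firewall/ACL ruleset against Annex A 8.20 items 2 and 3.
Rule format, subnets and sample rules below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    port: Optional[int]       # None means any TCP/UDP port
    justification: str = ""   # the rule comment field from item 2

# Constructed sample segments (assumed addressing, not from the guide).
GUEST_WIFI = "10.20.0.0/16"
FINANCE_DB = "10.50.1.0/24"
RULES = [
    Rule("allow", "10.10.0.0/16", FINANCE_DB, 5432, "Finance app tier to Postgres, change CHG-0042"),
    Rule("allow", "0.0.0.0/0", "10.30.0.0/24", 443, "Public HTTPS to DMZ web tier"),
    Rule("allow", GUEST_WIFI, "0.0.0.0/0", 443, ""),   # allow rule with no justification
]
DEFAULT_POLICY = "deny"

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int,
             default: str = DEFAULT_POLICY) -> str:
    """First matching rule wins; otherwise the interface default policy applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return default

def audit(rules: List[Rule], default: str = DEFAULT_POLICY) -> List[str]:
    """Return audit findings; an empty list means items 2 and 3 pass."""
    findings = []
    if default != "deny":
        findings.append("default policy is not DENY")
    for i, r in enumerate(rules):
        if r.action == "allow" and not r.justification.strip():
            findings.append(f"rule {i}: allow rule has no business justification")
        if r.action == "allow" and r.port is None and r.dst == "0.0.0.0/0":
            findings.append(f"rule {i}: allows any port to any destination")
    # Segregation check: a guest client must not reach the finance DB on common service ports.
    for port in (22, 445, 1433, 3306, 5432):
        if evaluate(rules, "10.20.5.7", "10.50.1.10", port, default) == "allow":
            findings.append(f"guest Wi-Fi can reach finance DB on port {port}")
    return findings
```

Run `audit(RULES)` on the sample: the only finding is the unjustified guest rule, and switching the default to "allow" immediately surfaces the segregation failure.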
