How to Implement ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.21, Security of Network Services, governs how network services are managed so that the integrity and confidentiality of data crossing managed infrastructure are preserved. This control mandates establishing rigorous service level agreements (SLAs), enforcing strong encryption for data in transit, and monitoring network traffic to prevent unauthorized access and protect business continuity.

ISO 27001 Annex A Security of Network Services Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.21 by establishing rigorous technical agreements and monitoring mechanisms for all internal and external network provisions. Compliance requires verifying that network service providers (ISPs, Cloud, MSPs) deliver specific security features like encryption and DDoS protection, rather than accepting generic “uptime” guarantees.

1. Define Security Requirements in Service Agreements

Control Requirement: Security mechanisms, service levels, and management requirements of all network services must be identified and included in network services agreements.
Required Implementation Step: Audit your current ISP and WAN contracts. Negotiate specific security schedules that mandate DDoS mitigation thresholds (e.g., “Mitigation triggers at 1Gbps attack volume”) and guaranteed response times for security incidents, not just connectivity outages.
Minimum Requirement: Signed contracts explicitly listing security responsibilities (e.g., who patches the edge router?).

2. Enforce Strong Encryption for Transit Data

Control Requirement: Mechanisms must be in place to protect data traversing public or untrusted networks.
Required Implementation Step: Configure your VPN concentrators and web servers to reject obsolete cipher suites. Specifically, disable TLS 1.0/1.1 and SSL 3.0 on your load balancers. Enforce TLS 1.3 for all web-facing services and use IPsec with AES-256 for site-to-site tunnels.
Minimum Requirement: A “Grade A” rating on SSLLabs or similar verification for all external endpoints.

3. Implement 802.1x Network Access Control (NAC)

Control Requirement: Access to network services must be authenticated.
Required Implementation Step: Deploy a RADIUS server (e.g., Microsoft NPS or FreeRADIUS) and configure your switches and wireless access points to enforce 802.1x authentication. Ensure that no device can obtain an IP address or talk to the network simply by plugging into a wall socket without a valid machine certificate.
Minimum Requirement: Physical ports in reception or meeting rooms immediately reject unauthenticated devices.

4. Segregate Network Service Functions

Control Requirement: Different network services should be separated to prevent cascading failures or breaches.
Required Implementation Step: Configure VLANs (Virtual Local Area Networks) and VRFs (Virtual Routing and Forwarding) to isolate Voice (VoIP), Storage (iSCSI), and User Data traffic. Ensure that a DDoS attack on the public website IP range cannot flood the internal management network bandwidth.
Minimum Requirement: VoIP phones and Surveillance Cameras must reside on isolated, non-routable VLANs.

5. Configure Secure DNS Services

Control Requirement: Network naming services must be secure and resilient.
Required Implementation Step: Configure your internal DNS servers to use DNSSEC validation to prevent cache poisoning attacks. On endpoints, enforce the use of secure, filtered DNS resolvers (like Quad9 or Cisco Umbrella) via DHCP options to block resolution of known command-and-control domains.
Minimum Requirement: Prevention of users resolving known malicious domains at the network layer.

6. Mandate NTP Stratum Synchronisation

Control Requirement: Accurate time is essential for correlating network security events.
Required Implementation Step: Configure your core switch or firewall as the internal Stratum 1 NTP source, syncing from at least three distinct external geographic sources (e.g., `time.google.com`, `pool.ntp.org`). Force all internal servers and appliances to sync only from this internal source to ensure log timestamps align perfectly during forensics.
Minimum Requirement: All network device logs match to the millisecond to allow for incident reconstruction.

7. Establish Perimeter Intrusion Prevention (IPS)

Control Requirement: The network service must inspect traffic for malicious content.
Required Implementation Step: Enable the IPS (Intrusion Prevention System) module on your perimeter firewalls. Configure it to “Drop” mode for critical severity signatures (e.g., Exploit Kits, SQL Injection patterns) rather than just “Alert”. Regular tuning is required to minimise false positives.
Minimum Requirement: Automated blocking of known exploit traffic at the network edge.

8. Monitor Network Traffic Metadata (NetFlow/IPFIX)

Control Requirement: Network usage must be monitored to detect anomalies.
Required Implementation Step: Enable NetFlow or IPFIX export on all core routing equipment. Send these flows to a collector (e.g., ELK Stack, PRTG, or Darktrace). Set alerts for “Top Talkers” and unusual protocol usage (e.g., a printer sending 5GB of data to an external IP on port 443).
Minimum Requirement: Ability to identify exactly which internal IP consumed bandwidth at any specific past time.
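The "Top Talkers" and printer-exfiltration alerts described in this step, as an added example that is not part of the original checklist: it reads a constructed IPFIX-style CSV export, sums outbound bytes per internal host and external peer, ranks top talkers, and flags any pair that exceeds a role-based limit. The internal ranges, the printer VLAN (10.30.5.0/24) and both byte thresholds are assumptions; a real collector would feed it live records.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed IPFIX-style flow export (CSV) using documentation-range addresses;
# the 10.30.5.7 rows mirror the "printer sends 5 GB to an external IP on 443" case.
SAMPLE_FLOWS = """\
src_ip,dst_ip,dst_port,bytes
10.20.1.10,10.20.1.5,445,120000
10.20.1.10,203.0.113.25,443,650000
10.30.5.7,198.51.100.9,443,5368709120
10.20.1.11,10.20.1.5,445,80000
10.20.1.12,203.0.113.40,443,410000
10.30.5.7,10.20.1.5,631,2000
"""
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRINTER_NET = ipaddress.ip_network("10.30.5.0/24")  # hypothetical printer VLAN from the asset inventory
PRINTER_EGRESS_LIMIT = 50 * 1024 ** 2  # assumed: 50 MiB to one external peer is abnormal for a printer
GENERAL_EGRESS_LIMIT = 2 * 1024 ** 3   # assumed: 2 GiB per external peer for ordinary hosts

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def egress_by_pair(csv_text):
    """Sum bytes per (internal source, external destination, port); internal-only flows are ignored."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_internal(row["src_ip"]) and not is_internal(row["dst_ip"]):
            totals[(row["src_ip"], row["dst_ip"], int(row["dst_port"]))] += int(row["bytes"])
    return dict(totals)

def top_talkers(totals, n=3):
    """Internal hosts ranked by total bytes sent outside the organisation (the 'Top Talkers' view)."""
    per_host = defaultdict(int)
    for (src, _dst, _port), nbytes in totals.items():
        per_host[src] += nbytes
    return sorted(per_host.items(), key=lambda kv: kv[1], reverse=True)[:n]

def flag_anomalies(totals):
    """Return (src, dst, port, bytes, role) for pairs that exceed the limit for the host's role."""
    findings = []
    for (src, dst, port), nbytes in totals.items():
        is_printer = ipaddress.ip_address(src) in PRINTER_NET
        if nbytes > (PRINTER_EGRESS_LIMIT if is_printer else GENERAL_EGRESS_LIMIT):
            findings.append((src, dst, port, nbytes, "printer-VLAN host" if is_printer else "host"))
    return findings
```

Running `flag_anomalies(egress_by_pair(SAMPLE_FLOWS))` on the sample raises exactly one finding, the printer at 10.30.5.7 pushing 5 GiB to 198.51.100.9:443, while the workstations' modest HTTPS traffic stays below the general limit.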

9. Secure Remote Management Channels

Control Requirement: Management of network equipment must be performed securely.
Required Implementation Step: Disable Telnet and HTTP on all routers and switches. Enable SSHv2 and HTTPS only. Create a standard Access Control List (ACL) applied to the “VTY” lines that restricts management connections solely to the IP addresses of the IT Admin subnet or Jump Box.
Minimum Requirement: Management interfaces are invisible to standard users and the public internet.
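One way to evidence this step for an auditor, as an added example that is not part of the original checklist: a small Python audit run over saved running-configs that reports any device still accepting Telnet or plaintext HTTP, not pinned to SSH version 2, or lacking a VTY access-class bound to a defined ACL. The two Cisco IOS-style config fragments, the switch and the admin subnet 10.10.50.0/24 are constructed for the example.

```python
import re

# Constructed Cisco IOS-style config fragments for a hypothetical switch; WEAK_CONFIG is the "before" state.
WEAK_CONFIG = """\
ip http server
line vty 0 4
 transport input telnet ssh
"""
# HARDENED_CONFIG applies the step above: SSHv2 and HTTPS only, VTY limited to the admin subnet (assumed).
HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip ssh version 2
ip access-list standard MGMT-ONLY
 permit 10.10.50.0 0.0.0.255
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
"""

def vty_block(lines):
    """Sub-commands under 'line vty' sections (indented lines until the next top-level command)."""
    block, in_vty = [], False
    for ln in lines:
        in_vty = ln.startswith("line vty") or (in_vty and ln.startswith(" "))
        if in_vty and ln.startswith(" "):
            block.append(ln.strip())
    return block

def audit_management_plane(config_text):
    """Return findings against the checklist item; an empty list means the device passes."""
    lines = [ln.rstrip() for ln in config_text.splitlines()]
    findings = []
    if "ip http server" in lines:
        findings.append("plaintext HTTP management enabled (expected 'no ip http server')")
    if "ip http secure-server" not in lines:
        findings.append("HTTPS management not enabled")
    if "ip ssh version 2" not in lines:
        findings.append("SSH not pinned to version 2")
    acls = {m.group(1) for m in map(re.compile(r"ip access-list standard (\S+)").match, lines) if m}
    vty = vty_block(lines)
    transports = [ln.split()[2:] for ln in vty if ln.startswith("transport input")]
    if not transports or any(t != ["ssh"] for t in transports):
        findings.append("VTY transport must be 'ssh' only (Telnet or unrestricted transport present)")
    access = [ln.split()[1] for ln in vty if ln.startswith("access-class")]
    if not access:
        findings.append("no access-class on VTY lines: management reachable from any source address")
    elif access[0] not in acls:
        findings.append(f"access-class {access[0]} refers to an ACL that is not defined")
    return findings
```

`audit_management_plane(WEAK_CONFIG)` returns five findings and `audit_management_plane(HARDENED_CONFIG)` returns none, which is the pass/fail record you keep per device.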

10. Verify Third-Party MPLS/SD-WAN Security

Control Requirement: Managed network services must maintain the organisation’s security posture.
Required Implementation Step: Request the “SOC 2 Type II” or ISO 27001 certificate from your WAN provider. Specifically, verify that their routing equipment (CPE) located in your server room is physically tamper-sealed and that they have a process for immediate patching of vulnerabilities in their router firmware.
Minimum Requirement: Evidence that the provider manages the physical and logical security of the equipment they install on your site.

ISO 27001 Annex A 8.21 SaaS / GRC Platform Implementation Failure Checklist

Comparison of SaaS Compliance Claims vs. Real-World Network Service Security

| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| SLA Management | GRC tool asks: “Do you have an internet contract?” (Yes/No). | Fails if the contract guarantees 99.9% uptime but has zero clauses regarding data interception or DDoS mitigation. |
| Encryption | SaaS platform checks if “HTTPS” is used on the website. | Fails if the backend site-to-site VPN is using a cracked pre-shared key (PSK) or DES encryption. |
| Network Authentication | Tool assumes a password on Wi-Fi is sufficient. | Fails if an attacker can unplug a printer and plug in a laptop to gain full network access. Only 802.1x NAC stops this. |
| Traffic Monitoring | Tool checks for “Firewall Logs” existence. | Fails if nobody looks at them. Real compliance means analysing NetFlow data to spot data exfiltration in progress. |
| DNS Security | Not checked by standard questionnaires. | Fails if malware bypasses the firewall by tunnelling data over DNS queries. Secure DNS resolvers are mandatory. |
| Remote Management | Tool asks “Is remote access secure?” | Fails if your core switch management interface is exposed to the Guest Wi-Fi VLAN with default credentials. |
| Provider Security | Upload a PDF of the ISP invoice. | Fails if the ISP’s router in your rack hasn’t been patched since 2019 and is a pivot point for attackers. |

About the author

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
