How to Implement ISO 27001:2022 Annex A 8.21: Security of Network Services

Most businesses today run on a complex web of connections. You have your office internet (ISP), your cloud providers (AWS/Azure), your VPNs for remote workers, and perhaps even third-party managed firewalls. If any of these “pipes” are compromised or fail, your business stops.

ISO 27001:2022 Annex A 8.21, “Security of network services,” is the control designed to manage this risk. Unlike Annex A 8.20, which looks at the security of the network infrastructure itself (the routers and switches), control 8.21 looks at the services provided over those networks.

The objective is to ensure that the security mechanisms, service levels, and management requirements of these services are identified, implemented, and monitored. Whether you manage these services in-house or outsource them to a big telecom provider, you need to be in the driver’s seat.

Step-by-Step Implementation Guide

Implementing this control is about moving from “hoping the internet works” to “managing the service.” Here is a practical approach to getting it right.

1. Create a Network Services Inventory

You cannot secure what you don’t know you have. The first step is to list every network service your organization relies on. This isn’t just your broadband connection; it includes:

  • Internet Service Providers (ISPs).
  • Cloud connectivity (e.g., AWS Direct Connect or Azure ExpressRoute).
  • VoIP or SIP trunking services for phones.
  • VPNs and remote access gateways.
  • Managed security services (e.g., outsourced firewall management).

According to the experts at Hightable.io, you should map each of these services to a business owner. Who is responsible for the relationship with the ISP? Who calls support if the VPN goes down? If you can’t name the owner, you have a gap.

2. Define Your Security Requirements

Once you have your list, you need to define what “secure” means for each service. You shouldn’t just accept whatever the vendor offers by default. You need to identify specific security features such as:

  • Encryption: Is the connection encrypted in transit? (e.g., using TLS or IPsec).
  • Authentication: How do users or systems verify their identity before using the service?
  • Access Control: Can you restrict access to specific IP addresses or locations?

3. Establish Service Level Agreements (SLAs)

This is the core of Annex A 8.21. For every external network service, you should have a contract or Service Level Agreement (SLA) that defines the expected performance and security.

Don’t just look at “uptime” (availability). Your SLAs should ideally cover security metrics too. For example, how quickly will the provider notify you of a security breach? How often do they patch their infrastructure? If you are managing the service in-house, you still need an “internal SLA” or operational agreement so the business knows what to expect from the IT team.

4. Monitor and Review the Services

A contract in a drawer is useless. You need to actively monitor that the service provider is delivering on their promises. This involves:

  • Technical Monitoring: Using tools to track uptime, latency, and packet loss.
  • Security Monitoring: Reviewing logs for suspicious activity or unauthorized access attempts.
  • Regular Reviews: Meeting with critical providers (perhaps quarterly or annually) to review their performance against the SLA and discuss any security incidents.

Hightable.io suggests that you should specifically look for evidence that the provider is maintaining their own security standards—such as asking for their ISO 27001 certificate or a SOC 2 report.
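Steps 1 to 4 together describe an inventory, a set of security requirements per service, an SLA, and an evidence of review. The script below is an added example (not from the article, and not a Hightable.io tool) that encodes those four steps as automated gap checks over a constructed network services inventory. The record schema, the accepted encryption list (TLS and IPsec, as named in step 2), the 365-day review interval and the sample services are all assumptions chosen for illustration; the point is that the audit checklist can be run as code against the inventory rather than kept in a drawer.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy parameters (not from the article): what "secure" means for each service.
APPROVED_ENCRYPTION = {"TLS", "IPsec"}   # encryption in transit accepted by the policy
REVIEW_INTERVAL_DAYS = 365               # providers are reviewed at least annually


@dataclass
class NetworkService:
    """One entry in the network services inventory (hypothetical schema)."""
    name: str
    provider: str
    business_owner: Optional[str]            # who owns the relationship / calls support
    encryption: Optional[str]                # e.g. "TLS", "IPsec", "none", or None if unknown
    authentication: Optional[str]            # how users or systems prove identity
    access_restriction: bool                 # can access be limited to IPs / locations?
    sla_signed: bool                         # signed SLA or internal operational agreement
    sla_breach_notification_hours: Optional[int]
    sla_patch_cadence_days: Optional[int]
    monitored: bool                          # uptime/latency tracking and log review in place
    last_review: Optional[date]              # last SLA / security performance review


def assess_service(svc: NetworkService, today: date) -> List[str]:
    """Return the list of Annex A 8.21 gaps for one service (empty list = no gaps)."""
    gaps: List[str] = []
    # Step 1: every service needs a named business owner.
    if not svc.business_owner:
        gaps.append("no business owner assigned")
    # Step 2: security requirements - encryption, authentication, access control.
    if svc.encryption not in APPROVED_ENCRYPTION:
        gaps.append(f"encryption in transit not approved: {svc.encryption or 'undefined'}")
    if not svc.authentication:
        gaps.append("no authentication mechanism defined")
    if not svc.access_restriction:
        gaps.append("no access restriction (IP/location) available")
    # Step 3: an SLA that covers security, not only uptime.
    if not svc.sla_signed:
        gaps.append("no signed SLA or operational agreement")
    else:
        if svc.sla_breach_notification_hours is None:
            gaps.append("SLA lacks breach notification deadline")
        if svc.sla_patch_cadence_days is None:
            gaps.append("SLA lacks patch cadence")
    # Step 4: monitoring and regular review.
    if not svc.monitored:
        gaps.append("not monitored for uptime/security events")
    if svc.last_review is None:
        gaps.append("never reviewed")
    elif (today - svc.last_review).days > REVIEW_INTERVAL_DAYS:
        gaps.append(f"review overdue ({(today - svc.last_review).days} days since last review)")
    return gaps


def assess_inventory(services: List[NetworkService], today: date) -> Dict[str, List[str]]:
    """Map each service name to its gap list."""
    return {svc.name: assess_service(svc, today) for svc in services}


def compliant_services(report: Dict[str, List[str]]) -> List[str]:
    """Names of services with no gaps."""
    return sorted(name for name, gaps in report.items() if not gaps)


# Constructed sample inventory (fictional providers and values).
TODAY = date(2025, 1, 15)
SAMPLE_INVENTORY = [
    NetworkService("Remote-access VPN", "in-house", "Head of IT", "TLS", "MFA via IdP",
                   True, True, 4, 30, True, date(2024, 10, 1)),
    NetworkService("SIP trunk", "Example Telco", "Facilities Manager", "none", "SIP digest",
                   True, True, None, 90, True, date(2023, 11, 1)),
    NetworkService("Marketing 4G dongle", "unknown", None, None, None,
                   False, False, None, None, False, None),
]


if __name__ == "__main__":
    for name, gaps in assess_inventory(SAMPLE_INVENTORY, TODAY).items():
        status = "OK" if not gaps else "GAPS"
        print(f"{name}: {status}")
        for gap in gaps:
            print(f"  - {gap}")
```

Run as-is, the VPN passes, the SIP trunk is flagged for unencrypted transport, a missing breach-notification clause and an overdue review, and the shadow-IT dongle fails every check. The same structure can be fed from a spreadsheet or CMDB export so the checklist at the end of this article becomes repeatable evidence rather than a one-off exercise.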

Common Challenges

The “Commodity” Trap: It is easy to treat internet access as a basic utility like electricity, assuming it’s “just there.” However, a cheap ISP with no security guarantees can be a major liability if they route your traffic insecurely.

Shadow IT: Departments might buy their own network services (like a 4G dongle or a separate cloud load balancer) without telling IT. Regular audits and network scanning can help you find and bring these rogue services under management.

A Quick Checklist for Annex A 8.21

To ensure you are ready for your audit, run through this quick checklist:

  • Do you have an inventory of all internal and external network services?
  • Are security requirements defined for each service (e.g., encryption, authentication)?
  • Do you have signed SLAs with providers covering security and availability?
  • Are you monitoring these services for uptime and security incidents?
  • Do you review the performance of these service providers at least annually?

Why This Control Matters

Implementing Annex A 8.21 ensures that the lifelines of your business are robust. By defining your requirements and holding your providers accountable, you ensure that your network services support your security strategy rather than undermining it.

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor ⚡ 30+ Years Exp 🏢 Ex-GE Leader

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
