
How to Implement ISO 27001 Annex A 8.21 Security of Network Services

In this ultimate guide to implementing ISO 27001 Annex A 8.21 Security of Network Services, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Implementing ISO 27001 Annex A 8.21 means managing the security of network services so that the integrity and confidentiality of data are preserved across managed infrastructure. The control requires establishing rigorous service level agreements (SLAs), enforcing strong encryption for data in transit, and monitoring network traffic to prevent unauthorized access and protect business continuity.

ISO 27001 Annex A Security of Network Services Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.21 by establishing rigorous technical agreements and monitoring mechanisms for all internal and external network provisions. Compliance requires verifying that network service providers (ISPs, Cloud, MSPs) deliver specific security features like encryption and DDoS protection, rather than accepting generic “uptime” guarantees.

1. Define Security Requirements in Service Agreements

Control Requirement: Security mechanisms, service levels, and management requirements of all network services must be identified and included in network services agreements.

Required Implementation Step: Audit your current ISP and WAN contracts. Negotiate specific security schedules that mandate DDoS mitigation thresholds (e.g., “Mitigation triggers at 1Gbps attack volume”) and guaranteed response times for security incidents, not just connectivity outages.

Minimum Requirement: Signed contracts explicitly listing security responsibilities (e.g., who patches the edge router?).

2. Enforce Strong Encryption for Transit Data

Control Requirement: Mechanisms must be in place to protect data traversing public or untrusted networks.

Required Implementation Step: Configure your VPN concentrators and web servers to reject obsolete cipher suites. Specifically, disable TLS 1.0/1.1 and SSL 3.0 on your load balancers. Enforce TLS 1.3 for all web-facing services and use IPsec with AES-256 for site-to-site tunnels.

Minimum Requirement: A “Grade A” rating on SSLLabs or similar verification for all external endpoints.
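An added example (not from this guide or the toolkit) using only Python's standard library: the weak server setting from step 2 beside the corrected TLS 1.3-only one, a policy audit of a context, and a handshake probe you can point at your own external endpoints to collect evidence for the minimum requirement. The function names are assumptions.

```python
import socket
import ssl

FORBIDDEN = {  # versions the checklist says external endpoints must reject
    ssl.TLSVersion.SSLv3: "SSL 3.0",
    ssl.TLSVersion.TLSv1: "TLS 1.0",
    ssl.TLSVersion.TLSv1_1: "TLS 1.1",
}

def legacy_server_context() -> ssl.SSLContext:
    """Weak setting: the server is opened down to TLS 1.0, as many old deployments still are."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx

def hardened_server_context() -> ssl.SSLContext:
    """Corrected setting: TLS 1.3 only, as the checklist requires for web-facing services."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the policy violations a context would allow (an empty list means compliant)."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    # MINIMUM/MAXIMUM_SUPPORTED mean "whatever OpenSSL permits"; treat them as the widest range.
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    findings = [f"accepts {name}" for ver, name in FORBIDDEN.items() if lo <= ver <= hi]
    if lo < ssl.TLSVersion.TLSv1_3:
        findings.append("does not enforce TLS 1.3")
    return findings

def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Evidence check: attempt a handshake at each forbidden version; return those the endpoint accepted."""
    accepted = []
    for ver, name in FORBIDDEN.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # testing protocol acceptance, not the cert
        try:
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    accepted.append(name)
        except (ssl.SSLError, OSError, ValueError):
            pass  # refused by the server, or the version is not available in the local OpenSSL build
    return accepted
```

Run `probe_endpoint("your.public.host")` against each external endpoint and keep the (ideally empty) result with the date as audit evidence; a non-empty list is a finding against step 2.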

3. Implement 802.1x Network Access Control (NAC)

Control Requirement: Access to network services must be authenticated.

Required Implementation Step: Deploy a RADIUS server (e.g., Microsoft NPS or FreeRADIUS) and configure your switches and wireless access points to enforce 802.1x authentication. Ensure that no device can obtain an IP address or talk to the network simply by plugging into a wall socket without a valid machine certificate.

Minimum Requirement: Physical ports in reception or meeting rooms immediately reject unauthenticated devices.
