How to Implement ISO 27001:2022 Annex A 8.22: Segregation of Networks


Think of your network like a submarine. If a submarine has a hull breach, it doesn’t sink immediately because it is divided into watertight compartments. You can seal off the flooded section and keep the rest of the ship operational.

ISO 27001:2022 Annex A 8.22, “Segregation of networks,” brings this exact logic to your information security. It is about slicing your network into smaller, manageable chunks (sub-networks or domains) so that if a hacker gets into one area—like your guest Wi-Fi—they can’t simply walk straight into your financial server.

What is the Objective of Annex A 8.22?

The primary objective is to separate groups of information services, users, and information systems on networks. By segregating your network, you are effectively controlling the flow of traffic between different parts of your organisation based on trust and risk.

In the past, many companies operated a “flat” network where every computer could talk to every other computer. This is a hacker’s dream. Once they compromise a receptionist’s laptop, they can move laterally to the CEO’s device or the main database without resistance. Annex A 8.22 stops this lateral movement.

Step-by-Step Implementation Guide

Implementing network segregation doesn’t require you to rip out all your cabling and start again. In modern infrastructure, this is largely done via software configuration. Here is a practical way to approach it.

1. Map Your Network and Services

You cannot segregate what you don’t understand. Start by mapping out your current network. Identify which groups of users need access to which systems. Does the marketing team need access to the engineering code repository? Probably not. Does the smart toaster in the kitchen need access to the HR file server? Definitely not.

2. Define Your Trust Domains

Group your assets into zones based on their security requirements. Common examples of segregation include:

  • Guest Network: For visitors. It should provide internet access only and be completely isolated from the corporate network.
  • Corporate Network: For staff laptops and printers.
  • Production/Server Network: For the servers hosting your critical applications.
  • Development Network: A sandbox for developers to break things without affecting production (this also supports Annex A 8.31).

3. Choose Logical vs. Physical Separation

You can achieve segregation physically (using separate switches and cables) or logically (using software). For 99% of businesses, logical separation is the way to go.

As the experts at Hightable.io often emphasise, logical segregation using Virtual LANs (VLANs) or cloud-based subnets is typically sufficient for compliance. It is flexible, cost-effective, and easier to manage than maintaining separate physical hardware for every department.

4. Control the Traffic (The Gatekeepers)

Once you have your separate zones (VLANs), you need to police the traffic moving between them. This is usually done using a firewall or a router with Access Control Lists (ACLs).

The rule should be “deny by default.” Only allow traffic that is strictly necessary. For example, the Corporate Network might be allowed to talk to the Server Network on port 443 (web traffic), but not on port 22 (SSH).

5. Segregation in the Cloud

If you are using AWS, Azure, or Google Cloud, you don’t have cables to unplug. Here, segregation is achieved using Virtual Private Clouds (VPCs), Subnets, and Security Groups. Ensure that your database servers are in a private subnet with no direct route to the internet, while your load balancers sit in a public subnet.
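Steps 4 and 5 both come down to a small deny-by-default policy between zones. The following is an added example, not code from the original post or from Hightable.io: a Python model of such an inter-zone policy, evaluated against a few constructed flows, plus an isolation check of the kind an auditor would ask for. Zone names, address ranges and the rules themselves are assumptions for illustration.

```python
"""Minimal model of a deny-by-default inter-zone policy (Annex A 8.22)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical trust domains; the address ranges are constructed for this example.
ZONES = {
    "guest":     ipaddress.ip_network("192.168.50.0/24"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "server":    ipaddress.ip_network("10.20.0.0/16"),
    "dev":       ipaddress.ip_network("10.30.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: Optional[int]   # None means any port

# Allow-list only: anything not matched here is denied (deny by default).
# Note that corporate -> server on port 22 needs no explicit deny rule.
ALLOW_RULES = [
    Rule("corporate", "server", "tcp", 443),   # web traffic to the applications
    Rule("dev", "server", "tcp", 443),
    Rule("corporate", "internet", "any", None),
    Rule("guest", "internet", "any", None),    # guests get internet access only
]

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the internal ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Return 'allow' or 'deny' for one flow crossing the inter-zone gatekeeper."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"   # intra-zone traffic never reaches the inter-zone firewall
    for r in ALLOW_RULES:
        if (r.src_zone, r.dst_zone) == (src, dst) and r.proto in ("any", proto) \
                and r.port in (None, port):
            return "allow"
    return "deny"

def is_isolated(zone_a: str, zone_b: str) -> bool:
    """Checklist helper: True if no allow rule exists between the two zones in either direction."""
    return not any({r.src_zone, r.dst_zone} == {zone_a, zone_b} for r in ALLOW_RULES)
```

Because the server zone has no allow rule towards "internet", a database host trying to reach the outside is denied, which mirrors the private-subnet requirement in step 5.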


Common Challenges

Over-Segmentation: Creating too many zones can make the network unmanageable. If IT has to open a firewall rule every time someone wants to print a document, you have gone too far.

The “Flat” VPN: Many companies segregate their office network beautifully, but then give VPN users “full tunnel” access to everything. Ensure your remote access solution also respects your segregation rules.

A Quick Checklist for Annex A 8.22

To ensure you are compliant, check the following:

  • Is the Guest Wi-Fi completely isolated from the internal corporate network?
  • Are critical servers separated from standard user workstations?
  • Do you use VLANs or subnets to separate different business functions?
  • Are there firewall rules (or security groups) controlling traffic between these segments?
  • Is the segregation reviewed regularly as the network changes?

Why This Control Matters

Implementing Annex A 8.22 is one of the most effective ways to limit the “blast radius” of a cyber attack. It turns a potential catastrophe into a contained incident. By following the pragmatic advice from resources like Hightable.io and keeping your architecture clean, you protect your critical assets even if your perimeter is breached.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker, an ISO 27001 expert and thought leader, is the author of this content.