Implementing ISO 27001 Annex A 8.22 Segregation of Networks is the architecture of logical and physical traffic isolation to separate information services, users, and systems. It requires configuring VLANs, firewalls, and virtual networks to control data flows, preventing lateral movement and ensuring a breach in one zone does not compromise critical business assets.
Table of contents
- ISO 27001 Annex A Segregation of Networks Implementation Checklist
- 1. Define and Document Network Security Domains
- 2. Implement VLAN Tagging on Access Switches
- 3. Configure Strict Inter-Zone Firewall Rules
- 4. Establish a Demilitarised Zone (DMZ)
- 5. Physically or Logically Isolate Guest Wi-Fi
- 6. Segregate Management Interfaces (Out-of-Band)
- 7. Implement Cloud Virtual Private Cloud (VPC) Peering Rules
- 8. Enforce Micro-Segmentation for Critical Assets
- 9. Segregate Third-Party Vendor Access
- 10. Validate Segregation with Periodic Nmap Scans
- ISO 27001 Annex A 8.22 SaaS / GRC Platform Implementation Failure Checklist
ISO 27001 Annex A Segregation of Networks Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.22. True network segregation requires verifiable logical or physical boundaries configured directly on switches, firewalls, and cloud infrastructure, not just a theoretical diagram uploaded to a GRC portal.
1. Define and Document Network Security Domains
Control Requirement: Networks must be segregated into groups of information services, users, and information systems. Required Implementation Step: Create a network architecture document that explicitly labels “Trust Zones” (e.g., Corp-LAN, Guest-Wifi, Production-Db, DMZ-Public). Map every subnet (CIDR block) to a specific Trust Zone based on the data classification of the assets residing there.
Minimum Requirement: A complete network topology diagram showing ingress/egress points for each defined zone.
2. Implement VLAN Tagging on Access Switches
Control Requirement: Logical segregation must be enforced at the data link layer. Required Implementation Step: Log into your core and access switches. Configure IEEE 802.1Q VLAN tagging to separate broadcast domains. Assign specific ports to specific VLAN IDs (e.g., VLAN 10 for Finance, VLAN 20 for HR, VLAN 99 for Guests) to prevent casual sniffing and lateral movement at Layer 2.
Minimum Requirement: No workstation ports remain on the default VLAN 1.
3. Configure Strict Inter-Zone Firewall Rules
Control Requirement: Traffic between segregated domains must be controlled and filtered. Required Implementation Step: On your internal firewalls or Layer 3 switches, implement Access Control Lists (ACLs) that follow a “Default Deny” philosophy. Explicitly permit only necessary traffic ports and protocols between zones (e.g., Allow port 1433 only from App-Server-VLAN to DB-Server-VLAN).
Minimum Requirement: Any traffic not explicitly allowed between VLANs is dropped by default.
4. Establish a Demilitarised Zone (DMZ)
Control Requirement: Public-facing systems must be segregated from internal networks. Required Implementation Step: Place all web servers, mail gateways, and bastion hosts in a dedicated DMZ subnet. Configure firewall rules that allow inbound Internet traffic only to the DMZ, and block all traffic initiated from the DMZ to the internal “Trusted” network.
Minimum Requirement: Compromise of a public-facing server must not provide direct network routes to internal domain controllers.
5. Physically or Logically Isolate Guest Wi-Fi
Control Requirement: Guest access must be completely segregated from corporate resources. Required Implementation Step: Configure your Wireless Access Points (WAPs) to broadcast a separate “Guest” SSID mapped to a distinct VLAN. Apply Client Isolation to prevent guests from communicating with each other, and route all Guest VLAN traffic directly to the internet gateway, bypassing the internal LAN entirely.
Minimum Requirement: A “Ping” command from a device on Guest Wi-Fi to a corporate server IP must time out.
6. Segregate Management Interfaces (Out-of-Band)
Control Requirement: Administrative access paths must be protected. Required Implementation Step: Remove management interfaces (SSH, RDP, Web Consoles) for switches, firewalls, and hypervisors from production user subnets. Place them on a dedicated “Management VLAN” accessible only via a specific Jump Host or Admin VPN profile.
Minimum Requirement: Admin portals are not accessible from standard user workstations.
7. Implement Cloud Virtual Private Cloud (VPC) Peering Rules
Control Requirement: Segregation principles must extend to cloud environments. Required Implementation Step: In AWS/Azure/GCP, ensure production and non-production workloads reside in separate VPCs or VNETs. If VPC Peering is required, configure Security Groups and Network ACLs (NACLs) to restrict traffic flow strictly to required service ports, avoiding “Allow All” peering configurations.
Minimum Requirement: Development environments cannot route traffic to Production databases.
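To make the default-deny inter-zone policy of steps 3 to 7 concrete, here is an added Python model that is not part of the original checklist: it maps the checklist's trust zones to constructed CIDR blocks, decides a flow against an explicit allow list with everything else denied, and encodes the minimum requirements of steps 3, 4, 5 and 7 as flows that must be permitted or denied. All addresses, zone names and the two allow rules are assumed sample values.

```python
import ipaddress

# Trust zones from the checklist mapped to constructed CIDR blocks (sample values).
ZONES = {
    "Internet": ["0.0.0.0/0"],          # catch-all, matched only when nothing else fits
    "DMZ-Public": ["192.0.2.0/24"],
    "Corp-LAN": ["10.10.0.0/16"],
    "Guest-Wifi": ["10.99.0.0/16"],
    "App-Server": ["10.20.1.0/24"],
    "Production-Db": ["10.20.2.0/24"],
    "Dev": ["10.30.0.0/16"],
}

# Explicit allow list (src zone, dst zone, proto, port); any inter-zone flow
# not listed here is dropped, which is the "Default Deny" philosophy of step 3.
ALLOW = {
    ("Internet", "DMZ-Public", "tcp", 443),
    ("App-Server", "Production-Db", "tcp", 1433),
}

def zone_of(ip):
    """Most specific zone containing ip: longest prefix wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, cidrs in ZONES.items():
        for net in map(ipaddress.ip_network, cidrs):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def is_allowed(src_ip, dst_ip, proto, port):
    """Inter-zone firewall decision for a new connection."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:  # same VLAN: not filtered here; step 8 covers host firewalls
        return True
    return (src, dst, proto, port) in ALLOW

# Minimum requirements of steps 3, 4, 5 and 7 as flows that must be
# permitted (True) or denied (False). ICMP ping is modelled with port 0.
REQUIREMENTS = [
    ("10.20.1.10", "10.20.2.5", "tcp", 1433, True),   # App -> DB SQL (needed)
    ("192.0.2.10", "10.10.0.5", "tcp", 445, False),   # DMZ -> trusted LAN
    ("10.99.3.7", "10.10.0.5", "icmp", 0, False),     # guest ping -> corp server
    ("10.30.1.1", "10.20.2.5", "tcp", 1433, False),   # dev -> prod DB
    ("203.0.113.9", "192.0.2.10", "tcp", 443, True),  # internet -> DMZ web
]

def failing_requirements():
    """Requirements the policy does not satisfy (empty list means compliant)."""
    return [r for r in REQUIREMENTS if is_allowed(*r[:4]) != r[4]]
```

Adding a rule such as ("Guest-Wifi", "Corp-LAN", "icmp", 0) to ALLOW makes failing_requirements() report the step 5 flow, which is the kind of drift an auditor looks for.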
8. Enforce Micro-Segmentation for Critical Assets
Control Requirement: Granular restrictions should protect high-value assets. Required Implementation Step: For critical servers (e.g., SWIFT payment gateways, PII databases), implement host-based firewalls (e.g., iptables, Windows Firewall) or hypervisor-level micro-segmentation. Ensure these assets only accept connections from specific, authorised IP addresses, effectively placing them in a “segment of one.”
Minimum Requirement: Lateral movement to critical assets is blocked even from within the same server subnet.
9. Segregate Third-Party Vendor Access
Control Requirement: External party access must be isolated. Required Implementation Step: Create a dedicated “Vendor VPN” pool or specific “Jump Box” that restricts third-party vendors to only the specific IP addresses and ports required for their maintenance tasks. Log all traffic crossing this boundary.
Minimum Requirement: Vendors cannot scan or access the wider network beyond their contracted scope.
10. Validate Segregation with Periodic Nmap Scans
Control Requirement: Segregation controls must be verified for effectiveness. Required Implementation Step: Schedule automated internal scans (using tools like Nmap or Nessus) from different network zones to verify that ACLs are working. Specifically, attempt to reach blocked ports on critical segments from the Guest and User zones to prove “unreachability.”
Minimum Requirement: Documented scan results proving that segregation rules are active and effective.
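An added example for the step 10 validation, not part of the original checklist: it parses constructed `nmap -oG` (grepable) output from a scan launched in the Guest zone against the database segment and reports every port that answered when the policy says it should have been filtered. The zone names, hosts and expected-reachable sets are assumptions tied to the sample data.

```python
import re

# Constructed sample of `nmap -oG -` output (not real scan data) from a
# scanner in the Guest-Wifi zone probing the Production-Db segment.
GUEST_SCAN = """\
# Nmap scan initiated as: nmap -sS -p 22,1433,3389 -oG - 10.20.2.0/29
Host: 10.20.2.5 ()\tStatus: Up
Host: 10.20.2.5 ()\tPorts: 22/filtered/tcp//ssh///, 1433/open/tcp//ms-sql-s///, 3389/closed/tcp//ms-wbt-server///
Host: 10.20.2.6 ()\tStatus: Up
Host: 10.20.2.6 ()\tPorts: 22/filtered/tcp//ssh///, 1433/filtered/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///
"""

# Each -oG port entry is port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")

def parse_grepable(text):
    """Return (host, port, proto, state) for every port entry in -oG output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            results.append((host, int(port), proto, state))
    return results

# What each scanning zone is expected to reach on the target segment under
# the step 3 allow rule: only App-Server may reach the SQL port, Guest may
# reach nothing. Assumed values matching the sample above.
EXPECTED_REACHABLE = {
    "Guest-Wifi": set(),
    "App-Server": {("10.20.2.5", 1433, "tcp")},
}

def segregation_violations(scan_text, source_zone):
    """Entries that answered at all (open or closed) but should be filtered.

    A 'closed' result still means the probe crossed the boundary and a RST
    came back, so only 'filtered' counts as proof of unreachability."""
    allowed = EXPECTED_REACHABLE.get(source_zone, set())
    return [(host, port, proto, state)
            for host, port, proto, state in parse_grepable(scan_text)
            if state != "filtered" and (host, port, proto) not in allowed]
```

Running the same check per zone on a schedule and archiving an empty violation list alongside the raw -oG file gives the documented evidence the minimum requirement asks for.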
ISO 27001 Annex A 8.22 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Network Domain Definition | GRC tool accepts a static PDF of a network diagram uploaded 2 years ago. | Fails if the diagram doesn’t match the live routing table. Auditors verify segregation by tracerouting packets, not reading PDFs. |
| Inter-Zone Traffic Filtering | SaaS platform checks if “Firewall is enabled” on endpoints. | Fails if the core switch allows “Any-Any” traffic between VLANs. Real compliance requires inspecting router ACL configs. |
| Guest Wi-Fi Isolation | Questionnaire asks: “Is Guest Wi-Fi separate?” (Yes/No). | Fails if a Guest user can access the printer or cast to the boardroom TV. Technical isolation verification is mandatory. |
| Cloud Segregation | Tool connects to API and checks if “VPCs exist”. | Fails if Security Groups allow 0.0.0.0/0 SSH access. Existence of VPCs proves nothing; route tables and rules define security. |
| Management Isolation | Not checked by standard GRC scanners. | Fails if an attacker on a compromised Reception PC can load the Firewall Login page. Management interfaces must be unreachable. |
| Legacy Flat Networks | SaaS tool ignores legacy infrastructure not running agents. | Fails if your mainframe or old ERP sits on the same subnet as employee laptops, allowing ransomware to spread instantly. |
| Verification | Tool provides a “Compliance Badge” based on policy documents. | Fails if you haven’t run a port scan (Nmap) to prove the walls actually exist. Policies don’t stop packets; firewalls do. |