In this ultimate how-to-implement guide to ISO 27001 Annex A 8.22 Segregation of Networks, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Annex A Segregation of Networks Implementation Checklist
- 1. Define and Document Network Security Domains
- 2. Implement VLAN Tagging on Access Switches
- 3. Configure Strict Inter-Zone Firewall Rules
- 4. Establish a Demilitarised Zone (DMZ)
- 5. Physically or Logically Isolate Guest Wi-Fi
- 6. Segregate Management Interfaces (Out-of-Band)
- 7. Implement Cloud Virtual Private Cloud (VPC) Peering Rules
- 8. Enforce Micro-Segmentation for Critical Assets
- 9. Segregate Third-Party Vendor Access
- 10. Validate Segregation with Periodic Nmap Scans
- ISO 27001 Annex A 8.22 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 8.22 Segregation of Networks means building logical and physical traffic isolation that separates information services, users and systems. It requires configuring VLANs, firewalls and virtual networks to control data flows, so that lateral movement is blocked and a breach in one zone does not compromise critical business assets.
ISO 27001 Annex A Segregation of Networks Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.22. True network segregation requires verifiable logical or physical boundaries configured directly on switches, firewalls, and cloud infrastructure, not just a theoretical diagram uploaded to a GRC portal.
1. Define and Document Network Security Domains
Control Requirement: Networks must be segregated into groups of information services, users, and information systems. Required Implementation Step: Create a network architecture document that explicitly labels “Trust Zones” (e.g., Corp-LAN, Guest-Wifi, Production-Db, DMZ-Public). Map every subnet (CIDR block) to exactly one Trust Zone based on the data classification of the assets residing there; a subnet that belongs to no zone is a gap in the design.
Minimum Requirement: A complete network topology diagram showing ingress/egress points for each defined zone.
2. Implement VLAN Tagging on Access Switches
Control Requirement: Logical segregation must be enforced at the data link layer. Required Implementation Step: Log into your core and access switches. Configure IEEE 802.1Q VLAN tagging to separate broadcast domains. Assign specific ports to specific VLAN IDs (e.g., VLAN 10 for Finance, VLAN 20 for HR, VLAN 99 for Guests) to prevent casual sniffing and lateral movement at Layer 2.
Minimum Requirement: No workstation ports remain on the default VLAN 1.
3. Configure Strict Inter-Zone Firewall Rules
Control Requirement: Traffic between segregated domains must be controlled and filtered. Required Implementation Step: On your internal firewalls or Layer 3 switches, implement Access Control Lists (ACLs) that follow a “Default Deny” philosophy. Explicitly permit only the necessary ports and protocols between zones, in the initiating direction only (e.g., allow TCP 1433 only from App-Server-VLAN to DB-Server-VLAN; the reverse direction gets no rule).
Minimum Requirement: Any traffic not explicitly allowed between VLANs is dropped by default.
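The three steps above fit together as one model: a zone map, a port-to-VLAN table and a default-deny rule base. The following Python script is an added example (not from the original guide or its toolkit) that evaluates that model: it resolves addresses to Trust Zones by longest prefix, flags access ports still on VLAN 1, and decides inter-zone flows under default deny with a single explicit allow for TCP 1433. All zone names, CIDRs, port assignments and rules are constructed sample data.

```python
"""Zone map, VLAN 1 audit and default-deny inter-zone policy, modelled in code.

Example code added for illustration. The zone names, CIDR blocks, switch ports
and rules below are constructed sample data, not configuration from the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Step 1: every subnet maps to exactly one Trust Zone (constructed sample).
ZONE_MAP: Dict[str, str] = {
    "10.10.0.0/24": "Corp-LAN",
    "10.20.0.0/24": "App-Server-VLAN",
    "10.30.0.0/24": "DB-Server-VLAN",
    "192.168.99.0/24": "Guest-Wifi",
    "172.16.1.0/24": "DMZ-Public",
}
_NETWORKS = [(ipaddress.ip_network(cidr), zone) for cidr, zone in ZONE_MAP.items()]


def zone_of(ip: str) -> Optional[str]:
    """Return the Trust Zone an address belongs to, or None if it is unmapped.

    Longest-prefix match, so a more specific subnet nested inside a larger one
    resolves to its own zone rather than the parent's.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, zone in _NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


# Step 2: access-switch port assignments (constructed sample). VLAN 1 is the
# default VLAN and must not carry workstation ports.
PORT_VLANS: Dict[str, int] = {
    "Gi1/0/1": 10,   # Finance
    "Gi1/0/2": 20,   # HR
    "Gi1/0/3": 1,    # forgotten port, still on the default VLAN
    "Gi1/0/24": 99,  # Guests
}


def ports_on_default_vlan(port_vlans: Dict[str, int]) -> List[str]:
    """Minimum requirement for step 2: list every access port still on VLAN 1."""
    return sorted(port for port, vlan in port_vlans.items() if vlan == 1)


# Step 3: explicit allow rules between zones. Anything not listed is dropped.
@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


ALLOW_RULES: List[Rule] = [
    Rule("App-Server-VLAN", "DB-Server-VLAN", "tcp", 1433),  # app tier to SQL Server
    Rule("Corp-LAN", "App-Server-VLAN", "tcp", 443),          # users to the web tier
]


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Decide whether an inter-zone flow is permitted under default deny.

    Assumptions: the enforcement point is stateful, so only the initiating
    direction needs a rule and replies ride the connection state; traffic that
    stays inside one zone never reaches the inter-zone filter and is reported
    as allowed here. An address outside the zone map is denied, because an
    unmapped subnet is a gap in step 1, not an implicit trust decision.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return any(
        r.src_zone == src and r.dst_zone == dst
        and r.proto == proto.lower() and r.port == port
        for r in ALLOW_RULES
    )


if __name__ == "__main__":
    print("Ports still on VLAN 1:", ports_on_default_vlan(PORT_VLANS))
    checks = [
        ("10.20.0.5", "10.30.0.10", "tcp", 1433),   # app -> db, permitted
        ("10.30.0.10", "10.20.0.5", "tcp", 1433),   # db -> app, no rule
        ("192.168.99.7", "10.30.0.10", "tcp", 1433),  # guest -> db, no rule
        ("10.20.0.5", "10.30.0.10", "tcp", 3389),   # app -> db RDP, no rule
    ]
    for flow in checks:
        print(flow, "ALLOW" if is_allowed(*flow) else "DROP")
```

Note the asymmetry the evaluator enforces: the single rule for TCP 1433 permits the application tier to initiate connections to the database tier, but a database host trying to reach the application tier on the same port is dropped, which is exactly the lateral-movement path a compromised database server would try. Swap the constructed dictionaries for an export from your own firewall and switch configuration to turn this into an audit script.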