4. Network Device Hardening Consistency Verified

Verification Criteria: Routers, switches, and firewalls are hardened according to an established baseline, including the removal of default credentials and unused services. Required Evidence: Hardening checklist sign-offs or configuration comparison reports against CIS Benchmarks.

5. Encryption for Data in Transit Confirmed

Verification Criteria: Technical controls enforce the encryption of data traversing public or untrusted networks using modern protocols (TLS 1.2+ or IPsec VPNs). Required Evidence: SSL/TLS certificate reports and VPN configuration settings for remote access and site-to-site tunnels.

6. Intrusion Detection and Prevention (IDS/IPS) Presence Validated

Verification Criteria: Active monitoring and prevention systems are deployed at network boundaries to detect and block malicious traffic patterns. Required Evidence: IDS/IPS dashboard screenshots and recent alert logs showing blocked attack signatures.

7. Remote Access Security Enforcement Confirmed

Verification Criteria: All remote network access is authenticated via Multi-Factor Authentication (MFA) and restricted to managed or authorised endpoints. Required Evidence: VPN configuration logs and MFA provider reports showing 100% enforcement for remote users.

8. Firewall Rule Base Integrity Verified

Verification Criteria: Firewall rules follow the "Deny All" principle, with only specifically authorised traffic permitted via the rule base. Required Evidence: Firewall rule base export showing a "Cleanup" rule (Deny Any/Any) at the bottom of the list.

9. Network Management Tool Access Restricted

Verification Criteria: Access to network management consoles and monitoring tools is restricted to authorised IT personnel using dedicated administrative accounts. Required Evidence: Access Control Lists (ACLs) for management subnets and RBAC logs from the network management platform.

10. Wireless Network Security Validated

Verification Criteria: Corporate wireless networks use robust authentication (e.g., WPA3 or WPA2-Enterprise with 802.1X) to prevent unauthorised association. Required Evidence: Wireless Controller (WLC) configuration showing the authentication method and active client certificates.

ISO 27001 Annex A 8.20 Audit Checklist [+ Templates]

Q: 1. Network Security Policy Formalisation Verified

Verification Criteria: A documented policy exists defining the security requirements for network management, including baseline configurations and restricted protocols. Required Evidence: Approved Network Security Policy or Infrastructure Hardening Standard with explicit version control.

Q: 2. Network Segmentation and Segregation Confirmed

Verification Criteria: Technical controls (VLANs, Subnets, or Micro-segmentation) separate the network into logical zones based on sensitivity and function (e.g., DMZ, Corporate, Guest). Required Evidence: Current network topology diagram and firewall configuration logs showing active traffic isolation between zones.

Q: 3. Restricted Use of Insecure Protocols Validated

Verification Criteria: Legacy or insecure protocols (e.g., Telnet, FTP, HTTP, SMBv1) are disabled across all network devices in favour of secure alternatives (SSH, SFTP, HTTPS). Required Evidence: Port scan results (Nmap) or device configuration exports showing specific port closures.

In this ultimate how to audit guide to ISO 27001 Annex A 8.20 Network Security, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 8.20 Network Security Audit Checklist

ISO 27001 Annex A 8.20 Network Security Audit Checklist

Auditing ISO 27001 Annex A 8.20 Network Security is the technical verification of infrastructure hardening and traffic segregation protocols. The Primary Implementation Requirement is the logical separation of network zones and encryption of data in transit, providing the Business Benefit of preventing lateral movement and ensuring secure communications integrity.

This technical verification tool is designed for lead auditors to establish the security posture of network infrastructure and data in transit. Use this checklist to validate compliance with ISO 27001 Annex A 8.20.

1. Network Security Policy Formalisation Verified

Verification Criteria: A documented policy exists defining the security requirements for network management, including baseline configurations and restricted protocols.

Required Evidence: Approved Network Security Policy or Infrastructure Hardening Standard with explicit version control.

Pass/Fail Test: If the organisation cannot produce a formal policy specifying the mandatory security controls for network equipment, mark as Non-Compliant.

2. Network Segmentation and Segregation Confirmed

Verification Criteria: Technical controls (VLANs, Subnets, or Micro-segmentation) separate the network into logical zones based on sensitivity and function (e.g., DMZ, Corporate, Guest).

Required Evidence: Current network topology diagram and firewall configuration logs showing active traffic isolation between zones.

Pass/Fail Test: If the Guest Wi-Fi or a low-security zone has direct, unfirewalled routing to the production database environment, mark as Non-Compliant.

3. Restricted Use of Insecure Protocols Validated

Verification Criteria: Legacy or insecure protocols (e.g., Telnet, FTP, HTTP, SMBv1) are disabled across all network devices in favour of secure alternatives (SSH, SFTP, HTTPS).

Required Evidence: Port scan results (Nmap) or device configuration exports showing specific port closures.

Pass/Fail Test: If any network management interface is accessible via unencrypted Telnet or HTTP, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

How to Audit ISO 27001 Annex A 8.20: Network Security

Table of contents

ISO 27001 Annex A 8.20 Network Security Audit Checklist

1. Network Security Policy Formalisation Verified

2. Network Segmentation and Segregation Confirmed

3. Restricted Use of Insecure Protocols Validated