An ISO 27001 Network Security Management Policy is your company’s rulebook for keeping your computer network safe. It’s like having a security guard for all the digital roads and paths that connect your computers. This policy makes sure only the right people and devices can get in and that your data is protected while it’s moving around.
Table of contents
- What is it?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- ISO 27001 Network Security Management Policy Template
- Why you need it
- When you need it
- Who needs it?
- Where you need it
- How to write it
- How to implement it
- Examples of Using It for Small Business
- Examples of Using It for Tech Startups
- Examples of Using It for AI Companies
- How the ISO 27001 toolkit can help
- Information security standards that need it
- List of relevant ISO 27001:2022 controls
- ISO 27001 Network Security Management Policy Example
- ISO 27001 Network Security Management Policy FAQ
What is it?
This policy is a set of guidelines that tells everyone how to protect your network. It covers things like using firewalls, setting up secure Wi-Fi, and making sure all your devices have the right security settings. The main goal is to prevent unauthorised access and protect your network from cyber threats like hackers or malware.
Applicability to Small Businesses, Tech Startups, and AI Companies
This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.
- Small Businesses: It helps you formalise how you protect your online store, customer data, and business files from hackers.
- Tech Startups: It’s crucial for managing access to your development environment, protecting your intellectual property, and ensuring your product is built on a secure foundation.
- AI Companies: It’s essential for protecting the data you use to train your models and ensuring secure connections to your cloud services and servers.
ISO 27001 Network Security Management Policy Template
The ISO 27001:2022 Network Security Management Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre written and ready to go. It is included in the ISO 27001 toolkit.
Why you need it
You need this policy to keep your business safe from digital threats. A good network policy helps you avoid data breaches, protect customer information, and keep your systems running smoothly. It also shows customers and partners that you’re serious about security, which builds trust.
When you need it
You need a network security policy as soon as you start setting up your business’s network. It’s a foundational document that should be created early on. You’ll refer to it whenever you add a new device, change your network setup, or bring on new employees.
Who needs it?
Everyone who uses your company’s network needs to follow this policy. This includes employees, contractors, and even guests who use your Wi-Fi. The IT team or network administrator is usually in charge of writing and enforcing the policy.
Where you need it
This policy applies to all parts of your network, no matter where they are. This includes your office Wi-Fi, your cloud services, and any remote access tools your employees use. The rules apply everywhere your network traffic flows.
How to write it
Writing the policy should be easy to follow. Start by explaining the purpose of the policy. Then, create sections for different rules, like using strong passwords, connecting to a secure network, and what to do if you suspect a problem. Use simple, clear language so everyone can understand it.
Time needed: 1 hour and 30 minutes
How to write an ISO 27001 Network Security Management Policy
- Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.
- Write the ISO 27001 Network Security Management Policy Contents Page
Document Version Control
Document Contents Page
Network Security Management Policy
Purpose
Scope
Principle
Network Controls
Security of Network Services
Segregation in Networks
Access to networks and network services
Network locations
Physical Network Devices
Web Filtering
Host Intrusion, Network Intrusion, Malware and Antivirus
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement
Areas of the ISO 27001 Standard Addressed - Write the ISO 27001 Network Security Management Policy purpose
The purpose of this policy is to ensure the protection of information in networks and its supporting information processing facilities.
- Write the ISO 27001 Network Security Management Policy principle
The network is managed on the principle of least privilege with security by design and default.
- Write the ISO 27001 Network Security Management Policy scope
All company employees and external party users.
All company networks, network services, network administration and management solutions and network devices. - Define the network controls
Responsibilities and procedures for the management of networking equipment are established.
Operational responsibility for networks is separated from computer operations where appropriate.
Special controls are established to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications.
Appropriate logging and monitoring are applied to enable recording and detection of actions that may affect, or are relevant to, information security.
Management activities should be closely coordinated both to optimise the service to the organisation and to ensure that controls are consistently applied across the information processing infrastructure.
Systems on the network are authenticated.
Systems connection to the network should be restricted.
Perimeter firewalls are installed between all wireless networks and the cardholder data environment and configured to deny traffic. (Unless traffic is necessary for business purposes and documented and approved then permit only authorised traffic between the wireless environment and the cardholder data environment).
Permit only “established” connections into the network.
Do not disclose private IP addresses and routing information to unauthorised parties. - Describe the security of network services
Security mechanisms, service levels and management requirements of all network services are identified and included in network services agreements, whether these services are provided in-house or outsourced.
The ability of the network service provider to manage agreed services in a secure way are determined and regularly monitored, and the right to audit should be agreed.
The security arrangements necessary for particular services, such as security features, service levels and management requirements, should be identified. The company should ensure that network service providers implement these measures. - Explain the segregation of networks
Large networks are divided into separate network domains. The domains are chosen based on trust levels.
Segregation can be done using either physically different networks or by using different logical networks (e.g., Virtual private networking).
The perimeter of each domain is well defined.
Access between network domains is allowed but is controlled at the perimeter using a gateway (e.g., firewall, filtering router).
The criteria for segregation of networks into domains, and the access allowed through the gateways, is based on an assessment of the security requirements of each domain. The assessment is in accordance with the access control policy, access requirements, value and classification of information processed and takes account of the relative cost and performance impact of incorporating suitable gateway technology.
Wireless networks require special treatment due to the poorly defined network perimeter. For sensitive environments, consideration is made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway before granting access to internal systems. - Set out access to networks and network services
Users are only provided with access to the network and network services that they have been specifically authorised to use.
Access to networks and network services is in line with the Access Control Policy.
Before connecting to the network devices have:
– Been registered in the asset register
– Been patched to the latest security patch levels
– Appropriate malware protection installed
– Default passwords and accounts deleted or disabled
– Been included where possible in the network management system
– Ports, services, applications, and guest accounts removed or disabled that are not required. - Describe network locations
In the order of preference, physical networks should be within these geographical boundaries:
1. Within the UK boarders
2. Within the European Economic Area (EEA) boarders
3. Within countries with adequacy of the protection of personal data in non-EU countries as outlined by GDPR.
Where standard contractual clauses are in place as outlined by GDPR. - Explain the management of physical network devices
Physical network devices are managed in line with the Physical and Environmental Security Policy and specifically the section on Network Access Control, Cabling Security, Equipment Siting and Protection.
Physical network devices are destroyed in line with the Information Classification and Handling Policy specifically the section on the Destruction of Electronic Media / Devices.
Physical networks devices are in line with the Asset Management Policy and subject to the asset management process. - Describe web filtering
Access to websites containing illegal information or known to contain virus or phishing material is restricted.
Access to the following types of websites where practicable is blocked:
– Websites with an information upload function unless permitted for valid business reasons
– Know or suspected malicious websites
– Command and control servers
– Malicious websites identified in threat intelligence
– Websites sharing illegal content - Explain host intrusion, network intrusion, malware and antivirus
Network services and devices are managed in line with theMalware and Antivirus Policyand specifically all sections of the policy.
Host intrusion and network intrusion is deployed based on risk, business need and where practical to do so.
How to implement it
To put the policy into action, first share it with everyone in the company. You can hold a brief training session to explain the key rules. Then, you’ll set up your network to follow the policy, for example, by configuring firewalls and access controls. Finally, you’ll regularly check to make sure the rules are being followed.
Examples of Using It for Small Business
A small accounting firm’s policy might state that all staff must use a VPN when connecting to the office network from home and that the Wi-Fi password must be changed every month.
Examples of Using It for Tech Startups
A startup creating a new app might have a policy that requires all developers to use multi-factor authentication to access the code repository and prohibits them from using public Wi-Fi without a secure tunnel.
Examples of Using It for AI Companies
An AI company’s policy might include rules for segmenting its network so that the AI training data is kept separate from the public-facing website. It would also require all cloud connections to be encrypted.
How the ISO 27001 toolkit can help
An ISO 27001 toolkit is a great shortcut. It often includes pre-written policies, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.
Information security standards that need it
This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
List of relevant ISO 27001:2022 controls
The ISO 27001:2022 standard has several controls related to network security:
- ISO 27001:2022 Annex A 8.20 Network Security
- ISO 27001:2022 Annex A 8.21 Security of Network Services
- ISO 27001:2022 Annex A 8.22 Segregation of Networks
- ISO 27001:2022 Annex A 8.23 Web Filtering
ISO 27001 Network Security Management Policy Example
An example ISO 27001 Network Security Management Policy:
ISO 27001 Network Security Management Policy FAQ
To protect your computer network from threats.
No, it’s for any size company that has a network.
No, but it helps to have someone from your IT team involved.
You should review it at least once a year.
It can lead to security breaches, lost data, and a damaged reputation.
No, it’s a living document that you should continually use and update.
Yes, it should cover all parts of your network, including wireless connections.
A firewall is a tool that blocks unwanted traffic from entering your network.
No, it works with your software to provide a full security plan.
It provides clear evidence that you are managing your network correctly, which is crucial for audits.
Yes, having a network security policy is required.
It’s the process of dividing your network into smaller, more secure parts.
Decide who will be in charge of writing it and find a good template to start with.
