
ISO 27001 Network Security Policy: How to Write (& Template)

ISO 27001 Network Security Management Policy

In this guide, you will learn what an ISO 27001 Network Security Management Policy is, how to write it yourself and I give you a template you can download and use right away.

What is an ISO 27001 Network Security Management Policy?

The ISO 27001 Network Security Management Policy sets out how you manage your networks for information security to protect the confidentiality, integrity and availability of data over networks.

It is one of the ISO 27001 policies required by the ISO 27001 standard for ISO 27001 certification.


How to write an ISO 27001 Network Security Management Policy

Time needed: 1 hour and 30 minutes


  1. Create your version control and document mark-up

    ISO 27001 documents require version control recording the author, the change, the date and the version, as well as document mark-up such as the document classification.

  2. Write the ISO 27001 Network Security Management Policy Contents Page

    Document Version Control
    Document Contents Page
    Network Security Management Policy
    Purpose
    Scope
    Principle
    Network Controls
    Security of Network Services
    Segregation in Networks
    Access to networks and network services
    Network locations
    Physical Network Devices
    Web Filtering
    Host Intrusion, Network Intrusion, Malware and Antivirus
    Policy Compliance
    Compliance Measurement
    Exceptions
    Non-Compliance
    Continual Improvement
    Areas of the ISO 27001 Standard Addressed

  3. Write the ISO 27001 Network Security Management Policy purpose

    The purpose of this policy is to ensure the protection of information in networks and its supporting information processing facilities.

  4. Write the ISO 27001 Network Security Management Policy principle

    The network is managed on the principle of least privilege with security by design and default.

  5. Write the ISO 27001 Network Security Management Policy scope

    All company employees and external party users.
    All company networks, network services, network administration and management solutions and network devices.

  6. Define the network controls

    Responsibilities and procedures for the management of networking equipment are established.
    Operational responsibility for networks is separated from computer operations where appropriate.
    Special controls are established to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications.
    Appropriate logging and monitoring are applied to enable recording and detection of actions that may affect, or are relevant to, information security.
    Management activities should be closely coordinated both to optimise the service to the organization and to ensure that controls are consistently applied across the information processing infrastructure.
    Systems on the network are authenticated.
    Connection of systems to the network is restricted.
    Perimeter firewalls are installed between all wireless networks and the cardholder data environment and configured to deny traffic by default. Where traffic between the wireless environment and the cardholder data environment is necessary for business purposes, documented and approved, only that authorised traffic is permitted.
    Permit only "established" connections into the network.
    Do not disclose private IP addresses and routing information to unauthorised parties.

  7. Describe the security of network services

    Security mechanisms, service levels and management requirements of all network services are identified and included in network services agreements, whether these services are provided in-house or outsourced.

    The ability of the network service provider to manage the agreed services in a secure way is determined and regularly monitored, and the right to audit should be agreed.

    The security arrangements necessary for particular services, such as security features, service levels and management requirements, should be identified. The company should ensure that network service providers implement these measures.

  8. Explain the segregation of networks

    Large networks are divided into separate network domains. The domains are chosen based on trust levels.
    Segregation can be done using either physically different networks or by using different logical networks (e.g., Virtual private networking).
    The perimeter of each domain is well defined.
    Access between network domains is allowed but is controlled at the perimeter using a gateway (e.g., firewall, filtering router).
    The criteria for segregation of networks into domains, and the access allowed through the gateways, is based on an assessment of the security requirements of each domain. The assessment is in accordance with the access control policy, access requirements, value and classification of information processed and takes account of the relative cost and performance impact of incorporating suitable gateway technology.
    Wireless networks require special treatment due to the poorly defined network perimeter. For sensitive environments, consideration is made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway before granting access to internal systems.

  9. Set out access to networks and network services

    Users are only provided with access to the network and network services that they have been specifically authorized to use.

    Access to networks and network services is in line with the Access Control Policy.
    Before connecting to the network, devices have:
    – Been registered in the asset register
    – Been patched to the latest security patch levels
    – Appropriate malware protection installed
    – Default passwords and accounts deleted or disabled
    – Been included, where possible, in the network management system
    – Ports, services, applications and guest accounts that are not required removed or disabled
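As an added illustration that is not part of the original guide or its template, the pre-connection checklist above expressed as an admission check over a device inventory record; the record fields, the patch baseline and the sample devices are assumptions constructed for this example.

```python
"""Pre-connection device check mirroring the policy's 'before connecting to the network' list."""
from dataclasses import dataclass, field

# Assumed current security patch baseline, "YYYY-MM" (constructed value, not from the policy).
PATCH_BASELINE = "2024-05"


@dataclass
class DeviceRecord:
    """Inventory view of a device; field names are assumptions for this example."""
    hostname: str
    in_asset_register: bool
    patch_level: str                    # "YYYY-MM" of the latest applied security patch bundle
    malware_protection: bool
    default_accounts_enabled: list = field(default_factory=list)
    in_network_management: bool = False
    nms_capable: bool = True            # False where enrolment is not possible ("where possible")
    open_ports: set = field(default_factory=set)
    required_ports: set = field(default_factory=set)  # ports justified by a business need
    guest_accounts_enabled: bool = False


def connection_findings(dev: DeviceRecord, baseline: str = PATCH_BASELINE) -> list:
    """Return every policy requirement the device fails; an empty list means it may connect."""
    findings = []
    if not dev.in_asset_register:
        findings.append("not registered in the asset register")
    if dev.patch_level < baseline:      # lexical compare is valid for zero-padded YYYY-MM
        findings.append(f"patch level {dev.patch_level} below baseline {baseline}")
    if not dev.malware_protection:
        findings.append("malware protection not installed")
    if dev.default_accounts_enabled:
        findings.append("default accounts still enabled: " + ", ".join(sorted(dev.default_accounts_enabled)))
    if dev.nms_capable and not dev.in_network_management:
        findings.append("not enrolled in the network management system")
    unneeded = dev.open_ports - dev.required_ports
    if unneeded:
        findings.append("unrequired ports open: " + ", ".join(str(p) for p in sorted(unneeded)))
    if dev.guest_accounts_enabled:
        findings.append("guest account enabled")
    return findings


def may_connect(dev: DeviceRecord, baseline: str = PATCH_BASELINE) -> bool:
    """Admission decision: connect only when no requirement is failed."""
    return not connection_findings(dev, baseline)


# Constructed sample records: a compliant printer and a non-compliant camera.
COMPLIANT = DeviceRecord("print-01", True, "2024-05", True, in_network_management=True,
                         open_ports={631, 9100}, required_ports={631, 9100})
NONCOMPLIANT = DeviceRecord("cam-07", True, "2023-11", False, default_accounts_enabled=["admin"],
                            open_ports={23, 80, 554}, required_ports={554})

if __name__ == "__main__":
    for dev in (COMPLIANT, NONCOMPLIANT):
        print(dev.hostname, "ALLOW" if may_connect(dev) else "DENY", connection_findings(dev))
```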

  10. Describe network locations

    In order of preference, physical networks should be within these geographical boundaries:
    1. Within the UK borders
    2. Within the European Economic Area (EEA) borders
    3. Within non-EU countries that the GDPR recognises as providing adequate protection of personal data
    4. Where standard contractual clauses, as outlined by the GDPR, are in place

  11. Explain the management of physical network devices

    Physical network devices are managed in line with the Physical and Environmental Security Policy and specifically the section on Network Access Control, Cabling Security, Equipment Siting and Protection.

    Physical network devices are destroyed in line with the Information Classification and Handling Policy specifically the section on the Destruction of Electronic Media / Devices.

    Physical network devices are managed in line with the Asset Management Policy and are subject to the asset management process.

  12. Describe web filtering

    Access to websites containing illegal information, or known to contain viruses or phishing material, is restricted.

    Access to the following types of websites where practicable is blocked:
    – Websites with an information upload function unless permitted for valid business reasons
    – Known or suspected malicious websites
    – Command and control servers
    – Malicious websites identified in threat intelligence
    – Websites sharing illegal content

  13. Explain host intrusion, network intrusion, malware and antivirus

    Network services and devices are managed in line with the Malware and Antivirus Policy and specifically all sections of that policy.

    Host intrusion and network intrusion controls are deployed based on risk, business need and where it is practical to do so.


ISO 27001 Network Security Management Policy Template

The ISO 27001 Network Security Management Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.

ISO 27001 Network Security Management Policy Example

An example ISO 27001 Network Security Management Policy:

Further Reading

ISO 27001 Network Security Management Policy Template

ISO27001 Annex A 8.20 Network Security

ISO27001 Annex A 8.21 Security of Network Services

ISO27001 Annex A 8.22 Segregation of Networks

ISO27001 Annex A 8.23 Web Filtering
