ISO 27001:2022 Annex A 8.20 Networks security

ISO 27001 Annex A 8.20 Network Security

In this guide, I will show you exactly how to implement ISO 27001 Annex A 8.20 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.20 requires organizations to secure, manage, and control their networks and network devices. Its primary purpose is to protect the information within applications and systems from being compromised via the network. This involves a combination of up-to-date documentation, strict access controls, and technical hardening of network infrastructure.

Core requirements for compliance include:

  • Up-to-Date Documentation: You must maintain current network diagrams and device configuration files. These aren’t just technical aids; they are essential audit artifacts that must be version-controlled and classified (usually as “Confidential”).
  • Network Hardening: Default settings are a security risk. You must remove default passwords, disable unnecessary services/protocols, and ensure all network devices (routers, switches, firewalls) are patched and securely configured.
  • Segregated Management: Administrative access to network devices should be separated from standard user traffic. This prevents an attacker on the general network from easily targeting the “keys to the kingdom.”
  • Monitoring & Logging: You must implement logging for all security-relevant network events. This allows you to not only detect active threats but also provide a “forensic trail” if a compromise occurs.

Audit Focus: Auditors will look for “The Big Three” types of evidence:

  1. Visibility: “Show me your network diagram. Is it accurate to what is actually plugged in today?”
  2. Configuration Control: “Show me the logs for the last time a firewall rule was changed. Who authorized it?”
  3. Authentication: “How do you manage administrative access to your switches? Are you still using the factory default ‘admin’ password?”

Network Security Best Practices:

  • Encryption: use TLS 1.2 or later for all data in transit (SSL and TLS 1.0/1.1 are deprecated and should be disabled). Why it matters: prevents “man-in-the-middle” eavesdropping and tampering.
  • Device hardening: disable Telnet, use SSH, change default credentials. Why it matters: reduces the attack surface of your hardware.
  • Access control: implement MFA for network admin portals. Why it matters: stops a stolen credential on its own from granting full network control.
  • Logging: send logs to a central, secure SIEM/log server. Why it matters: an attacker who compromises a device cannot delete its logs to hide their tracks.

What is ISO 27001 Annex A 8.20?

ISO 27001 Annex A 8.20 is about network security: you need to secure, manage and control your networks and network devices, and keep the documentation and records that show you are doing so.

ISO 27001 Annex A 8.20 Purpose

ISO 27001 Annex A 8.20 is both a preventive control and a detective control. Its purpose is to protect information in networks and the supporting information processing facilities from compromise via the network.

ISO 27001 Annex A 8.20 Definition

The ISO 27001 standard defines ISO 27001 Annex A 8.20 as:

Networks and network devices should be secured, managed and controlled to protect information in systems and applications.


ISO 27001 Annex A 8.20 Free Training Video

In the video ISO 27001 Network Security Explained – ISO27001:2022 Annex A 8.20 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 8.20 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 8.20 Network Security, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 8.20 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001:2022 Annex A 8.20 Network Security. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 8.20 Implementation Guide

This control is looking for us to have control over our networks. We are going to ensure information security in our networks and protect connected services from unauthorised access. There are a few things to consider, so let’s go through them.

Documentation

Documentation plays a large part in the standard, and that is equally true of networks. Keeping network documentation up to date is usually an area where organisations struggle, but it is key to this control and to passing the audit.

The documentation that is expected includes network diagrams and configuration files of devices. This documentation is also expected to have the document hygiene that includes document classification and version control. Again, this can often be overlooked.

The documentation should also record the classification level of the data carried over each network. As a simplifying rule, internal organisation networks are classified as Confidential and public-access / guest networks are classified as Public.

Roles and Responsibilities

Network management is a specialist activity that requires trained and experienced professionals. As a result you would document the roles and responsibilities including recording who is performing the role. Around this would be the usual access management processes of requesting, authorising and providing access as well as the segregation of duties to remove conflicts.

Logging and Monitoring

As part of the network implementation you will include appropriate logging and monitoring for actions that are relevant to information security.

Technical Considerations

With advice from your technical teams, you will consider technical elements such as:

  • encryption of data in transit;
  • restriction and filtering of connections to the network, and the use of firewalls;
  • hardening of network devices, including removal of default passwords and unnecessary services;
  • disabling vulnerable network protocols;
  • authenticating systems on the network;
  • segregating administrative channels from other network channels.
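The hardening points above, and the “disable Telnet, use SSH, change defaults” advice in the best-practices list earlier, can be turned into a repeatable check. The script below is an added example, not code from the original page or from any vendor tool: it audits a Cisco IOS-style running-config against a small hardening baseline. The sample configs, device name and the set of checks are constructed for illustration; a real baseline would be longer and would be agreed with the network team and referenced from the Network Security Policy.

```python
"""Audit a network device running-config against a small hardening baseline.

Each check maps to a point in the text: reversible or default credentials,
unnecessary services, plaintext management protocols. The config syntax is
Cisco IOS-style, but both configs below are constructed for this example.
"""
import re

# Constructed "before" config with several common weaknesses.
SAMPLE_CONFIG = """\
hostname core-sw-01
enable password cisco
no service password-encryption
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
"""

# Constructed "after" config: same device, hardened.
HARDENED_CONFIG = """\
hostname core-sw-01
enable secret 9 <hash-omitted>
service password-encryption
no ip http server
ip http secure-server
snmp-server community s3cr3t-ro RO
line vty 0 15
 transport input ssh
 login local
"""


def _has(lines, pattern):
    """True if any config line matches the anchored regular expression."""
    return any(re.match(pattern, line) for line in lines)


# (check id, finding description, predicate over the list of config lines)
CHECKS = [
    ("enable-secret",
     "Privileged-exec password stored with reversible 'enable password'; use 'enable secret'",
     lambda lines: _has(lines, r"^enable password ")),
    ("password-encryption",
     "'service password-encryption' disabled; line passwords stored in clear text",
     lambda lines: _has(lines, r"^no service password-encryption$")),
    ("http-server",
     "Plain HTTP management interface enabled ('ip http server')",
     lambda lines: _has(lines, r"^ip http server$")),
    ("default-snmp-community",
     "Default SNMP community string ('public' or 'private') in use",
     lambda lines: _has(lines, r"^snmp-server community (public|private)\b")),
    ("telnet-vty",
     "Telnet accepted on a VTY line; restrict to 'transport input ssh'",
     lambda lines: _has(lines, r"^\s+transport input .*\btelnet\b")),
]


def audit_config(config_text):
    """Return a list of (check_id, description) findings for a config text."""
    lines = config_text.splitlines()
    return [(cid, desc) for cid, desc, pred in CHECKS if pred(lines)]


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for cid, desc in findings:
            print(f"  [FAIL] {cid}: {desc}")
```

Run it against configs pulled from your devices (for example the output of `show running-config` saved to a file) and keep the output with your audit evidence; a clean run against every device is exactly the kind of record an auditor asks for under “Configuration Control”.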

Virtual Networks

Virtual networks can add an additional layer of security and appropriate security controls should be applied. There is a standard that covers Virtual Networks and it is ISO/IEC TS 23167.

How to implement ISO 27001 Annex A 8.20

Establishing robust network security is a cornerstone of ISO 27001 compliance, designed to protect the confidentiality, integrity, and availability of data as it moves across your infrastructure. By following these technical implementation steps, your organisation can effectively harden network boundaries and mitigate the risk of unauthorised access or lateral movement.

1. Formalise Network Security Policies and ROE

  • Draft a formal Network Security Policy that defines the baseline configurations, permitted protocols, and prohibited services across the estate.
  • Establish a Rules of Engagement (ROE) document for network administrators and third-party managed service providers (MSPs) to ensure clear accountability.
  • Result: A documented governance framework that serves as the legal and technical foundation for all network security controls.

2. Provision Network Segmentation and VLAN Isolation

  • Utilise Virtual Local Area Networks (VLANs) and subnets to logically separate distinct business functions, such as Finance, HR, and guest traffic.
  • Implement micro-segmentation for critical server environments to prevent lateral movement in the event of a single-host compromise.
  • Result: A reduced blast radius that ensures a security breach in one segment cannot easily migrate to sensitive data zones.

3. Enforce Perimeter Defences and TLS Inspection

  • Deploy Next-Generation Firewalls (NGFW) and Intrusion Prevention Systems (IPS) at all network entry and exit points to monitor for malicious patterns.
  • Enable TLS inspection on web gateways to scan encrypted traffic for hidden malware payloads and data exfiltration attempts. Note that this requires distributing the gateway’s CA certificate to every endpoint, breaks applications that pin certificates, and needs a documented legal and privacy review with bypass lists for categories such as banking and healthcare; record the decision in your risk assessment.
  • Result: Real-time blocking of known threats and visibility into previously “blind” encrypted communication channels.

4. Restrict Administrative Access via IAM and MFA

  • Configure granular Identity and Access Management (IAM) roles for network infrastructure, ensuring only authorised personnel can modify device configurations.
  • Mandate Multi-Factor Authentication (MFA) for all administrative logins, particularly for remote access via VPN or cloud-based management consoles.
  • Result: A stolen password on its own no longer grants control of the infrastructure, and every configuration change is attributable to a named, authenticated individual.

5. Execute Continuous Vulnerability Scanning and Hashing

  • Schedule automated network vulnerability scans to identify open ports, insecure protocols (e.g. Telnet, FTP), and unpatched firmware.
  • Use cryptographic hashing (e.g. SHA-256) to verify the integrity of router and switch configuration files against a baseline. Keep the baseline on a host that device administrators cannot write to; otherwise whoever changes a device can also rewrite the reference it is checked against.
  • Result: Proactive identification of technical weaknesses and detection of configuration drift at every scheduled comparison, with a diff against the baseline showing exactly what changed and who needs to explain it.
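The hashing step above, worked through as an added example (this is not the page’s or any product’s code): a baseline manifest of SHA-256 hashes is built from approved configs, the manifest is itself protected with an HMAC so tampering with the stored baseline is detectable, and the current configs are compared against it. The device names, config texts and key are constructed; in practice the current configs would be pulled over SSH and the key would come from a secrets store rather than the script.

```python
"""Detect configuration drift on network devices with a hashed baseline.

Hashing tells you *that* a config changed; the diff tells you *what*.
The manifest carries an HMAC so that an attacker who can alter a device
cannot silently alter the baseline it is compared against as well.
"""
import difflib
import hashlib
import hmac
import json

# Constructed approved ("golden") configs for two devices.
BASELINE_CONFIGS = {
    "edge-fw-01": (
        "hostname edge-fw-01\n"
        "access-list 101 permit tcp any host 10.0.0.5 eq 443\n"
        "access-list 101 deny ip any any\n"
    ),
    "core-sw-01": "hostname core-sw-01\nline vty 0 15\n transport input ssh\n",
}

# Constructed configs as pulled from the devices today.
CURRENT_CONFIGS = {
    # an unauthorised rule permitting RDP from anywhere has been inserted
    "edge-fw-01": (
        "hostname edge-fw-01\n"
        "access-list 101 permit tcp any host 10.0.0.5 eq 443\n"
        "access-list 101 permit tcp any any eq 3389\n"
        "access-list 101 deny ip any any\n"
    ),
    # unchanged apart from trailing whitespace, which normalisation ignores
    "core-sw-01": "hostname core-sw-01  \nline vty 0 15\n transport input ssh\n\n",
    # a device that does not appear in the baseline at all
    "ap-guest-01": "hostname ap-guest-01\n",
}

# Assumed key for the example; load it from a secrets store in practice.
MANIFEST_KEY = b"example-manifest-key"


def config_hash(text):
    """SHA-256 of a normalised config (trailing whitespace and blank lines
    dropped) so cosmetic differences do not raise false alarms."""
    norm = "\n".join(l.rstrip() for l in text.splitlines() if l.strip())
    return hashlib.sha256(norm.encode()).hexdigest()


def build_manifest(configs, key):
    """Baseline manifest {device: hash} plus an HMAC over the manifest."""
    hashes = {dev: config_hash(txt) for dev, txt in sorted(configs.items())}
    body = json.dumps(hashes, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"hashes": hashes, "hmac": tag}


def verify_manifest(manifest, key):
    """Recompute the HMAC and compare in constant time."""
    body = json.dumps(manifest["hashes"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def detect_drift(manifest, current_configs, key):
    """Return {device: 'ok' | 'changed' | 'missing' | 'new'}.

    Raises ValueError if the manifest itself fails verification, because a
    comparison against a tampered baseline is worse than no comparison.
    """
    if not verify_manifest(manifest, key):
        raise ValueError("baseline manifest failed HMAC verification")
    result = {}
    for dev, h in manifest["hashes"].items():
        if dev not in current_configs:
            result[dev] = "missing"
        elif config_hash(current_configs[dev]) != h:
            result[dev] = "changed"
        else:
            result[dev] = "ok"
    for dev in current_configs:
        if dev not in manifest["hashes"]:
            result[dev] = "new"
    return result


def config_diff(old, new, name):
    """Unified diff lines between baseline and current config for one device."""
    return list(difflib.unified_diff(
        old.splitlines(), new.splitlines(),
        fromfile=f"{name} (baseline)", tofile=f"{name} (current)", lineterm=""))


if __name__ == "__main__":
    manifest = build_manifest(BASELINE_CONFIGS, MANIFEST_KEY)
    status = detect_drift(manifest, CURRENT_CONFIGS, MANIFEST_KEY)
    for dev, state in sorted(status.items()):
        print(f"{dev}: {state}")
        if state == "changed":
            print("\n".join(config_diff(BASELINE_CONFIGS[dev], CURRENT_CONFIGS[dev], dev)))
```

A “changed” result should open a ticket that is closed only by an approved change record or a rollback; a “new” device is just as important, because an undocumented device is a gap in the network diagram the auditor will ask about.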

6. Implement Centralised Logging and SIEM Integration

  • Configure all network devices to export Syslog and NetFlow data to a centralised Security Information and Event Management (SIEM) platform.
  • Establish automated alerts for high-risk events, such as brute-force attempts on network gateways or unauthorised internal connection requests.
  • Result: Comprehensive situational awareness and a verifiable audit trail for ISO 27001 compliance reviews and forensic investigations.
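One of the alerts listed above, brute-force attempts on a network gateway, written out as detection logic over forwarded syslog. This is an added example, not code from the page or from any SIEM product. The log lines are constructed in OpenSSH “Failed password” / “Accepted password” format, which is what a Linux-based gateway or jump host emits; the hostnames, addresses (RFC 5737 documentation ranges), threshold and window are assumptions. The detector keeps a sliding window of failures per source address and escalates when a success follows a burst of failures from the same source, which is the case that actually matters.

```python
"""Brute-force detection over syslog authentication events.

Intended to run on the central log server over lines as received from
network devices. Syslog timestamps carry no year, so one is assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of forwarded syslog lines (not from a real system).
SAMPLE_LOG = """\
Jan 10 12:00:01 edge-fw-01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51234 ssh2
Jan 10 12:00:03 edge-fw-01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51235 ssh2
Jan 10 12:00:04 edge-fw-01 sshd[2101]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 10 12:00:06 edge-fw-01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51237 ssh2
Jan 10 12:00:08 edge-fw-01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51238 ssh2
Jan 10 12:00:15 edge-fw-01 sshd[2102]: Accepted password for admin from 203.0.113.7 port 51240 ssh2
Jan 10 12:05:00 core-sw-01 sshd[880]: Failed password for netops from 10.20.0.15 port 40001 ssh2
Jan 10 12:05:20 core-sw-01 sshd[881]: Accepted publickey for netops from 10.20.0.15 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or None if it is something else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return alerts as (severity, source, host, detail) tuples.

    'high'     : at least `threshold` failures from one source within `window_s`
    'critical' : a successful login from a source that just produced such a burst
    """
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already raised at 'high'
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()             # evict failures outside the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("high", ev["src"], ev["host"],
                               f"{len(q)} failed logins within {window_s}s"))
        else:
            # A success after a burst of failures is the signal that matters:
            # the account may now be compromised.
            if len(q) >= threshold:
                alerts.append(("critical", ev["src"], ev["host"],
                               f"successful login for {ev['user']} after {len(q)} recent failures"))
            q.clear()
    return alerts


if __name__ == "__main__":
    for sev, src, host, detail in detect_bruteforce(SAMPLE_LOG):
        print(f"[{sev.upper()}] {host} from {src}: {detail}")
```

The single failed attempt followed by a key-based login from 10.20.0.15 produces nothing, which is the right outcome for an engineer mistyping a password; tune `threshold` and `window_s` per device class and record the chosen values in the monitoring procedure so the auditor can see the alert rule is deliberate rather than a default.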

What will an auditor check?

The audit is going to check a number of areas. Let’s go through the main ones.

1. That you have documentation

What this means is that you need to show that you have documented your network. Can you show network diagrams, a list of devices and their configurations, logs of configuration changes, roles and responsibilities?

2. That you have implemented Network Security appropriately

They will look at systems to seek evidence of network security. They will question you on the process and seek evidence that you have followed it. They want to see evidence of network security and the process in operation.

3. That you have conducted internal audits

The audit will want to see that you have tested the controls and evidenced that they are operating. This is usually in the form of the required internal audits. They will check the records and outputs of those internal audits.

Applicability of ISO 27001 Annex A 8.20 across different business models.

Small Businesses
Applicability: Focuses on securing physical office hardware and basic internet connectivity, ensuring that standard routers and Wi-Fi access points are hardened against common attacks.
Examples of control implementation:
  • Changing factory-default ‘admin’ passwords on all office routers and switches.
  • Disabling unnecessary WPS and guest SSID features on office Wi-Fi routers.
  • Maintaining a simple, up-to-date network diagram showing connected office devices.

Tech Startups
Applicability: Critical for cloud-native infrastructures. Focuses on logical network control, managing Virtual Private Clouds (VPCs), and securing remote access for distributed teams.
Examples of control implementation:
  • Implementing strict Security Groups and Network ACLs in AWS/Azure to restrict traffic flow.
  • Enforcing Multi-Factor Authentication (MFA) for all VPN and SSH administrative logins.
  • Configuring centralized logging to an external SIEM to track all network configuration changes.

AI Companies
Applicability: Vital for protecting massive datasets and high-value model IP. Focuses on high-speed data transfer security and isolating sensitive training environments.
Examples of control implementation:
  • Enforcing TLS 1.3 for high-speed data ingestion pipelines to prevent interception.
  • Implementing micro-segmentation for GPU clusters to isolate training workloads from the public web.
  • Disabling vulnerable network protocols (e.g., Telnet, FTP) on all high-performance computing nodes.

Fast Track ISO 27001 Annex A 8.20 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 8.20 (Network security), the requirement is to secure, manage, and control your networks and network devices. While SaaS platforms often try to sell you “network monitoring” or automated scanning, the auditor is primarily interested in your governance, the documentation of your network diagrams, device configurations, and roles and responsibilities.

Data Ownership & Continuity
  • SaaS network monitoring platforms: Act as a middleman for compliance data. Storing diagrams and policies inside their system means “renting” your architectural history.
  • High Table ISO 27001 Toolkit: Permanent ownership. You receive the “Network Security Policy” and “Management Guidelines” in editable Word/Excel formats to keep forever.
  • Real-world example: Maintaining a permanent audit trail and network documentation on your own infrastructure without a recurring monthly bill.

Simplicity & Workflow
  • SaaS network monitoring platforms: Over-engineer the requirement with complex dashboards just to list switches or explain firewall rules.
  • High Table ISO 27001 Toolkit: Governance for real-world tech. Provides a “Network Security Framework” and “Device Configuration Templates” to document existing hardware.
  • Real-world example: Documenting current Cisco or Juniper configurations for an auditor using a template rather than learning new software.

Cost Structure
  • SaaS network monitoring platforms: Often scale based on the number of “assets” or “network devices” tracked, leading to ballooning subscription fees as you grow.
  • High Table ISO 27001 Toolkit: One-off fee. A single payment covers the toolkit regardless of whether you manage one router or one hundred.
  • Real-world example: Scaling your network from 10 to 100 devices without increasing the cost of your compliance documentation.

Freedom & Infrastructure
  • SaaS network monitoring platforms: Mandate specific documentation formats that may not fit hybrid cloud or specialised on-premise setups.
  • High Table ISO 27001 Toolkit: Technology agnostic. Fully editable policies that adapt to Ubiquiti, AWS, Azure, or any custom networking stack you choose.
  • Real-world example: Evolving from on-premise servers to a hybrid AWS environment without having to reconfigure a rigid compliance tool.

Summary: For Annex A 8.20, the auditor wants to see that you have control over your networks and have documented your security measures. The High Table ISO 27001 Toolkit provides the governance framework to do exactly that. It is the most direct, cost-effective way to prove network security with permanent documentation that you own and control.

ISO 27001 Annex A 8.20 FAQ

What is ISO 27001 Annex A 8.20?

ISO 27001 Annex A 8.20 is a control dedicated to securing, managing, and controlling networks to protect information systems. The standard classifies it as both a preventive and a detective control, safeguarding the confidentiality, integrity, and availability of data across your network infrastructure.

  • Preventive: Implements controls like firewalls and access restrictions to stop unauthorized access.
  • Detective: Uses logging and monitoring to identify suspicious activities or breaches.
  • Scope: Covers all internal, external, and wireless networks, including network devices like routers and switches.

What are the primary requirements for implementing Annex A 8.20?

The primary requirements involve establishing governance, documentation, and technical hardening of your network infrastructure. Compliance requires a layered approach that moves beyond simple hardware installation to include strict management processes.

  • Network Documentation: Maintain up-to-date network diagrams and configuration files.
  • Device Hardening: Change default passwords, disable unused ports, and patch firmware regularly.
  • Segregated Management: Isolate administrative traffic from standard user traffic.
  • Access Control: Implement Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC).
  • Logging: enable comprehensive logging for security events and send them to a secure central server.

What evidence will an ISO 27001 auditor check for Network Security?

Auditors primarily verify compliance by examining your network documentation, configuration logs, and access control records. They will look for proof that your documented policies match the actual configuration of your live environment.

  • Network Diagrams: Must be current, dated, and accurately reflect physical and logical topologies.
  • Configuration Logs: Evidence of who changed firewall rules or device settings and when.
  • Access Reviews: Records showing regular reviews of who has administrative access to network gear.
  • Asset Inventory: A complete list of network devices (switches, routers, WAPs) and their owners.

Does ISO 27001 Annex A 8.20 require network segmentation?

Yes, network segmentation is a critical component of securing networks under Annex A 8.20. While often detailed further in Annex A 8.22 (Segregation of Networks), control 8.20 requires you to manage and control the flow of information to prevent unauthorized access.

  • Guest Networks: Must be completely isolated from corporate production networks.
  • Admin Segregation: Management interfaces should not be accessible from the general user network.
  • Traffic Filtering: Use VLANs and firewalls to restrict traffic between different business units or security zones.

How has Network Security changed in the ISO 27001:2022 update?

The 2022 update carried the previous ISO 27001:2013 control 13.1.1 (Network controls) forward as the new Annex A 8.20. The control is broader and places a heavier emphasis on “managing” and “controlling” networks rather than just implementing specific technical measures.

  • Consolidation: Replaces the old 13.1.1 (Network Controls).
  • Attributes: Categorised as a Technological control, with control type Preventive and Detective and cybersecurity concepts Protect and Detect.
  • Focus Shift: Increased focus on virtual networks, cloud environments, and the governance of network changes.

Who is responsible for ISO 27001 Network Security?

Responsibility usually lies with the IT or Network Security team, specifically those with specialist training. However, the standard requires clear segregation of duties to prevent conflicts of interest.

  • Network Administrators: Responsible for day-to-day configuration and maintenance.
  • Security Officers: Responsible for monitoring logs and auditing configurations.
  • Authorization: A separate role should authorize significant changes (e.g., opening a firewall port) before implementation.

Is encryption required for ISO 27001 Annex A 8.20 compliance?

Yes. Encryption of data in transit is one of the technical measures the control’s guidance expects you to consider, and in practice an auditor will expect to see it: data moving between systems or over public networks must be protected against interception and tampering.

  • Protocols: Use TLS 1.2 or later for web traffic and IPsec for VPNs; retire SSL and TLS 1.0/1.1.
  • Management: Ensure management interfaces (e.g., SSH, HTTPS) are encrypted to protect admin credentials.
  • Policy: Define encryption standards in your Network Security Policy.

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

Further Reading

ISO 27001 Physical and Virtual Asset Register Template

ISO 27001 Documented Information Beginner’s Guide

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
