ISO 27001 Annex A 8.22 is a security control that mandates the segregation of networks to restrict data flow between different trust zones. It requires organizations to implement logical or physical network boundaries, ensuring that a compromise in one segment (e.g., Guest Wi-Fi) cannot laterally spread to critical systems, thereby limiting the blast radius of cyberattacks.
In this guide, I will show you exactly how to implement ISO 27001 Annex A 8.22 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 8.22 Segregation of Networks
ISO 27001 Annex A 8.22 mandates that your network should not be one giant “flat” space where every device can talk to every other device. Instead, you must slice your network into smaller, isolated zones (segments) based on trust levels. This ensures that if one zone is compromised (e.g., Guest Wi-Fi), the attacker is trapped there and cannot reach your critical servers.
Core requirements for compliance include:
- Limit the Blast Radius: The primary goal is containment. If a receptionist’s PC gets a virus, network segregation ensures the virus cannot automatically spread to the Finance Server.
- The “Guest” Rule: This is the most common example. Guest Wi-Fi must be completely isolated from the Corporate Wi-Fi. Guests should only be able to see the Internet, not your internal printers or file shares.
- Logical Separation (VLANs): You don’t need separate physical wires for every network. You can use VLANs (Virtual Local Area Networks) to logically chop up a single switch into multiple secure zones.
- Access Control Lists (ACLs): Segregation isn’t just about splitting networks; it’s about controlling the traffic between them. You need firewall rules that say “Zone A can talk to Zone B, but ONLY on port 443.”
Audit Focus: Auditors will ask for your Network Diagram. They want to see:
- The Boundaries: “Show me where the Guest Network ends and the Corporate Network begins.”
- The Gateways: “Show me the firewall that sits between these two zones.”
- The Evidence: They might ask you to try and “Ping” a critical server from a guest device. If it replies, you fail.
Common Network Segments (The “Zones” Model):
| Zone Name | Who uses it? | Trust Level | Access Rules |
|---|---|---|---|
| Guest Wi-Fi | Visitors, Personal Phones. | Zero | Internet Only. No Internal Access. |
| Corporate LAN | Employee Laptops, Printers. | Medium | Access to standard file servers/email. |
| DMZ (Demilitarized Zone) | Public Web Servers. | Low | Exposed to the Internet, but isolated from internal DBs. |
| Management / Admin | IT Admins, Server Consoles. | High | Strictly locked down. Only accessible via VPN/Jumphost. |
Table of contents
- Key Takeaways: ISO 27001 Annex A 8.22 Segregation of Networks
- What is ISO 27001 Annex A 8.22?
- ISO 27001 Annex A 8.22 Explainer Video
- ISO 27001 Annex A 8.22 Podcast
- ISO 27001 Annex A 8.22 Implementation Guidance
- How to implement ISO 27001 Annex A 8.22
- What will an auditor check?
- Fast Track ISO 27001 Annex A 8.22 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 8.22 FAQ
- Related ISO 27001 Controls
What is ISO 27001 Annex A 8.22?
ISO 27001 Annex A 8.22 is about the segregation of networks, which means you must separate logical groups of people and services onto separate networks.
ISO 27001 Annex A 8.22 Segregation of Networks is an ISO 27001 control that requires us to group information services and then put those groups on different networks. Ideally it wants information services, users and information systems on different networks, but it is a little more nuanced than that, so let’s take a look.
ISO 27001 Annex A 8.22 Purpose
ISO 27001 Annex A 8.22 is a preventive control to split the network into security boundaries and to control traffic between them based on business needs.
ISO 27001 Annex A 8.22 Definition
The ISO 27001 standard defines ISO 27001 Annex A 8.22 as:
Groups of information services, users and information systems should be segregated in the organisation’s networks.
ISO27001:2022 Annex A 8.22 Segregation of Networks
ISO 27001 Annex A 8.22 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 8.22 Segregation of Networks, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training. https://youtu.be/example1
ISO 27001 Annex A 8.22 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001:2022 Annex A 8.22 Segregation of Networks. The podcast explores what it is, why it is important and the path to compliance. https://youtu.be/example2
ISO 27001 Annex A 8.22 Implementation Guidance
This control is really aimed at large and complex networks. For the most part, a small organisation will have its main office network, possibly a public network, potentially a Wi-Fi network that ideally will be treated as public, and operational networks that are handled by the cloud service providers you no doubt use. Still, let’s look a little more at the guidance.
At no point would this guide look to tell you how to implement a network and at all times I would say that you clearly need the services of a trained, experienced, network professional whose advice you should follow. As long as they adhere to the principles, you will be fine.
Choosing Network Domains
Breaking a network into domains is not something to do lightly. Every time you introduce a new domain you introduce a management overhead, which you weigh against the risk. When choosing network domains, consider things like trust levels, use, criticality and geography. There are many ways to crack an egg.
Take your time and think about this logically.
Network Perimeter
The area to focus on is the network boundary: the perimeter of the network. This is the part that protects access into the main network, like the door to a house, and it should be secured. Where doors have keys, you will consider firewalls, filtering and routing.
Who can gain access through the perimeter is decided with reference to Access Control and the topic-specific policy on Access Control.
Wireless Networks
Wherever possible I would recommend that wireless networks are only ever used for public services and non-critical data and traffic. It may be the case that you have to use them, but they come with a lot of disadvantages and challenges. You can potentially overcome these with compensating controls such as VPNs, encrypted traffic and the like, but they really should be separated from the main networks. Take care when implementing wireless networks, and do keep them segregated.
How to implement ISO 27001 Annex A 8.22
Implementing network segregation is a fundamental security control designed to contain potential breaches and limit lateral movement within an infrastructure. By following these technical implementation steps, your organisation can satisfy ISO 27001 Annex A 8.22 requirements and ensure that sensitive data remains isolated from less secure network zones.
1. Categorise Network Services and Asset Groups
- Identify and group information assets based on their sensitivity, criticality, and functional requirements, such as separating guest Wi-Fi from internal corporate traffic.
- Define the “Rules of Engagement” (ROE) for traffic flow between these groups, documenting which services are permitted to communicate across boundaries.
- Result: A structured network map that serves as the blueprint for all logical and physical segregation efforts.
2. Provision Logical Segregation via VLANs and VRFs
- Configure Virtual Local Area Networks (VLANs) to create distinct broadcast domains, preventing unauthorised devices from sniffing internal traffic.
- Utilise Virtual Routing and Forwarding (VRF) instances for high-security environments to maintain separate routing tables on the same physical hardware.
- Result: Logical isolation that ensures data packets remain within their designated security zones unless explicitly routed elsewhere.
3. Formalise Gateway Controls and Access Control Lists (ACLs)
- Deploy stateful firewalls at the perimeter of each network segment to inspect all incoming and outgoing traffic for malicious patterns.
- Implement granular Access Control Lists (ACLs) on switches and routers to enforce the Principle of Least Privilege at the network layer.
- Result: Technical enforcement of segregation policies that drops non-compliant or unauthorised connection attempts automatically.
4. Establish De-militarised Zones (DMZs) for Public Services
- Provision a DMZ to host all public-facing services, such as web servers and email gateways, acting as a buffer between the internet and the internal network.
- Ensure that no direct connections are allowed from the DMZ to the internal “Trusted” zone without passing through an application-layer proxy or deep-packet inspection.
- Result: Protection of core business databases and internal systems from direct exposure to internet-borne threats.
5. Revoke Flat Network Access with Zero Trust Micro-segmentation
- Transition from a flat network architecture to micro-segmentation, where security policies are applied to individual workloads or virtual machines.
- Integrate Identity and Access Management (IAM) roles with network access policies, requiring Multi-Factor Authentication (MFA) for administrative access to restricted segments.
- Result: A significantly reduced blast radius during a security incident, as attackers cannot move laterally between compromised hosts.
6. Implement Centralised Logging and Continuous Monitoring
- Configure all network boundaries to export logs to a centralised Security Information and Event Management (SIEM) system.
- Establish automated alerts for “Cross-Zone Violation” events, where traffic attempts to bypass defined segregation boundaries.
- Result: Real-time visibility into the health and integrity of the segregated network, facilitating rapid incident response.
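To make steps 1, 3 and 6 concrete, here is an added example in Python, written for this guide rather than taken from the article, the standard or the High Table toolkit. It models the zone table from step 1, expresses the boundary ACL of step 3 as an explicit allow-list of cross-zone flows with default deny, and runs a detector over constructed gateway log lines to raise the “Cross-Zone Violation” alerts of step 6. The zone address ranges, the permitted flows and the key=value log format are all assumptions made up for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed zone model for this example (not the article's data): address ranges
# assigned to each zone, with the trust level the network documentation records.
ZONES = {
    "guest":      {"cidrs": ["192.168.50.0/24"], "trust": "zero"},
    "corporate":  {"cidrs": ["10.10.0.0/16"],    "trust": "medium"},
    "dmz":        {"cidrs": ["172.16.0.0/24"],   "trust": "low"},
    "management": {"cidrs": ["10.250.0.0/24"],   "trust": "high"},
}

# Documented "rules of engagement" between zones: (src_zone, dst_zone, protocol, port).
# "any" and None are wildcards. Every flow not listed here is denied (default deny).
ALLOWED_FLOWS = [
    ("guest",      "internet",  "any", None),  # guests get the Internet and nothing else
    ("corporate",  "internet",  "any", None),
    ("internet",   "dmz",       "tcp", 443),   # the public web tier is the only inbound path
    ("corporate",  "dmz",       "tcp", 443),
    ("management", "corporate", "tcp", 22),    # admin access only from the management zone
    ("management", "dmz",       "tcp", 22),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined zones counts as the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, zone in ZONES.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in zone["cidrs"]):
            return name
    return "internet"


def is_permitted(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Evaluate a flow against the documented zone policy (the boundary ACL, as intent)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Traffic inside one zone crosses no 8.22 boundary; restricting it is the job of
        # micro-segmentation (step 5), which this example does not model.
        return True
    for r_src, r_dst, r_proto, r_port in ALLOWED_FLOWS:
        if (r_src, r_dst) == (src, dst) and r_proto in ("any", proto) and r_port in (None, port):
            return True
    return False


# Constructed gateway log lines in a simple key=value format (example data, not real logs).
SAMPLE_LOGS = [
    "2024-05-01T09:00:01Z fw01 src=192.168.50.23 dst=203.0.113.10 proto=tcp dport=443 action=ALLOW",
    "2024-05-01T09:00:05Z fw01 src=192.168.50.23 dst=10.10.4.7 proto=tcp dport=445 action=DENY",
    "2024-05-01T09:01:10Z fw01 src=172.16.0.5 dst=10.10.4.7 proto=tcp dport=3306 action=ALLOW",
    "2024-05-01T09:02:00Z fw01 src=10.250.0.9 dst=10.10.4.7 proto=tcp dport=22 action=ALLOW",
    "2024-05-01T09:03:00Z fw01 src=10.10.3.3 dst=10.10.4.7 proto=tcp dport=445 action=ALLOW",
    "2024-05-01T09:04:00Z fw01 src=198.51.100.7 dst=10.10.4.7 proto=tcp dport=3389 action=DENY",
]

LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<port>\d+) action=(?P<action>\w+)"
)


@dataclass
class Violation:
    src_zone: str
    dst_zone: str
    port: int
    action: str
    severity: str
    line: str


def detect_violations(log_lines):
    """Flag every logged flow that the documented zone policy does not permit."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        port = int(m["port"])
        if is_permitted(m["src"], m["dst"], m["proto"], port):
            continue
        action = m["action"].upper()
        # A DENY shows the boundary held (an attempted violation, worth watching); an ALLOW
        # means the gateway rules do not match the documented policy and needs fixing now.
        severity = "critical" if action == "ALLOW" else "warning"
        findings.append(Violation(zone_of(m["src"]), zone_of(m["dst"]), port, action, severity, line))
    return findings


if __name__ == "__main__":
    for v in detect_violations(SAMPLE_LOGS):
        print(f"[{v.severity}] {v.src_zone} -> {v.dst_zone}:{v.port} was {v.action}: {v.line}")
```

On the sample lines the detector raises three findings: the blocked Guest-to-Corporate SMB attempt and the blocked Internet-to-Corporate RDP attempt as warnings, and the DMZ-to-Corporate database connection that the gateway let through as critical, because that one is exactly the “policy says no, rules say yes” gap an auditor’s ping test would expose.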
What will an auditor check?
The audit is going to check a number of areas. Let’s go through the main ones:
- That you have documentation: What this means is that you need to show that you have documented your network architecture and segregation rules.
- Network Diagram: They will ask to see a high-level network diagram showing the different zones (Corporate, Guest, DMZ) and the gateways between them.
- Evidence of Controls: They will check firewall rules to ensure that traffic is actually restricted as per your policy (e.g., Guest VLAN cannot access HR VLAN).
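For the “Evidence of Controls” check, the auditor’s question is whether the rules actually enforce what the policy says. The following added Python example (not from the article or the toolkit) parses a constructed excerpt of an iptables FORWARD chain and simulates first-match evaluation for a new connection, so that documented expectations such as “Guest VLAN cannot access HR VLAN” are tested against the ruleset text rather than asserted. The ruleset, the address ranges (Guest 192.168.50.0/24, HR 10.10.20.0/24 inside corporate 10.10.0.0/16, Management 10.250.0.0/24) and the expectations are all constructed for the example, and the parser understands only the handful of iptables options that appear in it.

```python
import ipaddress
import re

# Constructed excerpt of `iptables-save` output for a gateway between VLANs (example
# data, not a real device's configuration).
RULESET = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.168.50.0/24 -d 10.0.0.0/8 -j DROP
-A FORWARD -s 192.168.50.0/24 -j ACCEPT
-A FORWARD -s 10.250.0.0/24 -d 10.10.0.0/16 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# What the network security policy says must be true: (description, src, dst, proto, dport, expected verdict).
EXPECTATIONS = [
    ("Guest cannot reach the HR file server (SMB)",      "192.168.50.23", "10.10.20.5",   "tcp", 445, "DROP"),
    ("Guest cannot reach the management network (SSH)", "192.168.50.23", "10.250.0.9",   "tcp", 22,  "DROP"),
    ("Guest can reach the Internet (HTTPS)",             "192.168.50.23", "203.0.113.10", "tcp", 443, "ACCEPT"),
    ("Admins can SSH from management to HR servers",     "10.250.0.9",    "10.10.20.5",   "tcp", 22,  "ACCEPT"),
]


def parse_ruleset(text):
    """Return (rules, default_policy) for the FORWARD chain; only -s/-d/-p/--dport/--state/-j are parsed."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r":FORWARD (\w+)", line)
        if m:
            policy = m.group(1)
            continue
        if not line.startswith("-A FORWARD"):
            continue
        rule = {"src": None, "dst": None, "proto": None, "dport": None, "states": None, "target": None}
        toks = line.split()
        i = 2
        while i < len(toks):
            flag = toks[i]
            if flag == "-s":
                rule["src"] = ipaddress.ip_network(toks[i + 1])
            elif flag == "-d":
                rule["dst"] = ipaddress.ip_network(toks[i + 1])
            elif flag == "-p":
                rule["proto"] = toks[i + 1]
            elif flag == "--dport":
                rule["dport"] = int(toks[i + 1])
            elif flag == "--state":
                rule["states"] = set(toks[i + 1].split(","))
            elif flag == "-j":
                rule["target"] = toks[i + 1]
            else:
                i += 1          # e.g. "-m state": step over tokens this parser does not use
                continue
            i += 2
        rules.append(rule)
    return rules, policy


def first_match(rules, policy, src_ip, dst_ip, proto, dport):
    """Simulate the verdict for the first packet of a new connection (first matching rule wins)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["states"] is not None and "NEW" not in r["states"]:
            continue        # a fresh SYN cannot match an ESTABLISHED,RELATED-only rule
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return policy           # no rule matched: the chain's default policy decides


def audit_segregation(ruleset_text, expectations):
    """Check each documented expectation against the ruleset; returns (description, verdict, passed)."""
    rules, policy = parse_ruleset(ruleset_text)
    results = [("FORWARD chain default policy is DROP", policy, policy == "DROP")]
    for desc, src, dst, proto, dport, expected in expectations:
        verdict = first_match(rules, policy, src, dst, proto, dport)
        results.append((desc, verdict, verdict == expected))
    return results


if __name__ == "__main__":
    for desc, verdict, ok in audit_segregation(RULESET, EXPECTATIONS):
        print(f"{'PASS' if ok else 'FAIL'}  {desc}: {verdict}")
```

Keeping the expectations in a file next to the network diagram turns the auditor’s ping test into a repeatable check: rerun it after every firewall change and the evidence that the Guest VLAN still cannot reach HR is produced by the rules themselves, not by someone’s memory of them.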
Fast Track ISO 27001 Annex A 8.22 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 8.22 (Segregation of networks), the requirement is to split your network into security boundaries to control traffic between different groups of users and systems. This is an architectural and procedural control, not a software subscription problem.
| Compliance Factor | SaaS Network Monitoring | High Table ISO 27001 Toolkit | Real-World Example |
|---|---|---|---|
| Data Ownership & Continuity | Stores network diagrams and segregation policies on their servers. Stopping payment risks losing the documentation proving your network is secure. | Permanent Ownership: You receive the “Network Security Policy” and “Segregation Guidelines” in Word/Excel formats that are yours forever. | Keeping your network architecture definitions and audit history on your own systems without paying “rent” to access them. |
| Simplicity & Workflow | Pushes “continuous monitoring” dashboards or complex asset tagging that confuses the simple requirement of defining boundaries. | Focus on Boundaries: Formalizes the work your engineers already do (in Visio/draw.io) with a clear “Network Security Management Policy.” | Documenting the separation of Guest Wi-Fi from Production networks without forcing engineers to learn new compliance software. |
| Cost Structure | Often charges based on network complexity or “assets” tracked, causing the compliance bill to grow alongside your infrastructure. | One-Off Fee: A single payment covers the documentation regardless of whether you manage one flat network or 50 cloud VPCs. | Saving budget for actual network hardware and firewalls rather than spending it on a platform to describe them. |
| Freedom & Tech Agnostic | Mandates specific documentation models that may struggle with modern micro-segmentation or hybrid architectures. | No Vendor Lock-In: Fully editable policies allow you to define boundaries for Zero Trust, micro-segmentation, or legacy setups freely. | Defining the security boundaries for a complex hybrid cloud environment without fighting against a rigid “legacy network” tool template. |
Summary: For Annex A 8.22, the auditor wants to see that you have logically grouped your services and segregated them with controls. The High Table ISO 27001 Toolkit provides the governance framework to document this immediately. It is the most direct, cost-effective way to prove network segregation with permanent documentation that you own and control.
ISO 27001 Annex A 8.22 FAQ
What is ISO 27001 Annex A 8.22?
ISO 27001 Annex A 8.22 is a preventive information security control that requires organizations to separate their networks into distinct logical groups. This control mandates that information services, users, and information systems are segregated based on trust levels and business needs. Its primary function is to limit the “blast radius” of a cyber attack, ensuring that a breach in one area (such as a Guest Wi-Fi network) cannot spread laterally to critical systems (like financial servers).
What is the difference between network segmentation and network segregation?
Segmentation is the structural division of a network, while segregation is the enforcement of access controls between those divisions.
- Network Segmentation: The act of slicing a larger network into smaller subnetworks (e.g., creating VLANs for HR, Sales, and Guests). It is the “architecture.”
- Network Segregation: The application of security rules that isolate these segments from one another (e.g., firewall rules that block the Guest VLAN from accessing the HR VLAN). It is the “policy.”
Does ISO 27001 Annex A 8.22 require physical network separation?
No, physical separation is not explicitly required; logical separation is fully acceptable and industry standard. While you can use separate physical cabling and switches for high-security environments, most organizations comply using logical isolation technologies. Accepted methods include VLANs (Virtual Local Area Networks) and VRFs (Virtual Routing and Forwarding) to effectively separate traffic on the same physical hardware.