ISO 27001 Control 8.22: Segregation of Networks
Network segregation limits the blast radius of a security breach by isolating critical systems and user groups. Control 8.22 requires you to deliberately compartmentalize your network architecture so that a compromise in one zone doesn't cascade across your entire infrastructure.
What this means
This control mandates that your organization segment networks to separate information services, users, and systems based on risk and criticality. By creating logical or physical boundaries between network zones, you prevent unauthorized lateral movement and contain the impact of potential breaches. The goal is to ensure that an attacker gaining access to one part of your network cannot easily reach sensitive systems or data in another.
How to comply
- 1.Map all information systems, services, and user groups in your organization
- 2.Classify assets by sensitivity level and business criticality
- 3.Design network zones that separate high-risk, medium-risk, and low-risk systems
- 4.Implement firewalls, VLANs, or air-gapped networks between zones as appropriate
- 5.Document network architecture and segregation rules in your network design policy
- 6.Restrict inter-zone communication to only necessary connections with explicit rules
- 7.Monitor and log network traffic between zones for suspicious activity
- 8.Review and test network segregation controls at least annually
Evidence auditors look for
- Network architecture diagram showing segregated zones and trust boundaries
- Firewall rules and access control lists limiting inter-zone traffic
- VLAN configuration documentation with zone assignments
- Network segmentation policy describing classification criteria and controls
- Logs showing allowed and blocked traffic between network segments
- Annual network segregation testing and validation reports
- Change management records for firewall rule updates
- Risk assessments identifying systems requiring enhanced isolation
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically maps your network architecture and validates segregation controls against your firewall configurations, eliminating manual documentation errors and reducing audit prep time for ISO 27001.
See how GRCWatch handles this control automatically
Start free trial