Requirement
Requirement lens
This control asks whether information services, users, and systems are separated into appropriate network groups or zones.
“Groups of information services, users and information systems shall be segregated in the organization’s networks.”
Plain-language meaning
Large flat networks are hard to defend. Network segregation divides users, systems, and services into smaller physical or logical zones so traffic between them can be controlled.
Segregation can use firewalls, VLANs, routing controls, security groups, wireless network separation, identity-aware access, or other logical boundaries.
Why this matters
If everything can talk to everything, one compromised endpoint can become a path to servers, databases, admin interfaces, backup systems, and sensitive services. Segregation reduces attack spread, limits unauthorized access, and makes monitoring more meaningful.
Segregation is not only about the internet perimeter. Internal business units, environments, wireless networks, administration networks, cloud networks, and sensitive systems may also need separation.
Implementation guidance
Implementer focus
Define zones from business need and risk. Then enforce only the connections that are required.
1. Define network zones
Use business analysis, architecture modelling, and Risk Assessment to define zones such as user network, server network, production, development, guest wireless, payment systems, management network, backup network, internet-facing services, and cloud environments.
2. Document zone relationships
Document which systems and network devices belong to each zone, what traffic is allowed between zones, who owns each zone, and what security level applies.
3. Control connections between zones
Use gateways, firewalls, routing restrictions, ACLs, security groups, and monitoring to control connections. Rules should be specific, justified, approved, and reviewed.
4. Include wireless networks
Wireless networks need risk assessment. Direct connection from wireless to the main network should be justified and protected using known good security standards.
5. Watch for performance-driven bypasses
Operational teams may weaken segregation for performance, convenience, troubleshooting, or legacy support. Such changes need security review and approval.
Audit guidance
Auditor focus
Enumerate the zones, verify why they exist, and test how traffic between zones is controlled.
Auditors should verify:
- network zones are defined and documented;
- zones match business and security requirements;
- systems, services, users, and network devices are assigned to zones;
- connections between zones are controlled;
- firewall, routing, ACL, and security group rules match the design;
- wireless network access to main networks is risk-assessed;
- performance changes have not weakened segregation;
- zone performance and availability are monitored where restrictions could affect service;
- exceptions are approved and reviewed.
The auditor should not assume that a diagram proves segregation. Sample actual configurations and, where appropriate, test connectivity.
Evidence examples
Evidence quality
Strong evidence proves network zones are designed, implemented, enforced, reviewed, and monitored.
| Evidence | What it proves |
|---|---|
| Network zoning standard | Zone model is defined |
| Zone and connection matrix | Allowed traffic is documented |
| Firewall/routing/security group rules | Segregation is technically enforced |
| Wireless risk assessment | Wireless connections are controlled |
| Segmentation test records | Controls work in practice |
| Change records | Zone changes are approved |
| Exception records | Temporary or broad access is risk-managed |
Strong evidence
- Network zones are defined from risk and architecture.
- Systems and services are assigned to zones.
- Inter-zone rules are justified, specific, and reviewed.
- Wireless networks are segregated or risk-assessed.
- Segmentation tests prove blocked and allowed paths.
- Performance-driven exceptions are documented and approved.
Weak evidence
- Flat network with informal access assumptions.
- Zones exist in diagrams but not in firewall/routing rules.
- Broad “any-any” rules between zones.
- Guest wireless can reach internal systems.
- Performance fixes bypass security controls without review.
- Cloud security groups are not included in segregation review.
Common failures
Implementation watchouts
A.8.22 fails when the organization believes a perimeter firewall is enough.
| Failure | Why it matters |
|---|---|
| No internal zones | Compromise spreads easily |
| Poor zone documentation | Rule reviews cannot be meaningful |
| Broad inter-zone rules | Segregation becomes cosmetic |
| Wireless connected to main network | Creates easy bypass path |
| Cloud networks excluded | Segregation gaps move to cloud |
| Performance exceptions unmanaged | Availability fixes create security exposure |
Exam traps
Exam focus
A.8.22 is specifically about segregating groups of services, users, and systems in networks.
| Trap | Correct interpretation |
|---|---|
| Perimeter firewall satisfies segregation | Internal zones and inter-zone controls may also be required |
| VLAN names prove segregation | Enforcement rules and routing controls matter |
| Wireless is separate by default | Wireless access to the main network must be risk-assessed and controlled |
| Segregation is only physical | Logical segregation can be acceptable if effective |
| Performance needs can override security informally | Security-impacting changes need approval and review |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.20 Networks Security
- A.8.21 Security of Network Services
- A.8.9 Configuration Management
- A.8.16 Monitoring Activities
- A.5.15 Access Control
- Risk Assessment
- Statement of Applicability
- Network Security Architecture and Zoning Standard
- Network Zone and Connection Matrix
- Network Segmentation Test Checklist
- Wireless Network Security Assessment
- A.8.22 Audit Evidence Pack
- A.8.22 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.22 limits network blast radius. Strong implementation proves zones are risk-based, documented, technically enforced, tested, reviewed, and protected from informal bypass.
- Define network zones from business and risk.
- Document systems, users, services, and allowed flows per zone.
- Enforce zone boundaries technically.
- Include wireless, cloud, management, and sensitive networks.
- Test and review segregation regularly.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Network security
- Segregation
- Audit
Note Metadata
Aliases: A.8.22, Segregation of Networks, Network Segregation
Source: 05 Annex A Technological Controls/A.8.22 Segregation of Networks.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.15 - Access Control
- A.8.22 Audit Evidence Pack
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.21 - Security of Network Services
- ISO 27001 A.8.27 - Secure System Architecture and Engineering Principles
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.22 Segregation of Networks
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-036 - Network Services, Segregation, and Web Filtering
- ISO 27002 Annex A Control Interpretation Map
- A.8.22 Audit Checklist
- Network Security Architecture and Zoning Standard
- Network Segmentation Test Checklist
- Network Zone and Connection Matrix
- Wireless Network Security Assessment
- Annex A Controls MOC