UnixTime

Research Note

ISO 27001 A.8.22 - Segregation of Networks

Large flat networks are hard to defend. Network segregation divides users, systems, and services into smaller physical or logical zones so traffic between them can be controlled.

On this page

Requirement

Requirement lens

This control asks whether information services, users, and systems are separated into appropriate network groups or zones.

“Groups of information services, users and information systems shall be segregated in the organization’s networks.”

Plain-language meaning

Large flat networks are hard to defend. Network segregation divides users, systems, and services into smaller physical or logical zones so traffic between them can be controlled.

Segregation can use firewalls, VLANs, routing controls, security groups, wireless network separation, identity-aware access, or other logical boundaries.

Why this matters

If everything can talk to everything, one compromised endpoint can become a path to servers, databases, admin interfaces, backup systems, and sensitive services. Segregation reduces attack spread, limits unauthorized access, and makes monitoring more meaningful.

Segregation is not only about the internet perimeter. Internal business units, environments, wireless networks, administration networks, cloud networks, and sensitive systems may also need separation.

Implementation guidance

Implementer focus

Define zones from business need and risk. Then enforce only the connections that are required.

1. Define network zones

Use business analysis, architecture modelling, and Risk Assessment to define zones such as user network, server network, production, development, guest wireless, payment systems, management network, backup network, internet-facing services, and cloud environments.

2. Document zone relationships

Document which systems and network devices belong to each zone, what traffic is allowed between zones, who owns each zone, and what security level applies.

3. Control connections between zones

Use gateways, firewalls, routing restrictions, ACLs, security groups, and monitoring to control connections. Rules should be specific, justified, approved, and reviewed.

4. Include wireless networks

Wireless networks need risk assessment. Direct connection from wireless to the main network should be justified and protected using known good security standards.

5. Watch for performance-driven bypasses

Operational teams may weaken segregation for performance, convenience, troubleshooting, or legacy support. Such changes need security review and approval.

Audit guidance

Auditor focus

Enumerate the zones, verify why they exist, and test how traffic between zones is controlled.

Auditors should verify:

  • network zones are defined and documented;
  • zones match business and security requirements;
  • systems, services, users, and network devices are assigned to zones;
  • connections between zones are controlled;
  • firewall, routing, ACL, and security group rules match the design;
  • wireless network access to main networks is risk-assessed;
  • performance changes have not weakened segregation;
  • zone performance and availability are monitored where restrictions could affect service;
  • exceptions are approved and reviewed.

The auditor should not assume that a diagram proves segregation. Sample actual configurations and, where appropriate, test connectivity.

Evidence examples

Evidence quality

Strong evidence proves network zones are designed, implemented, enforced, reviewed, and monitored.

Evidence What it proves
Network zoning standard Zone model is defined
Zone and connection matrix Allowed traffic is documented
Firewall/routing/security group rules Segregation is technically enforced
Wireless risk assessment Wireless connections are controlled
Segmentation test records Controls work in practice
Change records Zone changes are approved
Exception records Temporary or broad access is risk-managed

Strong evidence

  • Network zones are defined from risk and architecture.
  • Systems and services are assigned to zones.
  • Inter-zone rules are justified, specific, and reviewed.
  • Wireless networks are segregated or risk-assessed.
  • Segmentation tests prove blocked and allowed paths.
  • Performance-driven exceptions are documented and approved.

Weak evidence

  • Flat network with informal access assumptions.
  • Zones exist in diagrams but not in firewall/routing rules.
  • Broad “any-any” rules between zones.
  • Guest wireless can reach internal systems.
  • Performance fixes bypass security controls without review.
  • Cloud security groups are not included in segregation review.

Common failures

Implementation watchouts

A.8.22 fails when the organization believes a perimeter firewall is enough.

Failure Why it matters
No internal zones Compromise spreads easily
Poor zone documentation Rule reviews cannot be meaningful
Broad inter-zone rules Segregation becomes cosmetic
Wireless connected to main network Creates easy bypass path
Cloud networks excluded Segregation gaps move to cloud
Performance exceptions unmanaged Availability fixes create security exposure

Exam traps

Exam focus

A.8.22 is specifically about segregating groups of services, users, and systems in networks.

Trap Correct interpretation
Perimeter firewall satisfies segregation Internal zones and inter-zone controls may also be required
VLAN names prove segregation Enforcement rules and routing controls matter
Wireless is separate by default Wireless access to the main network must be risk-assessed and controlled
Segregation is only physical Logical segregation can be acceptable if effective
Performance needs can override security informally Security-impacting changes need approval and review

KB-ready summary

Mentor takeaway

A.8.22 limits network blast radius. Strong implementation proves zones are risk-based, documented, technically enforced, tested, reviewed, and protected from informal bypass.

  • Define network zones from business and risk.
  • Document systems, users, services, and allowed flows per zone.
  • Enforce zone boundaries technically.
  • Include wireless, cloud, management, and sensitive networks.
  • Test and review segregation regularly.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Network security
  • Segregation
  • Audit

Note Metadata

Aliases: A.8.22, Segregation of Networks, Network Segregation

Source: 05 Annex A Technological Controls/A.8.22 Segregation of Networks.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.