Network security is a critical component of an organisation’s information security strategy.
It must be managed with care and accuracy to ensure the safety of all data.
ISO 27001:2022 Annex A 8.20 is a set of comprehensive protocols that cover network security as a governing concept in all its forms. It draws on guidance from many significant information security controls from ISO 27001:2022.
ISO 27001:2022 Annex A 8.20 is a preventive and detective control that keeps risk at bay by implementing controls that secure an organisation’s ICT network from the top down. This is done by making sure that network activity is logged, compartmentalised, and done by authorised personnel.
Annex A 8.20 covers more than just the daily operation of back-end networking, maintenance and diagnostic tools and procedures. The ownership of this control should be attributed to the organisation’s Chief Information Security Officer (CISO) or similar.
Book a 30 minute chat with us and we’ll show you how
Annex A 8.20 emphasises two fundamental aspects of network security in its general guidance:
Annex A 8.20 requires organisations to attain its two purposes (above) by carrying out the following:
ISO 27001:2022 Annex A 8.20 replaces ISO 27001:2013 Annex A 13.1.1 (Network Controls) in the revised 2022 standard.
Annex A 8.20 calls for a thorough approach to network security, offering several key pieces of advice to cover elements such as:
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Organisational Controls | Annex A 5.1 | Annex A 5.1.1 Annex A 5.1.2 | Policies for Information Security |
Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
Organisational Controls | Annex A 5.8 | Annex A 6.1.5 Annex A 14.1.1 | Information Security in Project Management |
Organisational Controls | Annex A 5.9 | Annex A 8.1.1 Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
Organisational Controls | Annex A 5.10 | Annex A 8.1.3 Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
Organisational Controls | Annex A 5.14 | Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 | Information Transfer |
Organisational Controls | Annex A 5.15 | Annex A 9.1.1 Annex A 9.1.2 | Access Control |
Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
Organisational Controls | Annex A 5.17 | Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 | Authentication Information |
Organisational Controls | Annex A 5.18 | Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 | Access Rights |
Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
Organisational Controls | Annex A 5.22 | Annex A 15.2.1 Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
Organisational Controls | Annex A 5.29 | Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 | Information Security During Disruption |
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
Organisational Controls | Annex A 5.31 | Annex A 18.1.1 Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
Organisational Controls | Annex A 5.36 | Annex A 18.2.2 Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
People Controls | Annex A 6.8 | Annex A 16.1.2 Annex A 16.1.3 | Information Security Event Reporting |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
Physical Controls | Annex A 7.2 | Annex A 11.1.2 Annex A 11.1.6 | Physical Entry |
Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
Physical Controls | Annex A 7.10 | Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 | Storage Media |
Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Technological Controls | Annex A 8.1 | Annex A 6.2.1 Annex A 11.2.8 | User Endpoint Devices |
Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
Technological Controls | Annex A 8.8 | Annex A 12.6.1 Annex A 18.2.3 | Management of Technical Vulnerabilities |
Technological Controls | Annex A 8.9 | NEW | Configuration Management |
Technological Controls | Annex A 8.10 | NEW | Information Deletion |
Technological Controls | Annex A 8.11 | NEW | Data Masking |
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
Technological Controls | Annex A 8.15 | Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 | Logging |
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
Technological Controls | Annex A 8.19 | Annex A 12.5.1 Annex A 12.6.2 | Installation of Software on Operational Systems |
Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
Technological Controls | Annex A 8.23 | NEW | Web filtering |
Technological Controls | Annex A 8.24 | Annex A 10.1.1 Annex A 10.1.2 | Use of Cryptography |
Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
Technological Controls | Annex A 8.26 | Annex A 14.1.2 Annex A 14.1.3 | Application Security Requirements |
Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
Technological Controls | Annex A 8.28 | NEW | Secure Coding |
Technological Controls | Annex A 8.29 | Annex A 14.2.8 Annex A 14.2.9 | Security Testing in Development and Acceptance |
Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
Technological Controls | Annex A 8.31 | Annex A 12.1.4 Annex A 14.2.6 | Separation of Development, Test and Production Environments |
Technological Controls | Annex A 8.32 | Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 | Change Management |
Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
The ISMS.online platform assists in all stages of ISO 27001:2022 implementation, from carrying out risk assessment activities to crafting policies, procedures, and instructions to meet the standard’s specifications.
ISMS.online offers a method to document discoveries and share them with team members online. Moreover, it provides the ability to generate and save checklists for all the activities related to ISO 27001, so you can easily monitor the development of your organisation’s security system.
ISMS.online simplifies the process of demonstrating adherence to the ISO 27001 criterion for organisations via its automated tool-set.
Get in touch today to organise a demonstration.
Our recent success achieving ISO 27001, 27017 & 27018 certification was in large part down to ISMS.online.