ISO 27001:2022 Annex A Control 8.22

Segregation of Networks

Book a demo

shutterstock 1410209846 scaled

When cyber-criminals infiltrate computing systems, services or devices, they don’t restrict themselves to those assets alone.

They make use of the first infiltration to penetrate a company’s whole network, obtain access to sensitive data, or to perform ransomware attacks.

Cyber crooks could pilfer the login details of HR staff at a hospital after a successful phishing attack, affording them access to HR systems.

Using their access point, the attackers can traverse the network and uncover networks containing confidential patient data. This intrusion could lead to the loss of data, cause disruption to operations, or even open the door to a ransomware attack.

The hospital could prevent unauthorised access to confidential data and reduce the consequences of a breach by using network segmentation techniques such as firewalls, virtual networks, or server isolation.

ISO 27001:2022 Annex A 8.22 outlines how companies can apply and preserve suitable network segregation methods to avert risks to the availability, integrity, and confidentiality of information assets.

Purpose of ISO 27001:2022 Annex A 8.22

ISO 27001:2022 Annex A 8.22 allows organisations to divide their IT networks into sub-networks dependent on the degree of sensitivity and importance, and to limit the transmission of information between those different sub-networks.

Organisations can use this to stop malware and viruses from travelling from infected networks to those containing sensitive data.

This guarantees that organisations secure the confidentiality, integrity and accessibility of data assets stored on essential sub-networks.

Ownership of Annex A 8.22

The Information Security Officer should be held accountable for adhering to ISO 27001:2022 Annex A 8.22, which requires the segmentation of networks, devices and systems according to risks and the application of network segregation techniques and procedures.

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

General Guidance on ISO 27001:2022 Annex A 8.22 Compliance

Organisations should strive to achieve equilibrium between operational necessities and security anxieties when instituting network segregation regulations.

ISO 27001:2022 Annex A Control 8.22 provides three recommendations to take into account when setting up network segregation.

How to Separate the Network Into Smaller Sub-Networks

When splitting the network into smaller sub-domains, organisations should consider the sensitivity and importance of each network domain. Depending on this assessment, network sub-domains may be labelled as ‘public domains’, ‘desktop domains’, ‘server domains’, or ‘high-risk systems’.

Organisations should take into account business departments such as HR, marketing, and finance in the process of segmenting their network.

Organisations can also amalgamate these two criteria, assigning network sub-domains into categories such as “server domain linking to the sales department”.

Security Perimeters and Access Control

Organisations must delineate the borders of each network sub-domain explicitly. If there is to be access between two different network domains, this connection should be limited at the perimetric level through the use of gateways like firewalls or filtering routers.

Organisations should evaluate the security needs for each domain when establishing network separation and when granting access through gateways.

This assessment must be conducted in line with the access control policy mandated by ISO 27001:2022 Annex A 5.15, taking into account the following:

  • The classification assigned to info assets is on what level.
  • The importance of the information is paramount.
  • Cost and practicality are major factors when deciding which gateway technology to use.

Wireless Networks

ISO 27001:2022 Annex A 8.22 recommends that organisations observe the following practices when creating network security parameters for wireless networks:

  • Evaluate the use of radio coverage adjustment methods to divide wireless networks.
  • For delicate networks, organisations can take all wireless access attempts as external connections and forbid access to internal networks until the gateway control gives approval.
  • Personnel should only use their own devices in line with the organisation’s policy; the network access provided to personnel and guests should be kept separate.
  • Visitors should be subject to the same regulations concerning Wi-Fi use as team members.

Supplementary Guidance on ISO 27001:2022 Annex A 8.22

Organisations should ensure that all business partnerships are subject to appropriate security measures. Annex A 8.22 advises organisations to implement measures to protect their network, IT devices, and other information facilities when engaging with business partners.

Networks that are sensitive can be exposed to a heightened risk of unauthorised access. To protect against this, organisations should take the appropriate steps.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.22 replaces ISO 27001:2013 Annex A 13.1.3 in the latest ISO revision.

In comparison to ISO 27001:2013, the ISO 27001:2022 revision necessitates the following of wireless networks:

  • If staff abide by the organisation’s policy and only use their own devices, then the wireless network access provided for personnel and visitors should be kept separate.
  • Guests should be subject to the same restrictions and controls concerning Wi-Fi as personnel.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How ISMS.online Help

ISMS.Online facilitates you to:

  • Document processes easily with this user-friendly interface. No software installation is required on your computer or network.
  • Streamline your risk evaluation procedure by automating it.
  • Achieve compliance with ease by using online reports and checklists.
  • Maintain a record of your progression as you work towards certification.

ISMS.online provides a comprehensive set of functionalities to aid organisations and businesses in meeting the industry ISO 27002 and/or ISO 27001:2022 ISMS standard.

Get in touch with us to organise a demonstration.

See how we can help you

Book a tailored hands-on session
based on your needs and goals
Book your demo

100% ISO 27001 success

Your simple, practical, time-saving path to first-time ISO 27001 compliance or certification

Book your demo
Assured Results Method

Streamline your workflow with our new Jira integration! Learn more here.