ISO 27002:2022, Control 8.20 – Network Security

Ownership of Control 8.20

Control 8.20 deals primarily with the operation of back-end networking, maintenance and diagnostic tools and procedures, but its broad scope encompasses far more than day-to-day maintenance operations. As such, ownership should reside with the organisation’s CISO, or equivalent.

General Guidance on Compliance

Control 8.20 focused on two key aspects of network security across all its general guidance points:

• Information security
• Protection from unauthorised access (particularly in the case of connected services)

To achieve these two goals, Control 8.20 asks organisations to do the following:

1. Categorise information across a network by type and classification, for ease of management and maintenance.
2. Ensure that networking equipment is maintained by personnel with documented job roles and responsibilities.
3. Maintain up to date information (including version controlled documentation) on LAN and WAN network diagrams and firmware/configuration files of key network devices such as routers, firewalls, access points and network switches.
4. Segregate responsibilities for an organisation’s network from standard ICT system and application operations (see Control 5.3), including the separation of administrative traffic from standard network traffic.
5. Implement controls that facilitate the secure storage and transfer of data over all relevant networks (including third-party networks), and ensure the continued operation of all connected applications (see Controls 5.22, 8.24, 5.14 and 6.6).
6. Log and monitor any and all actions that directly impact information security as a whole across the network, or within individual elements (see Controls 8.16 and 8.15).
7. Coordinate network management duties to complement the organisation’s standard business processes.
8. Ensure that all systems and relevant applications require authentication prior to operation.
9. Filter traffic that flows through the network via a series of restrictions, content filtering guidelines and data rules.
10. Ensure that all devices that connect to the network are visible, authentic and are able to be managed by ICT staff.
11. Retain the ability to isolate business critical sub-networks in the event of a security incident.
12. Suspend or disable network protocols that are either compromised or have become unstable or vulnerable.

Supporting Controls

• 5.14
• 5.22
• 5.3
• 6.6
• 8.15
• 8.16
• 8.24

Changes and Differences from ISO 27002:2013

27002:2022-8.20 replaces 27002:2013-13.1.1 (Network controls).

27002:2022-8.20 advocates for a far more comprehensive approach to network security, and contains a number of additional guidance points that deal with several key elements of network security, including:

• Filtering traffic
• Suspending protocols
• Categorising network information
• Isolating sub-networks
• Maintaining visible devices
• Firmware records

How ISMS.online Helps

The ISMS.Online platform helps with all aspects of implementing ISO 27002, from managing risk assessment activities through to developing policies, procedures and guidelines for complying with the standard’s requirements.

It provides a way to document your findings and communicate them with your team members online. ISMS.Online also allows you to create and save checklists for all of the tasks involved in implementing ISO 27002, so that you can easily track the progress of your organisation’s security program.

With its automated tool-set, ISMS.Online makes it easy for organisations to demonstrate compliance with the ISO 27002 standard.

Contact us today to schedule a demo.