Understanding ISO 27701 Clause 6.10: Communications Security

Communications security underpins most privacy protection operations: it covers the controls that both limit and monitor access to PII and privacy-related assets as they move across the network.

Organisations need to exercise tight control over who and what can access security- and privacy-related ICT resources, through consistent use of network controls, network service management and network segregation.

What’s Covered in ISO 27701 Clause 6.10

ISO 27701 contains three sub-clauses that deal with distinct areas of communication security:

  • ISO 27701 6.10.1.1 – Network controls (ISO 27002 Control 8.20)
  • ISO 27701 6.10.1.2 – Security in network services (ISO 27002 Control 8.21)
  • ISO 27701 6.10.1.3 – Segregation in networks (ISO 27002 Control 8.22)

Each sub-clause draws on the corresponding ISO 27002 control, and 6.10.1.1 in particular references a lengthy set of supporting controls, reflecting the breadth of the topic.

ISO 27701 adds no PIMS- or PII-specific implementation guidance for communications security, and no UK GDPR articles map to these sub-clauses.

ISO 27701 Clause 6.10.1.1 – Network Controls

References ISO 27002 Control 8.20

ISO 27701 clause 6.10.1.1 focuses on two key aspects of network security:

  • Privacy protection
  • Protection from unauthorised access

Organisations should:

  1. Categorise data (including PII) by type and classification.
  2. Ensure that only qualified personnel maintain networking equipment, in accordance with a clear set of roles and responsibilities.
  3. Keep a record of network diagrams, firmware versions and configuration files of critical devices such as routers, firewalls, WAPs and network switches.
  4. Segregate network responsibilities (see ISO 27002 Control 5.3), including the separation of administrative traffic from standard network traffic.
  5. Adhere to controls that facilitate the safe storage and transfer of data, covering all connected applications and systems (see ISO 27002 Controls 5.22, 8.24, 5.14 and 6.6).
  6. Maintain security logs for the network as a whole and for individual components, as required (see ISO 27002 Controls 8.16 and 8.15).
  7. Coordinate network management and administration with the organisation's other business processes.
  8. Ensure that proper authorisation is sought and granted before staff access relevant parts of the network.
  9. Apply traffic restrictions, content filtering and data rules throughout the network, for both incoming and outgoing data.
  10. Ensure that every device connected to the network can be identified and managed by administrative staff.
  11. Be able to segregate and partition critical areas of the network, to ensure business continuity following critical events, for example by temporarily isolating a sub-network or suspending specific network protocols.

Relevant ISO 27002 Controls

  • ISO 27002 5.14
  • ISO 27002 5.22
  • ISO 27002 5.3
  • ISO 27002 6.6
  • ISO 27002 8.15
  • ISO 27002 8.16
  • ISO 27002 8.24

ISO 27701 Clause 6.10.1.2 – Security in Network Services

References ISO 27002 Control 8.21

When considering the broader concept of network service security, there are three main factors to keep in mind:

  • Security features.
  • Service levels.
  • Service requirements.

Organisations should ensure that service providers understand what is expected of them, and are fulfilling their stated obligations on a consistent basis.

Organisations should be able to refer to an unambiguous set of SLAs, and monitor adherence throughout the duration of a service agreement.

References should be sought and obtained from trusted sources, with the end goal of establishing a service provider’s ability to meet the commercial and operational requirements of the organisation.

Security rules should include:

  • Any network services that are allowed to be accessed – including a thorough list of authentication prerequisites.
  • Network management controls that safeguard PII and privacy-related assets against misuse and unauthorised access.
  • Remote and onsite access.
  • The logging of key information about network service access, including access time, access location and device data.
  • Monitoring activities.

Network Service Security

ISO 27002 Control 8.21 also sets out technical security features that further safeguard the integrity and availability of PII.

Organisations should:

  1. Consider security features such as authentication, encryption and connection controls.
  2. Establish clear guidelines that govern connections to network services.
  3. Control how much data network services cache (for example in a content delivery network), balancing performance against the privacy risk of retaining more data than necessary.
  4. Restrict access to network services.

ISO 27701 Clause 6.10.1.3 – Segregation in Networks

References ISO 27002 Control 8.22

To improve the integrity and availability of PII and privacy-related assets, organisations should segregate services, users and systems across their entire network, based upon their unique security requirements and in accordance with a topic-specific approach (see ISO 27002 Control 5.15).

To achieve this, organisations should:

  • Separate domains from any public networks, including the Internet.
  • Segregate areas of the network based upon trust, criticality and sensitivity.
  • Consider distinct operational functions when segregating the network, such as HR, finance and marketing.
  • Segregate using a combination of physical and logical controls.
  • Operate with clearly-defined network perimeters and tightly-controlled gateways.
  • Treat WiFi access with particular care: wireless networks often have a loosely-defined perimeter and varying access requirements, so external wireless traffic should pass through a gateway before any internal access is granted (see ISO 27002 Control 8.20).
  • Segregate guest and employee WiFi access, and place heavy restrictions on guest access to discourage use by personnel.
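The segregation requirements above can be expressed as a policy that a script checks against a firewall rule base. The following Python script is an added example, not code from ISMS.online or from the ISO standards: it models network zones with trust levels and audits a list of allow rules for flows that break the principles listed above (guest WiFi reaching anything but the Internet, external sources bypassing the gateway, any-port allows into a higher-trust zone, and non-administrative zones reaching the management network). The zone names, trust levels and the sample rule set are constructed assumptions.

```python
"""Audit a firewall rule set against a zone/trust model (illustrative; zones are assumptions)."""
from dataclasses import dataclass

# Trust level per zone: higher means more sensitive. Names and levels are assumed, not from the page.
TRUST = {
    "internet": 0, "guest_wifi": 1, "dmz": 2,
    "corp_wifi": 3, "corp_lan": 3, "pii_store": 4, "mgmt": 5,
}
GATEWAY = "dmz"                      # the only zone that untrusted sources may terminate in
UNTRUSTED = {"internet", "guest_wifi"}
ANY_PORT = 0                         # dport value meaning "all ports"


@dataclass(frozen=True)
class Rule:
    src: str      # source zone, or "*" for any
    dst: str      # destination zone, or "*" for any
    dport: int    # destination port, ANY_PORT for all
    action: str   # "allow" or "deny"


def audit(rules):
    """Return a list of findings; an empty list means the rule set passes every check."""
    findings = []
    # A segregated network needs an explicit default deny so unlisted flows are blocked.
    if not any(r.src == "*" and r.dst == "*" and r.action == "deny" for r in rules):
        findings.append("no default deny rule: unlisted flows are implicitly permitted")
    for r in rules:
        if r.action != "allow" or r.src == "*" or r.dst == "*":
            continue
        if r.src not in TRUST or r.dst not in TRUST:
            findings.append(f"{r.src}->{r.dst}: unknown zone, trust cannot be assessed")
            continue
        if r.src == r.dst:
            continue
        # Guest WiFi must be segregated from everything except the Internet.
        if r.src == "guest_wifi" and r.dst != "internet":
            findings.append(f"{r.src}->{r.dst}:{r.dport}: guest network may only reach the Internet")
            continue
        # Administrative traffic stays inside the management zone.
        if r.dst == "mgmt" and r.src != "mgmt":
            findings.append(f"{r.src}->{r.dst}:{r.dport}: management zone reachable from a non-admin zone")
            continue
        # Flows from a lower-trust zone into a higher-trust zone get the strictest checks.
        if TRUST[r.src] < TRUST[r.dst]:
            if r.src in UNTRUSTED and r.dst != GATEWAY:
                findings.append(f"{r.src}->{r.dst}:{r.dport}: external source bypasses gateway {GATEWAY}")
            elif r.dport == ANY_PORT:
                findings.append(f"{r.src}->{r.dst}: any-port allow into a higher-trust zone")
    return findings


# Constructed sample rule base mixing compliant and non-compliant flows.
SAMPLE_RULES = [
    Rule("guest_wifi", "internet", 443, "allow"),
    Rule("guest_wifi", "corp_lan", 445, "allow"),      # guest reaches the corporate LAN
    Rule("internet", "dmz", 443, "allow"),             # inbound via the gateway: fine
    Rule("internet", "pii_store", 5432, "allow"),      # inbound straight to the PII store
    Rule("dmz", "pii_store", 5432, "allow"),           # gateway tier to a specific port: fine
    Rule("corp_lan", "pii_store", ANY_PORT, "allow"),  # any-port allow upward
    Rule("corp_lan", "mgmt", 22, "allow"),             # user LAN into the admin zone
    Rule("mgmt", "corp_lan", 22, "allow"),             # admin reaching outward: fine
    Rule("*", "*", ANY_PORT, "deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
```

The audit is deliberately stricter than a first-match firewall engine: it judges every allow rule on its own, so an allow rule that is shadowed by an earlier deny still produces a finding. That is the right behaviour when reviewing the intent of a rule base against the segregation design, as opposed to simulating its runtime behaviour.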

Relevant ISO 27002 Controls

  • ISO 27002 5.15
  • ISO 27002 8.20

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier   ISO 27701 Clause Name            ISO 27002 Requirement                 Associated GDPR Articles
6.10.1.1                      Network Controls                 8.20 – Networks security              None
6.10.1.2                      Security in Network Services     8.21 – Security of network services   None
6.10.1.3                      Segregation in Networks          8.22 – Segregation of networks        None

How ISMS.online Helps

ISO 27701 shows you how to build a Privacy Information Management System that complies with most privacy regulations and standards, including the EU's GDPR, BS 10012 and South Africa's POPIA. Our simplified, secure, sustainable software helps you easily follow the approach outlined by the internationally recognised standard.

Our all-in-one-platform ensures your privacy work aligns with and meets the needs of each section of the ISO 27701 standard. And because it’s regulation agnostic, you can map it onto any regulation you need to.

Find out more by booking a demo.

Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
