How to manage network security according to ISO 27001 A.13.1

As more and more people and organizations become interconnected, more and more information is exchanged, from that considered trivial and disposable to that most sensitive and necessary for people’s lives and business survival.

That’s why today’s network infrastructure is so important, and so attractive to wrongdoers. So, to ensure the network’s performance and to avoid or minimize situations where the information it carries is compromised, it is necessary to take security safeguards.

In this article we’ll see a little about network security management and how ISO 27001 and ISO 27002 controls, like securing network services and network segregation, can help increase network infrastructure security and resilience, and how these features can be used to add value to your business.

What is network security management?

We can define network security management as the process designed to protect a network and the data that flows through it from risks like unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, while allowing authorized computers, users, and applications to perform their activities. And, by “network,” we mean both internal and external networks (e.g., when organizations use the Internet infrastructure to transfer information between offices located in different cities).

Through administrative, physical, and technological controls, the network security management seeks to create a secure environment based on layers of protective components that support and complement each other to increase the overall security.

Common threats to networks and data in transit

By its nature, a network infrastructure is susceptible to two types of attacks:

Passive attacks: when a network attacker only intercepts data traveling through the network. Examples of this type of attack are wiretapping (interception through network cabling), wardriving (mapping of wireless access points), and port scan (probe for open server or host ports). Often, passive attacks are used at the beginning of more elaborate attacks, as a means to gather information.

Active attacks: when a network attacker actively works to change data in transit, or network components. Examples of this type of attack are Denial-of-Service (intentional attempts to negate legitimate user access), DNS spoofing (alteration of DNS entries to misroute traffic), and man-in-the-middle (the attacker effectively stays between legitimate users’ communication).

ISO 27001 network security A.13.1 - How to organize it

Network management according to ISO 27001 and ISO 27002

Like any ISO management system, ISO 27001 is based on the PDCA model, which perfectly integrates with a network security management approach (planning, implementation, verification, and adjustment of network controls). See this article: Has the PDCA Cycle been removed from the new ISO standards?

Regarding network management planning activities, it is necessary to define network security objectives to be protected and managed. Some examples are usability, reliability, and integrity of network and data. Once network security objectives are defined, it is necessary to define the controls to be implemented, based on the most relevant risks the organization has in its context.

The implementation of network security controls may use the same Risk Treatment Plan defined for the implementation of all controls in the ISMS. According to ISO 27002, the following network security management controls must be considered:

Network controls (A.13.1.1): A set of general controls should be implemented, like definition of responsibilities and procedures for network equipment management, segregation of duties between networks and computers activities, use of cryptographic solutions to protect data in transit and interconnected systems (e.g., VPN), monitoring and logging of network activities performed (e.g., by using an Intrusion Detection systems – IDS), authentication and other means to restrict access and use of networked resources. See this article: How to use firewalls in ISO 27001 and ISO 27002 implementation.

Security of network services (A.13.1.2): The expected network solutions, and performance and security levels should be defined and included in service level agreements, as well the means by which the organization can verify if the service levels are being met (e.g., by report analysis or audits). These service agreements should be considered for both in-house and outsourced services.

Segregation in networks (A.13.1.3): Services, information systems, users, workstations, and servers should be separated into different networks, according to defined criteria like risk exposure and business value, and a strict control of data flowing between these networks should be established (e.g., by using firewalls and routers). See this article: Requirements to implement network segregation according to ISO 27001 control A.13.1.3.

Network security management also may make use of other ISO 27002 controls to enhance its effectiveness, like Access Control Policy (9.1.1), change management (12.1.2), protection from malware (12.2.1), and management of technical vulnerabilities (12.6.1). See this article: How to handle access control according to ISO 27001.

The checking of the network controls’ suitability, adequacy, and effectiveness may be done by periodic audits and management reviews, which may lead to controls’ adjustments through corrective actions or improvement plans.

Benefits from network security

There are many benefits an organization can achieve by adopting network security management:

  • Increase in productivity, as a result of a more reliable network and fewer business disruptions
  • Maintenance of regulatory compliance, because network security is a common point in many regulations, like PCI, SOX, etc.
  • Reduction of risk of legal actions, because the efforts made to protect customers’ data show the organization’s due diligence and due care
  • Increase in business reputation, because the efforts made to protect customers’ data show the organization’s commitment to security

Reliable communications lead to strong business

In a connected world, where business can be done between partners that are located in any part of the world, keeping network infrastructures up and running is not only an operational challenge, but a vital point in business competitiveness.

By adopting a network security management approach, aligned with practices defined by ISO 27001 and ISO 27002, an organization can increase its chances not only to better plan and allocate its resources, but also to benefit from a more reliable and resilient infrastructure in terms of business competitiveness. Security managers will be thankful for higher security levels, and business managers will be happy with new business possibilities.

To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Advisera Rhand Leal
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.