The basics
ISO 27001:2022 Annex A control A.8.21 Security of network services requires that the security mechanisms, service levels and service requirements of network services be identified, implemented and monitored, whether the service is provided in-house or by an external vendor. In practice this is the key mechanism for stating security expectations toward a network service provider and for measuring whether those expectations are actually met.
Documentation
ISO 27001 control A.8.21 Security of network services can be documented:
- for smaller and mid-sized companies, in a document such as Security Procedures for IT Department
- for larger companies, in a dedicated Procedure for Security of Network Services
These documents are not mandatory, but are recommended.
Implementation
In order to comply with control A.8.21 Security of network services you might implement the following:
- Technology — the technology supporting secure network services may include software (e.g., authentication services, logging and monitoring tools, TLS for encryption in transit, VPNs), hardware (e.g., firewalls) and systems (e.g., intrusion detection systems). Note that TLS has long superseded SSL; SSL versions are deprecated and should not be enabled on any service.
- Organization/processes — set up a process that identifies the security mechanisms, service levels and management requirements each network service needs, includes them as clauses in the corresponding network service agreement (whether the service is provided in-house or outsourced), and defines how compliance with those clauses will be monitored and audited. These processes can be documented in Security Procedures for IT Department or in a Procedure for Security of Network Services.
- People — make employees aware of why secure network services are needed, and train IT staff to identify the required security mechanisms and to monitor and audit them.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.21 Security of network services: whether the security of network services is actually managed, i.e., whether security requirements, service levels and management requirements for each network service have been identified and written into the service agreements, and whether there are records showing that compliance with them is being monitored and audited.