ISO 27001 Annex A Control 8.22

ISO 27001 control 8.22 Segregation of networks

The basics

ISO 27001 control A.8.22 Segregation of networks requires companies to separate groups of users and information into separate parts of the network. This way, the chance of access by unauthorized users is decreased.

Documentation

ISO 27001 control A.8.22 Segregation of networks can be documented:

These documents are not mandatory, but are recommended.

Implementation

In order to comply with control A.8.22 Segregation of networks you might implement the following:

  • Technology — the technology to enable segregation of networks (physical and wireless) could include software (e.g., virtual private networks and authentication) and hardware (e.g., different network devices, like firewalls and routers).
  • Organization/processes — you should set up a process for defining criteria for network segregation, and manage access to and between segregated networks. You can document those processes through Security Procedures for IT Department or a Procedure for Segregation of Networks.
  • People — make employees aware of why network segregation is needed, and train IT staff on how to identify what network traffic needs to be segregated and how to segregate the networks.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.22 Segregation of networks: whether networks are segregated.
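One way to produce that evidence for the firewall-based segregation described under Implementation is to check the ruleset against the organization's own segregation criteria. The following is an added example, not part of the standard or of this page; the zone addresses, the allowed zone pairs and the sample rules are constructed assumptions for illustration.

```python
import ipaddress
from itertools import product

# Constructed example zones and policy; the control prescribes no particular
# addressing scheme, so these values are assumptions for illustration only.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "guest_wifi": ipaddress.ip_network("10.20.0.0/16"),
    "servers": ipaddress.ip_network("10.30.0.0/16"),
    "ot": ipaddress.ip_network("10.40.0.0/16"),
}

# Zone pairs (source, destination) that the segregation criteria permit.
ALLOWED_PAIRS = {("office", "servers")}

# Constructed firewall ruleset: (action, source CIDR, destination CIDR).
SAMPLE_RULES = [
    ("allow", "10.10.0.0/16", "10.30.0.0/16"),  # office -> servers: permitted
    ("allow", "10.20.0.0/16", "10.30.5.0/24"),  # guest wifi -> a server subnet
    ("allow", "0.0.0.0/0", "10.40.0.0/16"),     # anything -> OT network
    ("deny", "10.20.0.0/16", "10.10.0.0/16"),   # deny rules cannot breach segregation
]


def zones_touched(cidr):
    """Names of every zone a CIDR overlaps (an 'any' rule touches all zones)."""
    net = ipaddress.ip_network(cidr)
    return [name for name, zone in ZONES.items() if net.overlaps(zone)]


def segregation_violations(rules):
    """Allow rules that permit traffic between zones the policy keeps apart.

    Caveat: a CIDR outside every defined zone touches nothing and is not
    flagged, so ZONES must cover the whole address plan for a complete check.
    """
    violations = []
    for action, src, dst in rules:
        if action != "allow":
            continue
        for s, d in product(zones_touched(src), zones_touched(dst)):
            if s != d and (s, d) not in ALLOWED_PAIRS:
                violations.append(((action, src, dst), s, d))
    return violations


def is_segregated(rules):
    """True when no allow rule crosses a zone boundary the policy forbids."""
    return not segregation_violations(rules)


if __name__ == "__main__":
    for rule, s, d in segregation_violations(SAMPLE_RULES):
        print(f"rule {rule} allows {s} -> {d}, which the segregation criteria forbid")
```

Run against an exported ruleset, an empty violation list is the evidence that the allow rules match the documented criteria; each reported line is a rule to justify or remove.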