Technological Control 8.22

Segregation of Networks

Summary

Groups of information services, users and information systems should be segregated on networks. This limits the blast radius of a security incident by preventing an attacker from moving easily between different parts of the organization's infrastructure.

Applicability

In-Scope: Mandatory for protecting sensitive environments (like production or HR data) from general-purpose office traffic. It is a core component of a Zero Trust architecture.

Out-of-Scope: The control can only be partially reduced in scope for extremely small, flat networks; even there, logical segregation (e.g., a separate guest Wi-Fi) remains a requirement.

Implementation Guidance

Microsoft 365 / Entra ID

  • Virtual Segregation: Use Azure Virtual Networks (VNets) and Subnets to logically separate production workloads from development and testing environments.

  • Micro-segmentation: Implement Network Security Groups (NSGs) and Application Security Groups (ASGs) to restrict traffic between specific servers or services within a VNet.

  • Identity-Based Segregation: Utilize Entra ID Conditional Access to ensure that only authorized users on managed devices can access specific sensitive network segments or applications.
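An added example, not code from this page or from Microsoft, that models how NSG inbound rules are evaluated by priority (first match wins) and why the "deny-all between segments" evidence must be explicit: a VNet carrying only Azure's default rules still allows all intra-VNet traffic. The segment addressing, rule names and the office-to-database check (the auditor's compromised-workstation question further down the page) are constructed assumptions; "*" stands in for the VirtualNetwork service tag.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    """One NSG rule; lower priority numbers are evaluated first."""
    name: str
    priority: int
    source: str   # CIDR or "*"
    dest: str     # CIDR or "*"
    port: str     # destination port or "*"
    action: str   # "Allow" or "Deny"

def _matches(cidr: str, ip: str) -> bool:
    return cidr == "*" or ip_address(ip) in ip_network(cidr, strict=False)

def evaluate(rules, src_ip, dst_ip, dst_port):
    """Return (action, rule name) of the first rule, by priority, matching the flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if _matches(r.source, src_ip) and _matches(r.dest, dst_ip) \
                and r.port in ("*", str(dst_port)):
            return r.action, r.name
    return "Deny", "implicit"  # not reached with the default rules below

# Constructed segment addressing (assumed, not from the page).
OFFICE, WEB, DB = "10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/24"

# Azure's default inbound rules, simplified ("*" stands in for the VirtualNetwork
# tag). AllowVnetInBound permits all intra-VNet traffic, so a VNet with only the
# defaults is NOT segregated: the audit evidence must show explicit denies.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# Hardened NSG on the database tier: only the web tier may reach SQL; everything
# else is denied at priority 4000, well before the permissive default at 65000.
DB_TIER_NSG = [
    Rule("AllowWebToSql", 100, WEB, DB, "1433", "Allow"),
    Rule("DenyOfficeToDb", 200, OFFICE, DB, "*", "Deny"),
    Rule("DenyAllOtherToDb", 4000, "*", DB, "*", "Deny"),
] + DEFAULT_RULES

def office_can_reach_db(rules) -> bool:
    """Audit check: can an office-segment workstation open a SQL session to the DB tier?"""
    action, _ = evaluate(rules, "10.10.0.25", "10.30.0.5", 1433)
    return action == "Allow"

if __name__ == "__main__":
    print(office_can_reach_db(DEFAULT_RULES), office_can_reach_db(DB_TIER_NSG))  # True False
```

Swap the constructed rule lists for an export of the real NSG to turn this into a repeatable check for the evidence checklist.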

Evidence Checklist

  • Network Segmentation Diagram: A technical map showing the different network zones and the firewalls or filters that separate them.

  • Firewall/NSG Rules: Current configuration logs showing the deny-all or restricted rules between different network segments.

  • Access Logs: Evidence that users in one segment (e.g., Guest) are unable to communicate with sensitive internal resources.

Practical Audit Advice

Here are some questions the auditor might ask:

  • How is the organization's production environment physically or logically isolated from the employee Wi-Fi or guest network?

  • What is the process for approving a new rule that allows traffic to flow between two previously segregated network zones?

  • Can you demonstrate that a compromised workstation in the general office area cannot initiate a connection to the primary database server?

  • How do you manage and monitor the point of entry between the internal network and the public internet?

Templates for this control

Downloadable ISO 27001:2022 templates relevant to this control. Use them as a starting point for your own documentation.

  • Network Segmentation Policy (docx): Requires isolation of network segments to limit the blast radius of security incidents.

  • Network Architecture Standards (docx): Defines security requirements for network design patterns, segmentation, and perimeter controls.

See all templates on the Templates page.