ISM-0385, ASD Information Security Manual (ISM)

Ensure Servers Operate Independently Through Separation

Servers are set up to work independently without interference from others.

Plain language

This control is about making sure servers are set up so they don't interfere with each other. This is important because if servers aren't kept separate, a problem on one server could cause issues on others, potentially leading to data breaches, loss of service, or security vulnerabilities.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2018

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

Servers maintain effective functional separation with other servers allowing them to operate independently.

Why it matters

Without functional separation between servers, a compromise or fault on one can propagate to others, causing service outages, broader breaches and data leakage.

Operational notes

Design server roles to be independent: separate admin planes, networks and storage; restrict inter-server traffic to required ports only; regularly validate segmentation rules.

Implementation tips

  • The IT manager should coordinate with the IT team to ensure each server is dedicated to specific tasks. They can do this by reviewing and documenting which applications run on each server and ensuring no server is overloaded with multiple critical roles.
  • The IT team should set up network configurations to keep server traffic separate. They can configure firewalls or virtual networks to make sure that communication between servers is limited to what is necessary for operations and no server can access another server's data unnecessarily.
  • The system administrator should regularly review server configurations for unnecessary connections. They can create a checklist to go through all servers' configurations, ensuring they adhere to the principle of least privilege, meaning servers only have access to exactly what they need to function.
  • Procurement should ensure that newly acquired servers meet the company's separation requirements. This involves specifying requirements during purchase that support functional separation, like virtualization capabilities or dedicated hardware firewalls.
  • The security officer should organise training sessions for staff to understand the importance of server separation. This can be done by preparing a presentation that explains how separation supports security and operational stability and what each staff member's role is in maintaining it.

Audit / evidence tips

  • Ask: The server configuration documents: Request detailed diagrams or records for each server that show their roles and connected systems. Good: Shows clear separation with no overlapping tasks between servers.
  • Ask: How they ensure servers operate independently and the steps they take if a server needs to connect to another temporarily. Good: Includes specific steps taken to temporarily allow access and how it's reverted.
  • Good: Demonstration shows active monitoring with clear logs of allowed and denied traffic.
  • Ask: Records of server audits or reviews: Request recent audit reports that include an assessment of server separation. Good: Record shows regular audits with corrective actions and updates being performed.
  • Good: Record shows dates of trainings, topics covered, and employee participation.

Cross-framework mappings

How ISM-0385 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)

  • Control: Annex A 8.31. Notes: ISM-0385 requires servers to maintain effective functional separation from other servers so they can operate independently.

Supports (1)

  • Control: Annex A 8.22. Notes: ISM-0385 requires servers to be functionally separated so each server can operate independently without interference from others.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
