Comprehensive Network Diagrams for Critical Components
Create network diagrams showing connections, critical servers, and security devices for proper documentation.
Plain language
Creating network diagrams is like drawing a map of how your computers and important equipment are connected. This helps you see where security might be weak and ensures that all important devices are accounted for in case of an incident, preventing potential data breaches or system downtime.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Topic
Network Documentation
Official control statement
Network documentation includes high-level network diagrams showing all connections into networks and logical network diagrams showing all critical servers, high-value servers, network devices and network security appliances.
Why it matters
Without up-to-date high-level and logical network diagrams, critical servers, devices and connections can be missed, delaying response and increasing breach risk.
Operational notes
Update high-level ingress/egress and logical diagrams after changes; include all critical/high-value servers, network devices and security appliances.
Implementation tips
- The IT team should create an initial high-level network diagram. Use simple drawing tools to map out how all the computers, servers, and security tools like firewalls are connected, showing the big picture in general terms.
- IT staff should update the logical network diagram regularly. Every time a new critical server or security device is added or removed, mark it on your detailed network map. This ensures the diagram remains accurate and useful.
- Managers should facilitate regular review meetings. Once every quarter, bring together IT staff and key stakeholders to go through the diagrams and identify any changes or risks. This helps maintain alignment across departments.
- Business owners should allocate resources for detailed network documentation. Encourage investing in tools or software that make diagramming easier and more comprehensive, improving clarity and accessibility.
- Managers should ensure secure storage of network diagrams. Print or save these diagrams in a secure but easily accessible format in a centralised location to protect the information while ensuring that it's available when needed.
Audit / evidence tips
- Ask: the most recent network diagrams. Request both the high-level and detailed logical network diagrams.
  Good: diagrams updated within the last three months.
- Ask: documentation of changes. Request records of updates or changes to the network.
  Good: shows consistent updates reflecting recent network alterations.
- Ask: how diagrams are reviewed. Inquire about the process for regular diagram reviews.
  Good: includes meeting minutes or notes demonstrating regular reviews.
- Ask: access controls on diagrams. Request information about who can view and edit the network diagrams.
  Good: includes a list of authorised users and their roles.
- Ask: about storage solutions. Inquire where the diagrams are kept.
  Good: involves secure digital storage with backup protocols in place.
Cross-framework mappings
How ISM-0516 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| Annex A 8.9 | ISM-0516 requires network documentation to include high-level and logical network diagrams showing all connections and all critical compo... | |
| Annex A 8.20 | ISM-0516 requires organisations to maintain comprehensive network diagrams that show inbound/outbound connections and the placement of cr... | |
| Annex A 8.22 | ISM-0516 requires high-level and logical network diagrams that show connections, critical servers, high-value servers, and security appli... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.