Administer VLANs from Trusted Security Domains
VLANs must be managed from the most secure and trusted part of the network.
Plain language
When managing Virtual Local Area Networks (VLANs), it's important they are controlled from the safest part of your network. If not done correctly, hackers or unauthorised people could change your network setup, leading to data theft or disruptions in your business operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Official control statement
Network devices managing VLANs are administered from the most trusted security domain.
Why it matters
If VLANs are administered from less-trusted domains, attackers can alter VLAN configs or intercept management traffic, causing outages and breaches.
Operational notes
Administer VLAN changes only from the most trusted domain via a dedicated management network/jump host, and alert on unauthorised access.
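The alerting step in the note above, as an added example that is not part of the ISM or of this page's source: it flags administrative events on VLAN-managing devices whose source address is outside the trusted management network. The log format, device names, users and the 10.255.0.0/28 management range are constructed assumptions.

```python
import ipaddress
import re

# Assumption: the most trusted security domain is a dedicated management
# network that contains the jump host. This CIDR is a constructed placeholder.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.255.0.0/28")]

# Constructed log format (not any vendor's):
#   <timestamp> device=<name> user=<name> src=<address> action=<free text>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>.+)$"
)

# Constructed sample of administrative access events.
SAMPLE_LOG = """\
2026-03-02T01:14:09Z device=core-sw1 user=netadmin src=10.255.0.5 action=login
2026-03-02T01:15:40Z device=core-sw1 user=netadmin src=10.255.0.5 action=vlan 120 created
2026-03-02T03:47:12Z device=access-sw7 user=netadmin src=192.168.40.23 action=login
2026-03-02T03:48:01Z device=access-sw7 user=netadmin src=192.168.40.23 action=vlan 120 port added
2026-03-02T04:02:55Z device=access-sw7 user=svc-backup src=not-an-ip action=login
"""

def is_trusted(src):
    """True only if src is a valid address inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # fail closed: an unparseable source is never trusted
    return any(addr in net for net in TRUSTED_MGMT_NETS)

def find_untrusted_admin_events(log_text):
    """Return one finding per event that did not come from the trusted domain."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Surface lines the parser cannot read instead of dropping them.
            findings.append({"reason": "unparseable", "raw": line})
        elif not is_trusted(m["src"]):
            findings.append({"reason": "untrusted-source", **m.groupdict()})
    return findings

if __name__ == "__main__":
    for finding in find_untrusted_admin_events(SAMPLE_LOG):
        print(finding)
```

The check fails closed: a malformed source address or an unreadable line is reported rather than skipped, so a gap in logging shows up in the same review as an out-of-domain login.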
Implementation tips
- Business owners should ensure that VLAN administration is limited to the most secure area of their network. This might involve consulting with IT professionals to identify which network areas have the strongest protections and setting up VLAN management to only occur there.
- IT managers need to configure network devices so that administrative actions can only be performed from trusted locations. This includes using security measures like firewalls and encryption to guard against unauthorised access.
- Network administrators should regularly update the security measures on devices used to manage VLANs. This can be done by applying patches, updating passwords, and ensuring only selected individuals have administrative permissions.
- Managers should perform routine checks to confirm that only authorised personnel have access to VLAN management tools. This involves reviewing access logs and permissions to ensure they are up to date and appropriately restricted.
- Organisational security leads should collaborate with IT teams to create policies that enforce strong security practices for VLAN management. These policies should include guidelines on access controls and procedures for monitoring and responding to potential security breaches.
Audit / evidence tips
- Ask: a network map showing VLAN management zones: Request documentation that maps out the network and highlights the sections from where VLAN administration is performed.
  Good: shows administrative actions being clearly restricted to these secured zones.
- Good: limits access to highly secure locations or devices.
- Ask: the configuration settings of the devices managing VLANs: Request documented settings or screenshots.
  Good: will have these settings actively applied.
- Ask: logs of administrative access to VLAN management: Logs should capture details about who accessed the management tools and when.
  Good: shows logs reviewed regularly for anomalies.
- Good: includes thorough procedures that align with security best practices.
Cross-framework mappings
How ISM-0530 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| Annex A 5.15 | ISM-0530 requires a specific access rule: VLAN-managing network devices must be administered from the most trusted security domain | |
| Annex A 8.3 | ISM-0530 requires restricting VLAN administrative access so that management occurs only from the most trusted security domain | |
| Annex A 8.20 | ISM-0530 requires that network devices used to manage VLANs are administered only from the most trusted security domain | |
| Supports (3) | | |
| Annex A 8.9 | ISM-0530 requires VLAN administration to occur from the most trusted security domain, effectively defining a security configuration requi... | |
| Annex A 8.21 | ISM-0530 requires that administration of VLAN-managing network devices is performed only from the most trusted security domain | |
| Annex A 8.22 | ISM-0530 requires VLAN management interfaces and activities to be administered from the most trusted security domain | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.