ISM-0536: ASD Information Security Manual (ISM)

Segregate Public Wireless Networks from Organisation Networks

Public Wi-Fi must be separate from other organisation networks to ensure security.

Plain language

Imagine you’re running a café that offers free Wi-Fi to customers. This control is about making sure your café's customer Wi-Fi is kept completely separate from the systems you use to run the café, like your sales and inventory software. If you don’t do this, a hacker could use the public Wi-Fi to access and mess with your business systems, leading to data theft or service disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Public wireless networks provided for general public use are segregated from all other organisation networks.
ASD Information Security Manual (ISM), ISM-0536

Why it matters

Without segregation of public Wi‑Fi, attackers can pivot from guest access into internal networks, enabling data theft or service disruption.

Operational notes

Regularly audit configurations to confirm that public Wi‑Fi uses separate SSIDs/VLANs; enforce firewall deny rules and block routing to internal subnets.

Implementation tips

  • The IT team should create distinct and separate networks for public Wi-Fi and internal business operations. They can do this by using different routers or setting up virtual separation within a single device. The main goal is to make sure there’s no overlap between the public and private networks.
  • Managers should communicate to staff about the importance of connecting business devices only to the secure internal network. This can be done through a simple presentation or a printed guide that explains which network to use for business systems.
  • System owners should regularly review the network configurations to ensure the separation remains intact. This can involve periodic system checks and using network management software to alert if any unauthorised connections are made between networks.
  • Procurement should ensure any new network equipment purchased is capable of supporting separate networks. This might involve buying routers that can handle multiple networks and have strong security features built in.
  • The IT team should implement a firewall to manage traffic between the public and private networks. This can be done by setting up rules that block any attempts to access the business network from the public Wi-Fi, ensuring no data can accidentally cross between the two.
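
One way to automate the configuration audit and firewall review described above, as an added example that is not part of the ISM or of this page: it checks a guest subnet against internal subnets for address overlap, allow rules that match before any covering deny, and missing deny coverage. The rule format, subnets and function names are assumptions constructed for illustration (IPv4 only); export your firewall's rules into this shape.

```python
import ipaddress as ip

# Constructed sample data (not from any real network).
GUEST = "192.168.50.0/24"
INTERNAL = ["10.0.0.0/16", "10.20.0.0/24"]
SAMPLE_RULES = [  # ordered, first match wins: (action, source, destination)
    ("allow", "192.168.50.0/24", "10.20.0.10/32"),  # stale exception above the deny
    ("deny", "192.168.50.0/24", "10.0.0.0/8"),
    ("allow", "192.168.50.0/24", "0.0.0.0/0"),      # internet access for guests
]

def _inter(a, b):
    """Intersection of two CIDR blocks: the narrower one, or None if disjoint."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b

def audit_segregation(guest, internal, rules):
    """Return a list of findings; an empty list means no path was found."""
    guest = ip.ip_network(guest)
    parsed = [(a, ip.ip_network(s), ip.ip_network(d)) for a, s, d in rules]
    findings = []
    for net in map(ip.ip_network, internal):
        if guest.overlaps(net):
            findings.append(f"address overlap: {guest} and {net}")
        denies = []  # (src, dst) of deny rules seen so far, in rule order
        for action, src, dst in parsed:
            s, d = _inter(src, guest), _inter(dst, net)
            if s is None or d is None:
                continue  # rule does not touch guest -> this internal subnet
            if action == "deny":
                denies.append((src, dst))
            # Conservative: an allow is safe only if one earlier deny covers it fully.
            elif not any(ds.supernet_of(s) and dd.supernet_of(d) for ds, dd in denies):
                findings.append(f"allow reachable: {src} -> {dst} exposes {d}")
        if not any(ds.supernet_of(guest) and dd.supernet_of(net) for ds, dd in denies):
            findings.append(f"no deny rule covers {guest} -> {net}")
    return findings

if __name__ == "__main__":
    for finding in audit_segregation(GUEST, INTERNAL, SAMPLE_RULES):
        print("FINDING:", finding)
```

The check is deliberately conservative: a deny that only partly covers the guest or internal range does not count as shadowing a later allow, so such cases are reported for manual review.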

Audit / evidence tips

  • Ask for the network configuration document: request detailed diagrams or settings that show how the networks are separated. Good: completely different ranges without shared access points.
  • Ask to see the network traffic logs: request logs that show recent network traffic to ensure no cross-network activity, and check the origin and destination points in the logs. Good: logs showing only permissible traffic within each network's bounds.
  • Ask for incident reports involving network access issues: request records of any security incidents or breaches. Good: no reported incidents of cross-network access.
  • Ask to review the policy document on network use: request the policy that outlines network usage rules for staff and public users. Good: a well-documented policy with clear, enforced guidelines.
  • Ask for records of staff training on network use: request evidence of any training sessions or materials provided to employees regarding network use. Good: documented training sessions with confirmed participant lists.

Cross-framework mappings

How ISM-0536 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

Control: Annex A 8.22
Notes: ISM-0536 requires that public wireless networks provided for general public use are segregated from all other organisation networks

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
