ISM-1181: ASD Information Security Manual (ISM)

Segregate Networks by Server Criticality

Networks have separate zones based on the importance of servers, services, and data.


Plain language

This control is about splitting your computer network into separate parts based on how important the servers and data are. By doing this, you can protect the really important bits better, because if the weaker areas of your network are attacked, the attackers can't easily reach the crucial parts where sensitive data might be stored.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Networks are segregated into multiple network zones according to the criticality of servers, services and data.

Why it matters

Without network segregation, a breach in one area could provide attackers seamless access to high-value servers, risking critical data exposure and significant damage.


Operational notes

Review server criticality regularly and adjust network zones, firewall rules and routing so high-value services and data remain isolated from lower-trust areas.


Implementation tips

  • The IT team should identify critical servers and data: Start by making a list of all the servers and which ones hold the most important or sensitive information. This can be done by reviewing what data or services these servers handle and determining how essential they are to the business.
  • IT managers should create distinct network zones: Once critical servers are identified, segment the network into zones. Put the most sensitive servers in a highly secure zone and apply stricter access controls by using network configuration tools or firewall rules.
  • System administrators should control access between zones: Set rules about who can move between network zones. This could mean setting up permissions so only certain employees can access specific zones, using password protection or physical access controls.
  • The IT team should regularly audit network segmentation: Conduct regular checks to make sure that the separation between network zones is maintained. Use tools that show network traffic to verify that data is only moving between zones as authorised.
  • System owners should review the criticality of servers periodically: Every few months, have a meeting to review your list of critical servers and update any changes to server importance or data sensitivity. Document any changes and update network zones as necessary.
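
One way to run the checks described in the tips above, shown as an added example that is not part of the ISM or of this page's own material: it compares a server inventory against the zone each server sits in, then tests flow records against a matrix of authorised cross-zone flows. All zone names, subnets, servers, ports and flow records are constructed sample data.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the ISM or this page).
ZONES = {  # zone name -> (subnet, criticality tier hosted there)
    "restricted": ("10.10.0.0/24", "high"),
    "internal":   ("10.20.0.0/24", "medium"),
    "user":       ("10.30.0.0/24", "low"),
}
SERVERS = {  # server inventory: name -> (IP, assessed criticality)
    "payroll-db": ("10.10.0.5", "high"),
    "intranet":   ("10.20.0.8", "medium"),
    "hr-reports": ("10.30.0.77", "high"),  # deliberately in the wrong zone
}
ALLOWED = {  # authorised cross-zone flows: (src zone, dst zone, dst port)
    ("internal", "restricted", 5432),
    ("user", "internal", 443),
}
FLOWS = [  # (src IP, dst IP, dst port), as exported from a flow-log tool
    ("10.20.0.8", "10.10.0.5", 5432),
    ("10.30.0.41", "10.20.0.8", 443),
    ("10.30.0.41", "10.10.0.5", 5432),  # user zone straight to restricted
    ("10.20.0.8", "10.20.0.9", 22),     # same zone, not a zone crossing
]

def zone_of(ip):
    """Return the zone whose subnet contains ip, or None if unzoned."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, _tier) in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def misplaced_servers():
    """Servers whose assessed criticality differs from their zone's tier."""
    out = []
    for name, (ip, crit) in SERVERS.items():
        zone = zone_of(ip)
        if zone is None or ZONES[zone][1] != crit:
            out.append((name, crit, zone))
    return out

def unauthorised_flows():
    """Cross-zone flows that are not in the ALLOWED matrix."""
    bad = []
    for src, dst, port in FLOWS:
        sz, dz = zone_of(src), zone_of(dst)
        if sz != dz and (sz, dz, port) not in ALLOWED:
            bad.append((src, dst, port, sz, dz))
    return bad

if __name__ == "__main__":
    print("Misplaced:", misplaced_servers())
    print("Unauthorised:", unauthorised_flows())
```

The two result lists correspond to the evidence an auditor would ask for: a server-to-zone list with no mismatches, and monitoring output showing no cross-zone traffic outside the authorised matrix.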

Audit / evidence tips

  • Ask: The network zoning plan. Request the document or map showing the network's different zones. Good: A map showing clear separation and stricter rules for access to important servers.
  • Ask: To see logs or reports showing who has accessed different zones in the network. Good: Logs showing access requests approved for legitimate reasons only.
  • Good: A comprehensive list that shows each server's importance and its corresponding network zone.
  • Ask: To see network monitoring records. Request records or summaries from network monitoring tools. Good: A report showing regular checks and an alert system for unusual activity between zones.
  • Ask: The most recent audit of the network segmentation. Good: A report detailing what was checked, who did it, and documented proof of any issues being rectified.

Cross-framework mappings

How ISM-1181 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Related (1)

Control: Annex A 8.22
Notes: ISM-1181 requires networks to be segregated into multiple zones based on the criticality of servers, services and data

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
