ISM-1182 (ASD Information Security Manual)

Implement Network Traffic Control Measures

Restrict network traffic flow to ensure it only supports business needs.


Plain language

This control is about making sure network traffic in your organisation is limited to what your business actually needs. Every network path that has no business purpose is a path an attacker can use once they are inside; by removing those paths, you make it harder for an intrusion on one system to spread to others or to reach sensitive data.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Network access controls are implemented to limit the flow of network traffic within and between network segments to only that required for business purposes.

Why it matters

Without network access controls within and between segments, a compromised host can reach every other host, so unnecessary traffic paths become routes for lateral movement and data exfiltration across internal networks.


Operational notes

Maintain an allow-list of inter-segment rules with a recorded business justification for each (deny by default), put firewall and ACL changes through change review, and monitor east-west flows so that traffic with no matching rule is detected and rules no flow exercises are retired.


Implementation tips

  • IT team should map out all current network traffic: Build an inventory of which systems connect to which, on what ports and protocols, so you know what daily operations actually require. Use flow records or firewall logs rather than assumptions, then identify which of those connections are essential for business activities.
  • Business manager and IT team should work together: Agree which business functions need network connectivity and record the justification for each required flow. Connections that no one can justify are candidates to be reduced or removed, leaving a smaller attack surface.
  • IT team should establish network segmentation: Divide the network into segments (for example user workstations, application servers, databases, management) and place enforcement points such as firewalls or router ACLs at the boundaries. Write the rules as deny by default, allowing only the justified flows between (and, where relevant, within) segments.
  • System owner should regularly review network access: Review the rule set on a fixed cycle, such as quarterly, to confirm every rule still has a current business need. Remove rules that are no longer used, document changes in traffic patterns, and update the rule set accordingly.
  • IT team should monitor network activities: Monitor east-west traffic continuously so that connections not covered by a rule, or attempts that are blocked, are detected. Raise alerts for unexpected traffic patterns or potential intrusions so the team can investigate promptly.
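An added example, not from the ISM or the Control Stack page, of the deny-by-default allow-list and the east-west flow check that the operational notes and implementation tips describe, in Python. The segment names, CIDRs, policy rules and flow records are constructed for illustration; `audit` reports flows with no matching rule (including workstation-to-workstation traffic within a segment and traffic to an address in no known segment) and rules that no observed flow exercised, and `to_nft` renders the same allow-list as an nftables forward chain with `policy drop` so the enforced rules and the documented rules come from one source.

```python
"""Audit observed east-west flows against a deny-by-default inter-segment allow-list.

Added example: not the ISM's or Control Stack's own code. Segment names, CIDRs,
policy rules and flow records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segment map (in practice: from the network diagram / IPAM).
SEGMENTS = {
    "user-lan": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str  # source segment name
    dst: str  # destination segment name
    proto: str  # "tcp" or "udp"
    dport: int  # destination port
    justification: str  # business reason recorded with the rule


# Constructed allow-list. Anything not listed here is denied (deny by default),
# including traffic within a segment, since the control covers "within and between".
POLICY = [
    Rule("user-lan", "app", "tcp", 443, "Staff use the HR portal"),
    Rule("app", "db", "tcp", 5432, "HR portal reads its PostgreSQL database"),
    Rule("mgmt", "db", "tcp", 22, "DBA administration"),
    Rule("mgmt", "app", "tcp", 22, "App server administration"),
]

# Constructed flow records (src_ip, dst_ip, proto, dport), e.g. from NetFlow/IPFIX.
FLOWS = [
    ("10.10.4.21", "10.20.0.5", "tcp", 443),  # workstation -> HR portal
    ("10.20.0.5", "10.30.0.9", "tcp", 5432),  # HR portal -> its database
    ("10.99.0.3", "10.30.0.9", "tcp", 22),  # jump host -> database
    ("10.10.4.21", "10.30.0.9", "tcp", 5432),  # workstation straight to the database
    ("10.10.4.21", "10.10.4.22", "tcp", 445),  # workstation -> workstation SMB
    ("10.20.0.5", "203.0.113.7", "tcp", 443),  # app server -> address in no segment
]


def segment_of(ip):
    """Name of the segment containing ip, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def matching_rule(flow, policy):
    """First allow rule covering the flow, or None (deny by default)."""
    src_ip, dst_ip, proto, dport = flow
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule in policy:
        if (rule.src, rule.dst, rule.proto, rule.dport) == (src, dst, proto.lower(), dport):
            return rule
    return None


def audit(flows, policy=POLICY):
    """Return (violations, unused_rules).

    violations: flows no rule allows, tagged with their segment pair; these are the
    paths to block or investigate (lateral movement, exfiltration).
    unused_rules: rules no observed flow exercised; candidates to remove at review.
    """
    violations, used = [], set()
    for flow in flows:
        rule = matching_rule(flow, policy)
        if rule is None:
            src_ip, dst_ip, proto, dport = flow
            violations.append((segment_of(src_ip), segment_of(dst_ip), proto, dport, src_ip, dst_ip))
        else:
            used.add(rule)
    unused = [r for r in policy if r not in used]
    return violations, unused


def to_nft(policy):
    """Render the allow-list as an nftables forward chain with 'policy drop'."""
    lines = ["table inet segments {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        lines.append(f"    ip saddr {SEGMENTS[r.src]} ip daddr {SEGMENTS[r.dst]} "
                     f"{r.proto} dport {r.dport} accept comment \"{r.justification}\"")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    bad, stale = audit(FLOWS)
    for v in bad:
        print("NO MATCHING RULE:", v)
    for r in stale:
        print("UNUSED RULE (review):", r)
    print(to_nft(POLICY))
```

Run against the constructed flows, the audit flags three paths with no rule (workstation to database, workstation to workstation SMB, app server to an address outside every segment) and one rule that nothing used (management SSH to the app segment), which is exactly the evidence a quarterly review needs: the first list feeds incident investigation or new blocks, the second feeds rule removal. Keeping the justification on each rule and emitting it as the nftables rule comment means the deployed ruleset carries the same business rationale as the documentation the audit tips ask for.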

Audit / evidence tips

  • Ask: A network diagram. Request the current map showing all network segments and connections. Good evidence: A clear diagram showing segmented network paths with justifications for each connection.
  • Ask: A list of network access rules. Request documentation of current network controls in place. Good evidence: A detailed list showing segment access rules with business justification.
  • Ask: Recent network access reviews. Request records of the latest reviews of network traffic control measures. Good evidence: Dated reviews showing analysis of traffic patterns and documented changes made for business alignment.
  • Ask: Incident reports related to network traffic. Request reports of any security incidents related to network access. Good evidence: Completed incident reports showing response measures and preventive actions taken.
  • Ask: Monitoring logs or alerts. Request samples of logs from network monitoring activities. Good evidence: Logs showing proactive monitoring with documented response to anomalies.

Cross-framework mappings

How ISM-1182 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.20: ISM-1182 requires limiting the flow of network traffic within and between network segments to only what is required for business purposes.
Partially overlaps (2)
  • Annex A 8.21: Annex A 8.21 requires organisations to implement and monitor security mechanisms for network services and ensure they meet defined requir...
  • Annex A 8.22: Annex A 8.22 requires segregating groups of information services, users, and information systems within organisation networks to limit ri...
Related (1)
  • Annex A 5.15: Annex A 5.15 requires rules to control logical and physical access to information and assets based on business need.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

Mapping detail

Mapping | Direction | Controls