Separate Network Segments for Database Servers
Databases should be on a different network than user computers to enhance security.
Plain language
This control is about keeping your database servers, which store important business information, on a separate computer network from the one your employees use for everyday tasks. This is like keeping your company's safe in a locked room with controlled access so outsiders and even some insiders can't easily get to it. If database servers are not separated, it increases the risk of unauthorised access, which could lead to data leaks, financial loss, or damage to your business's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Database servers are placed on a different network segment to user workstations.
Why it matters
Without separating database servers from user workstations, a compromised endpoint can reach databases directly, enabling unauthorised access, exfiltration, or tampering.
Operational notes
Place database servers in a separate VLAN/subnet from user networks; restrict inter-segment access with firewalls/ACLs to only required ports and source hosts.
Implementation tips
- The IT team should assess the current network layout to identify where database servers are located. They can do this by mapping out the existing network connections and identifying which devices are acting as database servers.
- An IT manager should work with a network specialist to create a new network segment specifically for the database servers. This involves setting up a virtual local area network (VLAN) or a separate physical network to isolate the servers from user workstations.
- The system administrator should configure network access controls to limit who and what can connect to the database network. This might involve setting up firewalls and access control lists that only allow specific devices or users to connect.
- The IT team should regularly test and monitor the network segmentation to ensure it's working effectively. They can use network monitoring tools to check that data flows are going through the designated segments and not crossing over into unauthorised areas.
- Management should ensure that all employees understand the importance of network segmentation. This can be done through regular training sessions that explain why keeping databases secure is crucial for protecting business data and maintaining customer trust.
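As an added example (not from the Control Stack page or the ISM), the script below models the operational note above and the test-and-monitor step of the implementation tips: it holds the allowlist that the firewall/ACL between the user, application and database segments is supposed to enforce, renders that allowlist as nftables-style rules, and checks a handful of constructed flow records to flag any traffic that reached the database segment without a matching rule. All addresses, port choices, the flow-record format and the rule wording are assumptions made for illustration.

```python
"""Added example (not the page's own code): check flow records against a
database-segment access policy and render the matching firewall allowlist.
All addresses and the flow-record format are constructed for illustration."""
import ipaddress
from typing import NamedTuple

# Hypothetical addressing for the segments discussed in the control.
USER_SEGMENT = ipaddress.ip_network("10.10.0.0/24")  # user workstations
APP_SEGMENT = ipaddress.ip_network("10.20.0.0/24")   # application servers
DB_SEGMENT = ipaddress.ip_network("10.50.0.0/24")    # database servers only
JUMP_HOST = ipaddress.ip_network("10.30.0.5/32")     # admin jump host

# Allowlist into the database segment: (source, destination, TCP port).
# Anything not listed here that targets DB_SEGMENT is a segmentation violation.
ALLOWED_INTO_DB = [
    (APP_SEGMENT, DB_SEGMENT, 5432),  # application tier to PostgreSQL
    (JUMP_HOST, DB_SEGMENT, 22),      # administration via the jump host only
]


class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow record such as
    'src=10.10.0.7 dst=10.50.0.10 dport=5432 proto=tcp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        ipaddress.ip_address(fields["src"]),
        ipaddress.ip_address(fields["dst"]),
        int(fields["dport"]),
        fields["proto"].lower(),
    )


def is_permitted(flow: Flow) -> bool:
    """The policy only governs traffic entering the database segment."""
    if flow.dst not in DB_SEGMENT:
        return True
    if flow.proto != "tcp":
        return False  # only TCP services are published from the segment
    return any(
        flow.src in src_net and flow.dst in dst_net and flow.dport == port
        for src_net, dst_net, port in ALLOWED_INTO_DB
    )


def find_violations(lines):
    """Return every flow that entered the database segment without a matching allow rule."""
    return [flow for flow in map(parse_flow, lines) if not is_permitted(flow)]


def render_nft_rules():
    """Express the same allowlist as nftables rule lines (default deny into the segment)."""
    rules = [
        f"ip saddr {src} ip daddr {dst} tcp dport {port} ct state new accept"
        for src, dst, port in ALLOWED_INTO_DB
    ]
    rules.append(f"ip daddr {DB_SEGMENT} drop")
    return rules


# Constructed sample of inter-segment flow records, as a monitoring tool might export them.
SAMPLE_FLOWS = [
    "src=10.20.0.4 dst=10.50.0.10 dport=5432 proto=tcp",  # app tier to database: expected
    "src=10.10.0.7 dst=10.50.0.10 dport=5432 proto=tcp",  # workstation straight to database: violation
    "src=10.10.0.7 dst=10.20.0.4 dport=443 proto=tcp",    # workstation to app tier: outside policy scope
    "src=10.30.0.5 dst=10.50.0.10 dport=22 proto=tcp",    # jump host SSH: expected
    "src=10.20.0.4 dst=10.50.0.10 dport=22 proto=tcp",    # app tier SSH to database: violation
]

if __name__ == "__main__":
    for rule in render_nft_rules():
        print(rule)
    for bad in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {bad.src} -> {bad.dst}:{bad.dport}/{bad.proto}")
```

Running it prints the rule lines followed by the two flows that should never appear once the segment is in place: a workstation talking to the database directly, and an application server reaching the database on a port the allowlist does not publish. The same policy object drives both the rules and the audit, so the firewall configuration and the log check an auditor asks for cannot drift apart.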
Audit / evidence tips
- Ask: the network diagram. Request a current diagram of the organisation's network layout.
  Good: shows a clear, separate segment for the database servers, away from user computers.
- Good: includes specifics on which devices or users are allowed access.
- Ask: recent firewall configurations. Request the latest firewall settings overseeing the network. Look to see if the settings properly restrict traffic to the database segment.
  Good: shows restrictive access policies focused on protecting the database segment.
- Ask: recent logs monitoring data flow within the network.
  Good: shows that data from user workstations doesn't enter the database segment.
- Ask: staff training records. Request documentation of recent training sessions about network security.
  Good: shows regular training sessions informing staff about the importance of network separation.
Cross-framework mappings
How ISM-1270 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.20 | ISM-1270 requires a concrete network architecture outcome: database servers are separated onto a different network segment from user work... | |
| Annex A 8.22 | ISM-1270 requires database servers to be placed on a different network segment to user workstations to reduce exposure and limit lateral ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.