Segregate Critical Services to Prevent DoS Attacks
Critical online services are kept separate to reduce the risk of service disruption from attacks.
Plain language
This control is about keeping your most important online services separate from others to reduce the risk of them being disrupted by denial-of-service (DoS) attacks. These attacks can overwhelm your system, like a traffic jam clogging a road, preventing legitimate users from accessing your service. By segregating critical services, you minimise the chances of key parts of your business getting caught up in such disturbances.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Official control statement
Critical online services are segregated from other online services that are more likely to be targeted as part of denial-of-service attacks.
Why it matters
Without segregation, DoS attacks on exposed services can also disrupt critical online services, causing outages.
Operational notes
Periodically validate segmentation rules so critical services remain isolated from DoS-prone public-facing systems.
Implementation tips
- The IT team should review all online services to identify which are critical for business operations. Start by listing every service you rely on digitally and assess which ones are essential for day-to-day activities. Those identified as critical need to be earmarked for segregation.
- The system administrator needs to set up separate networks for critical services. This can be done by configuring different network segments or using virtual local area networks (VLANs) to isolate them from less critical systems.
- Business managers should work with the IT team to establish clear priorities for the services. Define what services are most critical to everyday operations and ensure these are top of the list for protection and segregation.
- The IT team should implement monitoring to ensure that non-critical service disruptions do not affect critical services. Use basic monitoring tools to check if one part of your network is experiencing unusual traffic spikes that could indicate an attack.
- System owners should regularly review the separated setup to confirm it is effective. Schedule routine checks, perhaps monthly or quarterly, to ensure the critical services remain properly segregated and adjust setups as changes in service use occur.
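One way to run the periodic validation described in the operational notes and the last implementation tip, as an added example that is not part of the original page. The inventory, service names, VLAN IDs and subnets are constructed, and treating "segregated" as "no shared VLAN and no overlapping subnet" is an assumption of this sketch.

```python
import ipaddress
import sys
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    critical: bool       # earmarked as critical by the business
    public_facing: bool  # internet-exposed, so a more likely DoS target
    vlan: int
    subnet: str          # CIDR of the segment hosting the service

# Constructed sample inventory (hypothetical names and addressing).
INVENTORY = [
    Service("payments-api", True, True, 110, "10.10.1.0/24"),
    Service("staff-auth", True, False, 120, "10.10.2.0/24"),
    Service("marketing-site", False, True, 200, "10.20.0.0/24"),
    Service("public-forum", False, True, 120, "10.20.1.0/24"),
    Service("media-origin", False, True, 210, "10.10.1.128/25"),
]

def find_violations(inventory):
    """Return (critical, exposed, reason) for each segregation failure."""
    critical = [s for s in inventory if s.critical]
    # Non-critical, public-facing services are the DoS-prone neighbours.
    exposed = [s for s in inventory if s.public_facing and not s.critical]
    violations = []
    for c in critical:
        c_net = ipaddress.ip_network(c.subnet)
        for e in exposed:
            if c.vlan == e.vlan:
                violations.append((c.name, e.name, f"shared VLAN {c.vlan}"))
            if c_net.overlaps(ipaddress.ip_network(e.subnet)):
                violations.append(
                    (c.name, e.name, f"overlapping subnets {c.subnet} / {e.subnet}")
                )
    return violations

if __name__ == "__main__":
    found = find_violations(INVENTORY)
    for crit, exp, reason in found:
        print(f"FAIL {crit} is not segregated from {exp}: {reason}")
    # Non-zero exit lets a scheduled job flag the review as failed.
    sys.exit(1 if found else 0)
```

The printed output can be kept with each monthly or quarterly review as evidence that the check was run.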
Audit / evidence tips
- Ask for the network diagram: Request a visual map showing how the organisation's network is divided, particularly focusing on critical and non-critical services. Look to see that critical services are clearly segmented from less essential ones.
  Good is a clear diagram with labelled segments distinguishing between critical and non-critical services.
- Good is a well-documented list with justification notes from business leaders or system owners.
- Ask to see the security configurations: Request evidence of security settings that ensure separate critical pathways.
  Good is records showing specific settings that prevent non-critical service disruptions from spilling over.
- Ask for recent reports from network monitoring tools that track current and past disruptions or significant traffic patterns.
  Good is logs showing specific attention to critical services and historical records of traffic.
- Ask to review policy documents: Request the policy or procedure documents that describe how services are categorised and segregated.
  Good includes detailed processes and named staff or teams responsible for maintaining segregation.
Cross-framework mappings
How ISM-1436 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.22 | ISM-1436 requires critical online services to be segregated from other online services that are more likely to be targeted by denial-of-s... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.