ISM-1577, ASD Information Security Manual (ISM)

Ensure Network Segregation from Service Providers

Ensure that an organisation's network is kept separate from its service providers' networks for better security.


Plain language

This control is about making sure your organisation's network, the system your computers and data use to communicate, is kept separate from the networks of any external service providers you work with. This matters because if your networks are mixed, a security issue or attack on the service provider could spill over and affect your business, putting your data and operations at risk.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

An organisation's networks are segregated from their service providers' networks.
ASD Information Security Manual (ISM), ISM-1577

Why it matters

An attacker who breaches a service provider's network could pivot into yours, causing unauthorised access, data theft, or outages if links aren’t segregated.


Operational notes

Review and test segregation of provider connections (VLAN/VRF/ACLs, VPNs, routing, and firewall rules) and remediate any drift detected.


Implementation tips

  • The IT team should create separate network segments for your organisation and your service providers. They can do this by setting up different virtual networks and using firewalls to control the flow of information between them.
  • Managers should ensure that any service agreements with providers include clauses about network segregation. This means when you're negotiating contracts, check that there is a clear statement that your networks will remain separate.
  • System owners should run tests to confirm network segregation is working. This means they should periodically try to send simple data between the networks to ensure it doesn’t get through unless it’s supposed to.
  • Procurement staff should check that any new service providers can meet the requirement of network segregation. They can do this by asking potential providers how they plan to keep the networks separate and by checking if they have had security audits.
  • HR should provide training sessions for employees on why network segregation from service providers is important. This could include workshops or online training to help staff understand how segregation works and why it protects the organisation.

Audit / evidence tips

  • Ask: The network architecture document: Request a diagram showing the organisation's and service providers' network setup. Good: Includes clear demarcations with labelled segments or firewalls separating different networks.
  • Ask: The service agreement documentation: Request the contracts or agreements with service providers. Good: Includes specific provisions ensuring network separation.
  • Ask: The latest network security test reports: Request the results of any security tests or audits that have been conducted. Good: Shows no major issues reported regarding network mixing.
  • Ask: Firewall configuration settings: Request access to documentation on current firewall setups. Good: Shows rules that block unnecessary data flow between different networks.
  • Ask: Employee training records: Request logs of recent training sessions related to network security. Good: Shows regular training sessions with high participation from relevant staff.

Cross-framework mappings

How ISM-1577 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (2)

  • Annex A 8.21: Annex A 8.21 requires an organisation to identify, implement and monitor security mechanisms and service requirements for network services
  • Annex A 8.22: Annex A 8.22 requires segregation of groups of services, users, and systems within organisational networks

Supports (1)

  • Annex A 5.19: ISM-1577 requires an organisation’s networks to be segregated from their service providers’ networks as a concrete technical risk treatme...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
