Network and Network Devices Security
Secure and manage networks to prevent unauthorized access to your information.
Plain language
Imagine your network is like your home: if doors and windows are left open, intruders could easily get in and steal your valuables. This control is about making sure that your business's network and its devices are well-guarded. If they are not, unauthorised people could access sensitive information, potentially harming your reputation and causing financial loss.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
Why it matters
Weak network and device security enables unauthorised access, traffic interception and lateral movement, leading to data breaches and reputational damage.
Operational notes
Harden routers/switches/firewalls, restrict admin access (MFA, least privilege), patch firmware, segment networks, and monitor logs/traffic for anomalies.
Implementation tips
- The IT Manager should classify the information passing through the network by identifying the types of data being handled and understanding their sensitivity. This can be done by conducting an information audit, which is a systematic examination of the data to see how it's used and who needs access.
- The IT Manager needs to maintain up-to-date documentation of the network setup, including diagrams and device configurations. This involves regularly updating network diagrams and keeping records of settings on each device like routers and switches, which helps in identifying gaps and changes in security.
- The Board should ensure policies are in place for managing network devices by assigning clear responsibilities for updates and security monitoring. Implement procedures for regular system checks, including scheduling updates and defining emergency protocols for device issues.
- Procurement and IT departments should work together to ensure network devices are hardened by disabling unused services and applying security patches. This involves setting up a routine schedule for testing and applying updates, ensuring devices like routers cannot be easily exploited.
- The IT Manager should implement logging and monitoring systems to detect any unusual network activity. This can be done by setting up alerts for suspicious activities and keeping a historical record of network traffic flow to quickly spot and respond to threats.
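The operational notes and the last tip above ask for network segmentation and for monitoring of traffic to spot unusual activity. The script below is an added example (not code from this page or from Control Stack) of how those two ideas can be turned into a concrete, repeatable check: a segmentation allow-list is written down as data, and exported flow records are compared against it. The segments, addresses, allow-list and log format are all constructed assumptions; a real deployment would load the organisation's own network documentation and its firewall or NetFlow export instead. The rule names map to the kinds of finding the ISM controls in the mapping table describe (cross-segment flows not required for business, ISM-1182; database servers reachable from user segments, ISM-1270/1271; management-plane access from non-administrative infrastructure, ISM-1386/1899; cleartext management protocols, ISM-1781).

```python
"""Segmentation allow-list check over flow-log lines (added example).

All segments, addresses, ports and log lines below are constructed for
illustration; none come from a real network or from the page.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed segmentation model: name -> address range documented for it.
# Any address outside these ranges is treated as INTERNET.
SEGMENTS = {
    "WORKSTATIONS": ipaddress.ip_network("10.10.0.0/16"),
    "APP_SERVERS": ipaddress.ip_network("10.20.0.0/24"),
    "DB_SERVERS": ipaddress.ip_network("10.30.0.0/24"),
    "ADMIN": ipaddress.ip_network("10.99.0.0/24"),
}

# Assumed management-plane ports: SSH, Telnet, SNMP, NETCONF.
MGMT_PORTS = {22, 23, 161, 830}

# Business-required inter-segment flows (src_segment, dst_segment, dport).
# Anything else crossing a segment boundary is reported.
ALLOWED_FLOWS = {
    ("WORKSTATIONS", "APP_SERVERS", 443),
    ("APP_SERVERS", "DB_SERVERS", 5432),
    ("WORKSTATIONS", "INTERNET", 80),
    ("WORKSTATIONS", "INTERNET", 443),
}

# Constructed flow export: timestamp src dst dport proto, one flow per line.
SAMPLE_FLOW_LOG = """
# ts src dst dport proto
2026-03-19T10:00:01Z 10.10.4.17 10.20.0.10 443 tcp
2026-03-19T10:00:05Z 10.20.0.10 10.30.0.5 5432 tcp
2026-03-19T10:00:09Z 10.10.4.17 10.30.0.5 5432 tcp
2026-03-19T10:00:12Z 10.10.7.3 10.20.0.10 22 tcp
2026-03-19T10:00:15Z 10.99.0.2 10.20.0.10 22 tcp
2026-03-19T10:00:20Z 10.10.4.17 203.0.113.9 443 tcp
2026-03-19T10:00:25Z 203.0.113.9 10.20.0.10 23 tcp
2026-03-19T10:00:30Z 10.10.4.17 10.10.4.18 445 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str


@dataclass(frozen=True)
class Finding:
    flow: Flow
    src_seg: str
    dst_seg: str
    rule: str


def segment_of(addr) -> str:
    """Map an address to its documented segment, or INTERNET if unknown."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "INTERNET"


def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated export; blank and '#' lines are skipped."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport), proto.lower()))
    return flows


def is_allowed(src_seg: str, dst_seg: str, dport: int) -> bool:
    """Allow-list lookup; the ADMIN segment may reach management ports anywhere."""
    if src_seg == "ADMIN" and dport in MGMT_PORTS:
        return True
    return (src_seg, dst_seg, dport) in ALLOWED_FLOWS


def check_flow(flow: Flow) -> list[str]:
    """Return every rule a single cross-segment flow violates (empty if clean)."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:          # intra-segment traffic is out of scope here
        return []
    rules = []
    if flow.dport in MGMT_PORTS and src_seg != "ADMIN":
        rules.append("MGMT_FROM_NON_ADMIN")
    if dst_seg == "DB_SERVERS" and src_seg not in ("APP_SERVERS", "ADMIN"):
        rules.append("DB_REACHED_FROM_UNEXPECTED_SEGMENT")
    if flow.dport == 23:
        rules.append("CLEARTEXT_MGMT_PROTOCOL")
    if not is_allowed(src_seg, dst_seg, flow.dport):
        rules.append("FLOW_NOT_IN_ALLOWLIST")
    return rules


def audit(text: str) -> list[Finding]:
    """One Finding per (flow, violated rule) pair across the whole export."""
    findings = []
    for flow in parse_flows(text):
        src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
        for rule in check_flow(flow):
            findings.append(Finding(flow, src_seg, dst_seg, rule))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, the figure a monitoring dashboard would track."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOW_LOG):
        print(f"{f.flow.ts} {f.src_seg}->{f.dst_seg}:{f.flow.dport} {f.rule}")
    print(summarise(audit(SAMPLE_FLOW_LOG)))
```

Run as-is, the sample export yields seven findings on three flows: the workstation reaching the database directly, a workstation opening SSH to an application server, and an internet address reaching Telnet on the same server. The allow-list is deliberately data rather than code so it can be diffed against the network diagrams and device configurations the documentation tip asks the IT Manager to keep, and a flow that is "not in allow-list" is equally a prompt to update the documentation as it is a potential incident.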
Audit / evidence tips
- Ask: the network documentation, including diagrams and configuration files
- Good: policy is one where all devices have clear ownership and update protocols are well-defined
- Ask: logs of network monitoring activities
- Good: will show detailed reports on security settings, updated regularly according to changes and threats
- Ask: incident response records related to network security events
Cross-framework mappings
How Annex A 8.20 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-RA-ML1.3 | E8-RA-ML1.3 requires privileged accounts to be blocked from internet, email and web services, typically enforced through network controls... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (58) | | |
| ISM-0245 | ISM-0245 requires that multifunction devices (MFDs) are not connected to digital telephone systems to remove an insecure or unnecessary c... | |
| ISM-0267 | ISM-0267 requires blocking access to non-approved webmail services to reduce data exfiltration and shadow IT use via external webmail | |
| ISM-0469 | ISM-0469 requires that an ASD-Approved Cryptographic Protocol (or high assurance cryptographic protocol) is used to protect data when it ... | |
| ISM-0494 | ISM-0494 requires organisations to use IPsec tunnel mode for IPsec connections, and if transport mode is used, to implement an IP tunnel ... | |
| ISM-0520 | ISM-0520 requires network access controls that block unauthorised network devices from connecting | |
| ISM-0530 | ISM-0530 requires that network devices used to manage VLANs are administered only from the most trusted security domain | |
| ISM-0551 | ISM-0551 focuses on securing IP telephony network access by authenticating endpoints to the call controller, preventing auto-registration... | |
| ISM-0558 | ISM-0558 requires public area IP phones to be configured so they cannot reach internal data networks or associated services like voicemai... | |
| ISM-0572 | ISM-0572 requires opportunistic TLS to be enabled on email servers for inbound and outbound connections over public network infrastructur... | |
| ISM-0622 | ISM-0622 requires IT equipment to authenticate to other networks that are accessed via gateways, focusing on device-to-network identity a... | |
| ISM-0628 | ISM-0628 requires gateways between different security domains to enforce controlled and secure traffic flows across domain boundaries | |
| ISM-0631 | ISM-0631 requires gateways to only allow explicitly authorised data flows and to block all other transfers | |
| ISM-0643 | ISM-0643 requires organisations to use evaluated diodes to enforce one-way data flow in unidirectional gateways between internal networks... | |
| ISM-0874 | ISM-0874 requires mobile devices and desktop computers to access the internet via the organisation’s internet gateway rather than directly | |
| ISM-1158 | ISM-1158 requires that network diodes used to enforce one-way data flow in unidirectional gateways between SECRET/TOP SECRET networks and... | |
| ISM-1182 | ISM-1182 requires limiting the flow of network traffic within and between network segments to only what is required for business purposes | |
| ISM-1192 | ISM-1192 requires gateways to inspect and filter data flows at the transport layer and above to control what traverses network boundaries | |
| ISM-1270 | ISM-1270 requires a concrete network architecture outcome: database servers are separated onto a different network segment from user work... | |
| ISM-1271 | ISM-1271 requires network access controls that restrict database server communications to strictly defined network resources that need ac... | |
| ISM-1272 | ISM-1272 requires organisations to disable database networking or bind the DBMS listener to localhost when remote database access is not ... | |
| ISM-1297 | ISM-1297 requires organisations to change or disable default accounts on network devices to reduce the risk of unauthorised access using ... | |
| ISM-1304 | ISM-1304 requires default user accounts or credentials on network devices (including pre-configured accounts) to be changed, disabled or ... | |
| ISM-1311 | ISM-1311 requires organisations to prevent the use of insecure SNMP versions (SNMPv1 and SNMPv2) on networks | |
| ISM-1314 | ISM-1314 requires that all wireless devices used by the organisation are Wi‑Fi Alliance certified | |
| ISM-1315 | ISM-1315 requires organisations to disable the administrative interface on wireless access points for wireless network connections, preve... | |
| ISM-1317 | ISM-1317 requires that SSIDs for non-public wireless networks are named so they are not readily associated with the organisation, its loc... | |
| ISM-1318 | ISM-1318 requires organisations to harden wireless access points by disabling SSID broadcasting to reduce wireless network discoverability | |
| ISM-1319 | ISM-1319 requires organisations to avoid using static IP addressing for devices on wireless networks | |
| ISM-1320 | ISM-1320 requires that MAC address filtering is not used to restrict which devices can connect to wireless networks, because it is not an... | |
| ISM-1321 | ISM-1321 addresses securing wireless network access by requiring 802.1X EAP-TLS mutual authentication with X.509 certificates and disabli... | |
| ISM-1322 | ISM-1322 requires use of evaluated 802.1X ecosystem components to provide trustworthy authentication for wireless network access | |
| ISM-1323 | ISM-1323 requires that devices and users present certificates to access wireless networks, enforcing strong, credential-based network adm... | |
| ISM-1332 | ISM-1332 requires WPA3-Enterprise 192-bit mode to protect the confidentiality and integrity of all wireless network traffic | |
| ISM-1338 | ISM-1338 requires organisations to engineer Wi-Fi coverage using a greater number of lower-powered wireless access points rather than few... | |
| ISM-1364 | ISM-1364 addresses a specific network-device configuration requirement: VLANs for different security domains must terminate on separate p... | |
| ISM-1386 | ISM-1386 requires that network management traffic can only originate from authorised administrative infrastructure | |
| ISM-1416 | ISM-1416 requires software firewalls on workstations and servers to restrict inbound and outbound network connections to an organisation-... | |
| ISM-1427 | ISM-1427 requires gateways to perform ingress traffic filtering to detect and prevent IP source address spoofing | |
| ISM-1430 | ISM-1430 requires organisations to use DHCPv6 in a stateful mode to dynamically assign IPv6 addresses and store lease data in a centralis... | |
| ISM-1439 | ISM-1439 focuses on protecting origin servers behind CDNs by preventing IP disclosure and enforcing network access restrictions to only t... | |
| ISM-1521 | ISM-1521 requires CDSs to implement protocol breaks at each network layer to enforce strong separation of data flows between layers | |
| ISM-1532 | ISM-1532 requires organisations to avoid using VLANs as the separation mechanism between internal networks and public network infrastruct... | |
| ISM-1553 | ISM-1553 requires TLS compression to be disabled for TLS connections to reduce protocol-level cryptographic risk | |
| ISM-1562 | ISM-1562 requires video conferencing and IP telephony infrastructure to be hardened to reduce exposure to compromise | |
| ISM-1628 | ISM-1628 requires organisations to block outbound network connections to anonymity networks (e.g | |
| ISM-1753 | ISM-1753 requires that internet-facing network devices that are no longer vendor-supported are replaced | |
| ISM-1774 | ISM-1774 requires gateways to be managed via a secure management path that is isolated from all connected networks | |
| ISM-1781 | ISM-1781 requires all data communicated over network infrastructure to be encrypted to protect confidentiality and reduce interception risk | |
| ISM-1782 | ISM-1782 requires implementing protective DNS to block resolution of known malicious domains, reducing exposure to malicious infrastructure | |
| ISM-1800 | ISM-1800 requires network devices to be flashed with trusted firmware before they are used for the first time, reducing the risk of compr... | |
| ISM-1862 | ISM-1862 requires securing web hosting behind a WAF by avoiding disclosure of origin server IP addresses and restricting inbound connecti... | |
| ISM-1863 | ISM-1863 requires that networked management interfaces for IT equipment are not directly exposed to the internet | |
| ISM-1899 | ISM-1899 requires that non-administrative network devices cannot initiate connections to administrative infrastructure, enforcing strong ... | |
| ISM-1929 | ISM-1929 requires LDAP signing to be enabled on Microsoft AD DS domain controllers to protect directory authentication/integrity against ... | |
| ISM-1964 | ISM-1964 requires central logging of security-relevant events from non-internet-facing network devices | |
| ISM-1981 | ISM-1981 requires a specific action: replacing non-internet-facing network devices that are no longer vendor-supported | |
| ISM-2017 | ISM-2017 requires DNS traffic to be encrypted between clients and servers wherever supported to protect DNS queries and responses from in... | |
| ISM-2097 | ISM-2097 requires mobile devices to be configured with always on VPN so their network traffic is protected in transit regardless of the n... | |
| Partially overlaps (1) | | |
| ISM-1296 | ISM-1296 requires physical protections for network devices in public areas to prevent physical damage or unauthorised physical access | |
| Supports (21) | | |
| ISM-0467 | ISM-0467 requires HACE for SECRET and TOP SECRET data on insecure networks | |
| ISM-0516 | ISM-0516 requires organisations to maintain comprehensive network diagrams that show inbound/outbound connections and the placement of cr... | |
| ISM-0518 | ISM-0518 requires organisations to develop, implement and maintain network documentation to support effective network management | |
| ISM-0529 | ISM-0529 requires that VLANs are not used to separate network traffic between different security domains, pushing organisations to use st... | |
| ISM-0548 | ISM-0548 requires video conferencing and IP telephony calls to be established using a secure session initiation protocol to protect call ... | |
| ISM-0629 | ISM-0629 requires that for gateways between different security domains, any shared components are administered by the higher security dom... | |
| ISM-0639 | ISM-0639 addresses high-assurance evaluation and use of firewalls/diode gateways between different security domains | |
| ISM-0694 | ISM-0694 requires preventing privately-owned devices from accessing SECRET and TOP SECRET systems or data | |
| ISM-1085 | ISM-1085 requires mobile devices to encrypt sensitive or classified data when it is communicated over public network infrastructure | |
| ISM-1284 | ISM-1284 requires that organisations validate the content of files entering or leaving via gateways/CDSs to reduce the risk of malicious ... | |
| ISM-1286 | ISM-1286 requires that files imported or exported via gateways or CDSs undergo content conversion to reduce the risk of unsafe or incompa... | |
| ISM-1289 | ISM-1289 requires gateways or CDSs to unpack archive files so content filtering can be applied to the extracted files during import/export | |
| ISM-1522 | ISM-1522 requires CDSs to enforce security independently on upward and downward transfer paths to prevent cross-domain leakage or backflow | |
| ISM-1604 | ISM-1604 requires hardening the virtualisation/isolation mechanism and restricting administrative interface access, which often includes ... | |
| ISM-1646 | ISM-1646 requires floor plan diagrams to document cabling paths (including inter-floor ingress/egress), conduit/reticulation, and the loc... | |
| ISM-1809 | ISM-1809 requires compensating controls to manage risk from systems that cannot be patched or replaced due to vendor support ending | |
| ISM-1912 | ISM-1912 requires organisations to document device settings for critical and high-value servers, network devices and security appliances | |
| ISM-1963 | ISM-1963 requires security-relevant events for internet-facing network devices to be centrally logged | |
| ISM-1970 | ISM-1970 necessitates segregated environments for malware analysis, supporting the concept in ISO/IEC 27001:2022 Annex A 8.20, which ensu... | |
| ISM-1982 | ISM-1982 requires replacement of unsupported networked IT equipment to avoid operating network infrastructure that can no longer be secur... | |
| ISM-1984 | ISM-1984 requires encryption in transit for event logs sent over networks to a centralised event logging facility, directly reducing the ... | |
| Related (20) | | |
| ISM-0263 | Annex A 8.20 requires secure control of networks, including the use of security devices and controls that protect information traversing ... | |
| ISM-0484 | Annex A 8.20 requires network devices and the services used to manage them to be secured to prevent unauthorised access and protect infor... | |
| ISM-0521 | Annex A 8.20 requires networks and network devices to be securely configured and controlled to protect information and reduce attack surface | |
| ISM-0534 | Annex A 8.20 requires network devices to be secured and controlled to prevent unauthorised access to information and services | |
| ISM-0569 | Annex A 8.20 requires secure management and control of network architecture and traffic handling to protect information in systems and ap... | |
| ISM-1006 | Annex A 8.20 requires networks and network devices to be secured and controlled, including protection of administrative and management pl... | |
| ISM-1028 | Annex A 8.20 addresses securing and controlling networks and network devices across the environment to protect information in systems and... | |
| ISM-1030 | Annex A 8.20 requires networks to be secured, managed and controlled, which includes monitoring and detecting unauthorised or policy-viol... | |
| ISM-1312 | Annex A 8.20 requires organisations to secure and control network devices to prevent unauthorised access and protect information flows | |
| ISM-1316 | Annex A 8.20 requires organisations to secure and control networks and network devices, including configuration management of access tech... | |
| ISM-1330 | Annex A 8.20 requires networks (including wireless) and network devices to be secured and controlled to protect information in connected ... | |
| ISM-1334 | Annex A 8.20 requires networks to be secured and controlled, which includes resilient and interference-aware wireless design where relevant | |
| ISM-1335 | Annex A 8.20 requires secure management and control of networks and network devices to protect information from unauthorised access or in... | |
| ISM-1428 | Annex A 8.20 requires secure management of networks and network devices to reduce opportunities for unauthorised access and data compromise | |
| ISM-1506 | Annex A 8.20 requires secure control and management of network services and device access methods to protect information | |
| ISM-1710 | Annex A 8.20 sets the expectation that network devices are secured, managed and controlled to protect information handled by systems and ... | |
| ISM-1772 | Annex A 8.20 requires networks to be secured, including the protection of communications and inter-network connections | |
| ISM-1783 | Annex A 8.20 requires networks to be secured and controlled, including the integrity of routing where it affects information delivery and... | |
| ISM-1962 | Annex A 8.20 requires networks and network devices to be secured, managed and controlled to protect information in systems and applications | |
| ISM-2018 | Annex A 8.20 requires secure management and control of networks to protect information and maintain trusted connectivity | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.