Annex A 8.21 (ISO/IEC 27001:2022)

Security of Network Services

Ensure network services are secure, reliable, and meet agreed-upon standards.


Plain language

This control is about making sure the network services your organisation uses are safe and reliable. If these services aren't protected, private data could be exposed, and services might become unavailable, causing disruptions and trust issues.

Framework

ISO/IEC 27001:2022

Control effect

Preventative

ISO 27001 domain

Technological controls

Classifications

N/A

Official last update

24 Oct 2022

Control Stack last updated

12 Apr 2026

Maturity levels

N/A

Official control statement

Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.
Source: ISO/IEC 27001:2022, Annex A 8.21

Why it matters

Without secure network services, sensitive data may be exposed or manipulated, leading to service outages and reputational damage.


Operational notes

Define and review network service security mechanisms and SLAs; monitor availability, performance and security metrics with providers.


Implementation tips

  • The IT Manager should identify all network services the organisation uses, whether they're provided internally or by an external vendor. This means making a detailed list that includes the purpose and importance of each service.
  • The Procurement team, when engaging network service providers, should ensure contracts include specific security requirements. This can be done by referencing guidelines from ISO 27002:2022 and the Australian Privacy Act 1988 to ensure proper measures are included in agreements.
  • The IT Support Team should implement security tools like firewalls and encryption for network services. For example, setting up encryption helps keep data safe when it's being sent across networks.
  • The IT Security Officer should regularly check if all network service providers are meeting agreed-upon security standards. This involves setting up regular assessments and requesting security reports from providers.
  • The Board should approve a policy that governs who can access network services and under what conditions. This includes setting up rules about using secure practices like VPNs (Virtual Private Networks) and monitoring access for compliance.

Audit / evidence tips

  • Ask: Contracts or agreements with network service providers. Good: Should show clear commitments to security standards and audit rights agreed upon with providers.
  • Ask: A list of network security tools in use, like firewalls or encryption protocols. Good: Setup will have clear documentation showing regular updates and threat assessments.
  • Good: Policy will align with ISO 27002 guidance and show consideration of Australian standards.
  • Ask: Any third-party security attestations from network service providers.

Cross-framework mappings

How Annex A 8.21 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Supports (1)
  • E8-PO-ML1.5: Annex A 8.21 requires organisations to implement and monitor security mechanisms for network services so they remain secure and reliable

ASD ISM

Partially meets (7)
  • ISM-0558: ISM-0558 mandates that IP phones in public areas are prevented from accessing data networks and sensitive telephony services such as voic...
  • ISM-1186: ISM-1186 requires IPv6 capable network security appliances to be used on IPv6 and dual-stack networks to maintain protective security con...
  • ISM-1314: ISM-1314 requires that all wireless devices are Wi‑Fi Alliance certified, effectively setting a minimum standard for wireless device capa...
  • ISM-1323: ISM-1323 mandates certificate-based authentication for wireless network access by users and devices
  • ISM-1335: ISM-1335 mandates enabling 802.11w to protect wireless management frames against manipulation
  • ISM-1628: ISM-1628 requires organisations to block outbound connections to anonymity networks to reduce exfiltration and command-and-control concea...
  • ISM-1962: ISM-1962 requires SMB version 1 to not be used on networks, reducing exposure to known weaknesses in legacy file-sharing services

Partially overlaps (5)
  • ISM-1182: Annex A 8.21 requires organisations to implement and monitor security mechanisms for network services and ensure they meet defined requir...
  • ISM-1479: ISM-1479 requires servers to minimise communications with other servers at the network and file system level
  • ISM-1577: Annex A 8.21 requires an organisation to identify, implement and monitor security mechanisms and service requirements for network services
  • ISM-1579: Annex A 8.21 focuses on defining and meeting security mechanisms and service levels for network services, including reliability and perfo...
  • ISM-1581: Annex A 8.21 requires security mechanisms, service levels and service requirements for network services to be identified, implemented and...

Supports (12)
  • ISM-0530: ISM-0530 requires that administration of VLAN-managing network devices is performed only from the most trusted security domain
  • ISM-1037: Annex A 8.21 requires security mechanisms for network services to be implemented and monitored
  • ISM-1271: ISM-1271 requires restricting database server network communications to a strictly defined set of permitted network resources
  • ISM-1284: ISM-1284 requires content validation of files traversing gateways/CDSs to control what is permitted to pass between network domains
  • ISM-1297: ISM-1297 requires organisations to change or disable default accounts on network devices to prevent straightforward compromise via known ...
  • ISM-1364: ISM-1364 requires physical interface separation when terminating VLANs from different security domains to minimise unintended cross-domai...
  • ISM-1428: ISM-1428 reduces exposure by ensuring IPv6 tunnelling is not available on network devices unless there is an explicit business requirement
  • ISM-1572: Annex A 8.21 requires network service requirements and service levels to be identified and monitored so services meet agreed standards
  • ISM-1738: Annex A 8.21 requires that security requirements for network services are identified and that implemented mechanisms and service levels a...
  • ISM-1912: ISM-1912 requires network documentation to include device settings for critical and high-value servers and network/security devices
  • ISM-1960: ISM-1960 supports Annex A 8.21 by specifying a monitoring technique for internet-facing devices
  • ISM-2068: ISM-2068 requires organisations to strictly limit internet connectivity to only those networked devices that require access

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.


Want to implement this control?

Mindset Cyber runs PECB-accredited ISO/IEC 27001 training that maps directly to the controls in this library.
