Annex A 8.22 ISO/IEC 27001:2022

Network Segregation for Security

Separate network groups to limit risks and control access between services, users, and systems.

🏛️ Framework

ISO/IEC 27001:2022

🧭 Control effect

Preventative

🧱 ISO 27001 domain

Technological controls

🔐 Classifications

N/A

🗓️ Official last update

24 Oct 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 Maturity levels

N/A

Official control statement
Groups of information services, users and information systems shall be segregated in the organization’s networks.

Source: ISO/IEC 27001:2022

Plain language

Network segregation for security means dividing up a company's network into smaller, isolated parts to keep different activities and data separate. This is important because it limits what can go wrong if one part of the network is breached, ensuring that problems like cyber attacks don't spread throughout the entire organisation.

Why it matters

Without network segregation, attackers can move laterally between services and systems, escalating access and exposing sensitive data.

Operational notes

Review segmentation rules as services change; validate that firewalls/ACLs restrict traffic between segments to only the approved flows, and that no approved flow is silently missing from the rule set.

Implementation tips

  • The IT manager should identify different groups or departments within the organisation that need separate network segments. They can do this by assessing the kinds of data used and the level of access different employees need, ensuring that sensitive information is kept on more secure, isolated sections.
  • The IT team should configure network devices like firewalls to establish clear boundaries between these network segments. They can do so by setting rules that control the flow of information, allowing only necessary connections between the parts of the network while keeping other traffic out.
  • The security team should implement access control policies to ensure only authorised personnel can access parts of the network relevant to their work. This could involve using password protections and user authentication systems aligned with Australia's Privacy Act 1988.
  • The procurement team should ensure that any new network equipment purchased supports network segmentation. This might include routers and switches that facilitate virtual local area networks (VLANs), which help to logically separate network traffic.
  • The IT manager should regularly review and update network segmentation practices to accommodate organisational changes and evolving security threats. They should use guidance from the ISO 27002:2022 and align with local regulations like OAIC requirements.
  • The IT support staff should conduct regular training for employees about the importance of network segregation. They can explain how it protects information security and why certain access restrictions are in place.
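The operational note above asks that firewalls/ACLs be validated against approved inter-segment flows, and the tips describe segmenting by group and permitting only necessary connections. The following is an added example (not code from Control Stack or ISO/IEC 27001) showing how such a check can be automated: it maps each permit rule's CIDRs to a named segment and reports rules that are not on the approved-flow list, plus approved flows that no rule implements. The segment ranges, approved flows and sample rules are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical network segments (constructed sample data, not real ranges)
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "web":   ipaddress.ip_network("10.20.0.0/24"),
    "db":    ipaddress.ip_network("10.30.0.0/24"),
    "admin": ipaddress.ip_network("10.99.0.0/24"),
}

# Approved flows: (source segment, destination segment, protocol, port)
APPROVED = {
    ("users", "web", "tcp", 443),
    ("web", "db", "tcp", 5432),
    ("admin", "db", "tcp", 22),
}

@dataclass(frozen=True)
class Rule:
    src: str    # source CIDR as written in the firewall rule
    dst: str    # destination CIDR
    proto: str
    port: int

def segment_of(cidr: str) -> Optional[str]:
    """Name of the segment that fully contains the CIDR, or None if the
    range spans segments (e.g. 0.0.0.0/0) or belongs to no known segment."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, seg in SEGMENTS.items():
        if net.version == seg.version and net.subnet_of(seg):
            return name
    return None

def audit(rules):
    """Return (unapproved_rules, missing_flows): permit rules whose
    segment-to-segment flow is not approved, and approved flows that no
    rule implements. A rule that maps to no single segment is unapproved."""
    seen = set()
    unapproved = []
    for r in rules:
        flow = (segment_of(r.src), segment_of(r.dst), r.proto, r.port)
        if flow in APPROVED:
            seen.add(flow)
        else:
            unapproved.append(r)
    return unapproved, APPROVED - seen

SAMPLE_RULES = [  # constructed rule set to audit
    Rule("10.10.0.0/16", "10.20.0.0/24", "tcp", 443),
    Rule("10.20.0.0/24", "10.30.0.0/24", "tcp", 5432),
    Rule("10.10.5.0/24", "10.30.0.0/24", "tcp", 5432),  # users -> db: not approved
    Rule("0.0.0.0/0", "10.30.0.0/24", "tcp", 22),       # any -> db: not approved
]
```

Running `audit(SAMPLE_RULES)` flags the two over-permissive rules and reports the admin-to-db SSH flow as approved but unimplemented, which is the kind of drift the periodic review is meant to catch.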

Audit / evidence tips

  • Ask: Request a network diagram showing segmented domains.
  • Ask: Request the network access control policy.
  • Ask: Request records of firewall configurations and rules.
  • Ask: Request logs or audit trails for access attempts to network segments.
  • Ask: Request evidence of employee training and awareness programs on network security.

Cross-framework mappings

How Annex A 8.22 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

E8

Control Notes Details
Supports (2)
E8-RA-ML1.4 E8-RA-ML1.4 requires limiting privileged accounts’ online service access to only what is required for duties
E8-RA-ML1.6 E8-RA-ML1.6 requires that unprivileged accounts cannot logon to privileged operating environments

ASD ISM

Control Notes Details
Partially meets (21)
ISM-0529 ISM-0529 requires that VLANs are not used to separate network traffic between networks belonging to different security domains
ISM-0535 ISM-0535 requires organisations to prevent VLAN trunks from being shared between VLANs belonging to different security domains, to mainta...
ISM-0536 ISM-0536 requires that public wireless networks provided for general public use are segregated from all other organisation networks
ISM-0549 ISM-0549 requires video conferencing and IP telephony traffic to be separated physically or logically from other data traffic
ISM-0556 ISM-0556 requires organisations to keep video conferencing and IP telephony traffic separated from other workstation/data traffic using V...
ISM-0558 ISM-0558 requires that IP phones located in public areas are technically restricted so they cannot access data networks, voicemail, or di...
ISM-0626 ISM-0626 requires organisations to implement Cross Domain Solutions (CDSs) between SECRET or TOP SECRET networks and any other networks i...
ISM-0628 ISM-0628 requires gateways to be implemented between networks belonging to different security domains to control and mediate inter-domain...
ISM-0635 ISM-0635 requires CDSs to implement isolated upward and downward network paths to separate data flows by direction and reduce the risk of...
ISM-0637 ISM-0637 requires gateways to implement a demilitarised zone (DMZ) when external parties need access to an organisation’s services
ISM-0645 ISM-0645 requires high assurance evaluation of evaluated diodes used in unidirectional gateways at SECRET/TOP SECRET to public network bo...
ISM-1269 ISM-1269 requires database servers and web servers to be functionally separated to reduce exposure and limit compromise paths
ISM-1270 ISM-1270 requires database servers to be placed on a different network segment to user workstations to reduce exposure and limit lateral ...
ISM-1364 ISM-1364 requires VLANs from different security domains to be terminated on separate physical network interfaces to prevent cross-domain ...
ISM-1385 ISM-1385 requires administrative infrastructure to be segregated from the wider network and the internet
ISM-1436 ISM-1436 requires critical online services to be segregated from other online services that are more likely to be targeted by denial-of-s...
ISM-1439 ISM-1439 requires organisations using CDNs to avoid disclosing origin server IP addresses and to restrict origin access to the CDN and au...
ISM-1532 ISM-1532 requires that VLANs are not used to separate traffic between an organisation’s networks and public network infrastructure
ISM-1750 ISM-1750 requires administrative infrastructure for critical, high-value, and regular servers to be segregated from each other
ISM-1899 ISM-1899 requires that devices outside administrative infrastructure are prevented from initiating connections into administrative infras...
ISM-1970 ISM-1970 specifies analysis of malicious code in a segregated environment to safeguard other systems
Partially overlaps (8)
ISM-1182 Annex A 8.22 requires segregating groups of information services, users, and information systems within organisation networks to limit ri...
ISM-1271 ISM-1271 requires organisations to restrict database server communications to only the network resources that require access
ISM-1386 ISM-1386 requires that network management traffic can only originate from administrative infrastructure
ISM-1479 ISM-1479 requires servers to minimise communications with other servers at both the network layer and file system level to reduce lateral...
ISM-1562 ISM-1562 mandates hardening of video conferencing and IP telephony infrastructure, often implementing network segregation as a technique
ISM-1577 Annex A 8.22 requires segregation of groups of services, users, and systems within organisational networks
ISM-1774 ISM-1774 requires gateways to be managed over a secure path isolated from networks the gateway connects to (i.e., separation of the manag...
ISM-1862 Annex A 8.22 requires segregating network groups to control access between services and systems
Supports (20)
ISM-0385 ISM-0385 requires servers to be functionally separated so each server can operate independently without interference from others
ISM-0441 ISM-0441 requires that temporary users' access is restricted to the data required for their duties
ISM-0516 ISM-0516 requires high-level and logical network diagrams that show connections, critical servers, high-value servers, and security appli...
ISM-0530 ISM-0530 requires VLAN management interfaces and activities to be administered from the most trusted security domain
ISM-0591 ISM-0591 mandates that evaluated peripheral switches be used to prevent shared devices from bridging segregated systems, thereby supporti...
ISM-0629 ISM-0629 addresses governance of gateways that connect different security domains by mandating trusted administration of shared gateway c...
ISM-0631 ISM-0631 requires gateways to enforce explicitly authorised data flows and block all unauthorised transfers
ISM-0639 ISM-0639 requires the use of evaluated (high assurance) firewalls/diode gateway solutions when interconnecting networks in different secu...
ISM-0643 ISM-0643 requires evaluated diodes to enforce one-way data flow at a unidirectional gateway between organisational networks and public ne...
ISM-0694 ISM-0694 requires that privately-owned mobile devices and desktop computers do not access SECRET and TOP SECRET systems or data
ISM-0874 ISM-0874 requires endpoints to access the internet through a VPN to the organisation’s internet gateway, centralising egress and inspecti...
ISM-1158 ISM-1158 requires high assurance evaluated network diodes for unidirectional gateways separating SECRET/TOP SECRET networks from other ne...
ISM-1277 ISM-1277 requires that communications between web servers and database servers are encrypted, typically using secure channels such as TLS
ISM-1315 ISM-1315 requires organisations to prevent administration of wireless access points via wireless connections by disabling the wireless ad...
ISM-1521 ISM-1521 requires CDSs to implement protocol breaks at each network layer to prevent direct end-to-end protocol continuity and reduce cro...
ISM-1522 ISM-1522 requires CDSs to implement independent security-enforcing functions for both upward and downward data paths across network bound...
ISM-1528 ISM-1528 requires evaluated firewalls to be deployed between an organisation’s networks and public network infrastructure to control and ...
ISM-1633 ISM-1633 requires determining system boundaries and security objectives in line with impact of compromise
ISM-1809 Annex A 8.22 requires segregating groups within organisational networks to limit risk and lateral movement
ISM-2068 ISM-2068 requires organisations to strictly limit internet connectivity to only those networked devices that require access
Related (2)
ISM-0213 ISM-0213 requires SECRET and TOP SECRET network cables to be terminated on separate, dedicated patch panels to enforce physical segregati...
ISM-1181 ISM-1181 requires networks to be segregated into multiple zones based on the criticality of servers, services and data
