ISO 27001 Control 8.20: Networks Security Requirements, Implementation, and Audit Guide

A single compromised endpoint is all it takes. Without network segmentation, an attacker who breaches one system can move laterally across your entire infrastructure — reaching databases, admin consoles, and backup systems before anyone notices. The consequences are severe: data exfiltration, regulatory penalties, and operational disruption that can take months to recover from. ISO 27001 Control 8.20 exists to prevent exactly this scenario by establishing the network security controls that keep attackers contained and data protected.

What 8.20 Requires

ISO 27001 Control 8.20 requires organizations to implement controls that secure networks and network devices — including firewalls and segmentation — to protect the confidentiality and integrity of data and prevent unauthorized network access. In practical terms, this means your organization must actively manage how data flows across its networks and who can access what.

The rationale is straightforward: networks are the transport layer for all organizational data. Email, file transfers, application traffic, authentication requests — everything traverses the network. If that network is compromised, every system connected to it is exposed. A single misconfigured firewall rule or an unhardened switch can become the entry point that undermines your entire security posture.

Control 8.20 addresses this through three pillars. First, device hardening: network equipment like routers, switches, and firewalls must be configured securely with default credentials changed, unnecessary services disabled, and firmware kept current. Second, traffic control: firewalls must enforce least-privilege rules, and network segmentation must isolate sensitive environments from general-purpose zones. Third, monitoring: organizations need visibility into network activity through intrusion detection systems, centralized logging, and alerting on anomalous traffic patterns.

Why 8.20 Matters

Consider this scenario: an attacker compromises a single employee workstation through a phishing email. The workstation sits on a flat network with no segmentation between the corporate environment and production systems. Within minutes, the attacker scans the network, discovers database servers with weak credentials, and begins exfiltrating customer records. Because there is no intrusion detection system in place, the breach goes undetected for weeks.

This is not hypothetical — it is the pattern behind the majority of network-based breaches. According to the CrowdStrike 2025 Global Threat Report, the average eCrime breakout time — the time it takes an attacker to move laterally from an initial compromise to other systems — was just 48 minutes in 2024, with the fastest recorded breakout at 51 seconds.

The business impact of inadequate network security extends well beyond the technical breach itself. Organizations face regulatory fines under GDPR, HIPAA, and other frameworks. ISO 27001 certification can be suspended or revoked. Customer trust erodes rapidly once a breach becomes public. And the operational cost of incident response, forensic investigation, and system rebuilding can consume months of productivity.

What Attackers Exploit

The most common network security weaknesses that attackers target include:

  • Flat networks with no segmentation between production, development, and corporate environments, allowing unrestricted lateral movement
  • Default credentials on network devices — routers, switches, and firewalls shipped with factory passwords that were never changed
  • Unmonitored network traffic that allows lateral movement and data exfiltration to go undetected for weeks or months
  • Missing or outdated network diagrams that prevent incident response teams from understanding the environment during a breach
  • Overly permissive firewall rules accumulated over years of ad hoc changes without periodic review or cleanup
  • Unsecured remote access — VPN without multi-factor authentication, management interfaces exposed directly to the internet
  • Unencrypted data in transit between internal systems, making interception trivial for an attacker with network access

How to Implement 8.20

For Your Organization (First-Party)

Implementing 8.20 requires a structured approach that addresses network architecture, device security, traffic control, and ongoing monitoring. Follow these steps to build a compliant network security program:

1. Create and maintain network architecture diagrams. Document all network zones, device inventory, and traffic flows. This is your foundation — you cannot secure what you have not mapped. Include IP ranges, VLANs, firewall placement, and connections to external networks. Treat these diagrams as living documents, not one-time deliverables.

2. Implement network segmentation. Separate production, development, DMZ, and guest networks using VLANs or physical separation. Follow network segmentation best practices to define trust boundaries effectively, with controlled access points between each zone.

3. Harden network devices. Change all default credentials immediately. Disable unused ports and services. Enforce SSH or HTTPS for all management access. Establish a firmware patching schedule and maintain it.

4. Deploy firewalls with least-privilege rules. Start with a default-deny posture and allow only traffic that has a documented business justification. Every firewall rule should have an owner, a purpose, and a last-reviewed date.

5. Enforce access controls on management interfaces. Use dedicated management networks (out-of-band management where possible). Require multi-factor authentication for all administrative access. Implement role-based access control so that network engineers only have the permissions they need.

6. Implement monitoring and logging. Deploy intrusion detection and prevention systems (IDS/IPS) at network boundaries and between critical segments. Centralize logs in a SIEM platform. Establish alerting thresholds for anomalous traffic patterns such as unusual data volumes, connections to unexpected destinations, or access attempts outside business hours.

7. Establish change management. All network changes — firewall rule modifications, VLAN reconfigurations, new device deployments — require documented approval, implementation, and post-change verification.

8. Conduct regular reviews. Review firewall rules at least annually. Update network diagrams after every infrastructure change. Conduct penetration testing that specifically targets the network layer.
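As an added example that is not code from the original article, the following Python script reviews an exported firewall rule set against the criteria in steps 4 and 8 (default-deny, no any/any permits, an owner, a purpose and a last-reviewed date on every rule, annual review) and the "management interfaces reachable from any source" red flag. The CSV layout, the sample rules, the REFERENCE_DATE and the MGMT_SERVICES list are all constructed assumptions, not a real vendor export.

```python
"""Firewall rule-set hygiene review (added example; not code from the original article).
Flags rules that would fail an 8.20 evidence review (steps 4 and 8 above)."""
import csv
import io
from datetime import date

REVIEW_MAX_DAYS = 365              # assumption: annual rule review cadence (step 8)
REFERENCE_DATE = date(2025, 6, 1)  # constructed "today" so the results are reproducible
MGMT_SERVICES = {"tcp/22", "tcp/23", "tcp/3389"}  # assumption: device management services

# Constructed sample export in a generic CSV layout (not any vendor's real export format).
RULE_EXPORT = """\
id,action,src,dst,service,owner,justification,last_reviewed
10,allow,10.10.0.0/16,10.20.5.10,tcp/443,app-team,Web tier to API,2025-02-01
20,allow,any,any,any,,,2021-06-30
30,allow,0.0.0.0/0,10.0.0.5,tcp/22,,temporary vendor access,2025-01-15
40,deny,any,any,any,netsec,default deny,2025-03-01
"""

def is_wildcard(value):
    """True for source, destination or service values that match everything."""
    return value.strip().lower() in {"any", "0.0.0.0/0", "*"}

def review_rule(rule, today=REFERENCE_DATE):
    """Return the findings for one rule; an empty list means the rule passes review."""
    findings = []
    permit = rule["action"].strip().lower() == "allow"
    if permit and all(is_wildcard(rule[f]) for f in ("src", "dst", "service")):
        findings.append("any/any/any permit")           # violates default-deny (step 4)
    if permit and is_wildcard(rule["src"]) and rule["service"] in MGMT_SERVICES:
        findings.append("management service open to any source")  # red flag above
    for field in ("owner", "justification"):          # every rule needs an owner and a purpose
        if not rule[field].strip():
            findings.append(f"missing {field}")
    try:                                              # and a last-reviewed date within cadence
        if (today - date.fromisoformat(rule["last_reviewed"])).days > REVIEW_MAX_DAYS:
            findings.append(f"review older than {REVIEW_MAX_DAYS} days")
    except ValueError:
        findings.append("missing or invalid last_reviewed date")
    return findings

def review_ruleset(export_text, today=REFERENCE_DATE):
    """Map rule id -> findings for every rule that has at least one finding."""
    results = {}
    for rule in csv.DictReader(io.StringIO(export_text)):
        findings = review_rule(rule, today)
        if findings:
            results[rule["id"]] = findings
    return results
```

Running `review_ruleset(RULE_EXPORT)` on the sample flags rules 20 and 30 and passes the documented default-deny rule 40; the same findings dictionary can be attached to the rule review record an auditor asks for.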

Common mistakes to avoid:

  • Treating network diagrams as a one-time certification deliverable rather than a living document
  • Allowing firewall rule accumulation without periodic cleanup — rules pile up, and no one knows which are still needed
  • Segmenting production from corporate but leaving development environments wide open
  • Excluding wireless networks from the scope of 8.20
  • Using shared admin accounts for network device management, eliminating accountability

For Your Vendors (Third-Party Assessment)

When assessing vendors against 8.20, your questionnaire should include specific questions about their network security posture: “Describe your network segmentation architecture,” “How do you manage firewall rule changes?,” “What IDS/IPS do you operate?,” and “How is remote access to your network secured?”

Request concrete evidence rather than accepting self-attestation alone — a structured vendor risk assessment should validate each claim. Ask for current network architecture diagrams, firewall rule review records, IDS/IPS alert configuration documentation, network-layer penetration test reports from an independent third party, and VPN configuration documentation.

Watch for red flags during the assessment: a vendor that cannot produce a current network diagram, no evidence of firewall rule reviews, flat network architecture with no segmentation, management interfaces accessible from the internet, or no IDS/IPS in place. Any of these indicates a fundamental gap in network security controls.

For higher-assurance verification aligned with ISO 27001 third-party risk requirements, request SOC 2 Type II reports that specifically cover network controls, review penetration test results from an independent assessor, and validate findings through your vendor risk management platform.

Audit Evidence for 8.20

Auditors assessing Control 8.20 will expect specific, documented evidence that your network security controls are implemented and actively maintained. Understanding the ISO 27001 audit process helps you prepare effectively. The following table outlines the key evidence types:

Evidence Type | Example Artifact
Network Security Policy | Policy document defining segmentation strategy, firewall management procedures, and device hardening standards
Network Architecture Diagrams | Version-controlled diagrams showing all zones, VLANs, and traffic flows (classified as Confidential)
Firewall Rule Sets | Exported rule sets with documented business justification and last review date for each rule
Device Hardening Checklist | Completed checklists confirming default credentials changed, unused services disabled, and firmware current
IDS/IPS Configuration | Configuration exports and sample alert reports demonstrating active monitoring and tuned detection rules
Change Management Records | Tickets or workflow records showing approval, implementation, and post-change verification for network changes
Penetration Test Reports | Network-layer assessment reports from qualified testers, including findings and remediation evidence
Access Control Records | MFA enrollment evidence and RBAC configuration for network device management interfaces

Cross-Framework Mapping

Control 8.20 aligns with network security requirements across multiple compliance frameworks. The table below maps 8.20 to its equivalents, helping organizations that maintain multiple certifications identify overlap and reduce duplicate effort.

Framework | Equivalent Control(s) | Coverage
NIST 800-53 | AC-03 (Access Enforcement) | Full
NIST 800-53 | AC-18 (Wireless Access) | Full
NIST 800-53 | AC-20 (Use of External Systems) | Full
NIST 800-53 | SC-07 (Boundary Protection) | Full
NIST 800-53 | SC-08 (Transmission Confidentiality and Integrity) | Full
NIST 800-53 | SC-10 (Network Disconnect) | Full
SOC 2 | CC6.1 (Logical and Physical Access Controls), CC6.6 (System Boundaries) | Partial
CIS Controls v8.1 | Control 12 (Network Infrastructure Management), Control 13 (Network Monitoring and Defense) | Full
NIST CSF 2.0 | PR.DS (Data Security), PR.AC (Access Control), DE.CM (Continuous Monitoring) | Partial
DORA (EU) | Article 9 (ICT risk management framework — network security requirements) | Partial

Control 8.20 does not operate in isolation. It connects to several other Annex A controls that collectively secure the network layer and its dependencies:

Control ID | Control Name | Relationship
8.21 | Security of network services | Extends 8.20 to third-party network service agreements and SLAs
8.22 | Segregation of networks | Provides specific segmentation requirements that complement 8.20’s broader scope
8.23 | Web filtering | Controls web traffic flowing through networks secured under 8.20
8.1 | User endpoint devices | Endpoints connect to the network; device security directly affects network security posture
8.5 | Secure authentication | Authentication mechanisms protect network access points and management interfaces
8.15 | Logging | Network event logs feed into the monitoring and detection capabilities required by 8.20
8.16 | Monitoring activities | Operational monitoring of the network infrastructure secured under 8.20
5.15 | Access control | Organizational policy governing who can access network resources and under what conditions

Frequently Asked Questions

What is ISO 27001 8.20?

ISO 27001 Control 8.20 (Networks Security) requires organizations to implement controls that secure networks and network devices — including firewalls and segmentation — to protect data confidentiality and integrity and prevent unauthorized access. The control covers device hardening, traffic control through firewalls and network segmentation, and continuous monitoring through intrusion detection systems and centralized logging.

What happens if 8.20 is not implemented?

Without the controls specified in 8.20, networks remain flat and unsegmented, allowing an attacker who compromises a single endpoint to move laterally across the entire infrastructure. This leads to data exfiltration, extended dwell times, and significantly higher breach costs. From a compliance perspective, failing to implement 8.20 will result in a nonconformity during your ISO 27001 audit, potentially jeopardizing your certification. Use an ISO 27001 implementation checklist to ensure no controls are overlooked.

How do you audit 8.20?

Auditing 8.20 focuses on documented evidence that network security controls are both implemented and maintained. Auditors will request network architecture diagrams, firewall rule sets with business justifications, IDS/IPS configuration and alert samples, device hardening checklists, change management records for network modifications, and penetration test reports covering the network layer. They will also verify that these artifacts are current — not historical documents created only for the certification audit.

How UpGuard Helps

Monitor network security posture across your entire vendor ecosystem. UpGuard continuously assesses the network security controls of your third-party vendors, identifying exposed management interfaces, missing encryption, and other network-level risks before they become audit findings.