ISO 27001:2022 A 8.22 Segregation of networks



When cyber criminals compromise computing networks, services, or devices, they do not limit themselves to the compromised assets. They leverage the initial intrusion to infiltrate an organisation’s entire network, gain access to sensitive information assets, or carry out ransomware attacks. Organisations can implement and maintain appropriate network segregation techniques to reduce risks to the availability, integrity, and confidentiality of information assets.

Network segregation is a process that separates critical network elements from the internet and from other, less sensitive networks. It allows IT teams to control traffic flow between subnets based on granular policies, and organisations can use it to improve network monitoring, performance, and security.

In practice, network segregation divides a network into smaller parts called subnetworks or network segments. Think of it as the division of rooms when building a new house: the most important things to consider are the spacing and positioning of the rooms and the purpose of each one.



Groups of information services, users and information systems should be segregated in the organization’s networks.


To split the network into security boundaries and to control traffic between them based on business needs.

ISO 27002 Implementation Guidance

The organization should consider managing the security of large networks by dividing them into separate network domains and separating them from the public network (i.e. internet). The domains can be chosen based on levels of trust, criticality and sensitivity (e.g. public access domain, desktop domain, server domain, low- and high-risk systems), along organizational units (e.g. human resources, finance, marketing) or some combination (e.g. server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks.

The perimeter of each domain should be well-defined. If access between network domains is allowed, it should be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria for segregation of networks into domains, and the access allowed through the gateways, should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the topic-specific policy on access control, access requirements, value and classification of information processed, and take account of the relative cost and performance impact of incorporating suitable gateway technology.

Wireless networks require special treatment due to the poorly-defined network perimeter. Radio coverage adjustment should be considered for segregation of wireless networks. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls before granting access to internal systems. Wireless access networks for guests should be segregated from those for personnel if personnel only use controlled user endpoint devices compliant with the organization’s topic-specific policies. WiFi for guests should have at least the same restrictions as WiFi for personnel, in order to discourage the use of guest WiFi by personnel.

Other information

Networks often extend beyond organizational boundaries, as business partnerships are formed that require the interconnection or sharing of information processing and networking facilities. Such extensions can increase the risk of unauthorized access to the organization’s information systems that use the network, some of which require protection from other network users because of their sensitivity or criticality.


Groups of information services, users, and information systems should be segregated on networks. Wherever possible, consider segregating the duties of network operations and computer/system operations, e.g. public domains, department x or y domains. The network design and controls must align with and support information classification policies and segregation requirements.

One way to protect your confidential and/or critical systems is to segregate your networks along physical or logical lines. Using VLANs to separate your systems creates an additional layer of security between your regular network and your most sensitive systems. This method is often used to protect data centers, credit card processing systems covered by PCI DSS, SCADA systems, and other systems considered sensitive or mission-critical. To properly control access to your segregated networks, you should place a firewall or router at the perimeter of each network. That way, different networks can have different access control policies based on the sensitivity classification of the data that they create, transmit, and/or store.

Special consideration should be given to wireless networks that allow anyone to connect for Internet access. If you offer an unsecured connection to your wireless network, you should take steps to ensure that wireless traffic is kept separate from the rest of your network or networks. At a minimum, wireless users should not be able to access domain resources on your wired network without authenticating first; most organizations now offer a secure wireless option (sometimes in addition to a separate, cordoned-off unsecured wireless option) to help maintain the confidentiality and integrity of their wired network.

The segregation of networks is important because you do not want anyone, hostile or accidental, to reach your systems and gain access to your files. To minimize the impact of a network intrusion, it should be difficult for the intruder to move undetected around the network and to access your information. Segregation is about identifying which systems you use and determining which networks need isolating. For example, you may have sensitive data, such as your organization’s financial records and business process workflows. These files do not need to be stored in the location where you process customer inquiries. Instead, you place them in another room in the network, and you define access rules so that only devices used by managers of the related departments can reach them.

Another scenario: think of an attacker who wants to access your sensitive information, hosts, and services. This attacker may seek to create a remote connection to a server, use legitimate network admin tools, and execute malicious code on that server. Well-planned network segmentation comes in handy here, being a key security measure for preventing such activities. In this case, segregating the network, disallowing remote desktop connections and the use of admin tools from user computers, and configuring servers to limit file sharing will all help.

Network segregation according to ISO 27001 also helps information security personnel do their jobs. With the rules determined, a segregated environment allows them to establish better auditing and alerting strategies for attacks, so they can identify a network intrusion and respond to incidents in a timely manner.

When implementing network segregation measures, organisations should try to strike a balance between operational needs and security concerns.

When segregating the network into smaller network sub-domains, organisations should consider the level of sensitivity and criticality of each network domain. Depending on this analysis, network sub-domains may be assigned to ‘public domains’, ‘desktop domains’, ‘server domains’, or ‘high-risk systems’. Furthermore, organisations can also consider business departments such as HR, marketing, and finance when segregating the network. Organisations can also combine these two criteria and assign network sub-domains to categories such as ‘server domain connecting to sales department’.

Organisations should define the perimeter of each network sub-domain clearly. If there is to be access between two different network domains, this access should be restricted at the perimeter via a gateway such as a firewall or filtering router. Organisations should assess the security requirements of each domain when implementing network segregation and when authorising access via the gateways. This assessment should be carried out in compliance with the access control policy and should also consider the following:

  • Level of classification assigned to information assets.
  • Criticality of information.
  • Cost, and practical considerations for use of a particular gateway technology.

Considering that defining network security parameters for wireless networks is challenging, organisations can adhere to the following practices:

  • The use of radio coverage adjustment techniques to segregate wireless networks should be assessed.
  • For sensitive networks, organisations can assume all wireless access attempts as external connections and prevent access to internal networks until the gateway control approves access.
  • If personnel only use their own devices in accordance with the organisation’s policy, the wireless network access provided for personnel and for guests should be segregated.
  • Use of Wi-fi by guests should be subject to the same restrictions and controls imposed on the personnel.

Organisations often enter into business partnerships and share their networks, IT devices, and other information processing facilities with other businesses. Sensitive networks may therefore be exposed to a heightened risk of unauthorised access by other users, and organisations should take appropriate measures to address this risk.


Benefits of Network Segregation
While traditional flat networks are simple to set up and manage, they do not provide reliable protection. Segregated networks, on the other hand, require extra effort to set up, but once implemented they bring organisations numerous benefits such as:

  • Enhancing operational performance. Network segregation allows IT teams to reduce network congestion. For example, IT teams can easily stop all the network traffic in one part of the network from reaching the other to enhance the overall operational performance.
  • Limiting the damage from cyberattacks. Network segregation enhances the organization’s overall security posture by restricting how far an attack spreads within the organization. For example, you can easily restrain malware from spreading and affecting other systems in the organization.
  • Protecting vulnerable endpoints. Segregating a network can prevent harmful traffic from reaching vulnerable devices. A segregated network isolates these endpoints, restricting the risk of exposure in an organization.
  • Minimizing the scope of compliance. A segregated network can help you reduce the expenses associated with regulatory compliance because it limits the number of in-scope systems. For example, you can separate systems that process payments from those that don’t. This way, you apply compliance requirements and audit processes only to the payment processes but not the rest of the network.

Best Practices of Network Segregation Implementation

  1. Network Layers: It is highly recommended that you apply segregation technologies at more than just the network layer. Each host and network should be segregated and segmented down to the smallest level that remains practically manageable. This strategy applies mostly from the data link layer up to and including the application layer; however, there are cases involving sensitive information where physical isolation is suitable as well. These protective network measures should also be centrally and continuously monitored.
  2. Always Use the Principle of Least Privilege. Implementing the principle of least privilege helps you complement the minimization of privileges and attack surfaces within the organization. You should assign users only the bare minimum privileges they require to access and use corporate resources. If the network does not need to communicate with another network or host, you shouldn’t allow it.
  3. Ensure You Isolate the Hosts from the Network. Separating networks from hosts based on the criticality of business operations is a wise move because it improves the overall network visibility. Depending on various security domains and classifications for particular networks or hosts, you can isolate different platforms to enhance visibility into the network infrastructure.
  4. Refine the Authorization Process. A well-defined authorization process is essential because it allows you to safeguard critical enterprise resources by permitting only authenticated and authorized users to the network. By restricting access to authorized users via rulesets, you can monitor those who bypass the network easily and disable them if necessary.
  5. Implement a Network Traffic Whitelisting Solution. Rather than trying to deny access to known threat actors or block specific services, you should permit only legitimate users and flows to reach specific enterprise resources and deny everything else by default. Such a framework is an effective security policy because any traffic outside the allow-list stands out, which enhances the company’s overall capacity to detect breaches while also improving productivity.

To fulfill the recommendations for network segregation, you can consider the following models for network segmentation:

  • Criteria-based segmentation: Pre-defined rules to establish perimeters and create new segments can reduce future administration efforts. Examples of criteria are trust level (e.g., external public segment, staff segment, server segment, database segment, suppliers segment, etc.), organizational unit (e.g., HR, Sales, Customer Service, etc.), and combinations (e.g., external public access to Sales and Customer Service).
  • Use of physical and logical segmentation: Depending upon the risk level indicated in the risk assessment, it may be necessary to use physically separated infrastructures to protect the organization’s information and assets (e.g., top-secret data flowing through a fiber dedicated to management staff), or you may use solutions based on logical segmentation like Virtual Private Network (VPN).
  • Access rules for traffic flowing: Traffic between segments, including those of allowed external parties, should be controlled according to the need to transmit/receive information. Gateways, like firewalls and routers, should be configured based on information classification and risk assessment. A specific case of access control applies to wireless networks, since they have poor perimeter definition. The recommendation is to treat wireless communication as an external connection until the traffic can reach a proper wired gateway before granting access to internal network segments.
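As an added example (not code from the article or from the standard), the following Python models the access rules just described and the wireless practices listed earlier: hosts are mapped to network domains by subnet, cross-domain traffic is default-deny with an allow-list enforced at the gateway, wireless sources are treated as external connections, and a batch of flow records is audited for flows the policy denies. All subnets, domain names, ports and flow records are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed domains, following the trust-level split in the guidance
# (desktop, server, high-risk systems, wireless). Subnets are assumptions.
DOMAINS = {
    ip_network("10.10.0.0/16"): "desktop",
    ip_network("10.20.0.0/24"): "server",
    ip_network("10.30.0.0/24"): "high-risk",  # e.g. card processing or SCADA
    ip_network("10.40.0.0/24"): "wireless",   # Wi-Fi access network
}

# Gateway allow-list: (source domain, destination domain, destination port).
# Anything not listed is denied at the perimeter (default deny).
ALLOWED = {
    ("desktop", "server", 443),     # users reach internal web services
    ("desktop", "server", 445),     # file shares on the server domain
    ("external", "server", 443),    # public-facing web front end
    ("server", "high-risk", 1433),  # only the app server talks to the DB
}

def domain_of(ip: str) -> str:
    """Map an address to its network domain; unknown addresses are external."""
    addr = ip_address(ip)
    for net, name in DOMAINS.items():
        if addr in net:
            return name
    return "external"

def is_allowed(src: str, dst: str, port: int) -> bool:
    """Apply the gateway policy to one flow."""
    s, d = domain_of(src), domain_of(dst)
    if s == d:
        return True  # intra-domain traffic does not cross a gateway
    # Per the guidance, wireless access is treated as an external connection
    # until it has passed the gateway, so it only gets the external rules.
    if s == "wireless":
        s = "external"
    return (s, d, port) in ALLOWED

def audit(flows):
    """Return the flows the policy denies: the ones worth alerting on."""
    return [f for f in flows if not is_allowed(*f)]

FLOWS = [  # constructed (src, dst, dst_port) records, e.g. from flow logs
    ("10.10.5.7", "10.20.0.10", 443),   # desktop -> server HTTPS: allowed
    ("10.10.5.7", "10.20.0.10", 3389),  # desktop -> server RDP: denied
    ("10.40.0.9", "10.20.0.10", 443),   # Wi-Fi, treated as external: allowed
    ("10.40.0.9", "10.10.5.7", 445),    # Wi-Fi -> desktop SMB: denied
    ("10.10.5.7", "10.30.0.3", 1433),   # desktop -> high-risk DB: denied
]
```

Running `audit(FLOWS)` returns the three denied records, which is the list a monitoring rule for the segmented environment would raise alerts on.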
