Network segmentation divides a corporate network into multiple isolated areas (segments or zones). Typical segments include DMZ, internal network, server network, guest network, and production network. Communication between segments is controlled by firewalls, allowing only explicitly permitted traffic to pass. If an attacker breaches one segment, segmentation significantly limits their ability to move laterally. ISO 27001 Annex A.8.22 requires network segregation. You can implement segmentation physically (separate switches) or logically (VLANs, software-defined networking). Document your zone model and the associated firewall rules carefully.
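One way to keep a documented zone model checkable, shown as an added example that is not part of the original text: the zone names come from the paragraph above, while the CIDR ranges, permitted flows, the deployed rule list and all function names are constructed assumptions. It evaluates flows with a default-deny policy and flags deployed firewall rules that the documented model does not cover.

```python
import ipaddress

# Constructed zone model: names follow the text, CIDRs are sample values.
ZONES = {
    "dmz": "10.0.10.0/24",
    "internal": "10.0.20.0/24",
    "server": "10.0.30.0/24",
    "guest": "10.0.40.0/24",
    "production": "10.0.50.0/24",
}

# Documented inter-zone permits (constructed): (src zone, dst zone, proto, port).
ALLOWED = {
    ("internal", "server", "tcp", 443),
    ("internal", "dmz", "tcp", 443),
    ("dmz", "server", "tcp", 8443),
}

# Rules exported from the firewall (constructed); the second one is undocumented.
DEPLOYED = [("internal", "server", "tcp", 443), ("guest", "internal", "tcp", 445)]

NETS = {name: ipaddress.ip_network(cidr) for name, cidr in ZONES.items()}


def zone_of(ip):
    """Return the zone containing ip, or None if it is outside the model."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETS.items():
        if addr in net:
            return name
    return None


def decide(src_ip, dst_ip, proto, port):
    """Default deny: allow only intra-zone traffic or a documented flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"   # address belongs to no documented zone
    if src == dst:
        return "allow"  # assumption: same segment, never reaches the firewall
    return "allow" if (src, dst, proto, port) in ALLOWED else "deny"


def audit(firewall_rules):
    """Return deployed rules with no counterpart in the documented model."""
    return [rule for rule in firewall_rules if tuple(rule) not in ALLOWED]
```

Running `audit(DEPLOYED)` against a real rule export on a schedule turns the documentation advice into a drift check: any rule it returns was added to the firewall without being recorded in the zone model.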