Annex A · Technological Control

A.8.20 — Networks Security

4 min read · Reviewed by: Cenedril Editorial
Tags: A.8.20 · ISO 27001 · ISO 27002 · BSI NET.1.1

The network was designed five years ago. Since then, the company has added cloud services, a VPN for remote workers and an IoT system for building management. Nobody updated the network diagram. The firewall has 2,000 rules — 800 of which reference decommissioned servers. A.8.20 requires that networks are managed, controlled and secured to protect the information flowing through them.

Network security is a broad control covering architecture, device hardening, traffic monitoring and encryption. It serves as the umbrella for the more specific network controls A.8.21 (network services) and A.8.22 (network segregation).

What does the standard require?

  • Document the network. Maintain current network diagrams showing all segments, connections and security boundaries.
  • Separate management traffic. Network management activities should be separated from normal system operations.
  • Apply security controls. Implement firewalls, encryption for data in transit, authentication of network devices and access controls.
  • Monitor network activity. Log and monitor network traffic to detect anomalies and potential security incidents.
  • Harden network devices. Apply secure configurations to routers, switches, firewalls and wireless access points.
  • Secure virtualized networks. Apply equivalent security controls to software-defined and virtualized network environments.

In practice

Maintain up-to-date network documentation. Document all network segments, VLANs, firewall zones, VPN tunnels, cloud VPCs and interconnections. Include IP addressing schemes, routing information and security zone assignments.

Harden all network devices. Apply vendor security guides and CIS Benchmarks to routers, switches, firewalls and wireless controllers. Change default credentials, disable unused ports and services, enable logging and restrict management access.

Encrypt data in transit. Use TLS 1.2 or higher for all web traffic, IPsec or WireGuard for site-to-site VPNs, and SSH for remote administration. Disable legacy protocols (SSL, TLS 1.0, TLS 1.1, Telnet).

Review firewall rules regularly. Conduct semi-annual firewall rule reviews. Remove rules that reference decommissioned systems, tighten overly broad rules and document the business justification for every allow rule.
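As an added illustration of the rule review described above (example code written for this page, not Cenedril's tooling or anything the page supplies): a small Python script that runs over a constructed firewall rule export and flags allow rules with no recorded justification, rules that still reference a host on the CMDB's decommissioned list, any-to-any allow rules, and rules outside the review window; it also computes the supplementary KPI "percentage of rules reviewed within the last 12 months". The rule ids, addresses and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network

@dataclass
class Rule:
    rule_id: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    action: str         # "allow" or "deny"
    justification: str  # business reason recorded for the rule
    last_reviewed: date

# Constructed sample data (hypothetical): a rule export and the CMDB's decommissioned hosts.
DECOMMISSIONED = {ip_network("10.0.5.20"), ip_network("10.0.5.21")}
RULES = [
    Rule("FW-001", "10.0.1.0/24", "10.0.5.20/32", "allow", "ERP to old DB", date(2023, 1, 10)),
    Rule("FW-002", "any", "any", "allow", "", date(2024, 3, 1)),
    Rule("FW-003", "10.0.2.0/24", "10.0.7.10/32", "allow", "Web tier to API (CR-1234)", date(2024, 5, 1)),
    Rule("FW-004", "any", "any", "deny", "default deny", date(2024, 5, 1)),
]
REVIEW_DATE = date(2024, 6, 1)  # constructed date of this review

def review_rules(rules, decommissioned, today, max_age_days=365):
    """Return {rule_id: [findings]} for every rule that needs attention."""
    findings = {}
    for r in rules:
        issues = []
        if r.action == "allow" and not r.justification.strip():
            issues.append("no business justification")
        for side in (r.src, r.dst):
            # single-host CIDRs compare equal to the /32 entries in the decommissioned set
            if side != "any" and ip_network(side, strict=False) in decommissioned:
                issues.append(f"references decommissioned host {side}")
        if r.action == "allow" and r.src == "any" and r.dst == "any":
            issues.append("overly broad any-to-any allow")
        if (today - r.last_reviewed).days > max_age_days:
            issues.append(f"not reviewed in the last {max_age_days} days")
        if issues:
            findings[r.rule_id] = issues
    return findings

def reviewed_within_pct(rules, today, max_age_days=365):
    """KPI: percentage of rules reviewed within the review window."""
    fresh = sum((today - r.last_reviewed).days <= max_age_days for r in rules)
    return round(100 * fresh / len(rules), 1) if rules else 0.0

if __name__ == "__main__":
    for rule_id, issues in review_rules(RULES, DECOMMISSIONED, REVIEW_DATE).items():
        print(rule_id, "->", "; ".join(issues))
    print("Reviewed within 12 months:", reviewed_within_pct(RULES, REVIEW_DATE), "%")
```

In a real review the rule list would be parsed from the firewall's configuration export and the decommissioned set pulled from the asset inventory; the checks themselves stay the same.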

Typical audit evidence

Auditors typically expect the following evidence for A.8.20:

  • Network diagram — current, dated documentation of network architecture (see IT Operations Policy in the Starter Kit)
  • Firewall rule set — current rules with documented justifications
  • Device hardening evidence — configuration exports showing security settings
  • Network monitoring logs — evidence of traffic analysis and alerting
  • Encryption configuration — TLS/IPsec settings for data in transit

KPI

Percentage of network segments with implemented security controls per policy

Measured as a percentage: how many network segments have the required controls (firewall, monitoring, encryption, device hardening) in place? Target: 100%.

Supplementary KPIs:

  • Percentage of firewall rules reviewed within the last 12 months
  • Number of network devices with default credentials (target: zero)
  • Percentage of data in transit encrypted with TLS 1.2 or higher

BSI IT-Grundschutz

A.8.20 maps to a wide range of BSI network modules:

  • NET.1.1 (Network Architecture and Design) — requirements for network zoning, documentation and secure design.
  • NET.1.2 (Network Management) — secure administration of network infrastructure.
  • NET.3.1/NET.3.2 (Routers and Switches, Firewalls) — hardening and management of network devices.
  • NET.3.3/NET.3.4 (VPN, NAC) — VPN security and network access control.
  • NET.2.1/NET.2.2 (WLAN, Mobile Communications) — wireless network security.

Frequently asked questions

What does network security cover under A.8.20?

Everything from network architecture documentation and device hardening to traffic monitoring, authentication of network devices and encryption of data in transit. It is the broadest of the three network controls (A.8.20-A.8.22).

Do we need network monitoring for a small office?

The depth of monitoring should be proportionate to risk. A small office may start with firewall logging and basic alerting. As the environment grows, add network flow analysis and intrusion detection.

How does zero trust relate to A.8.20?

Zero trust assumes no implicit trust based on network location. Every access request is authenticated and authorized regardless of whether it originates from inside or outside the network perimeter. Implementing zero trust satisfies many A.8.20 requirements.