Your internet provider guarantees 99.9% uptime in the contract — but the SLA says nothing about encryption, DDoS mitigation or incident notification. When a BGP hijack routes your traffic through an unintended country for six hours, the provider shrugs: availability was fine. A.8.21 requires that security requirements for network services are identified, agreed upon and monitored — whether those services are internal or external.
Network services include internet access, VPN, MPLS, DNS, CDN, load balancing and any other service that carries or routes your data. Each one needs defined security properties and a mechanism to verify they are met.
What does the standard require?
- Identify security requirements. For each network service (internal and external), define the required security mechanisms: encryption, authentication, access control, availability.
- Agree on security levels. Include security requirements in service agreements, SLAs or contracts with providers.
- Monitor providers. Actively monitor whether providers meet agreed security levels. Exercise audit rights where applicable.
- Obtain assurance. Seek third-party certifications or attestations as evidence of provider security.
- Define responsibilities. Clearly document who is responsible for which security aspects — especially at the boundary between your organization and the provider.
In practice
Inventory all network services. List every network service your organization uses: ISP connections, VPN services, DNS providers, CDN, load balancers, managed firewalls, MPLS links. Include both external providers and internal teams that operate network services.
Define security requirements per service. For each service, specify: encryption standards (TLS 1.2+, IPsec), authentication methods, availability targets, logging requirements, incident notification timelines and data handling at contract end.
Include security clauses in contracts. Ensure contracts and SLAs explicitly cover security requirements. Standard availability SLAs alone are insufficient — add clauses for encryption, access control, incident response and audit rights.
Monitor and review regularly. Track provider SLA performance, review security certifications annually and conduct periodic assessments for critical network services. Escalate non-compliance through contractual mechanisms.
Typical audit evidence
Auditors typically expect the following evidence for A.8.21:
- Network service inventory — list of all network services with providers (see IT Operations Policy in the Starter Kit)
- Service agreements — contracts or SLAs with security clauses
- Provider certifications — ISO 27001 certificates, SOC 2 reports
- SLA monitoring reports — evidence of ongoing performance and security monitoring
- Responsibility matrices — documented shared responsibility boundaries
KPI
Percentage of network services with documented and verified security agreements
Measured as a percentage: how many of your network services have a documented security agreement that has been verified within the last 12 months? Target: 100%.
Supplementary KPIs:
- Percentage of network service providers with current security certifications
- Number of SLA breaches per quarter
- Mean time between provider incident and notification to your organization
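To make the primary and supplementary KPIs concrete, here is an added Python example (not part of the standard, this page or its Starter Kit) that computes them over a constructed service inventory; the provider names, verification dates and incident records are placeholders, and the "as of" date is assumed for the 12-month window.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class NetworkService:
    name: str
    provider: str
    agreement_documented: bool   # security clauses exist in the contract/SLA
    verified_on: Optional[date]  # last verification; None if never verified

# Constructed sample inventory; provider names are placeholders, not real vendors.
INVENTORY = [
    NetworkService("Primary ISP link", "isp-placeholder", True, date(2024, 11, 2)),
    NetworkService("Site-to-site VPN", "internal-netops", True, date(2024, 2, 10)),
    NetworkService("Authoritative DNS", "dns-placeholder", True, None),
    NetworkService("CDN", "cdn-placeholder", False, None),
]
AS_OF = date(2025, 3, 1)  # constructed "today" used for the 12-month window

def is_verified(service, as_of, window_days=365):
    """True when the agreement is documented and verified within the window."""
    cutoff = as_of - timedelta(days=window_days)
    return (service.agreement_documented
            and service.verified_on is not None
            and service.verified_on >= cutoff)

def verified_agreement_kpi(services, as_of, window_days=365):
    """Primary KPI: percentage of services passing is_verified; 0.0 for an empty inventory."""
    if not services:
        return 0.0
    passing = sum(1 for s in services if is_verified(s, as_of, window_days))
    return round(100.0 * passing / len(services), 1)

def services_needing_action(services, as_of, window_days=365):
    """Names of services that keep the KPI below the 100% target (stale or missing)."""
    return [s.name for s in services if not is_verified(s, as_of, window_days)]

# Constructed incident records: (incident start at provider, notification received).
INCIDENTS = [
    (datetime(2025, 1, 10, 8, 0), datetime(2025, 1, 10, 11, 0)),
    (datetime(2025, 2, 3, 22, 30), datetime(2025, 2, 4, 10, 30)),
]

def mean_notification_delay_hours(incidents):
    """Supplementary KPI: mean hours from provider incident to notification; None if no incidents."""
    if not incidents:
        return None
    return mean((notified - started).total_seconds() / 3600 for started, notified in incidents)
```

A verification older than the window counts as unverified, so a service with a documented agreement can still pull the KPI down until it is re-verified.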
BSI IT-Grundschutz
A.8.21 maps to BSI modules for network services and provider management:
- NET.1.1 (Network Architecture and Design) — requirements for securing network services within the architecture.
- NET.3.1–NET.3.4 (Routers, Firewalls, VPN, NAC) — security requirements for specific network service types.
Related controls
- A.8.20 — Networks Security: The overarching network security control that A.8.21 supplements for service-specific requirements.
- A.5.19 — Information Security in Supplier Relationships: Supplier management framework applicable to network service providers.
- A.8.22 — Segregation of Networks: Network segmentation that may be provided as a service.
Sources
- ISO/IEC 27001:2022 Annex A, Control A.8.21 — Security of network services
- ISO/IEC 27002:2022 Section 8.21 — Implementation guidance for security of network services
- BSI IT-Grundschutz, NET.1.1 — Network Architecture and Design