Ransomware compromises one workstation through a phishing email. Within 20 minutes, it has encrypted file servers, the ERP system and the backup server — all reachable directly from the workstation VLAN. A.8.22 limits this blast radius by dividing the network into zones with controlled traffic between them.
Network segregation is one of the most effective security measures available. By placing systems with different trust levels or sensitivity into separate zones and controlling the traffic between zones through gateways, you contain breaches and protect high-value assets.
What does the standard require?
- Divide the network into zones. ISO/IEC 27002 calls these network domains. Segment based on trust levels (for example public-facing, workstation, server, high-risk systems), data sensitivity, organizational units or functional roles.
- Control inter-zone traffic. Route traffic between zones through gateways (firewalls, packet filters) that enforce access rules.
- Use physical or logical methods. Segregation can be achieved through physical separation (separate infrastructure) or logical means (VLANs with firewall rules).
- Treat wireless as external. Wireless networks should be treated as external connections until traffic passes through appropriate security gateways.
- Review segmentation regularly. Verify that zone assignments remain appropriate as the network evolves.
In practice
Design a zone model. Define your zones: DMZ (internet-facing services), internal server zone, user workstation zone, management zone, guest zone, IoT zone, high-security zone. Document the purpose and trust level of each zone.
Implement firewall rules between zones. For every zone pair, define allowed traffic flows. Apply the principle of least privilege: deny all by default, allow only documented, justified flows. A user workstation in the office zone should not have direct access to the database zone.
Isolate management traffic. Place management interfaces (switch consoles, firewall admin, hypervisor management) in a separate management zone accessible only from privileged access workstations.
Segment IoT and OT devices. IoT and operational technology devices often have weak security controls and frequently cannot be patched promptly, if at all. Place them in isolated zones with strictly controlled gateway access (only the flows to their designated collectors or controllers) so that a compromised device cannot become a lateral movement path into the server or workstation zones.
Typical audit evidence
Auditors typically expect the following evidence for A.8.22:
- Network zone diagram — documented zones with security classifications (see IT Operations Policy in the Starter Kit)
- Firewall rule sets — inter-zone rules with documented justifications
- VLAN configuration — evidence of logical segmentation
- Wireless configuration — evidence that Wi-Fi is treated as external
- Segmentation review records — periodic reviews of zone assignments and rules
KPI
Percentage of network zones properly segmented per security classification
Measured as a percentage: how many of your defined zones have firewall-enforced boundaries with documented access rules? Target: 100%.
Supplementary KPIs:
- Number of overly permissive inter-zone rules (target: decreasing)
- Percentage of IoT/OT devices in isolated segments
- Number of segmentation violations detected by monitoring
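The "In practice" steps above (a documented zone model, default-deny inter-zone rules with justifications, a management zone reachable only from privileged access workstations) and the KPIs in this section can be checked mechanically once the zone model and the firewall rules are expressed as data. The following Python script is an added example written for this page; it is not code from the original article, from ISO, BSI or any firewall vendor. The zone names, trust levels, the documented flow matrix, the `Rule` format and the sample rule set are all constructed for illustration; in a real deployment the `SAMPLE_RULES` list would be replaced by a parser for your firewall's rule export.

```python
"""Audit inter-zone firewall rules against a documented zone model (A.8.22).

Added example for illustration only. Zone names, trust levels, the flow
matrix, the Rule format and SAMPLE_RULES are constructed assumptions;
replace SAMPLE_RULES with a parser for your firewall's rule export.
"""
from dataclasses import dataclass

ANY = "any"  # wildcard as used in the constructed rule format

# Constructed zone model: zone -> trust level (higher = more sensitive).
ZONES = {
    "internet": 0, "guest": 0, "iot": 1, "workstation": 2, "dmz": 2,
    "server": 3, "database": 4, "paw": 5, "management": 5,
}

# Documented flow matrix: the only (src, dst) zone pairs that may carry
# traffic. Every pair not listed here is denied by default.
DOCUMENTED_FLOWS = {
    ("internet", "dmz"), ("dmz", "server"), ("server", "database"),
    ("workstation", "dmz"), ("workstation", "server"),
    ("workstation", "internet"), ("guest", "internet"),
    ("iot", "server"), ("paw", "management"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source zone or ANY
    dst: str            # destination zone or ANY
    service: str        # e.g. "tcp/443", "udp/53", or ANY
    justification: str = ""  # documented business reason; empty = none


def audit(rules):
    """Return findings keyed by category; each value lists offending rule names."""
    findings = {"overly_permissive": [], "undocumented_flow": [],
                "missing_justification": [], "management_exposure": []}
    for r in rules:
        # Wildcard source, destination or service defeats least privilege.
        if ANY in (r.src, r.dst, r.service):
            findings["overly_permissive"].append(r.name)
        # A concrete zone pair that is not in the documented flow matrix,
        # e.g. workstation -> database, violates default deny.
        if ANY not in (r.src, r.dst) and (r.src, r.dst) not in DOCUMENTED_FLOWS:
            findings["undocumented_flow"].append(r.name)
        if not r.justification:
            findings["missing_justification"].append(r.name)
        # Management zone must only be reachable from privileged access workstations.
        if r.dst == "management" and r.src != "paw":
            findings["management_exposure"].append(r.name)
    return findings


def zone_coverage(rules, zones=ZONES):
    """KPI: percentage of zones whose every inbound rule is specific, documented
    and part of the flow matrix (a 'firewall-enforced boundary with documented
    access rules')."""
    weakened = set()
    for r in rules:
        if r.dst == ANY:
            weakened.update(zones)      # a rule to 'any' weakens every boundary
        elif (r.src == ANY or r.service == ANY or not r.justification
              or (r.src, r.dst) not in DOCUMENTED_FLOWS):
            weakened.add(r.dst)
    covered = [z for z in zones if z not in weakened]
    return round(100 * len(covered) / len(zones), 1)


# Constructed sample rule set containing the classic mistakes.
SAMPLE_RULES = [
    Rule("web-in", "internet", "dmz", "tcp/443", "Public web portal"),
    Rule("app-to-db", "server", "database", "tcp/5432", "ERP application DB access"),
    Rule("users-web", "workstation", "dmz", "tcp/443", "Intranet portal"),
    Rule("users-db-direct", "workstation", "database", "tcp/5432", "Legacy BI tool"),
    Rule("any-to-mgmt", ANY, "management", "tcp/22", ""),
    Rule("iot-any", "iot", "server", ANY, "Sensor telemetry"),
    Rule("paw-mgmt", "paw", "management", "tcp/22", "Admin SSH from PAWs"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_RULES)
    for category, names in report.items():
        print(f"{category}: {names}")
    print(f"overly permissive inter-zone rules: {len(report['overly_permissive'])}")
    print(f"zones properly segmented: {zone_coverage(SAMPLE_RULES)}%")
```

Run against the constructed sample, the script flags `users-db-direct` as an undocumented workstation-to-database flow, `any-to-mgmt` as overly permissive, unjustified and exposing the management zone, and `iot-any` as an overly permissive service; the coverage KPI drops to 66.7% because the database, management and server boundaries are each weakened by one such rule. The same two numbers (count of overly permissive rules, percentage of covered zones) are the ones an auditor would expect to see trended in the segmentation review records.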
BSI IT-Grundschutz
A.8.22 maps to BSI network architecture modules:
- NET.1.1 (Network Architecture and Design) — the core module. Requires zone-based network architecture with controlled gateways between zones.
- NET.1.2 (Network Management) — requires a separate management zone for administrative access.
Related controls
- A.8.20 — Networks Security: The overarching network security control; segmentation is a core implementation measure.
- A.8.23 — Web Filtering: Filtering controls applied at zone boundaries.
- A.8.16 — Monitoring Activities: Monitoring inter-zone traffic for anomalies.
Sources
- ISO/IEC 27001:2022 Annex A, Control A.8.22 — Segregation of networks
- ISO/IEC 27002:2022 Section 8.22 — Implementation guidance for segregation of networks
- BSI IT-Grundschutz, NET.1.1 — Network Architecture and Design