{"id":9909,"date":"2016-06-27T18:28:00","date_gmt":"2016-06-27T18:28:00","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=9909"},"modified":"2025-04-04T13:05:50","modified_gmt":"2025-04-04T13:05:50","slug":"how-to-manage-network-security-according-to-iso-27001-a-13-1","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2016\/06\/27\/how-to-manage-network-security-according-to-iso-27001-a-13-1\/","title":{"rendered":"How to manage network security according to ISO 27001 A.13.1"},"content":{"rendered":"<p>As more and more people and organizations become interconnected, more and more information is exchanged, from that considered trivial and disposable to that most sensitive and necessary for people\u2019s lives and business survival.<\/p>\n<p>That\u2019s why today\u2019s network infrastructure is so important, and so attractive to wrongdoers. So, to ensure the network\u2019s performance and to avoid or minimize situations where the information it carries is compromised, it is necessary to take security safeguards.<\/p>\n<p>In this article we\u2019ll see a little about network security management and how\u00a0<a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> and\u00a0<a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/iso-27001-vs-iso-27002\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27002<\/a> controls, like securing network services and network segregation, can help increase network infrastructure security and resilience, and how these features can be used to add value to your business.<\/p>\n<h2>What is network security management?<\/h2>\n<p>We can define network security management as the process designed to protect a network and the data that flows through it from risks like unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, while allowing 
authorized computers, users, and applications to perform their activities. And, by \u201cnetwork,\u201d we mean both internal and external networks (e.g., when organizations use the Internet infrastructure to transfer information between offices located in different cities).<\/p>\n<p>Through administrative, physical, and technological\u00a0<a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&amp;doc=statement-of-applicability\" target=\"_blank\" rel=\"noopener\">controls<\/a>, network security management seeks to create a secure environment based on layers of protective components that support and complement each other to increase the overall security.<\/p>\n<h2>Common threats to networks and data in transit<\/h2>\n<p>By its nature, a network infrastructure is susceptible to two types of attacks:<\/p>\n<p><strong>Passive attacks:<\/strong> when a network attacker only intercepts data traveling through the network. Examples of this type of attack are wiretapping (interception through network cabling), wardriving (mapping of wireless access points), and port scanning (probing for open server or host ports). Often, passive attacks are used at the beginning of more elaborate attacks, as a means to gather information.<\/p>\n<p><strong>Active attacks:<\/strong> when a network attacker actively works to alter data in transit or network components. 
Examples of this type of attack are Denial-of-Service (intentional attempts to negate legitimate user access), DNS spoofing (alteration of DNS entries to misroute traffic), and man-in-the-middle (the attacker effectively stays between legitimate users\u2019 communication).<\/p>\n<p style=\"margin-top: -10px; margin-bottom: -10px;\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-21710\" src=\"\/wp-content\/uploads\/\/sites\/5\/2016\/06\/network-attacks.jpg\" alt=\"ISO 27001 network security A.13.1 - How to organize it\" width=\"1000\" height=\"628\" srcset=\"\/wp-content\/uploads\/sites\/5\/2016\/06\/network-attacks.jpg 1000w, \/wp-content\/uploads\/sites\/5\/2016\/06\/network-attacks-300x188.jpg 300w, \/wp-content\/uploads\/sites\/5\/2016\/06\/network-attacks-768x482.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<h2>Network management according to ISO 27001 and ISO 27002<\/h2>\n<p>Like any ISO management system, ISO 27001 is based on the PDCA model, which perfectly integrates with a network security management approach (planning, implementation, verification, and adjustment of network controls). See this article: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/04\/13\/has-the-pdca-cycle-been-removed-from-the-new-iso-standards\/\" target=\"_blank\" rel=\"noopener noreferrer\">Has the PDCA Cycle been removed from the new ISO standards?<\/a><\/p>\n<p>Regarding network management planning activities, it is necessary to define network security objectives to be protected and managed. Some examples are usability, reliability, and integrity of network and data. 
Once network security objectives are defined, it is necessary to define the controls to be implemented, based on the most relevant\u00a0<a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&amp;doc=risk-assessment-table\" target=\"_blank\" rel=\"noopener\">risks<\/a>\u00a0the organization has in its context.<\/p>\n<p>The implementation of network security controls may use the same <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&amp;doc=risk-treatment-plan\" target=\"_blank\" rel=\"noopener\">Risk Treatment Plan<\/a>\u00a0defined for the implementation of all controls in the ISMS. According to ISO 27002, the following network security management controls must be considered:<\/p>\n<p><strong>Network controls (A.13.1.1):<\/strong> A set of general controls should be implemented, like definition of responsibilities and procedures for network equipment management, segregation of duties between network operations and computer operations, use of cryptographic solutions to protect data in transit and interconnected systems (e.g., VPN), monitoring and logging of network activities performed (e.g., by using an Intrusion Detection System, IDS), and authentication and other means to restrict access to and use of networked resources. See this article: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2015\/05\/25\/how-to-use-firewalls-in-iso-27001-and-iso-27002-implementation\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to use firewalls in ISO 27001 and ISO 27002 implementation<\/a>.<\/p>\n<p><strong>Security of network services (A.13.1.2):<\/strong> The expected network services, performance levels, and security levels should be defined and included in service level agreements, as well as the means by which the organization can verify whether the service levels are being met (e.g., by report analysis or audits). 
These service agreements should be considered for both in-house and outsourced services.<\/p>\n<p><strong>Segregation in networks (A.13.1.3):<\/strong> Services, information systems, users, workstations, and servers should be separated into different networks, according to defined criteria like risk exposure and business value, and a strict control of data flowing between these networks should be established (e.g., by using firewalls and routers). See this article: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2015\/11\/02\/requirements-to-implement-network-segregation-according-to-iso-27001-control-a-13-1-3\/\" target=\"_blank\" rel=\"noopener noreferrer\">Requirements to implement network segregation according to ISO 27001 control A.13.1.3<\/a>.<\/p>\n<p>Network security management may also make use of other ISO 27002 controls to enhance its effectiveness, like <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=access-control-policy\" target=\"_blank\" rel=\"noopener\">Access Control Policy<\/a> (9.1.1), <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=change-management-policy\" target=\"_blank\" rel=\"noopener\">change management (12.1.2)<\/a>, protection from malware (12.2.1), and management of technical vulnerabilities (12.6.1). 
See this article: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2015\/07\/27\/how-to-handle-access-control-according-to-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to handle access control according to ISO 27001<\/a>.<\/p>\n<p>The checking of the network controls\u2019 suitability, adequacy, and effectiveness may be done by periodic <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=internal-audit&amp;doc=internal-audit-procedure\" target=\"_blank\" rel=\"noopener\">audits<\/a>\u00a0and\u00a0<a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&amp;doc=management-review-minutes\" target=\"_blank\" rel=\"noopener\">management reviews<\/a>, which may lead to controls\u2019 adjustments through\u00a0<a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&amp;doc=procedure-for-corrective-action\" target=\"_blank\" rel=\"noopener\">corrective actions<\/a>\u00a0or improvement plans.<\/p>\n<h2>Benefits from network security<\/h2>\n<p>There are many benefits an organization can achieve by adopting network security management:<\/p>\n<ul>\n<li>Increase in productivity, as a result of a more reliable network and fewer business disruptions<\/li>\n<li>Maintenance of regulatory compliance, because network security is a common point in many regulations, like PCI, SOX, etc.<\/li>\n<li>Reduction of risk of legal actions, because the efforts made to protect customers\u2019 data show the organization\u2019s due diligence and due care<\/li>\n<li>Increase in business reputation, because the efforts made to protect customers\u2019 data show the organization\u2019s commitment to security<\/li>\n<\/ul>\n<h2>Reliable communications lead to strong business<\/h2>\n<p>In a connected world, where business can be done between partners that are located in any part of the world, keeping network 
infrastructures up and running is not only an operational challenge, but a vital point in business competitiveness.<\/p>\n<p>By adopting a network security management approach, aligned with practices defined by ISO 27001 and ISO 27002, an organization can increase its chances not only to better plan and allocate its resources, but also to benefit from a more reliable and resilient infrastructure in terms of business competitiveness. Security managers will be thankful for higher security levels, and business managers will be happy with new business possibilities.<\/p>\n<p><em>To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses,<\/em>\u00a0<a href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener noreferrer\">sign up for a 14-day free trial<\/a><em> of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As more and more people and organizations become interconnected, more and more information is exchanged, from that considered trivial and disposable to that most sensitive and necessary for people\u2019s lives and business survival. That\u2019s why today\u2019s network infrastructure is so important, and so attractive to wrongdoers. 
So, to ensure the network\u2019s performance and to avoid &#8230;<\/p>\n","protected":false},"author":41,"featured_media":21710,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,403,1088],"class_list":["post-9909","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-network-security","tag-isms-controls"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/9909","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=9909"}],"version-history":[{"count":2,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/9909\/revisions"}],"predecessor-version":[{"id":103823,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/9909\/revisions\/103823"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/21710"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=9909"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=9909"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=9909"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}