The basics
ISO 27001 control A.8.20 Networks security requires companies to handle networks and network devices in order to protect information that flows through them. This is important because if the network is compromised, the attacker will find it much easier to access sensitive information and other assets on the network.
Documentation
ISO 27001 control A.8.20 Networks security can be documented:
- for smaller and mid-sized companies by writing a Security Procedures for IT Department
- for larger companies by writing a Network Security Procedure
These documents are not mandatory, but are recommended.
Implementation
In order to comply with control A.8.20 Networks security you might implement the following:
- Technology — the technology to enable secure networks could include software (e.g., authentication software, logging and monitoring tools, SSL, VPN, etc.) and hardware (e.g., devices like routers, firewalls, etc.).
- Organization/processes — you should set up a process for defining responsibilities and procedures for the management of network equipment, what needs to be managed and monitored, how, and by whom. You can document those processes through Security Procedures for IT Department or a Network Security Procedure.
- People — make employees aware of the risks of insecure networks, and train IT staff on how to properly apply secure network configurations and monitor network performance.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.20 Networks security: if networks and network devices are handled properly to protect information that flows through them.