Network Segmentation for ISO 27001 — Practical Implementation Guide
9 min read · VantagePoint Networks
ISO 27001 audits live or die on documentation. The Annex A controls covering network security (most of A.8 and A.13 in the 2022 revision) require evidence of segmentation, access control, and traffic monitoring — not just a firewall and a hope.
This guide walks through how to design network segmentation that satisfies ISO 27001 cleanly, including the specific control mappings auditors look for and the documentation artefacts that survive scrutiny.
The ISO 27001 controls that require segmentation evidence
In the 2022 revision of ISO 27001, the network-relevant controls cluster around access control, communications security, and operational security. Specifically:
- A.8.20 — Networks security: Networks shall be managed and controlled to protect information.
- A.8.21 — Security of network services: Security mechanisms, service levels, and management requirements of all network services shall be identified and included in agreements.
- A.8.22 — Segregation of networks: Information services, users, and information systems shall be segregated on networks.
- A.8.23 — Web filtering: Access to external websites shall be managed to reduce exposure to malicious content.
- A.5.15 / A.5.16 — Access control and identity management.
A baseline four-zone model
Most UK SMBs and mid-market businesses can satisfy ISO 27001 with a four-zone segmentation model. It is auditable, defensible, and matches typical operational realities.
- Zone 1 — Trusted internal: corporate users, file servers, internal apps, MDM-managed endpoints.
- Zone 2 — Sensitive: finance systems, HR data, customer PII databases, regulated workloads. Tighter ACLs, MFA mandatory.
- Zone 3 — DMZ: internet-facing services (mail relays, public web, reverse proxies, partner integration endpoints).
- Zone 4 — Untrusted: guest Wi-Fi, BYOD, IoT devices, contractor access. No route into Zones 1 or 2 except via a published service.
Mapping zones to controls — the auditor view
Auditors are looking for three things: a defined model, evidence the model is implemented, and evidence it stays implemented. The artefacts that satisfy this are:
- Topology diagrams showing zones and their boundaries (firewalls, ACLs, VLAN IDs). Editable formats — draw.io, Visio, Mermaid — score better than screenshots because they prove the diagram is maintained.
- A zone register listing every zone, its purpose, the systems within it, and the rules governing ingress and egress. This is your single source of truth.
- Firewall rule reviews on a defined cadence (typically quarterly). The review log itself is evidence — date, reviewer, changes made, justification.
- Network change-control records linking each rule change to a ticket, request, or risk decision.
Common gaps that fail audits
Auditors regularly flag these issues — fix them before submitting evidence rather than after.
- Flat networks dressed up as segmented: VLANs exist but inter-VLAN routing is unrestricted. Without ACLs, segmentation is decorative.
- Undocumented vendor remote-access tunnels: each vendor with a "temporary" VPN that became permanent. Document them or close them.
- Guest Wi-Fi that can reach the corporate network: the most common finding. Test it before the audit.
- Outdated topology diagrams that no longer match reality. Auditors compare your diagram to what they observe — drift is an immediate finding.
- No firewall rule review evidence. Rules accumulate; reviews catch the cruft.
Bringing it together — the deliverable pack
For an ISO 27001 audit (initial or surveillance), produce a single network-segmentation pack containing the topology diagram, zone register, IP addressing plan, firewall summary (zones × zones with allowed services), recent change-control log, and the latest firewall-rule review record. Keep it in version control or a documentation system that timestamps changes — auditors love evidence of currency.
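As an added illustration (not code from the article or from VantagePoint Networks), the following Python script expresses the zones × zones firewall summary as a policy matrix and audits a flat rule export against it, flagging the "flat network dressed up as segmented" pattern from the gaps list above and any path from Zone 4 into Zones 1 or 2. The zone names, the rule tuple layout, the services in the matrix and the sample rules are all constructed assumptions.

```python
"""Constructed example: audit firewall rules against a four-zone policy matrix.

Not code from the article. Zone names, the rule layout, the services in the
matrix and the sample rules are assumptions chosen to illustrate the checks.
"""
from typing import Dict, FrozenSet, List, Tuple

Zone = str
Pair = Tuple[Zone, Zone]
Rule = Tuple[str, Zone, Zone, str, str]  # (rule id, src zone, dst zone, service, action)

ZONES = ("trusted", "sensitive", "dmz", "untrusted")

# Zone x zone matrix: (source, destination) -> published services. A pair that is
# absent is deny-by-default. Services are illustrative, not a recommended policy.
POLICY: Dict[Pair, FrozenSet[str]] = {
    ("trusted", "sensitive"): frozenset({"https", "tcp/1433"}),
    ("trusted", "dmz"): frozenset({"https", "smtp"}),
    ("untrusted", "dmz"): frozenset({"https"}),  # the only service published to Zone 4
}

SAMPLE_RULES: List[Rule] = [  # constructed rule export
    ("r1", "trusted", "sensitive", "https", "allow"),
    ("r2", "trusted", "sensitive", "any", "allow"),      # unrestricted inter-VLAN routing
    ("r3", "untrusted", "dmz", "https", "allow"),
    ("r4", "untrusted", "trusted", "tcp/445", "allow"),  # guest Wi-Fi reaching corporate
    ("r5", "dmz", "sensitive", "tcp/1433", "allow"),     # pair missing from the matrix
    ("r6", "untrusted", "trusted", "any", "deny"),
]


def check_matrix_invariants(policy: Dict[Pair, FrozenSet[str]]) -> List[str]:
    """The zone model forbids any Zone 4 (untrusted) path into Zones 1 or 2."""
    return [f"matrix allows untrusted -> {dst}" for (src, dst) in policy
            if src == "untrusted" and dst in ("trusted", "sensitive")]


def audit_rules(rules: List[Rule], policy: Dict[Pair, FrozenSet[str]]) -> List[Tuple[str, str]]:
    """Return (rule id, finding) for every allow rule the zone matrix does not justify."""
    findings: List[Tuple[str, str]] = []
    for rule_id, src, dst, service, action in rules:
        if action != "allow" or src == dst:  # denies and intra-zone traffic are out of scope
            continue
        if src not in ZONES or dst not in ZONES:
            findings.append((rule_id, f"unknown zone in rule ({src} -> {dst})"))
        elif service == "any":
            findings.append((rule_id, f"unrestricted {src} -> {dst}: segmentation is decorative"))
        elif (src, dst) not in policy:
            findings.append((rule_id, f"{src} -> {dst} has no entry in the zone matrix"))
        elif service not in policy[(src, dst)]:
            findings.append((rule_id, f"{service} is not a published service for {src} -> {dst}"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(SAMPLE_RULES, POLICY):
        print(f"{rule_id}: {finding}")
```

Running the sample reports r2, r4 and r5; the same loop over a real rule export, with the matrix taken from the zone register, gives the rule-review record concrete findings to sign off.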
Frequently asked
Is microsegmentation required by ISO 27001?
No — microsegmentation is not specifically required. ISO 27001 requires segregation of networks (A.8.22), which can be satisfied with VLAN-based zone separation. Microsegmentation is a stronger control (typically required by Zero Trust architectures) but not mandatory for ISO 27001 unless your risk assessment specifically identifies it.
How often should we review firewall rules for ISO 27001?
Quarterly reviews are the most common cadence and the easiest to defend in audit. Monthly is overkill for most organisations; annual is too infrequent for fast-changing environments. The review should be documented — who reviewed, what changed, what the justification was.
Can we satisfy ISO 27001 with just one firewall?
Yes, technically. ISO 27001 doesn't mandate redundancy. But your business continuity controls (A.5.30) and risk assessment will usually drive an HA pair. A single-firewall design fails the BCP review even when it passes the segmentation review.
Do we need network access control (NAC / 802.1X) for ISO 27001?
Not strictly required, but increasingly expected. NAC satisfies several controls cleanly — A.5.15 (access control), A.8.22 (network segregation), A.8.5 (secure authentication). If you have one, document it. If you don't, justify the alternative in your risk assessment.
What about Zero Trust — does it satisfy ISO 27001?
Yes, easily — Zero Trust architectures generally exceed ISO 27001 requirements. Identity-based access satisfies A.5.15 / A.5.16. Microsegmentation exceeds A.8.22. Continuous verification supports A.8.16 (monitoring activities). The challenge is documenting the Zero Trust controls in language auditors recognise.