A.8.20 Networks Security
What is this control?
ISO 27001 control A.8.20 Networks Security requires that information on networks, and the information processing facilities that support them, be protected from compromise. This implementation applies a Zero Trust architecture with three layers of defence in depth: securing data in transit, segmenting networks, and filtering traffic. Every network is treated as untrusted, the perimeter is defined by identity rather than location, and all traffic is encrypted and inspected by default using FortiGate firewalls, Azure Network Security Groups, and Microsoft Entra Global Secure Access.
How to implement in Microsoft 365
Implement A.8.20 by deploying FortiGate virtual and physical firewalls in an Azure hub-and-spoke topology, with all traffic routed through the network virtual appliances (NVAs) in the hub, which provide IPS, anti-malware, and advanced threat protection. Configure physical FortiGate firewalls at branch locations with secure tunnels to the Azure hub via SD-WAN or IPsec. Manage all firewall policies as code in Azure DevOps, with version control and audit trails, and deploy them through FortiManager.
Deploy Azure Network Security Groups for micro-segmentation, controlling traffic between subnets so that only the flows each workload needs are allowed. Enable the Microsoft Entra Global Secure Access Microsoft Traffic Profile for all user device traffic to M365 and Azure resources.
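The micro-segmentation rules an NSG carries are only as good as their scoping, so it helps to review them mechanically rather than by eye. The script below is an added example for this page, not code from the page or from Microsoft: it flags inbound Allow rules that expose a management port to any source, or that allow every protocol and port (which lets all traffic through regardless of prefix). `RULES` is a constructed sample whose field names follow the JSON shape of `az network nsg rule list` (an assumption about that output); in practice you would feed that command's JSON to `load_rules()` instead.

```python
"""Review Azure NSG rules for micro-segmentation gaps.

Added example for the A.8.20 page; not code from the page or from
Microsoft. RULES is a constructed sample whose field names follow the
JSON shape of `az network nsg rule list` (an assumption about that
output). In practice, load that command's JSON with load_rules().
"""
import json

MGMT_PORTS = {22, 3389, 5985, 5986}             # SSH, RDP, WinRM
ANY_SOURCES = {"*", "Internet", "0.0.0.0/0"}    # "any source" prefixes

# Constructed sample: app subnet -> DB subnet is scoped correctly,
# RDP is open to the world, and an intra-VNet allow-all undoes segmentation.
RULES = [
    {"name": "allow-app-to-db", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.1.1.0/24",
     "destinationAddressPrefix": "10.1.2.0/24", "destinationPortRange": "1433"},
    {"name": "allow-rdp-any", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-all-internal", "priority": 120, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "deny-all-inbound", "priority": 4000, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]


def load_rules(json_text):
    """Parse the JSON array produced by `az network nsg rule list -o json`."""
    return json.loads(json_text)


def port_allowed(rule, port):
    """True if the rule's destination port range(s) include `port`."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or "*"]
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def review_rules(rules):
    """Flag inbound Allow rules that undermine subnet-to-subnet segmentation.

    Returns (rule name, finding) tuples in priority order. Two checks:
    a management port reachable from any source, and a protocol-any,
    port-any allow, which lets every flow through regardless of prefix.
    """
    findings = []
    for r in sorted(rules, key=lambda x: x["priority"]):
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        src = r.get("sourceAddressPrefix") or "*"
        if src in ANY_SOURCES:
            exposed = sorted(p for p in MGMT_PORTS if port_allowed(r, p))
            if exposed:
                findings.append((r["name"], f"management ports {exposed} open to any source"))
        if r.get("protocol", "*") == "*" and port_allowed(r, 0) and port_allowed(r, 65535):
            findings.append((r["name"], f"protocol-any/port-any allow from '{src}' defeats micro-segmentation"))
    return findings


if __name__ == "__main__":
    for name, finding in review_rules(RULES):
        print(f"{name}: {finding}")
```

Run against the sample, the review reports `allow-rdp-any` and `allow-all-internal`; the scoped app-to-DB rule and the catch-all deny pass. The intra-VNet allow-all is the one most often missed in a portal screenshot, because it looks internal while in fact collapsing every subnet into one trust zone.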
What an auditor looks for
Auditors will verify that the GSA Microsoft Traffic Profile is enabled for M365 traffic routing and that the GSA Internet Traffic Profile is enabled for Secure Web Gateway filtering. They will also verify that at least one endpoint firewall profile is deployed via Intune.
They will check that Windows device firewall compliance is 95% or higher, with non-compliant devices categorised by failure reason. They will verify, from Azure DevOps repository screenshots, that firewall policies are defined as code under version control, and check that the Azure Portal NSG configuration shows micro-segmentation rules.
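The 95% firewall compliance figure and the breakdown by failure reason are easy to produce from a device compliance export. The script below is an added example, not code from the page or from Microsoft: it computes the Windows-only compliance percentage, compares it with the audit threshold, and groups the non-compliant devices by reason. The device records are constructed, and their field names (`os`, `firewallCompliant`, `failureReason`) are an assumption standing in for whatever columns your Intune compliance export actually provides.

```python
"""Windows firewall compliance summary for the A.8.20 audit check.

Added example; not code from the page or from Microsoft. The device
records are constructed, and their field names are an assumption
standing in for the columns of a real Intune compliance export.
"""
from collections import Counter

THRESHOLD_PERCENT = 95.0   # the audit threshold stated on the page


def make_sample_devices():
    """Constructed sample: 40 Windows devices (37 compliant) plus one macOS device."""
    devices = [{"deviceName": f"WIN-{i:03d}", "os": "Windows",
                "firewallCompliant": True, "failureReason": None} for i in range(37)]
    devices += [
        {"deviceName": "WIN-900", "os": "Windows", "firewallCompliant": False,
         "failureReason": "firewall_off_private_profile"},
        {"deviceName": "WIN-901", "os": "Windows", "firewallCompliant": False,
         "failureReason": "firewall_off_private_profile"},
        {"deviceName": "WIN-902", "os": "Windows", "firewallCompliant": False,
         "failureReason": "no_intune_firewall_profile"},
        # Non-Windows devices are excluded from the Windows firewall metric.
        {"deviceName": "MAC-001", "os": "macOS", "firewallCompliant": True,
         "failureReason": None},
    ]
    return devices


def compliance_summary(devices, threshold=THRESHOLD_PERCENT):
    """Return the Windows firewall compliance rate and the non-compliant breakdown."""
    windows = [d for d in devices if d["os"] == "Windows"]
    compliant = sum(1 for d in windows if d["firewallCompliant"])
    percent = round(100.0 * compliant / len(windows), 1) if windows else 0.0
    failed = [d for d in windows if not d["firewallCompliant"]]
    by_reason = Counter(d["failureReason"] or "unspecified" for d in failed)
    return {
        "total": len(windows),
        "compliant": compliant,
        "percent": percent,
        "meets_threshold": percent >= threshold,
        "by_reason": dict(by_reason),
        "non_compliant_devices": sorted(d["deviceName"] for d in failed),
    }


if __name__ == "__main__":
    summary = compliance_summary(make_sample_devices())
    print(f"{summary['compliant']}/{summary['total']} Windows devices compliant "
          f"({summary['percent']}%), threshold met: {summary['meets_threshold']}")
    for reason, count in summary["by_reason"].items():
        print(f"  {reason}: {count}")
```

On the sample the rate is 92.5%, so the threshold is not met and the report shows which reason accounts for most of the gap; that per-reason view is what turns a failed metric into a remediation list (re-enable the private-profile firewall on two devices, assign the Intune firewall profile to the third).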
M365 capabilities that implement this control
Microsoft Entra Global Secure Access for M365 traffic
Microsoft Entra Global Secure Access for internet traffic, web filtering, and Private Access tunnels