A.8.21 Security of Network Services
What is this control?
ISO 27001 control A.8.21 Security of Network Services ensures that security mechanisms, service levels, and management requirements of network services are identified, implemented, and monitored. The control covers both internally managed network services and externally provided services including cloud connectivity and internet access. Service Level Agreements must address security requirements, monitoring capabilities, and incident response procedures.
How to implement in Microsoft 365
Implement A.8.21 by documenting security requirements in network service contracts and SLAs covering encryption standards, access controls, monitoring capabilities, and incident notification. Configure FortiGate firewalls with IPS, anti-malware, and application control for all network traffic. Enable Microsoft Entra Global Secure Access for secure cloud connectivity with traffic inspection.
Monitor network service health via Azure Monitor and FortiAnalyzer, with alerts configured for service degradation. Review ISP and network service provider security certifications annually. Document the network service architecture and security controls in the network security policy.
What an auditor looks for
Auditors will verify that network service contracts include security requirements and SLAs. They will check that the FortiGate firewall configuration shows IPS, anti-malware, and application control are enabled. Auditors will verify that Global Secure Access is configured for cloud traffic protection.
They will check that network monitoring is configured via Azure Monitor or FortiAnalyzer with service health alerts. Auditors will review ISP and service provider security certifications dated within 12 months. They will verify that the network security policy documents the architecture and security controls.
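One way to produce evidence for the FortiGate check above, as an added example that is not part of the original page: a Python script that parses a configuration backup and lists the accept policies that lack an IPS sensor, antivirus profile or application control list. The sample configuration is constructed, and the function names `parse_policies` and `audit` are hypothetical.

```python
# Constructed sample of a FortiGate configuration backup (not from a real device).
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set action accept
        set ips-sensor "default"
        set av-profile "default"
        set application-list "default"
    next
    edit 2
        set name "Guest-to-Internet"
        set action accept
        set ips-sensor "default"
    next
    edit 3
        set name "Block-Legacy"
        set action deny
    next
end
"""
# FortiOS policy settings that attach each profile type named in the guidance.
REQUIRED = {"ips-sensor": "IPS", "av-profile": "anti-malware", "application-list": "application control"}

def parse_policies(text):
    """Return {policy_id: {setting: value}} from the 'config firewall policy' table."""
    policies, current, depth = {}, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config firewall policy" else 0
        elif line.startswith("config "):
            depth += 1  # nested sub-table; its contents are skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = policies.setdefault(int(line.split()[1]), {})
        elif depth == 1 and line.startswith("set ") and current is not None:
            _, key, value = line.split(None, 2)
            current[key] = value.strip('"')
    return policies

def audit(text):
    """Return {policy_name: [missing protections]} for accept policies."""
    findings = {}
    for pid, p in parse_policies(text).items():
        missing = [label for key, label in REQUIRED.items() if not p.get(key)]
        if p.get("action") == "accept" and missing:  # deny policies carry no traffic
            findings[p.get("name", f"policy {pid}")] = missing
    return findings
```

Calling `audit()` on the text of a backup returns an empty dictionary when every accept policy has all three profiles attached. Policies that use a profile group rather than individual profiles would need additional handling.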
Related controls
M365 capabilities that implement this control
Email gateway security, Safe Links, Safe Attachments, transport rule hardening, SMTP auth, and mail forwarding controls
CIS Microsoft 365 Foundations benchmark settings for Exchange Online