A.8.22 Segregation of Networks
What is this control?
ISO 27001 control A.8.22 Segregation of Networks ensures that groups of information services, users, and information systems are segregated on networks to reduce the risk of unauthorised access and lateral movement. The control implements network segmentation through Azure Virtual Networks, Network Security Groups, and FortiGate firewall policies to contain breaches and protect sensitive systems from less trusted network zones.
How to implement in Microsoft 365
Implement A.8.22 by designing the Azure Virtual Network topology with separate VNets or subnets for each trust level, including production, development, and a DMZ. Deploy Azure Network Security Groups with inbound and outbound rules that restrict traffic between segments on a least-privilege basis. Configure FortiGate firewall policies to enforce inter-zone traffic restrictions and logging.
Implement Azure Private Endpoints for PaaS services to remove public internet exposure. Use Azure Bastion or Just-in-Time VM Access for administrative access to segmented networks. Document network segmentation architecture in network diagrams maintained in SharePoint.
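The following is an added example, not code from the page or from Microsoft: a small model of inbound NSG rule evaluation that checks a production subnet's NSG against the flows this control expects to be denied. The address plan, subnet names and rule sets are constructed; the service-tag matching is a simplification of Azure's real behaviour.

```python
import ipaddress
from dataclasses import dataclass
VNET = "10.0.0.0/16"                                  # constructed address plan, not a real tenant
DEV, BASTION = "10.0.2.0/24", "10.0.255.0/27"         # dev subnet; AzureBastionSubnet

@dataclass
class Rule:          # flattened subset of an Azure NSG securityRule (inbound only is modelled)
    name: str
    priority: int    # lower number is evaluated first
    access: str      # "Allow" or "Deny"
    source: str      # CIDR, "*" or a service tag ("Internet", "VirtualNetwork")
    dest_port: str   # "22", "1024-65535" or "*"

# Azure adds these default inbound rules to every NSG. VirtualNetwork -> VirtualNetwork is
# ALLOWED by default, so subnets in one VNet are not segregated until an explicit deny is added.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]
def _src_match(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "*": return True
    if spec == "VirtualNetwork": return ip in ipaddress.ip_network(VNET)
    if spec == "Internet": return ip not in ipaddress.ip_network(VNET)   # simplification
    if spec == "AzureLoadBalancer": return False                          # probe source not modelled
    return ip in ipaddress.ip_network(spec)
def _port_match(spec, port):
    if spec == "*": return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip, port):
    """First matching rule in ascending priority order decides, as the NSG engine does."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _src_match(r.source, src_ip) and _port_match(r.dest_port, port):
            return r.access
    return "Deny"

# Flows the production NSG must deny under A.8.22 (constructed check list).
MUST_DENY = [("Internet RDP, use Bastion/JIT", "203.0.113.10", 3389),
             ("Internet SSH, use Bastion/JIT", "203.0.113.10", 22),
             ("dev -> prod HTTPS", "10.0.2.25", 443), ("dev -> prod RDP", "10.0.2.25", 3389)]
def find_violations(prod_nsg_rules):
    return [name for name, ip, port in MUST_DENY if evaluate(prod_nsg_rules, ip, port) == "Allow"]

weak_prod_nsg = [Rule("AllowRdpFromAnywhere", 100, "Allow", "*", "3389")]
hardened_prod_nsg = [Rule("AllowRdpFromBastion", 100, "Allow", BASTION, "3389"),
                     Rule("DenyDevToProd", 200, "Deny", DEV, "*")]   # < 65000 to beat AllowVnetInBound
```

The weak rule set reports three violations, while the hardened set reports none and still admits RDP from the Bastion subnet; note that with no custom rules at all, dev-to-prod traffic is allowed by the default rules alone.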
What an auditor looks for
Auditors will verify Azure VNet topology shows network segmentation between trust levels. They will check Network Security Group rules restrict inter-subnet traffic appropriately. Auditors will verify FortiGate policies enforce inter-zone restrictions with logging enabled.
They will check Azure Private Endpoints are configured for PaaS services where applicable. Auditors will verify Azure Bastion or JIT VM Access is used for administrative access. They will check network segmentation architecture is documented in current network diagrams.