How to Make Your Network Services Secure by Design
ISO 27001 Control 8.21 Security of network services is about making sure that the networks you depend on – internet access, WAN links, VPNs, cloud connectivity, managed firewalls, SD-WAN, and so on – are securely specified, delivered and monitored.
In most organisations, critical services now run over networks you don’t fully own or control. You might be relying on an ISP, a cloud provider, a managed security provider, or all three. If those network services aren’t properly secured and governed, you’re effectively handing them the keys to your information.
This control expects you to be intentional about network services: what you buy, how you configure them, how you control access, and how you check that they stay secure over time.
This guide walks through what ISO 27001 Control 8.21 is really asking for, and how to implement security of network services in a practical, risk-based way.
What ISO 27001 Control 8.21 Actually Requires
In plain English, ISO 27001 Control 8.21 – Security of network services expects you to:
- Identify the network services you rely on (internal and external).
- Define the security requirements for those services up front (confidentiality, integrity, availability, monitoring, support).
- Make sure those requirements are reflected in contracts, SLAs and technical configurations.
- Control who can access which network services and how.
- Monitor and review network services so that they remain secure as things change.
The goal is to ensure that the security of network services is not an accident or an afterthought – it’s designed, documented and actively managed.
Step 1 – Map Your Network Services and What They Support
Before you can secure network services, you need a clear picture of what you’re actually using.
For ISO 27001 Control 8.21, list out:
- Core connectivity services
– Internet connections (primary and backup)
– Site-to-site links (MPLS, SD-WAN, VPNs)
– Remote access VPN or zero-trust network access (ZTNA) solutions
- Hosted and cloud services with network dependencies
– IaaS, PaaS, SaaS platforms (cloud environments, productivity suites, CRM, etc.)
– Private links or peering (e.g. direct connections into cloud platforms)
- Managed network services
– Managed firewalls and IDS/IPS
– Managed SD-WAN or WAN optimisation
– Managed DDoS protection or secure web gateways
- Internal network services
– Internal routing, switching, Wi-Fi, DNS, DHCP, NTP and directory services
For each, note:
- What information or services it carries.
- Which business processes depend on it.
- Which provider (internal or external) is responsible.
This mapping becomes the foundation for your security and SLA requirements under ISO 27001 Control 8.21.
Step 2 – Define Security Requirements and SLAs Before You Buy (or Change) Services
Instead of accepting whatever an ISP or cloud provider happens to offer, ISO 27001 Control 8.21 expects you to define what you need first, then choose or configure services to match.
Consider security requirements such as:
- Confidentiality
– Encryption in transit (TLS, IPSec VPNs, encrypted Wi-Fi).
– Isolation of your traffic from other tenants (e.g. VLANs, virtual networks, private links).
- Integrity
– Protection against tampering (e.g. VPNs, strong authentication between endpoints).
– Controls around routing updates and network device configuration.
- Availability
– Uptime service levels for critical links.
– Time to respond and time to fix (SLAs).
– Redundancy and failover design.
- Monitoring and logging
– What logs will be captured (firewall logs, VPN logs, access logs).
– Who can view them and how long they are retained.
– How incidents will be notified and escalated.
Capture these requirements in a standard template (e.g. “Network Service Security Requirements”) and use it:
- When procuring new network services.
- When renewing contracts.
- When designing internal network changes.
That’s exactly the kind of structured approach ISO 27001 Control 8.21 is aiming for.
Step 3 – Build Security into Contracts and Relationships with Network Service Providers
Most organisations rely heavily on external network service providers (ISPs, telcos, cloud, managed security providers). ISO 27001 Control 8.21 expects you to treat them as part of your security posture, not just a utility.
Key elements to include in contracts and due diligence:
- Security obligations and controls
– Clear statements about how traffic is protected, how devices are hardened, and how access to your environment is controlled.
– Alignment with recognised frameworks (e.g. ISO 27001 certification, SOC 2 reports).
- SLAs and performance criteria
– Availability targets, response times, and escalation paths.
– Specific security SLAs (e.g. time to apply critical security updates on managed firewalls).
- Audit and assurance rights
– Rights to receive security reports, penetration test summaries, or attestation letters.
– Where appropriate, the right to perform audits or have a third party audit on your behalf.
- Incident handling and communication
– How and when the provider will notify you about security incidents or service issues.
– Specific points of contact and procedures for joint investigations.
- Termination and change
– How data, configurations and logs will be handed over or securely removed at the end of the contract.
– How significant changes to network services will be communicated and approved.
Keep evidence of your provider assessments and reviews – that’s strong support for ISO 27001 Control 8.21 during an audit.
Step 4 – Establish Clear Rules for Network Access
A large part of securing network services is controlling who can access what, from where, and how.
For ISO 27001 Control 8.21, you should define and document:
- Allowed networks and services
– Which internal networks, cloud environments and external services different roles can access.
– Separation of environments (e.g. production vs test, corporate vs guest Wi-Fi).
- Authentication requirements
– Multi-factor authentication (MFA) for remote access and admin access to network services.
– Strong identity management for VPNs, ZTNA and management consoles.
- Authorisation model
– Role-based access control (RBAC) for network devices, cloud consoles and security platforms.
– Clear approvals for granting and changing access.
- Access methods and conditions
– Approved methods for remote access (VPN clients, ZTNA, secure web gateways).
– Device and context restrictions (e.g. trusted devices only, time-of-day rules, geolocation limits).
- Network segmentation and filtering
– Internal segmentation to limit lateral movement (VLANs, firewalls, micro-segmentation).
– Controlled access between segments based on business need.
These rules should be reflected in your policies and technical configurations, not just written down.
Step 5 – Implement Core Security Features for Network Services
ISO 27001 Control 8.21 expects the technical configuration of network services to align with your security requirements. Typical features include:
- Authentication and encryption
– VPNs with strong encryption for site-to-site and remote access.
– TLS everywhere for web-based services and APIs.
– Strong authentication for admin access (unique accounts, MFA).
- Firewalls and security gateways
– Stateful firewalls at key boundaries (internet edge, site edges, high-value segments).
– Default-deny rulesets with explicit allow rules.
– Regular review and clean-up of firewall and security rules.
- Intrusion detection and prevention
– IDS/IPS for critical network paths or internet edges.
– Web application firewalls (WAF) for exposed applications where appropriate.
- Technical security parameters
– Hardened configurations (secure protocols only, restricted ports, minimal services).
– Consistent baseline templates for routers, switches, firewalls and cloud network components.
- Caching and privacy
– Sensible caching controls for web proxies and CDNs (so sensitive data isn’t cached inappropriately).
– DNS and web filtering configured to balance privacy, performance and security.
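The firewall points above (default-deny with explicit allows, and regular rule review) can be checked mechanically. This added example, not code from the original article, reviews a constructed, vendor-neutral ruleset (the dict format, rule ids and addresses are all hypothetical) for over-broad allows, shadowed rules that never match, and a missing terminal deny, and shows the loose ruleset next to its default-deny counterpart:

```python
import ipaddress

# Constructed, vendor-neutral ruleset (hypothetical format, not from any real device).
# Rules are evaluated top-down; the first match wins.
LOOSE_RULES = [
    {"id": 10, "action": "allow", "src": "10.0.0.0/8", "dst": "192.0.2.10", "port": 443},
    {"id": 20, "action": "allow", "src": "any", "dst": "any", "port": "any"},
    {"id": 30, "action": "allow", "src": "203.0.113.0/24", "dst": "192.0.2.20", "port": 22},
]
# Same business intent, default-deny: explicit allows followed by a terminal deny.
HARDENED_RULES = [
    {"id": 10, "action": "allow", "src": "10.0.0.0/8", "dst": "192.0.2.10", "port": 443},
    {"id": 30, "action": "allow", "src": "203.0.113.0/24", "dst": "192.0.2.20", "port": 22},
    {"id": 99, "action": "deny", "src": "any", "dst": "any", "port": "any"},
]

def covers(a, b):
    """True if address scope a ('any', a host or a CIDR) contains scope b."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ipaddress.ip_network(a, strict=False).supernet_of(
        ipaddress.ip_network(b, strict=False))

def port_covers(a, b):
    return a == "any" or a == b

def review(rules):
    """Return review findings: over-broad allows, shadowed rules, missing default-deny."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] == "allow" and rule["src"] == "any" and rule["dst"] == "any":
            findings.append(f"rule {rule['id']}: allow any->any is overly broad")
        # A rule fully covered by an earlier one never matches: redundant or ineffective.
        for earlier in rules[:i]:
            if (covers(earlier["src"], rule["src"]) and covers(earlier["dst"], rule["dst"])
                    and port_covers(earlier["port"], rule["port"])):
                findings.append(f"rule {rule['id']}: shadowed by rule {earlier['id']}")
                break
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"):
        findings.append("no terminal deny any->any rule (default-deny missing)")
    return findings

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("hardened", HARDENED_RULES)):
        print(name, review(rules) or "no findings")
```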
None of this has to be exotic – the key is that the security of network services is designed, documented and justified, not accidental.
Step 6 – Monitor and Log Network Services Continuously
You can’t secure network services without paying attention to how they’re being used in real time.
To satisfy ISO 27001 Control 8.21:
- Collect and retain relevant logs
– Firewall and VPN logs (connections, blocks, admin actions).
– Cloud and network device configuration change logs.
– Remote access and authentication logs.
- Use central monitoring where practical
– Feed logs into a SIEM or equivalent platform.
– Set up alerts for suspicious activity (e.g. unusual remote access, repeated failures, unexpected configuration changes).
- Monitor service health and performance
– Uptime and latency monitoring for key links and services.
– Capacity and utilisation monitoring (to spot developing issues before they become outages).
- Review regularly
– Periodic review of logs and reports for trends, anomalies and recurring issues.
– Use findings to improve firewall rules, access controls and network design.
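To make the "repeated failures" and "unexpected configuration changes" alerts above concrete, here is an added example (not from the original article) that runs simple detection logic over constructed VPN and firewall log lines. The syslog-like record format, hostnames, usernames and the `change_ticket=none` convention are all hypothetical assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical syslog-like format (not from any real product).
SAMPLE_LOGS = """\
2024-03-01T02:15:00Z fw-edge config CHANGE user=admin2 object=rule-42 change_ticket=none
2024-03-01T08:00:01Z vpn-gw auth FAIL user=alice src=203.0.113.10
2024-03-01T08:00:05Z vpn-gw auth FAIL user=alice src=203.0.113.10
2024-03-01T08:00:09Z vpn-gw auth FAIL user=alice src=203.0.113.10
2024-03-01T08:00:12Z vpn-gw auth FAIL user=alice src=203.0.113.10
2024-03-01T08:00:20Z vpn-gw auth FAIL user=alice src=203.0.113.10
2024-03-01T08:01:00Z vpn-gw auth OK user=bob src=198.51.100.7
2024-03-01T10:30:00Z fw-edge config CHANGE user=admin1 object=rule-17 change_ticket=CHG-1234
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>auth|config) (?P<result>\S+) (?P<kv>.*)$")

def parse(line):
    """Parse one record into a dict; key=value fields are flattened in. None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec.update(field.split("=", 1) for field in rec.pop("kv").split())
    return rec

def detect(log_text, fail_threshold=5, window=timedelta(minutes=1)):
    """Return alert strings for repeated auth failures and unticketed config changes."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> recent failure timestamps
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["kind"] == "auth" and rec["result"] == "FAIL":
            key = (rec["user"], rec["src"])
            # Keep only failures inside the sliding window before counting.
            recent = [t for t in failures[key] if rec["ts"] - t <= window] + [rec["ts"]]
            failures[key] = recent
            if len(recent) >= fail_threshold:
                alerts.append(f"repeated auth failures: user={key[0]} src={key[1]}")
                failures[key] = []
        elif rec["kind"] == "config" and rec["result"] == "CHANGE":
            # A change with no change ticket is unexpected under change control.
            if rec.get("change_ticket", "none") == "none":
                alerts.append(f"unticketed config change: {rec['host']} {rec['object']} by {rec['user']}")
    return alerts
```

In a real deployment the same two rules would live in the SIEM, with the threshold and window tuned to the service's normal failure rate.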
Monitoring is what turns network service security from a static design into a living control.
Step 7 – Test, Review and Build for Resilience
Finally, network services change over time – new sites, new cloud platforms, new providers. ISO 27001 Control 8.21 expects your security approach to keep up.
That means:
- Regular testing
– Vulnerability scanning and, where appropriate, penetration testing focused on network services and exposed interfaces.
– Testing failover and resilience (e.g. switching to backup links, simulating outages).
- Periodic reviews
– Check that SLAs and contractual arrangements still meet your needs.
– Reassess risks when you make significant changes (new provider, major redesign, merger, or migration to cloud).
- Resilience planning
– Design redundancy (multiple links, diverse routes, backup providers) for critical network services.
– Include network failures and provider outages in your business continuity and incident response plans.
- User awareness and training
– Train admins and support teams on secure configuration and management of network services.
– Educate users on safe use of remote access, Wi-Fi, and other network-based services.
The combination of design, monitoring, testing and review is what really delivers on the intent of ISO 27001 Control 8.21.
Quick Implementation Checklist for ISO 27001 Control 8.21
Use this checklist to gauge where you are with security of network services:
- ISO 27001 Control 8.21 (Security of network services) is covered in your network and supplier security procedures.
- You have an up-to-date view of all key network services (internal and external) and what they support.
- Security requirements (confidentiality, integrity, availability, logging) are defined up front for network services.
- Contracts and SLAs with network service providers include clear security obligations, SLAs and incident handling arrangements.
- There are documented rules for network access (who can access what, how, and under what conditions).
- Core technical controls are implemented: encryption, firewalls, segmentation, secure configs, strong authentication.
- Network service usage and administration are logged and monitored, with alerts for suspicious activity.
- Network services are subject to security testing and periodic review (including after major changes).
- Network resilience (redundancy, failover) is designed and linked to your business continuity planning.
- Admins and relevant staff are trained on secure management and use of network services.
Bringing It All Together
ISO 27001 Control 8.21 – Security of network services – is about treating your network connections and managed services as critical security components, not just technical plumbing.
If you:
- Know which network services you rely on,
- Define and contract for the security you actually need,
- Implement strong access control and technical safeguards, and
- Monitor and review those services over time,
you’ll be in a strong position to protect confidentiality, integrity and availability – and to show any auditor that the security of network services is built into your ISMS, not bolted on afterwards.