ISO 27001 Control 8.21: Security of Network Services
Network services are critical pathways for data flow—both internal and outsourced. Control 8.21 requires you to identify, implement, and continuously monitor security mechanisms and service levels across all network services to prevent unauthorized access and service degradation.
What this means
Control 8.21 mandates that your organization establish and maintain security for all network services, regardless of whether they're delivered internally or by third-party vendors. This includes defining service requirements, implementing protective mechanisms (encryption, access controls, monitoring), establishing service level agreements (SLAs) with security clauses, and actively monitoring compliance. The control recognizes that outsourced services carry the same risk as internal ones and must be governed with equal rigor.
How to comply
- 1.Inventory all network services (DNS, email, VPN, cloud services, etc.) and classify by sensitivity
- 2.Document security requirements for each service including encryption, authentication, and availability targets
- 3.Implement technical controls: TLS/SSL encryption, firewall rules, intrusion detection, and access logging
- 4.Establish or update SLAs with third-party service providers that explicitly cover security obligations and incident response
- 5.Configure automated monitoring and alerting for service availability, performance, and security events
- 6.Conduct quarterly reviews of service security posture and SLA compliance metrics
- 7.Maintain audit trails for all configuration changes and access to network services
Evidence auditors look for
- Network service inventory spreadsheet with security classification and responsible parties
- Service security requirements documentation (technical specifications for encryption, authentication)
- Third-party SLA agreements with security addendums and monitoring clauses
- Network monitoring tool dashboards showing real-time service health and security metrics
- Firewall and router configuration files with documented security rules
- Monthly SLA compliance reports from service providers
- Change management logs for network service modifications
- Incident response records tied to network service failures or security events
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates network service inventory tracking and SLA compliance monitoring, alerting you to gaps in security requirements and third-party obligations before audits flag them.
See how GRCWatch handles this control automatically
Start free trial