Can you rapidly isolate a compromised network segment without taking down the entire business?
Demonstrate that the organization has documented, tested, and technically implemented network segmentation capabilities that enable rapid isolation of compromised segments while maintaining operations for unaffected business functions.
Description
What this control does
This control ensures the organization can perform rapid network segmentation to contain compromised systems or segments without causing business-wide outages. It relies on pre-defined network isolation procedures, software-defined networking (SDN) or VLAN controls, and segmentation architectures that separate critical business functions from potentially compromised zones. Effective implementation requires both technical capability (automated isolation mechanisms, firewall rules, access control lists) and documented procedures that balance incident containment with business continuity.
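The containment-versus-continuity balance described above, as an added example that is not part of the control text: a small Python planner that takes a documented flow inventory, isolates one segment, keeps open only the flows explicitly marked as preserved (log forwarding to the SIEM, the incident-response jump host), emits the ordered access-list entries, and flags any business function whose disruption the continuity plan has not pre-authorized. Segment names, flows, ports, and business functions are constructed sample data, and the rule syntax is a generic placeholder rather than any vendor's format.

```python
"""Isolation planner for a compromised network segment (added example).

Models the network as documented flows between segments, computes what
isolating one segment blocks, which business functions that breaks, and
the ordered ACL entries to apply. All names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str                 # source segment / security zone
    dst: str                 # destination segment / security zone
    proto: str               # "tcp" or "udp"
    port: int
    function: str            # business function that depends on this flow
    preserve: bool = False   # keep open during isolation (SIEM, IR access)


@dataclass
class IsolationPlan:
    segment: str
    acl: list = field(default_factory=list)        # ordered rule strings
    blocked: list = field(default_factory=list)    # flows cut by isolation
    preserved: list = field(default_factory=list)  # flows kept by exception
    impacted_functions: set = field(default_factory=set)
    unapproved: list = field(default_factory=list)  # impact not pre-authorized


def plan_isolation(segment, flows, acceptable_impact):
    """Build the isolation ACL for `segment` and report business impact.

    `acceptable_impact` is the set of business functions the continuity
    plan pre-authorizes to degrade during containment. Any impacted
    function outside that set is listed in `unapproved` so the responder
    escalates for authorization instead of proceeding blind.
    """
    plan = IsolationPlan(segment=segment)
    for f in flows:
        if segment not in (f.src, f.dst):
            continue  # traffic never touching the segment is left alone
        if f.preserve:
            plan.preserved.append(f)
            plan.acl.append(
                f"permit {f.proto} {f.src} -> {f.dst} port {f.port}  ! {f.function}"
            )
        else:
            plan.blocked.append(f)
            plan.impacted_functions.add(f.function)
    # Specific permits first, then the catch-all deny in both directions.
    plan.acl.append(f"deny ip any -> {segment}")
    plan.acl.append(f"deny ip {segment} -> any")
    plan.unapproved = sorted(plan.impacted_functions - set(acceptable_impact))
    return plan


def render(plan):
    """Human-readable summary for the runbook / change record."""
    lines = [f"Isolation plan for segment: {plan.segment}"]
    lines += ["  " + rule for rule in plan.acl]
    lines.append(f"  impacted functions: {sorted(plan.impacted_functions)}")
    if plan.unapproved:
        lines.append(f"  ESCALATE: impact not pre-authorized: {plan.unapproved}")
    else:
        lines.append("  all impact within pre-authorized limits; proceed")
    return "\n".join(lines)


# Constructed sample inventory; not a real environment.
SAMPLE_FLOWS = [
    Flow("corp-workstations", "hr-app", "tcp", 443, "hr-portal"),
    Flow("corp-workstations", "file-services", "tcp", 445, "shared-drives"),
    Flow("corp-workstations", "siem", "udp", 514, "security-logging", preserve=True),
    Flow("ir-jumphost", "corp-workstations", "tcp", 22, "incident-forensics", preserve=True),
    Flow("hr-app", "db-cluster", "tcp", 5432, "hr-portal"),
    Flow("web-dmz", "app-tier", "tcp", 8443, "customer-orders"),
    Flow("app-tier", "db-cluster", "tcp", 5432, "customer-orders"),
]

if __name__ == "__main__":
    # Workstation VLAN with ransomware: pre-authorized impact, proceed.
    print(render(plan_isolation("corp-workstations", SAMPLE_FLOWS,
                                {"shared-drives", "hr-portal"})))
    # Database segment: customer-orders was never pre-authorized, escalate.
    print(render(plan_isolation("db-cluster", SAMPLE_FLOWS, {"hr-portal"})))
```

The preserved flows are the ones the drill in the control's testing procedure should confirm exist in configuration before an incident: without the SIEM and jump-host exceptions, isolation also blinds the responders, and without the pre-authorized impact set every isolation decision becomes an ad-hoc business negotiation.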
Control objective
What auditing this proves
Demonstrate that the organization has documented, tested, and technically implemented network segmentation capabilities that enable rapid isolation of compromised segments while maintaining operations for unaffected business functions.
Associated risks
Risks this control addresses
- Lateral movement of attackers across the network from an initially compromised endpoint or segment to critical assets
- Ransomware propagation spreading from patient-zero systems to entire production environments before containment
- Business-wide outages caused by overly aggressive or poorly designed isolation responses that disable critical dependencies
- Delayed incident response due to lack of pre-configured isolation procedures or unclear network segmentation boundaries
- Inability to contain data exfiltration when attackers pivot from low-value to high-value network segments
- Service disruption to customers or partners when incident responders cannot selectively isolate threat vectors
- Extended dwell time for threat actors exploiting flat network architectures without segmentation controls
Testing procedure
How an auditor verifies this control
- Obtain and review the current network architecture diagram including all segmentation boundaries, VLANs, security zones, and isolation points.
- Retrieve documented network isolation procedures, playbooks, or runbooks that define triggers, authorization workflows, and execution steps for segment isolation.
- Interview network engineering and security operations personnel to confirm understanding of isolation procedures and authority to execute them.
- Review firewall, router, and switch configurations to identify pre-configured isolation rules, access control lists, or automation scripts ready for activation.
- Examine evidence of tabletop exercises or live drills testing network isolation capabilities within the past 12 months, including after-action reports.
- Identify business continuity or disaster recovery documentation that maps critical business functions to network segments and defines acceptable isolation impacts.
- Test a sample isolation scenario by requesting a walk-through simulation or reviewing logs from a previous isolation event showing response time and business impact.
- Verify that monitoring and alerting systems can detect when isolation actions occur and notify appropriate stakeholders in real time.