ISO/IEC 27001:2022 Annex A: A.8.20 / A.8.22 / A.8.23. Related mappings: SC-7, CIS-12.2.

A.8.20 / A.8.22 / A.8.23 — Are networks secured with segregation, NGFW and web filtering? (A.8.23 is new in the 2022 edition)

Description

What this control does

This control groups three Annex A requirements: A.8.20 (networks security), A.8.22 (segregation of networks) and A.8.23 (web filtering, new in the 2022 edition). It requires network segmentation that separates assets by trust level and function, next-generation firewalls (NGFW) that enforce layer 7 inspection and application-aware policies at the zone boundaries, and web filtering that blocks access to malicious or unauthorized content. Segmentation limits lateral movement by isolating workloads into zones such as DMZs, internal LANs and management networks; each boundary should be default-deny, with only documented flows explicitly allowed. NGFWs add stateful inspection, intrusion prevention and URL filtering at those boundaries and match traffic on the application rather than the port alone, so an unauthorized application cannot pass simply by using a port that happens to be open. Web filtering prevents users from reaching phishing sites, malware distribution points and prohibited categories, reducing exposure to web-borne threats. Where TLS traffic is not decrypted, the filter can act only on the hostname (DNS lookup or TLS SNI), not on the URL path or page content, so the decryption scope directly determines how much the web filter can see.

Control objective

What auditing this proves

Demonstrate that networks are architecturally segmented by trust zones, protected by next-generation firewalls enforcing application-layer policies, and equipped with active web filtering to prevent access to malicious or unauthorized content.

Associated risks

Risks this control addresses

  • Lateral movement by attackers following initial compromise, enabling widespread access to sensitive systems
  • Exfiltration of data across unsegmented network boundaries without detection or blocking
  • Employees accessing phishing or malware-hosting websites, leading to credential theft or endpoint infection
  • Unauthorized applications bypassing traditional port-based firewalls, creating unmonitored communication channels
  • Flat network architecture allowing ransomware to propagate rapidly across all connected systems
  • Lack of visibility into encrypted web traffic enabling command-and-control communications to evade detection
  • Misconfigured firewall rules allowing unintended traffic flows between trust zones

Testing procedure

How an auditor verifies this control

  1. Obtain and review the current network architecture diagram, identifying all defined segments, trust zones, and boundary enforcement points.
  2. Request firewall configuration exports and rule tables from all NGFWs protecting network segment boundaries.
  3. Verify that NGFWs are configured for application-layer inspection, intrusion prevention, and SSL/TLS decryption where appropriate, and that any decryption exclusions (for example categories excluded for privacy or legal reasons) are documented and approved rather than left as undocumented gaps.
  4. Review web filtering policies and categories blocked or allowed, and confirm integration with NGFW or proxy infrastructure.
  5. Select a sample of firewall rules and trace them to documented business justifications and change approvals.
  6. Perform sample network scans from a host in one zone toward another (or request recent vulnerability assessment or penetration test results) and confirm that only the documented services respond across each boundary, so that segmentation is shown to be enforced at the packet level rather than only on the diagram.
  7. Test web filtering by attempting to access a known blocked category from a representative user workstation and verify block action is logged.
  8. Review logs from NGFWs and web filters for the past 30 days to confirm active policy enforcement, alerting, and anomaly detection.
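The rule-table review in steps 2, 5 and 6 can be done mechanically once the export is normalised. The following Python script is an added example written for this page, not part of the control text or of any vendor's tooling: it checks a normalised NGFW rule export against the documented zone-to-zone flow matrix, flags allow rules that open flows the design does not document, cross-zone rules with an "any" service, rules with no change record, rules with logging disabled, and confirms the table ends in a default deny. The zone ranges, the permitted-flow matrix and the rule table are constructed for illustration; a real export must first be mapped to the id/src/dst/service/action/log/ticket columns the script assumes.

```python
"""Check a normalised firewall rule export against a documented zone flow matrix.

Constructed example: ZONES, PERMITTED_FLOWS and RULE_EXPORT are invented for
illustration. Real NGFW exports are vendor specific and must be mapped into the
columns id,src,dst,service,action,log,ticket before this check is run.
"""
import csv
import io
from ipaddress import ip_network

# Trust zones and the address ranges assigned to them (constructed values).
ZONES = {
    "internet": [ip_network("0.0.0.0/0")],
    "dmz": [ip_network("192.0.2.0/24")],
    "internal": [ip_network("10.10.0.0/16")],
    "mgmt": [ip_network("10.99.0.0/24")],
}

# Documented flows: (source zone, destination zone) -> services the design allows.
# Any boundary crossing not listed here must be denied (default deny).
PERMITTED_FLOWS = {
    ("internet", "dmz"): {"tcp/443"},
    ("dmz", "internal"): {"tcp/5432"},
    ("mgmt", "dmz"): {"tcp/22"},
    ("mgmt", "internal"): {"tcp/22", "tcp/3389"},
}

# Constructed rule export in the normalised column layout the audit expects.
RULE_EXPORT = """\
id,src,dst,service,action,log,ticket
10,0.0.0.0/0,192.0.2.10/32,tcp/443,allow,yes,CHG-1001
20,192.0.2.10/32,10.10.5.20/32,tcp/5432,allow,yes,CHG-1002
30,10.99.0.0/24,10.10.0.0/16,tcp/22,allow,yes,CHG-1003
40,192.0.2.0/24,10.10.0.0/16,any,allow,no,
50,10.10.0.0/16,0.0.0.0/0,tcp/80,allow,yes,CHG-1005
60,any,any,any,deny,no,CHG-0001
"""


def _is_any(value):
    return value.strip().lower() in ("any", "0.0.0.0/0")


def zone_of(cidr):
    """Most specific zone containing the address object; 'any' maps to 0.0.0.0/0."""
    net = ip_network("0.0.0.0/0" if _is_any(cidr) else cidr.strip(), strict=False)
    best, best_len = None, -1
    for zone, nets in ZONES.items():
        for zone_net in nets:
            if net.subnet_of(zone_net) and zone_net.prefixlen > best_len:
                best, best_len = zone, zone_net.prefixlen
    return best  # None when the object belongs to no documented zone


def parse_rules(export):
    """Rows of the normalised export, in rule order."""
    return list(csv.DictReader(io.StringIO(export)))


def has_default_deny(rules):
    """True when the last rule denies any/any/any, i.e. the boundary is default-deny."""
    if not rules:
        return False
    last = rules[-1]
    return (last["action"].strip().lower() == "deny"
            and _is_any(last["src"]) and _is_any(last["dst"]) and _is_any(last["service"]))


def audit(rules):
    """Return (rule id, finding) pairs; an empty list means the table matches the design."""
    findings = []
    for rule in rules:
        rid = rule["id"]
        if rule["log"].strip().lower() != "yes":
            findings.append((rid, "logging disabled; enforcement cannot be evidenced from logs"))
        if rule["action"].strip().lower() != "allow":
            continue  # deny rules open no flows; only their logging matters here
        if not rule["ticket"].strip():
            findings.append((rid, "allow rule has no change record or business justification"))
        src, dst = zone_of(rule["src"]), zone_of(rule["dst"])
        if src is None or dst is None:
            findings.append((rid, "address object is not assigned to a documented trust zone"))
            continue
        if src == dst:
            continue  # intra-zone traffic is outside the boundary matrix
        allowed = PERMITTED_FLOWS.get((src, dst))
        service = rule["service"].strip()
        if allowed is None:
            findings.append((rid, f"undocumented cross-zone flow {src} -> {dst}"))
        elif service.lower() == "any" or service not in allowed:
            findings.append((rid, f"service {service} not in documented flow {src} -> {dst}"))
    return findings


if __name__ == "__main__":
    rules = parse_rules(RULE_EXPORT)
    print("default deny present:", has_default_deny(rules))
    for rid, finding in audit(rules):
        print(f"rule {rid}: {finding}")
```

On the constructed table the check reports rule 40 three times (unlogged, no ticket, "any" service across the dmz/internal boundary), rule 50 as an undocumented internal-to-internet flow that bypasses the web filter, and rule 60 because the final deny is not logged, which is exactly the evidence gap step 8 would otherwise surface only from the absence of block logs. Each finding maps back to a rule id so it can be traced to the change record the auditor asks for in step 5.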
Evidence required

  • Network topology diagrams annotated with segment boundaries and firewall placement
  • NGFW configuration exports showing application control, IPS, and SSL inspection settings
  • Web filtering policy documents and blocked category lists
  • Firewall rule tables with approval records and business justifications
  • Screenshots or packet captures demonstrating segmentation enforcement
  • Web filter block logs and alerts from the past 30 days
  • Penetration test or vulnerability scan results validating segmentation

Pass criteria

Network architecture demonstrates logical segmentation by trust zones, all segment boundaries are protected by NGFWs with application-layer inspection and intrusion prevention enabled, web filtering is actively enforced with current block lists, and logs from the past 30 days confirm ongoing policy enforcement and incident detection.