ISO/IEC 27033 is the multi-part international standard for network security. Where ISO 27001 requires you to "implement appropriate network security controls" and ISO 27002 offers high-level guidance, ISO 27033 is where the actual practice is set out. Across its parts it covers network security architecture and requirements analysis, reference networking scenarios, securing communications between networks with security gateways and VPNs, wireless IP network access, and network virtualisation. The content is genuinely useful and substantially underused, even by ISMS programmes that cite it in their Statement of Applicability.
Why It Matters in Modern Environments
Cloud, hybrid, zero-trust, and software-defined networking have changed what "network security" means in practice. ISO 27033 has aged better than most multi-part technical standards because its underlying concepts (threat-aware architecture, layered defences, segregation, secure communications, monitoring) apply across deployment models. A cloud-native organisation does not implement the controls the same way as an on-premises one, but the standard's framework for thinking about network security applies in both contexts.
The Parts and What Each Covers
Part 1 covers overview and concepts. Part 2 gives guidelines for the design and implementation of network security. Part 3 covers reference networking scenarios: threats, design techniques, and control issues for common network types. Part 4 addresses securing communications between networks using security gateways. Part 5 covers securing communications across networks using VPNs. Part 6 addresses securing wireless IP network access. Part 7, the most recent, covers network virtualisation security. For an ISMS programme implementing the network-related Annex A controls, the relevant parts of 27033 provide the operational guidance Annex A intentionally leaves abstract.
Network Security Architecture
The standard treats network security architecture as a deliberate design process — identify the assets, characterise the threats, identify the technical and operational controls, document the architecture, validate against actual operating conditions. This is the discipline that distinguishes networks designed for security from networks where security is a layer added after the fact. Most organisations that have grown organically have networks in the second category, and retrofitting design is harder than designing it correctly the first time.
A pattern in network security assessments: the organisation has good firewall rules, segmented production environments, and monitored egress, but the network architecture is not actually documented anywhere a new engineer could understand. The institutional knowledge lives in three or four senior network engineers. ISO 27033's emphasis on documented architecture is not bureaucratic — it is what allows the network to remain secure when the people who built it leave.
Segregation in Practice
Network segregation is one of the highest-value security controls, and one of the easiest to weaken over time as exception rules accumulate. ISO 27033 covers segregation principles, the patterns for implementing them across physical and virtual networks, and the operational discipline required to maintain segregation in production. Programmes that documented their segregation rationale upfront (which zones may talk to which, on which services, and why) and review the live ruleset against it periodically tend to maintain segregation effectively. Programmes that operate by exception accumulate firewall rules, each reasonable on its own, and end up with segregation that exists in name only. The practical check is simple: every rule should either map to a documented zone-to-zone path or be a recorded exception with an owner and an expiry date, and anything that fails both tests is drift.
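The review described above can be automated. The script below is an added example, not text or code from ISO/IEC 27033 or from any product: it encodes a documented zone plan and allowed zone-to-zone paths as data, then checks a firewall ruleset against them, flagging wildcard rules, paths the plan never documented, and temporary exceptions that have expired. The zone prefixes, allowed paths, rule names and dates are all constructed for illustration.

```python
"""Review a firewall ruleset against a documented segregation plan.

Added example. The zones, allowed paths, rules and dates below are
constructed for illustration and do not come from the standard or
from any real network.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date

# Constructed zone plan (assumed): each zone is one prefix. Addresses that
# fall outside every zone are treated as "external".
ZONES = {
    "dmz": ipaddress.ip_network("10.1.0.0/16"),
    "app": ipaddress.ip_network("10.2.0.0/16"),
    "db": ipaddress.ip_network("10.3.0.0/16"),
    "mgmt": ipaddress.ip_network("10.9.0.0/24"),
}

# Documented segregation rationale (assumed): the only zone-to-zone paths
# that should exist and the TCP ports each may carry. Everything else is
# deny-by-design, so a rule opening another path is either a recorded
# exception or drift.
ALLOWED_PATHS = {
    ("external", "dmz"): {443},
    ("dmz", "app"): {443},
    ("app", "db"): {5432},
    ("mgmt", "dmz"): {22},
    ("mgmt", "app"): {22},
    ("mgmt", "db"): {22},
}

TODAY = date(2024, 6, 1)  # constructed review date


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # CIDR; "0.0.0.0/0" means any source
    dst: str
    dport: int | None             # None means any port
    comment: str = ""
    expires: date | None = None   # set only on recorded temporary exceptions


def zone_of(cidr: str) -> str:
    """Map a rule's CIDR onto the zone plan."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "any"
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    if any(zone.overlaps(net) for zone in ZONES.values()):
        return "multi"   # covers more than one zone: too broad to classify
    return "external"


def review(rules: list[Rule], today: date) -> list[tuple[str, str, str]]:
    """Return (rule name, category, detail) for every rule that is not
    a documented path. Rules matching the plan produce no finding."""
    findings = []
    for r in rules:
        src, dst = zone_of(r.src), zone_of(r.dst)
        if src in ("any", "multi") or dst in ("any", "multi") or r.dport is None:
            findings.append((r.name, "overly broad", "wildcard source, destination or port"))
            continue
        allowed = ALLOWED_PATHS.get((src, dst))
        if allowed is not None and r.dport in allowed:
            continue  # documented path: nothing to report
        if r.expires is None:
            findings.append((r.name, "undocumented path",
                             f"{src}->{dst}:{r.dport} is not in the segregation plan"))
        elif r.expires < today:
            findings.append((r.name, "expired exception", f"expired {r.expires}"))
        else:
            findings.append((r.name, "active exception", f"until {r.expires}"))
    return findings


# Constructed ruleset showing the usual drift patterns.
SAMPLE_RULES = [
    Rule("R1", "10.1.0.0/16", "10.2.0.0/16", 443, "web tier to app tier"),
    Rule("R2", "10.2.0.0/16", "10.3.0.0/16", 5432, "app tier to postgres"),
    Rule("R3", "10.1.0.0/16", "10.3.0.0/16", 5432, "migration, temporary", date(2024, 3, 31)),
    Rule("R4", "10.2.0.10/32", "10.3.0.0/16", 3306, "reporting job, approved exception", date(2024, 12, 31)),
    Rule("R5", "0.0.0.0/0", "10.2.0.0/16", None, "added during an incident, never removed"),
    Rule("R6", "10.9.0.0/24", "10.1.0.0/16", 22, "admin ssh"),
    Rule("R7", "10.9.0.0/24", "10.3.0.0/16", 3389, "rdp to db hosts"),
]

if __name__ == "__main__":
    for name, category, detail in review(SAMPLE_RULES, TODAY):
        print(f"{name}: {category} ({detail})")
```

Run against the constructed ruleset, R1, R2 and R6 match the plan and are silent; R5 is flagged as overly broad, R7 as an undocumented path, R3 as an expired exception and R4 as an exception still within its window. Feeding the real ruleset exported from a firewall into the same check, on a schedule, is what keeps the documented rationale and the live configuration from drifting apart.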
How to Use the Standard Without Reading All Of It
Reading every part of ISO 27033 from end to end is not the right approach for most practitioners. The right approach is using the relevant parts as reference material when designing or reviewing specific architectural elements. Designing network segmentation? Read Part 2. Implementing or reviewing wireless? Part 6. Building secure inter-network communication? Part 4 and Part 5. The standard rewards selective consultation more than cover-to-cover reading, and the time invested in each consultation pays back in better-designed controls.