Information Security

ISO/IEC 27033: Network Security and the Discipline of Segmentation That Holds

Standarity Editorial Team · Network Security Architects

ISO/IEC 27033 is the multi-part standard providing detailed guidance on network security as a complement to the broader controls in ISO 27001. The standard covers overview and concepts, network security design, reference networking scenarios, securing communications between networks, VPNs, IP convergence considerations, wireless networks, and other specific topics. Used substantively, 27033 anchors architectural decisions that determine whether the network constrains attacker movement after initial compromise. Used cosmetically, 27033 produces network diagrams and a clause-mapping table that satisfy the auditor.

Segmentation as the Foundational Discipline

Network segmentation is the single most consequential architectural decision in network security. Flat networks make lateral movement trivial — an attacker who compromises any endpoint can reach any other endpoint, including the data they actually came for. Segmented networks impose work on the attacker between compromise and objective, give defenders detection opportunities, and limit blast radius when controls fail. The segmentation principles are not new; what has changed is the tooling that makes meaningful segmentation operationally feasible at scale, including software-defined networking, microsegmentation platforms, and identity-aware proxies.

Zones, Trust Levels, and the Traffic Flow Model

ISO 27033 builds segmentation guidance around zones and trust levels — categorising network areas by the trust assumptions that apply, defining the controls that govern movement between them, and constructing the traffic flow model that describes what should and should not be possible. The model is conceptually simple and operationally demanding. Zone definitions need to reflect actual usage; trust levels need to be applied consistently; the traffic flow model needs to be enforced rather than aspirational. The architectures that hold up to attack are the ones where the design and the enforcement match.

Why Traditional Perimeter Models Fail in Modern Estates

The traditional perimeter model — hard outside, soft inside, with the firewall as the primary control — assumed a clear boundary between the trusted internal network and the untrusted external network. Modern estates have no such boundary. Cloud services, SaaS applications, mobile devices, partner integrations, remote work, and contractor access all blur the perimeter. The perimeter model still exists in name in many organisations and effectively fails the moment any of these patterns operate. Modern segmentation guidance — including the zero trust direction that 27033 acknowledges — replaces the perimeter assumption with per-flow access decisions.

A pattern in network architecture reviews: the organisation has a documented network architecture with internal zones, firewall rules between them, and a traffic flow model. Sampling shows that any-any rules accumulate over time as exceptions for "temporary" integrations, the zones contain devices with very different sensitivity levels, and the firewall rule set has not been substantively reviewed in years. The architecture is documented; the enforcement has degraded. The remediation is not redesign — it is operational discipline around rule review, exception management, and zone composition.

Internal Segmentation as the Higher-Leverage Investment

Most segmentation effort historically went into the external perimeter. The higher-leverage modern investment is internal segmentation — controlling movement between the parts of the internal estate that an attacker would traverse after initial compromise. Workstation networks should not have unrestricted access to server networks. Production networks should not be reachable from development networks. Critical data systems should be reachable only from explicitly authorised paths. The internal segmentation work is more operationally complex than external segmentation but generates substantially more risk reduction per unit of effort.
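The zone and traffic-flow model, the any-any rule drift described in the architecture review pattern above, and the internal-segmentation expectations (workstations to servers only on authorised paths, no development-to-production reach) can be checked mechanically against a rule export. The following audit script is an added example, not code from the standard or the article; the zone names, rule fields, sample rules and the 365-day review period are all constructed for illustration.

```python
"""Audit a firewall rule export against a zone traffic-flow model.

Added example: zones, rule fields, sample rules and the review period
are constructed, not taken from ISO/IEC 27033 or any real estate.
"""
from datetime import date

# Constructed traffic-flow model: the (source zone, destination zone)
# pairs the architecture permits at all. Anything else is a violation.
ALLOWED_FLOWS = {
    ("workstations", "servers"),
    ("servers", "production"),
    ("internet", "servers"),
}

# Constructed rule set, shaped like a simplified firewall export.
RULES = [
    {"id": 1, "src": "workstations", "dst": "servers", "port": "443",
     "review": "2025-01-10", "note": "web portal"},
    {"id": 2, "src": "any", "dst": "any", "port": "any",
     "review": "2019-06-01", "note": "temporary vendor integration"},
    {"id": 3, "src": "development", "dst": "production", "port": "5432",
     "review": "2024-11-02", "note": "db sync"},
    {"id": 4, "src": "workstations", "dst": "servers", "port": "any",
     "review": "2021-03-15", "note": "admin access"},
]


def audit_rules(rules, allowed_flows, today_iso, max_age_days=365):
    """Return (rule id, finding) tuples for rules that break the flow
    model or the rule-review discipline. today_iso fixes the clock so
    the result is reproducible."""
    today = date.fromisoformat(today_iso)
    findings = []
    for r in rules:
        if r["src"] == "any" and r["dst"] == "any":
            # An any-any rule defeats every zone boundary at once.
            findings.append((r["id"], "any-any rule"))
        elif (r["src"], r["dst"]) not in allowed_flows:
            # A zone pair the model never permitted, e.g. dev -> prod.
            findings.append((r["id"], f"flow {r['src']}->{r['dst']} not in traffic-flow model"))
        elif r["port"] == "any":
            # Permitted zone pair, but not an explicitly authorised path.
            findings.append((r["id"], "unrestricted ports on permitted flow"))
        # A stale last-review date shows the review cycle has lapsed.
        if (today - date.fromisoformat(r["review"])).days > max_age_days:
            findings.append((r["id"], "not reviewed within review period"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(RULES, ALLOWED_FLOWS, "2025-06-01"):
        print(f"rule {rule_id}: {finding}")
```

Only rule 1 passes cleanly; the other three each surface the kind of degraded enforcement the review pattern describes.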

Microsegmentation in Modern Workload Environments

Microsegmentation — segmentation at the workload or process level rather than the network subnet level — is now practical in cloud and modern data centre environments where the network is largely software-defined. Microsegmentation tooling discovers the actual communication patterns between workloads, generates rules that allow only those patterns, and enforces them at the workload level. The result is segmentation granularity that physical networks could not practically achieve, with detection of unauthorised communication attempts as a side effect. Organisations operating cloud workloads have access to a degree of segmentation that on-premises networks did not historically support.

Components of an Effective Network Security Programme

  • Documented zone architecture with trust levels, traffic flow model, and explicit enforcement
  • Internal segmentation aligned to data sensitivity and operational function, not just to subnet topology
  • Microsegmentation where workload environments support it, particularly in cloud
  • Firewall and rule management discipline including periodic review, exception management, and any-any rule audit
  • Secure connectivity for remote access, partner integrations, and cloud-to-on-premises traffic
  • Wireless network security with appropriate authentication, encryption, and isolation
  • Network detection capability that surfaces unauthorised flows the segmentation should have prevented
  • Integration of network security with identity, endpoint, and data protection rather than as a standalone domain

The Standard That Makes Architecture Defensible

ISO 27033 is not a certification standard — there is no 27033 certificate to display. It is a guidance standard that helps organisations design and operate network security in a way that actually does what it claims. Programmes that use it substantively produce network architectures that constrain attackers and survive review by experienced security architects. Programmes that ignore it produce diagrams. The standard does not make the work easier; it makes the architectural decisions clearer, and the resulting architectures are the ones that hold up under attack.
