A.8.21 Security of Network Services
What is A.8.21 Security of Network Services?
ISO 27001 control A.8.21 Security of Network Services ensures that security mechanisms, service levels, and management requirements of network services are identified, implemented, and monitored. The control covers both internally managed network services and externally provided services including cloud connectivity and internet access. Service Level Agreements must address security requirements, monitoring capabilities, and incident response procedures.
How to implement A.8.21 in Microsoft 365
Implement A.8.21 by documenting security requirements in network service contracts and SLAs covering encryption standards, access controls, monitoring capabilities, and incident notification. Configure FortiGate firewalls with IPS, anti-malware, and application control for all network traffic.
Enable Microsoft Entra Global Secure Access for secure cloud connectivity with traffic inspection. Monitor network service health via Azure Monitor and FortiAnalyzer with alerts configured for service degradation.
Review ISP and network service provider security certifications annually. Document network service architecture and security controls in network security policy.
What an auditor checks for A.8.21
- Auditors will verify network service contracts include security requirements and SLAs.
- They will check FortiGate firewall configuration shows IPS, anti-malware, and application control are enabled.
- Auditors will verify Global Secure Access is configured for cloud traffic protection.
- They will check network monitoring is configured via Azure Monitor or FortiAnalyzer with service health alerts.
- Auditors will review ISP and service provider security certifications dated within 12 months.
- They will verify network security policy documents architecture and security controls.
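The FortiGate item in this checklist can be pre-checked from a configuration backup before the audit. The script below is an added example, not part of the original page or any vendor tooling; it assumes profile-based policies in a single-VDOM plain-text backup, and the sample configuration is constructed.

```python
import re

# FortiOS policy keys for the three profiles the checklist names.
REQUIRED = {"ips-sensor": "IPS", "av-profile": "anti-malware",
            "application-list": "application control"}
# Constructed sample of a FortiGate config backup (not from a real device).
SAMPLE_CONFIG = '''\
config firewall policy
    edit 1
        set name "lan-to-internet"
        set action accept
        set utm-status enable
        set ips-sensor "default"
        set av-profile "default"
        set application-list "default"
    next
    edit 2
        set name "guest-to-internet"
        set action accept
        set utm-status enable
        set ips-sensor "default"
    next
    edit 3
        set action deny
    next
end
'''

def parse_policies(config_text):
    """Return {policy_id: {key: value}} from the 'config firewall policy' block."""
    policies, current, in_block = {}, None, False
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("config "):
            in_block = line == "config firewall policy"
        elif in_block and (m := re.match(r"edit (\d+)$", line)):
            current = policies.setdefault(int(m.group(1)), {})
        elif in_block and current is not None and (m := re.match(r"set (\S+) (.+)$", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return policies

def audit_gaps(config_text):
    """Map each accept policy to the profiles it lacks; an empty dict passes."""
    gaps = {}
    for pid, p in parse_policies(config_text).items():
        utm_on = p.get("utm-status") == "enable"  # profiles apply only when enabled
        missing = [v for k, v in REQUIRED.items() if not (utm_on and p.get(k))]
        if p.get("action") == "accept" and missing:  # deny rules pass no traffic
            gaps[p.get("name", f"policy-{pid}")] = missing
    return gaps
```

Calling audit_gaps on the sample flags only the guest policy, which has IPS but no anti-malware or application control profile attached.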
Evidence we surface for A.8.21
Network-services security for A.8.21 reads Microsoft Defender for Office 365 policy state: Exchange Online Protection anti-malware, anti-spam, and connection-filter policies (with CIS hygiene check results), Safe Links policies, and Safe Attachments policies. The ISO control covers more than email, but for cloud-first M365 estates email is the network-service surface that matters most.
M365 capabilities that implement this control
CIS Microsoft 365 Foundations benchmark settings for Exchange Online
Email gateway security, Safe Links, Safe Attachments, transport rule hardening, SMTP auth, and mail forwarding controls