Network segmentation for NIS2 and ISO 27001: from compliance requirement to practical security control

Most corporate networks were once built “flat”: one large network where the receptionist's laptop, the accounting server, the production machines and the backups can all reach each other. That is convenient to manage, but it is exactly the scenario an attacker hopes for. Anyone who gets in through a single phished login or one vulnerable device can move freely across the entire network — from workstation to server to backup — without ever hitting a second barrier.
Network segmentation puts those barriers back into the network. It is at once one of the most effective technical measures against ransomware and a control that both NIS2 and ISO 27001 expect from you. This article explains what segmentation is, why it works, how it maps onto both frameworks, and how to implement it so that you can also demonstrate it during an audit.
What is network segmentation?
Network segmentation is the practice of dividing your network into separated zones and deliberately controlling the traffic between them. Instead of one open space where everything talks to everything, you create compartments with clear boundaries — much like fire compartments in a building. An incident in one zone does not automatically spread to the rest.
In practice, segmentation exists at several levels, from coarse to fine:
- Physical separation: dedicated equipment or networks for critical systems (for example an isolated OT/production network).
- VLAN and subnet segmentation: logical zones such as office, guest Wi-Fi, servers, cameras and IoT, with a firewall filtering traffic at the zone boundary. A VLAN on its own only separates broadcast domains; the security boundary is the firewall (or filtering layer-3 gateway) between the VLANs, and without it the zones can still reach each other freely.
- Micro-segmentation: fine-grained isolation down to individual systems or workloads, where only explicitly permitted traffic is allowed through.
- Zero Trust segmentation: access is not granted on the basis of where a device sits in the network, but verified per connection on the basis of identity, device and context, following the principle of “never trust, always verify”.
This approach aligns with the broader Zero Trust model described by the US NIST in SP 800-207 (Zero Trust Architecture), which now underpins many European security strategies. Segmentation is its network layer: it makes the idea of “restrict access to what is strictly necessary” concrete and enforceable.
Why segmentation works: stopping lateral movement
The main reason attackers cause so much damage is not the initial breach — it is what happens next. After the initial access, attackers move laterally: from the first compromised system they hunt for accounts, servers and data of higher value. In a flat network that takes very little effort.
Two figures from independent research make clear how much time attackers get for this. According to the M-Trends 2025 report from Mandiant (Google Cloud), the global median dwell time — the period an attacker remains undetected inside — is 11 days. During those days, your network design determines whether the attacker stays on one workstation or breaks through to your crown jewels. The annual Verizon Data Breach Investigations Report has meanwhile shown for years that stolen credentials and exploited vulnerabilities are the leading access routes — precisely the scenarios in which segmentation limits the damage.
Segmentation shrinks what security professionals call the blast radius: the reach of an incident. Leading government guidance confirms this. The US cyber agency CISA explicitly recommends, in its #StopRansomware Guide, using network segmentation to hinder attackers' lateral movement and prevent the spread of ransomware. For SMEs and organisations with multiple locations, clients or departments, that is often the difference between an isolated incident and a company-wide outage.
The link with NIS2 and ISO 27001
Segmentation is not just good hygiene — it directly touches two frameworks that a growing number of Dutch, Belgian and wider European organisations must comply with.
NIS2: appropriate measures and access restriction
The NIS2 Directive (Directive (EU) 2022/2555) requires essential and important entities to take appropriate technical, operational and organisational measures. Article 21 lists, among other things, risk analysis, security of network and information systems, access control policies and incident handling. NIS2 does not literally prescribe segmentation, but access restriction, network security and limiting the impact of incidents are widely recognised ways to meet it — as also reflected in the technical implementation guidance from ENISA, the European Union agency for cybersecurity. Applying segmentation where it is proportionate, and justifying it from the risk, is how you show the measures are “appropriate”.
ISO 27001: Annex A makes it concrete
ISO 27001:2022 translates the same principle into concrete controls in Annex A. Four of them are directly relevant:
- A.8.20 – Networks security: networks and network devices must be secured, managed and controlled.
- A.8.22 – Segregation of networks: groups of information services, users and systems must be segregated within the network. This is the core control that literally calls for segmentation.
- A.8.15 – Logging: events are recorded, including traffic and access between zones.
- A.8.16 – Monitoring activities: networks and systems are monitored for anomalous behaviour.
For an auditor the question is not only whether you segment, but whether the choice stems from your risk assessment and whether you can demonstrate that it works. Segmentation is therefore a textbook example of how NIS2 and ISO 27001 reinforce each other: the same measure serves both frameworks.
Practical measures: how to approach it
Segmentation need not be a multi-year project. A pragmatic, risk-driven approach delivers results quickly:
- Map traffic flows. You cannot separate what you cannot see. Start by understanding which systems talk to each other and why.
- Define zones based on risk. Think of: critical servers and data, office workstations, guest Wi-Fi, IoT/cameras, management, and backup. Critical systems get the strictest boundaries.
- Set policy per zone boundary. Block everything by default and explicitly allow only necessary traffic (default-deny). This is the segmentation equivalent of least privilege.
- Isolate management and backups. Management interfaces and backup environments belong in a separate, tightly controlled zone — they are exactly what ransomware targets.
- Start with the biggest risks. Separate guests, IoT and critical servers first; refine towards micro-segmentation later where the risk justifies it.
- Document and review. Record the zoning, the policy and the justification, and review them periodically — that too is an audit requirement.
For smaller organisations this dovetails neatly with the broader cybersecurity baseline measures and with ISO 27001 for SMEs, where proportionality is central.
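The steps above as a worked example, added here and not code from the original article or from Zenarmor or Secrotec: a zone model with a default-deny allow-list per zone boundary, evaluated against a constructed flow inventory so that every flow from the mapping step ends up as within a zone, allowed, or denied. The zone ranges, the rules (including the hypothetical backup-agent port 10000) and the sample flows are assumptions.

```python
"""Zone model and default-deny inter-zone policy, checked against a flow inventory.

Added example, not code from the article or from Zenarmor/Secrotec. The zone
ranges, the allow rules (including the hypothetical backup-agent port 10000)
and the observed flows are all assumptions chosen to illustrate the steps.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Step 2: zones defined from risk. Ranges are hypothetical.
ZONES = {
    "office":     ip_network("10.10.0.0/16"),
    "guest":      ip_network("10.20.0.0/16"),
    "iot":        ip_network("10.30.0.0/16"),
    "servers":    ip_network("10.40.0.0/16"),
    "management": ip_network("10.50.0.0/24"),
    "backup":     ip_network("10.60.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: Optional[int]  # None matches any port


# Step 3: explicit allow-list per zone boundary; anything not listed is denied.
# Note what is deliberately absent: guest and iot reach nothing internal, and
# backup is reachable only from servers (backup agent) and management, never
# from office workstations, where ransomware usually starts.
ALLOW = [
    Rule("office", "servers", "tcp", 443),
    Rule("office", "servers", "tcp", 445),
    Rule("office", "internet", "tcp", 443),
    Rule("guest", "internet", "tcp", 443),
    Rule("servers", "backup", "tcp", 10000),      # hypothetical backup-agent port
    Rule("management", "servers", "tcp", 22),
    Rule("management", "backup", "tcp", 22),
    Rule("management", "iot", "tcp", 443),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined ranges is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src: str, dst: str, proto: str, port: int) -> str:
    """Verdict for one flow: 'intra-zone', 'allow' or 'deny'.

    Traffic that stays inside a zone does not cross the boundary firewall in
    this model. Traffic that crosses a boundary must match an allow rule;
    otherwise it is denied (default-deny).
    """
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "intra-zone"
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto) == (sz, dz, proto) and r.port in (None, port):
            return "allow"
    return "deny"


# Step 1: a constructed flow inventory, as a flow-mapping exercise would produce it.
OBSERVED_FLOWS = [
    ("10.10.5.23", "10.40.0.10", "tcp", 443),    # workstation -> web app
    ("10.10.5.23", "10.40.0.12", "tcp", 445),    # workstation -> file server
    ("10.10.5.23", "10.60.0.5", "tcp", 445),     # workstation -> backup host
    ("10.20.7.8", "10.40.0.12", "tcp", 445),     # guest -> file server
    ("10.30.1.4", "10.10.5.23", "tcp", 22),      # camera -> workstation
    ("10.40.0.10", "10.40.0.12", "tcp", 1433),   # app server -> database, same zone
    ("10.40.0.12", "10.60.0.5", "tcp", 10000),   # server -> backup agent
    ("10.50.0.2", "10.40.0.12", "tcp", 22),      # admin jump host -> server
]


def review(flows):
    """Group flows by verdict. The 'deny' group is the work list: each entry needs
    either a justified allow rule or confirmation that the block is intended."""
    groups = {"intra-zone": [], "allow": [], "deny": []}
    for flow in flows:
        groups[evaluate(*flow)].append(flow)
    return groups


if __name__ == "__main__":
    for verdict, flows in review(OBSERVED_FLOWS).items():
        print(verdict)
        for src, dst, proto, port in flows:
            print(f"  {zone_of(src):>10} {src:<12} -> {zone_of(dst):<10} {dst:<12} {proto}/{port}")
```

The flows that land in the deny group are the real output of the mapping step: the workstation reaching the backup host, the guest device reaching the file server and the camera reaching a workstation each need either a justified allow rule recorded with the zoning, or confirmation that the block is intended. Adding a rule for workstation-to-backup traffic just to shorten the list would undo exactly the isolation the previous step called for.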
Logging, monitoring, audit trails and SIEM
A zone boundary you cannot see is one you cannot trust. Segmentation and visibility are inseparable: the traffic between zones is precisely where you can catch attackers in the act of lateral movement. That is why both A.8.15/A.8.16 and NIS2 require logging and monitoring.
The NIST publication SP 800-92 (Guide to Computer Security Log Management) is the reference for structured log management: collect logs centrally, protect them against tampering and retain them long enough for investigation. In practice, this means the traffic and policy logs from your segmentation solution are forwarded to a SIEM (Security Information and Event Management), where they are correlated with other sources. That produces usable audit trails: who did what, when, and which traffic was blocked or allowed. That is not only operationally valuable — it is exactly the evidence an auditor wants to see.
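To make the point about catching lateral movement at the zone boundary concrete, here is an added example that is not from the article and does not use Zenarmor's log format or any particular SIEM's rule language: a small parser for constructed firewall boundary logs and two correlation rules of the kind you would run in a SIEM over the exported events. The log line layout, the zone ranges, the thresholds and every sample line are assumptions.

```python
"""Boundary-log detection: lateral probing and policy breaches between zones.

Added example, not code from the article, nor Zenarmor's log format or any
particular SIEM's rule language. The log line layout, the zone ranges, the
thresholds and every sample line below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ZONES = {  # hypothetical zone ranges
    "office":     ip_network("10.10.0.0/16"),
    "guest":      ip_network("10.20.0.0/16"),
    "servers":    ip_network("10.40.0.0/16"),
    "management": ip_network("10.50.0.0/24"),
    "backup":     ip_network("10.60.0.0/24"),
}
# Which zones may ever open a connection *into* the isolated zones. A passed
# connection from anywhere else contradicts the policy and is itself an alert.
EXPECTED_SOURCES = {
    "backup": {"servers", "management"},
    "management": {"management"},
}

# Constructed layout: "<iso-timestamp> <firewall> <pass|block> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>pass|block) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def zone_of(ip):
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unzoned"


def parse(line):
    """Normalise one log line into an event dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"].replace("Z", "+00:00")),
        "action": d["action"], "proto": d["proto"],
        "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
        "src_zone": zone_of(d["src"]), "dst_zone": zone_of(d["dst"]),
    }


def detect(lines, window=timedelta(minutes=5), min_targets=5):
    """Two correlation rules over inter-zone events, returned as alert tuples.

    lateral-probe:   one source is blocked towards >= min_targets distinct
                     (host, port) pairs in other zones within `window`; this is
                     what a compromised workstation looking for its next hop
                     looks like at a default-deny boundary.
    boundary-breach: a *passed* connection into backup or management from a
                     zone that is not an expected source; the policy should make
                     this impossible, so a hit means a rule gap or a changed rule set.
    """
    events = [e for e in (parse(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    blocked = defaultdict(list)  # src -> [(ts, (dst, dport)), ...]
    for e in events:
        if e["src_zone"] == e["dst_zone"]:
            continue  # intra-zone traffic never reaches the boundary firewall
        if e["action"] == "pass" and e["dst_zone"] in EXPECTED_SOURCES \
                and e["src_zone"] not in EXPECTED_SOURCES[e["dst_zone"]]:
            alerts.append(("boundary-breach", e["src"], e["dst"], e["dport"]))
        if e["action"] == "block":
            hist = blocked[e["src"]]
            hist.append((e["ts"], (e["dst"], e["dport"])))
            while hist and e["ts"] - hist[0][0] > window:  # slide the window
                hist.pop(0)
            targets = {t for _, t in hist}
            if len(targets) >= min_targets:
                alerts.append(("lateral-probe", e["src"], len(targets)))
                hist.clear()  # one alert per burst
    return alerts


SAMPLE_LOG = [  # constructed lines, not real firewall output
    "2025-03-04T09:12:01Z fw01 pass tcp 10.10.5.40:50211 -> 10.40.0.10:443",
    "2025-03-04T09:12:03Z fw01 block tcp 10.10.5.23:51234 -> 10.40.0.10:445",
    "2025-03-04T09:12:04Z fw01 block tcp 10.10.5.23:51235 -> 10.40.0.11:445",
    "2025-03-04T09:12:04Z fw01 block tcp 10.10.5.23:51236 -> 10.40.0.12:445",
    "2025-03-04T09:12:05Z fw01 block tcp 10.10.5.23:51237 -> 10.40.0.13:3389",
    "2025-03-04T09:12:09Z fw01 pass tcp 10.40.0.12:44120 -> 10.60.0.5:10000",
    "2025-03-04T09:13:10Z fw01 block tcp 10.10.5.23:51238 -> 10.40.0.14:445",
    "2025-03-04T09:14:00Z fw01 pass tcp 10.10.5.40:50300 -> 10.60.0.5:22",
    "2025-03-04T09:14:30Z fw01 block tcp 10.20.7.8:40001 -> 10.40.0.12:445",
    "this line is not a firewall event and is skipped",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two design points carry over to a real SIEM rule. The probe rule keys on blocked traffic, which only exists because the boundary is default-deny; on a flat network the same scan produces successful connections and no log at all. The breach rule keys on passed traffic into the isolated zones, which turns the policy itself into a detection: the documented zoning says who may reach backup and management, so any other accepted connection is evidence of a rule change or gap and belongs in the audit trail as much as in the alert queue.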
How Zenarmor supports this
Segmentation lives or dies by the technology with which you see and enforce the traffic between zones. A next-generation firewall with application awareness is a logical building block here. Zenarmor is one such solution: it adds next-gen firewall capabilities to common platforms and fits well within a layered security and compliance approach. Capabilities relevant to a segmentation scenario include:
- Traffic visibility: insight into which applications and users move across the zone boundaries — the basis for meaningful segmentation and for a well-considered segmentation design.
- Policy enforcement and application control: enforcing policy at the application level rather than only on ports and IP addresses — aligned with A.8.20 and A.8.22.
- Zero Trust principles: restricting access to what is necessary, in line with Zero Trust Network Access and the NIST model.
- Logging, audit trails and SIEM/SOAR integration: exporting traffic and policy events to your SIEM for correlation and retention — the demonstrability A.8.15/A.8.16 require.
- API automation and policy backup & restore: managing policy as code, keeping it versioned and recoverable, so changes are traceable and demonstrable.
- Multi-tenant governance: separated policy and reporting per location, client or department — valuable for organisations managing multiple environments.
Zenarmor is emphatically not a replacement for a compliance programme, but a practical way to fill the technical layer. The governance around it — risk assessment, policy, Statement of Applicability and demonstrability during the audit — is where Secrotec supports you alongside the technology.
Conclusion
Network segmentation is one of the few measures that simultaneously increases your resilience and advances your compliance. It stops lateral movement, shrinks the blast radius of an incident, and answers concrete requirements from ISO 27001 Annex A (A.8.20, A.8.22, A.8.15, A.8.16) and NIS2 Article 21. With the right technology — for example a next-gen firewall such as Zenarmor for visibility and policy enforcement — and the right governance around it, segmentation turns from an abstract compliance requirement into a tangible, demonstrable security control.
Want to know whether your network demonstrably meets NIS2 and ISO 27001? Secrotec helps you from risk assessment to audit-ready implementation.
Frequently asked questions
Short, direct answers to the most common questions.
Does NIS2 require network segmentation?
NIS2 does not name segmentation explicitly, but Article 21 requires appropriate technical and organisational measures to protect network and information systems. Network segmentation, access restriction and monitoring are widely recognised ways of meeting that requirement. Regulators and standards such as ISO 27001 expect you to apply segmentation where the risk justifies it and to base that choice on your risk assessment.
Which ISO 27001 controls cover network segmentation?
The most relevant controls in ISO 27001:2022 are A.8.20 (Networks security), A.8.22 (Segregation of networks), A.8.15 (Logging) and A.8.16 (Monitoring activities). Together they require separated network zones, controlled traffic between zones, and demonstrable logging and monitoring of that traffic.
What is the difference between VLAN segmentation and micro-segmentation?
VLAN segmentation divides the network into a few large zones (for example office, guest, servers) and filters traffic at the boundary between them. Micro-segmentation is more granular: it isolates individual systems or workloads and only allows explicitly permitted traffic, following the Zero Trust principle of “never trust, always verify”. Micro-segmentation limits lateral movement more strongly but requires deeper insight into traffic flows.
How do you demonstrate segmentation during an audit?
Document the zoning, the associated policy and its justification from the risk assessment. Ensure firewall rules, policies and changes are versioned and logged, and that traffic between zones is monitored and retained. A central console with audit trails, policy backup and export to your SIEM provides the evidence an auditor wants to see: that the control exists, works and is managed.
Is your network demonstrably secure and compliant?
Schedule a no-obligation security & compliance scan. Within a single conversation you will know where your segmentation stands against NIS2 and ISO 27001, and what the next step is.
