Checklist of ISO/IEC 27001-A.9.1.2 Access to networks and network services


Access control is an essential aspect of information security management, as it determines who is allowed to access an organization’s systems, data, and resources. 

This includes controlling access to networks and network services, which is covered by control A.9.1.2 in the ISO 27001 standard. 

In this article, we will discuss the importance of access control to networks and network services, and provide a sample checklist for organizations to use when reviewing their access control policies and practices.

Sample Checklist:

  • Review the organization’s network services policy to ensure it aligns with the access control policy and other relevant policies, procedures, guidelines, and records.
  • Determine how the organization authorizes, controls, and monitors VPN and wireless access. Is there a defined workflow for granting access based on specific business needs and approvals at appropriate levels?
  • Verify whether multifactor authentication is in place for critical networks, systems, and applications, especially for privileged users.
  • Check the organization’s network security controls regularly, such as through penetration testing, to ensure they are effective and proven.
  • Determine how the organization monitors networks for unauthorized access, use, or suspicious/anomalous activities.
  • Review the incident identification and response times, and ensure the organization measures and reports these metrics.


Access control to networks and network services is crucial to protecting an organization’s sensitive information and resources.

Organizations must have policies and practices in place that align with ISO 27001 control A.9.1.2 to ensure authorized access and monitor for suspicious activities. 

By reviewing their access control policies and practices using a checklist like the one provided, organizations can identify areas for improvement and strengthen their overall security posture.

See also  Checklist of ISO/IEC 27001-A.14.2.3 Technical review of applications after operating platform changes

Leave a comment

Your email address will not be published. Required fields are marked *