ISO/IEC 27001 · Compliance

An ISO 27001 firewall — Annex A network controls, checked on every change.

Several ISO/IEC 27001:2022 Annex A controls land on the firewall — network security, segregation, secure configuration and change management. Enforza ships a bundled ISO/IEC 27001:2022 pack and checks each policy change against it, advising or blocking a rule that would break a control before it reaches a firewall.

Enforza helps you implement and evidence the Annex A controls that touch firewall rules. It does not certify your ISMS — ISO 27001 certification is an accredited-auditor process covering your whole organisation.

Annex A

Which ISO 27001 controls land on your firewall

The 2022 revision's Annex A names several controls a firewall directly supports. Here is what they ask, and the Enforza control that lines up with each.

  • A.8.20

    Networks security

    Networks and network devices must be secured, managed and controlled to protect information. Enforza policies default-deny on every section, with explicit allows you scope by network, port and hostname — a concrete, evidenced implementation of managed network controls.

  • A.8.22

    Segregation of networks

    Groups of services, users and systems must be segregated on networks. East-west and north-south rules sit in the same default-deny policy model, so a guardrail can require lateral connections between trust zones to be explicit and scoped — not implied.

  • A.8.21

    Security of network services

    Security mechanisms and service levels for network services must be identified and managed. Broad egress to 0.0.0.0/0 is scoped with an L7 (FQDN / SNI) matcher rather than a bare-port passthrough, so every wide rule names the service it is allowed to reach.

  • A.8.9

    Configuration management

    Configurations, including security configurations, must be established and managed. A guardrail set is your defined secure baseline for firewall rules; every change is checked against it, so configuration drift is caught at publish time.

  • A.8.32

    Change management

    Changes to information-processing facilities must be subject to change-management procedures. Run Enforza as policy-as-code or in the console — either way every rule change is checked against the attached ISO pack and recorded as an audit event you can show an assessor.

Control references are to ISO/IEC 27001:2022 Annex A. Enforza maps to the network, configuration and change-management controls; controls outside a firewall's scope are catalogued as out of scope rather than mapped.

How it works

Attach the pack. Advise, then enforce. Evidence everything.

The ISO/IEC 27001:2022 pack is one of 25 bundled framework packs covering 210 firewall-applicable controls. Attach it as your network-control baseline and every change is checked.

  1. Attach the ISO/IEC 27001:2022 pack

    ISO/IEC 27001:2022 ships as one of 25 bundled framework packs. Attach it to a policy — whole pack, or cherry-pick the Annex A controls that map to firewall rules — and it becomes your defined network-control baseline.

  2. Advise while you tighten, enforce when ready

    Run the pack in advise mode to surface violations without blocking, bring your rules into line, then switch to enforce so a rule that breaks a control is rejected before any firewall sees it.

  3. Evidence every check

    Every check, advise warning and enforce block is recorded — direct evidence for the network-control, configuration-management and change-management Annex A controls when your certification auditor asks for it.
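As an added illustration of the three-step flow above and of the rule-level checks the Annex A mapping describes, here is a small policy-as-code guardrail in Python. It is not Enforza's code: the rule model, the zone labels and the audit-record shape are assumptions, and the three checks (default-deny per section, wide egress must carry an FQDN/SNI matcher, lateral allows between trust zones must be port-scoped) are stand-ins for the pack's real control logic.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Hypothetical rule model: Enforza's real policy schema is not on this page.
@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    port: Optional[int] = None  # None = any port
    fqdn: Optional[str] = None  # L7 (FQDN/SNI) matcher, if the rule has one
    src_zone: str = ""          # trust-zone labels, used for the lateral check
    dst_zone: str = ""

def check_rules(rules, default_action):
    """Return findings as (control, rule name, message) tuples."""
    findings = []
    if default_action != "deny":  # A.8.20: every section must default-deny
        findings.append(("A.8.20", "<section>", "default action must be deny"))
    for r in rules:
        if r.action != "allow":
            continue
        # A.8.21: a wide egress rule must name the service it may reach
        if ip_network(r.dst, strict=False).prefixlen == 0 and not r.fqdn:
            findings.append(("A.8.21", r.name, "egress to 0.0.0.0/0 has no FQDN/SNI matcher"))
        # A.8.22: an allow between two trust zones must be explicit and port-scoped
        if r.src_zone and r.dst_zone and r.src_zone != r.dst_zone and r.port is None:
            findings.append(("A.8.22", r.name,
                             f"{r.src_zone}->{r.dst_zone} allow is not scoped to a port"))
    return findings

def evaluate_change(rules, default_action, mode="advise"):
    """Check a proposed rule set; enforce mode blocks on any finding, advise only records it."""
    findings = check_rules(rules, default_action)
    decision = "block" if findings and mode == "enforce" else "publish"
    audit = {"pack": "ISO/IEC 27001:2022", "mode": mode, "decision": decision,
             "findings": [{"control": c, "rule": n, "message": m} for c, n, m in findings]}
    return decision, audit  # the audit dict is the evidence record for A.8.9 / A.8.32

# Constructed sample change: one compliant rule and two that each break a control.
SAMPLE_RULES = [
    Rule("web-egress", "allow", "10.0.1.0/24", "0.0.0.0/0", 443, fqdn="api.example.com"),
    Rule("bare-egress", "allow", "10.0.2.0/24", "0.0.0.0/0", 443),
    Rule("db-lateral", "allow", "10.0.1.0/24", "10.0.9.0/24", None, src_zone="app", dst_zone="data"),
]

if __name__ == "__main__":
    for mode in ("advise", "enforce"):
        decision, audit = evaluate_change(SAMPLE_RULES, "deny", mode)
        print(mode, decision, [f["control"] for f in audit["findings"]])
```

Running it shows the same two findings in both modes; only the decision changes from publish to block when the mode is switched to enforce.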

And it costs less

ISO-ready, without the cloud-firewall tax

An ISO-scoped network usually means a managed firewall plus a NAT gateway — two per-hour fees (often duplicated per Availability Zone) plus two per-GB meters. Enforza is one flat-priced appliance.

Flat per firewall

£179/month per firewall (£149 from your sixth), plus the VM you run it on. No per-GB data-processing charge — the bill stops scaling with traffic.

Typically 60–80% less

Against a cloud-native firewall stacked with a NAT gateway at modest egress, the flat line is usually 60–80% cheaper — and the gap widens as traffic grows.

No add-on for compliance

The ISO 27001 pack and advise-or-enforce guardrails are part of the platform. There is no separate compliance SKU and no per-control charge.

FAQ

ISO 27001 firewall — common questions

Does Enforza make me ISO 27001 certified?

No — ISO 27001 certification is granted by an accredited certification body that audits your entire information security management system (ISMS), which spans governance, risk treatment, people, physical security and far more than the network. Enforza helps you implement and evidence the Annex A controls that touch firewall rules — network security (A.8.20), network segregation (A.8.22), secure configuration (A.8.9) and change management (A.8.32). It is one strong, evidenced piece of your ISMS, not the certification itself.

Which ISO 27001 controls does a firewall map to?

The 2022 revision's Annex A includes several controls a firewall directly supports: A.8.20 networks security, A.8.21 security of network services, A.8.22 segregation of networks, A.8.9 configuration management and A.8.32 change management. Enforza's default-deny policies with scoped allows implement the network controls, and its advise-or-enforce guardrails check secure configuration and change management on every rule change.

How does Enforza support the change-management control?

You attach the ISO 27001 pack to a policy as your defined secure baseline. On every change — published from a GitHub pipeline or the console — Enforza checks the rules against the pack and records the result. A change that breaks a control is advised, or in enforce mode blocked before any firewall sees it. That gives you a controlled, evidenced change process for firewall rules, mapping to A.8.32.

Can I use Enforza's checks as audit evidence?

Yes. Every compliance check is recorded — the controls evaluated, what passed, what was advised, and any enforce block that rejected a change. That is defensible evidence for the network and configuration controls in your Statement of Applicability. It evidences the firewall-rule controls; your auditor still assesses the wider ISMS.

How much does Enforza cost?

Enforza is a flat per-firewall licence — £179/month per firewall, dropping to £149 from your sixth — plus the VM you run it on, with no per-GB data-processing charge. Against a cloud-native firewall stacked with a NAT gateway, the flat line is typically 60–80% cheaper at modest egress. The ISO 27001 pack and advise-or-enforce guardrails are part of the platform, not a paid add-on.

Annex A network controls, handled.

Stop non-compliant rules before they ship.

A bundled ISO/IEC 27001:2022 pack, advise-or-enforce on every rule change, and a flat per-firewall price with no per-GB tax. Start free, no card.