Introduction: Zero Trust (NIST SP 800-207)
Zero Trust is a cybersecurity paradigm that shifts defences from static, network-based perimeters to a model centred on users, assets and resources. NIST Special Publication 800-207, published by the National Institute of Standards and Technology in August 2020, is the authoritative reference architecture for Zero Trust Architecture (ZTA). It defines Zero Trust not as a single product or technology but as an evolving set of principles that assume no implicit trust is granted to any asset or user account based solely on its physical or network location (for example, being inside a corporate LAN) or on asset ownership. Every access request is treated as though it originates from an untrusted network, and each is authenticated, authorised and continuously validated before access to an enterprise resource is granted.
This guide is written from the perspective of a CERT-In empanelled auditor and PCI QSA, translating the abstract tenets of SP 800-207 into a concrete, evidence-driven assessment programme. It maps the seven tenets, the logical architecture (Policy Decision Point, Policy Enforcement Point, Policy Engine, Policy Administrator), the deployment models and the trust-algorithm variations into auditable control statements. Because Zero Trust is a strategy rather than a certifiable standard, an organisation is assessed for maturity and design conformance rather than pass/fail compliance. The framework is complementary to the NIST Cybersecurity Framework, NIST SP 800-53 controls, CISA's Zero Trust Maturity Model, and the DoD Zero Trust Reference Architecture, all of which are referenced where relevant.
What is Zero Trust
Zero Trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets and resources. A Zero Trust Architecture (ZTA) uses Zero Trust principles to plan industrial and enterprise infrastructure and workflows. The core assumption is that the enterprise-owned network environment is no different from, or is no more trustworthy than, any non-enterprise-owned network. Trust is never granted implicitly and must be continually evaluated.
NIST SP 800-207 articulates Zero Trust through seven foundational tenets. These tenets are the abstract requirements against which any ZTA design should be measured:
- Tenet 1 — All data sources and computing services are considered resources. A network may be composed of multiple classes of devices, and the enterprise may classify personally-owned devices as resources if they access enterprise-owned resources.
- Tenet 2 — All communication is secured regardless of network location. Network location alone does not imply trust. Access requests from assets on enterprise-owned network infrastructure must meet the same security requirements as requests from any other non-enterprise-owned network; all communication is done in the most secure manner available, protecting confidentiality and integrity and providing source authentication.
- Tenet 3 — Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before access is granted, and access is granted with the least privileges needed to complete the task. Authentication and authorisation to one resource do not automatically grant access to another.
- Tenet 4 — Access to resources is determined by dynamic policy — including the observable state of client identity, application/service and the requesting asset — and may include other behavioural and environmental attributes.
- Tenet 5 — The enterprise monitors and measures the integrity and security posture of all owned and associated assets. No asset is inherently trusted; the enterprise evaluates the security posture of the asset when evaluating a resource request using a continuous diagnostics and mitigation (CDM) or similar system.
- Tenet 6 — All resource authentication and authorisation are dynamic and strictly enforced before access is allowed. This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually re-evaluating trust in ongoing communication.
- Tenet 7 — The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications, and uses it to improve its security posture.
The logical architecture of a ZTA centres on a Policy Decision Point (PDP), which is split into a Policy Engine (PE) that makes the ultimate grant/deny decision using a trust algorithm, and a Policy Administrator (PA) that executes that decision by establishing or shutting down the communication path. The Policy Enforcement Point (PEP) sits in the data plane and enables, monitors and terminates connections between a subject and an enterprise resource. Supporting the PDP are data sources such as CDM systems, threat intelligence feeds, activity logs, data-access policy, PKI, ID management and SIEM systems.
Who must comply
Zero Trust is a voluntary architectural strategy for the private sector but is mandated for United States federal civilian agencies and increasingly expected of their supply chains. In India, the CERT-In directions and the sector-specific guidance from RBI, SEBI and IRDAI increasingly reference Zero Trust principles. The following table summarises the applicability landscape.
| Organisation type | Basis of applicability | Nature of obligation |
|---|---|---|
| US Federal civilian agencies (FCEB) | Executive Order 14028 and OMB Memorandum M-22-09 | Mandatory — must meet specific Zero Trust goals across CISA's five pillars |
| US Department of Defense and contractors | DoD Zero Trust Strategy and Reference Architecture | Mandatory for DoD; flowed down to defence industrial base |
| Critical national infrastructure operators | Sector regulators and CISA guidance | Strongly recommended; often required via sector rules |
| Indian regulated entities (banks, NBFCs, insurers, market infrastructure) | RBI cyber-security framework, SEBI CSCRF, IRDAI guidelines, CERT-In directions | Increasingly expected — Zero Trust cited as leading practice for access control and network segmentation |
| Enterprises pursuing cyber-insurance or major contracts | Insurer and customer due-diligence questionnaires | Contractual / commercial pressure to demonstrate ZT maturity |
| Any organisation with remote workforce, cloud and SaaS | Risk-driven business decision | Voluntary but recommended to counter perimeter erosion |
- Chief Information Security Officers responsible for enterprise security architecture and roadmap.
- Enterprise and security architects designing identity, network and data controls.
- Cloud and platform teams operating IaaS, PaaS and SaaS estates.
- Identity and access management teams owning authentication, authorisation and privileged access.
- Governance, risk and compliance functions aligning ZT to regulatory obligations.
- Third-party and supply-chain risk managers extending trust evaluation to partners.
Structure of Zero Trust
Because SP 800-207 is principle-based, practical assessment blends the NIST tenets and logical components with the pillar taxonomy popularised by CISA's Zero Trust Maturity Model (ZTMM) and the DoD Reference Architecture. This guide organises controls into a coherent structure spanning the seven tenets, the logical architecture components, the five CISA pillars, and the three cross-cutting capabilities. The following table lays out this control structure.
| Structural layer | Element | Description |
|---|---|---|
| Foundational tenets | Tenets 1-7 (NIST SP 800-207) | Abstract requirements that any ZTA must satisfy |
| Logical architecture | Policy Engine (PE) | Component that makes the access decision using the trust algorithm |
| Logical architecture | Policy Administrator (PA) | Establishes/terminates the communication path and issues session credentials |
| Logical architecture | Policy Enforcement Point (PEP) | Data-plane gateway that enables, monitors and ends subject-to-resource connections |
| Logical architecture | Policy Decision Point (PDP) | Combined PE + PA control-plane authority |
| Pillar (CISA) | Identity | Authentication, identity stores, risk-based access for users and entities |
| Pillar (CISA) | Devices | Asset inventory, posture, compliance and threat protection of endpoints |
| Pillar (CISA) | Networks | Segmentation, micro-segmentation, encrypted traffic and traffic management |
| Pillar (CISA) | Applications and Workloads | Secure application access, workload authorisation and secure development |
| Pillar (CISA) | Data | Classification, encryption, data-access governance and DLP |
| Cross-cutting | Visibility and Analytics | Telemetry, monitoring, logging and analytics feeding decisions |
| Cross-cutting | Automation and Orchestration | Automated policy response, SOAR and dynamic enforcement |
| Cross-cutting | Governance | Policy definition, roles, lifecycle and continuous improvement |
| Trust algorithm variants | Criteria-based vs score-based; singular vs contextual | Determines how the PE weighs attributes to reach an access decision |
| Deployment models | Enhanced identity governance, micro-segmentation, network infrastructure/SDP | Approaches for realising ZTA in the enterprise |
Master assessment checklist
This is the core of the guide. It enumerates every tenet, logical component, pillar and cross-cutting capability as an auditable checklist. For each group there is a table with two columns: what to verify, and the typical evidence an auditor should collect. No control area is skipped.
A. Foundational tenets (SP 800-207 Section 2)
| What to verify | Typical evidence |
|---|---|
| Tenet 1: A complete resource catalogue defines all data sources and computing services as protectable resources, including SaaS, APIs and personally-owned devices where in scope | Resource inventory / CMDB export; SaaS register; API catalogue; scoping document |
| Tenet 2: All communications are secured (TLS/mTLS) irrespective of network location, with source authentication and integrity protection | Encryption policy; TLS configuration reports; mTLS certificates; network capture samples |
| Tenet 3: Access is granted per-session with least privilege and re-evaluated each session | Session policy configuration; token TTL settings; least-privilege role definitions |
| Tenet 4: Access decisions use dynamic policy incorporating identity, application, asset state and environmental attributes | Policy engine rule-sets; conditional-access policies; attribute schema |
| Tenet 5: Asset integrity and security posture are continuously monitored via CDM or equivalent | CDM/EDR dashboards; device-posture reports; compliance scoring output |
| Tenet 6: Authentication and authorisation are dynamic and strictly enforced before every access, with continuous re-evaluation | Continuous-authentication logs; step-up MFA events; session re-evaluation records |
| Tenet 7: The enterprise collects and uses telemetry on assets, network and communications to improve posture | SIEM data-source list; log-retention policy; analytics use-case catalogue |
B. Logical architecture components (PDP / PE / PA / PEP)
| What to verify | Typical evidence |
|---|---|
| A Policy Engine exists and applies a defined trust algorithm to grant, deny or revoke access | Policy engine design document; trust-algorithm specification; decision logs |
| The Policy Administrator issues and terminates session credentials and configures the PEP accordingly | PA configuration; credential-issuance logs; session-teardown records |
| Policy Enforcement Points are positioned in front of every protected resource and cannot be bypassed | Network architecture diagram; PEP placement map; bypass-testing results |
| The trust algorithm variant (criteria-based/score-based, singular/contextual) is documented and appropriate to risk | Trust-algorithm design rationale; scoring model; risk assessment |
| Control-plane and data-plane separation is enforced; the PDP is protected and highly available | Segmentation evidence; PDP hardening baseline; HA/DR test results |
| Input data sources (CDM, threat intel, activity logs, PKI, ID management, SIEM, data-access policy) feed the PE | Data-source integration diagrams; API connections; feed status reports |
C. Identity pillar
| What to verify | Typical evidence |
|---|---|
| A single authoritative identity store (or federated stores) covers all human and non-human identities | Identity store schema; federation configuration; joiner-mover-leaver process |
| Phishing-resistant multi-factor authentication is enforced enterprise-wide | MFA policy; FIDO2/WebAuthn deployment reports; MFA coverage metrics |
| Access is risk-based and adaptive, using signals such as location, device and behaviour anomaly | Conditional-access policies; risk-scoring configuration; step-up events |
| Privileged access is governed via just-in-time and just-enough-access with session recording | PAM configuration; JIT approval logs; session recordings |
| Authorisation follows least privilege and is periodically recertified | RBAC/ABAC model; access-review reports; certification attestations |
| Non-human identities (service accounts, workloads, machines) are inventoried and secured | Service-account inventory; secret-rotation logs; workload identity config |
D. Devices pillar
| What to verify | Typical evidence |
|---|---|
| A near-real-time inventory of all devices (managed and unmanaged) that access resources is maintained | Asset inventory; MDM/UEM export; discovery-scan results |
| Device posture (patch level, encryption, EDR presence) is assessed at and during access | Posture-check policies; compliance dashboards; access-denial logs for non-compliant devices |
| Endpoint detection and response is deployed and monitored on in-scope endpoints | EDR coverage report; alert triage records; response playbooks |
| Devices are enrolled, and compliance is a precondition for resource access | Enrolment records; conditional-access device requirements; exception register |
| Unmanaged and BYOD devices are handled through defined, risk-appropriate controls | BYOD policy; isolation/browser-isolation configuration; data-containerisation evidence |
| Hardware roots of trust and supply-chain assurance are considered for critical devices | TPM attestation reports; secure-boot configuration; procurement standards |
E. Networks pillar
| What to verify | Typical evidence |
|---|---|
| The network is segmented and micro-segmented to isolate resources and limit lateral movement | Segmentation architecture; micro-segmentation policy; east-west flow rules |
| All network traffic, including internal traffic, is encrypted where feasible | Encryption inventory; TLS/IPsec coverage; internal-traffic capture samples |
| Application-layer access replaces broad network access (for example, ZTNA/SDP instead of VPN) | ZTNA/SDP deployment; VPN decommission plan; per-application access rules |
| Traffic is inspected and analysed for threats, including encrypted-traffic analytics | IDS/IPS logs; TLS-inspection or ETA configuration; NDR dashboards |
| Resilient, policy-driven traffic management and DNS security are in place | Network policy management config; protective DNS logs; DDoS protection evidence |
| Network policies are dynamically enforced and align with the policy engine decisions | Dynamic-policy integration; SDN controller config; enforcement audit trail |
F. Applications and Workloads pillar
| What to verify | Typical evidence |
|---|---|
| Applications are accessible only through authenticated, authorised and continuously-verified sessions | Application access policy; SSO configuration; session-verification logs |
| Workload-to-workload communication uses strong identity and authorisation (for example, mTLS, service mesh) | Service-mesh config; workload identity certificates; authorisation policies |
| Applications are protected at runtime (WAF, RASP) and inventoried including shadow IT | WAF rules; runtime-protection reports; application inventory; CASB findings |
| Secure software development lifecycle with security testing is enforced | SDLC policy; SAST/DAST/SCA results; pipeline security-gate evidence |
| Access to applications is granted per-session with least privilege and continuous authorisation | Fine-grained authorisation policies; per-session token config; entitlement reviews |
| Public-facing and internal applications are continuously monitored for vulnerabilities | Vulnerability-scan reports; penetration-test results; remediation tracking |
G. Data pillar
| What to verify | Typical evidence |
|---|---|
| Data is inventoried and classified according to sensitivity | Data catalogue; classification policy; discovery/classification tool output |
| Data is encrypted at rest and in transit, with managed key lifecycle | Encryption standards; KMS/HSM configuration; key-rotation logs |
| Data-access governance enforces least-privilege, attribute-based access to data | Data-access policies; ABAC rules; access-review records |
| Data loss prevention monitors and controls sensitive-data movement | DLP policy; DLP incident logs; egress-control configuration |
| Data-centric monitoring, tagging and rights management protect data independent of location | Information-rights-management config; tagging schema; usage-audit logs |
| Data retention, disposal and sovereignty requirements are enforced | Retention schedule; secure-disposal records; data-residency controls |
H. Visibility and Analytics (cross-cutting)
| What to verify | Typical evidence |
|---|---|
| Comprehensive telemetry is collected across identity, device, network, application and data pillars | Log-source inventory; SIEM ingestion report; coverage matrix |
| Logs are centralised, time-synchronised, tamper-resistant and retained per policy | Log-management architecture; NTP config; immutability/retention settings |
| Analytics and correlation detect anomalies and feed the policy engine | Detection use-cases; UEBA configuration; feedback-loop to PDP |
| Security posture is measured with metrics and dashboards for decision makers | KPI dashboards; posture-scoring reports; executive reporting |
| Threat intelligence is integrated into detection and access decisions | Threat-intel feed integration; enrichment rules; intel-driven policy changes |
I. Automation and Orchestration (cross-cutting)
| What to verify | Typical evidence |
|---|---|
| Policy changes and responses are automated to reduce manual latency and error | SOAR playbooks; automation runbooks; change-automation logs |
| Incident response actions (isolate device, revoke session) can be triggered automatically | Automated-response configuration; containment-action logs; test evidence |
| Provisioning and de-provisioning of access are automated across the identity lifecycle | IGA workflows; automated JML records; de-provisioning proof |
| Orchestration integrates identity, device, network and application controls coherently | Integration architecture; API/orchestration config; end-to-end test results |
| Automation actions are logged, reviewable and subject to human oversight where required | Automation audit trail; approval gates; exception handling records |
J. Governance (cross-cutting)
| What to verify | Typical evidence |
|---|---|
| A documented Zero Trust strategy, roadmap and target architecture exist and are approved | ZT strategy document; roadmap; architecture board approval |
| Roles, responsibilities and ownership for ZT capabilities are defined | RACI matrix; role descriptions; ownership register |
| Policies are version-controlled, reviewed and consistently enforced across pillars | Policy repository; review records; enforcement-consistency checks |
| Risk management integrates ZT posture into enterprise risk decisions | Risk register entries; risk-acceptance records; posture-risk linkage |
| Continuous improvement and maturity assessment are performed periodically | Maturity-assessment reports; improvement backlog; management review minutes |
| Third-party and supply-chain trust is governed under the same principles | Third-party access policies; vendor risk assessments; contractual security terms |
Scoping
Scoping a Zero Trust programme means defining the protect surface — the critical data, assets, applications and services (DAAS) that the architecture must safeguard — rather than trying to protect the entire, ever-expanding attack surface at once. A well-defined scope prevents boil-the-ocean failure and enables incremental, risk-prioritised rollout.
- Identify the protect surface: enumerate the specific DAAS elements (crown-jewel data, sensitive applications, critical assets and services) that carry the greatest business and regulatory risk.
- Map transaction flows: understand how traffic moves to and around the protect surface, including user-to-application, application-to-data and workload-to-workload flows.
- Determine the subjects and entities: human users, service accounts, workloads, devices and third parties that require access to in-scope resources.
- Define the boundaries of each deployment model (enhanced identity governance, micro-segmentation, network infrastructure/SDP) applicable to the scope.
- Establish exclusions and dependencies: legacy systems that cannot yet participate, and the compensating controls applied to them.
- Confirm regulatory overlays that expand or constrain scope (for example, cardholder data environment for PCI DSS, or personal data under DPDP).
Implementation approach
A pragmatic Zero Trust rollout is phased. Each phase below lists its principal activities and the deliverables an auditor should expect to see. The phases align with the Kindervag five-step model and the CISA maturity progression from Traditional to Optimal.
Phase 1 — Discovery and strategy
- Activities: secure executive sponsorship; define the Zero Trust vision and guiding principles; inventory identities, devices, networks, applications and data; identify the initial protect surface; perform a current-state maturity baseline against the CISA pillars.
- Deliverables: approved ZT strategy and charter; DAAS/protect-surface register; asset and identity inventories; baseline maturity assessment report; prioritised roadmap.
Phase 2 — Design the target architecture
- Activities: select deployment models and trust-algorithm approach; design the PDP/PE/PA and PEP placement; define policy model (RBAC/ABAC) and attribute schema; design identity, device, network, application and data controls; plan telemetry and analytics integration.
- Deliverables: target ZTA reference architecture; policy design and attribute catalogue; PEP placement map; data and telemetry design; integration blueprint.
Phase 3 — Foundational identity and device controls
- Activities: consolidate identity stores and federation; deploy phishing-resistant MFA and conditional access; implement PAM with JIT/JEA; roll out device inventory, posture checks and EDR; enforce device compliance as an access precondition.
- Deliverables: MFA and conditional-access coverage reports; PAM configuration; device-compliance policy and dashboards; identity-lifecycle automation.
Phase 4 — Network, application and data enforcement
- Activities: replace broad VPN access with ZTNA/SDP; implement segmentation and micro-segmentation; enforce mTLS and workload identity; deploy application-layer authorisation; classify and protect data with encryption and DLP.
- Deliverables: ZTNA rollout evidence; segmentation policies; workload-identity configuration; data-classification and DLP reports; per-application access policies.
Phase 5 — Visibility, automation and continuous improvement
- Activities: centralise telemetry into SIEM; build detection and UEBA use-cases; automate response through SOAR; establish feedback loops to the policy engine; measure KPIs; conduct periodic maturity reassessments and tabletop exercises.
- Deliverables: SIEM/analytics coverage matrix; SOAR playbooks; KPI dashboards; continuous-improvement backlog; reassessment reports and management reviews.
Maturity model
CISA's Zero Trust Maturity Model defines four stages of maturity across each pillar and cross-cutting capability. An assessment scores each pillar independently and then aggregates to an overall maturity profile. The stages are summarised below.
| Maturity stage | Characteristics | Illustrative state |
|---|---|---|
| Traditional | Manually configured lifecycles and static policies; siloed pillars; least-privilege established only at provisioning; limited visibility | Perimeter VPN, password-plus-basic-MFA, flat network, manual access reviews |
| Initial | Starting automation of attribute assignment and policy; some cross-pillar integration; initial responses to external stimuli | Conditional access introduced; device inventory begun; initial segmentation |
| Advanced | Automated controls for lifecycle and configuration; centralised visibility and policy; cross-pillar coordination; least privilege tuned to risk | Risk-based adaptive access; micro-segmentation; workload identity; centralised SIEM |
| Optimal | Fully automated, self-reporting and dynamic policy across pillars; continuous validation; just-in-time and just-enough access; full cross-pillar interoperability | Continuous authentication; automated response; data-centric enforcement everywhere |
For programmes aligning to the DoD model, a complementary view distinguishes a Target Level of Zero Trust (the minimum set of activities required for baseline effectiveness) and an Advanced Level (the full set achieving the strategic end-state). Auditors should record the target maturity per pillar and the timeline to reach it.
Assessment and audit approach
A Zero Trust assessment is design- and maturity-oriented. The following ordered steps describe a rigorous audit engagement.
- Define the engagement scope, protect surface and target maturity with the sponsor, and agree the assessment criteria (SP 800-207 tenets, CISA ZTMM, or DoD activities).
- Gather and review documentation: strategy, architecture, policies, inventories and prior assessments.
- Conduct stakeholder interviews across identity, device, network, application, data, security operations and governance functions.
- Perform current-state mapping of each pillar and cross-cutting capability to the chosen maturity model.
- Validate control effectiveness through configuration review, log inspection and, where agreed, technical testing (for example, lateral-movement and access-bypass testing).
- Assess the logical architecture: verify PE/PA/PEP existence, placement, non-bypassability and trust-algorithm suitability.
- Identify gaps between current and target maturity, rating each by risk and effort.
- Score each pillar and produce an aggregated maturity profile with heat-map visualisation.
- Develop a prioritised, phased remediation roadmap with owners and timelines.
- Report findings to management, and agree a reassessment cadence to track progress.
Evidence request list
The following categorised list is the evidence an auditor typically requests. It should be tailored to the agreed scope.
- Strategy and governance: Zero Trust strategy, charter, roadmap, target architecture, policy repository, RACI matrix, risk register entries, management-review minutes.
- Identity: identity-store schema, federation configuration, MFA policy and coverage, conditional-access policies, PAM configuration and JIT logs, access-review and recertification records, service-account inventory.
- Devices: asset/device inventory, MDM/UEM exports, device-posture and compliance policies, EDR coverage and alert records, BYOD policy, exception register.
- Networks: network architecture and segmentation diagrams, micro-segmentation policies, ZTNA/SDP configuration, VPN decommission plan, IDS/IPS/NDR logs, protective-DNS and DDoS evidence.
- Applications and workloads: application inventory, SSO and authorisation configuration, service-mesh/workload-identity config, WAF/RASP rules, SDLC policy, SAST/DAST/SCA and penetration-test reports.
- Data: data catalogue and classification policy, encryption standards, KMS/HSM and key-rotation logs, DLP policies and incident logs, IRM configuration, retention and disposal records.
- Visibility and analytics: log-source inventory, SIEM ingestion and retention settings, detection and UEBA use-cases, threat-intel integration, KPI dashboards.
- Automation and orchestration: SOAR playbooks, automated-response configuration, IGA/JML automation records, automation audit trails and approval gates.
- Prior assessments: previous maturity assessments, penetration-test reports, audit findings and remediation-tracking evidence.
Roles and responsibilities
| Role | Primary responsibilities |
|---|---|
| Executive sponsor / CISO | Owns the Zero Trust vision, secures funding, sets risk appetite and target maturity, and champions organisational change |
| Zero Trust / security architect | Designs the target ZTA, selects deployment models and trust algorithm, and defines the policy model |
| Identity and access management lead | Owns identity stores, authentication, authorisation, PAM and identity-lifecycle automation |
| Endpoint / device management lead | Owns device inventory, posture, EDR and compliance enforcement |
| Network / infrastructure lead | Owns segmentation, micro-segmentation, ZTNA/SDP and encrypted transport |
| Application and DevSecOps lead | Owns application access, workload identity, runtime protection and secure SDLC |
| Data protection / privacy lead | Owns data classification, encryption, DLP and data-access governance |
| Security operations (SOC) lead | Owns telemetry, detection, analytics, SOAR and continuous monitoring |
| Governance, risk and compliance | Aligns ZT to regulations, maintains policies, and tracks risk and maturity |
| Internal audit / assessor | Independently assesses design conformance, control effectiveness and maturity |
KPIs to track
- Percentage of resources fronted by a Policy Enforcement Point (PEP coverage).
- Percentage of users and privileged accounts using phishing-resistant MFA.
- Percentage of access requests evaluated by dynamic, risk-based policy.
- Percentage of managed and unmanaged devices with enforced posture checks and EDR.
- Proportion of applications behind ZTNA/SDP versus legacy VPN access.
- Extent of micro-segmentation coverage across the protect surface.
- Percentage of sensitive data classified, encrypted and under DLP monitoring.
- Mean time to detect and mean time to respond for access-related incidents.
- Rate of successful lateral-movement attempts in red-team or purple-team exercises (target: declining).
- Percentage of privileged sessions granted just-in-time versus standing privilege.
- Log-source and telemetry coverage across the five pillars.
- Maturity score per pillar and overall, trended over time.
Readiness checklist
- Executive sponsorship secured and a documented Zero Trust strategy approved.
- Protect surface (critical DAAS) identified and transaction flows mapped.
- Complete inventories of identities, devices, applications and data maintained.
- Phishing-resistant MFA enforced across users and privileged accounts.
- Conditional, risk-based access policies operational.
- Privileged access managed with just-in-time and just-enough access.
- Device posture and EDR enforced as a precondition for resource access.
- Segmentation and micro-segmentation implemented for the protect surface.
- Broad VPN access replaced by application-layer ZTNA/SDP where feasible.
- Data classified, encrypted at rest and in transit, and monitored by DLP.
- Policy Enforcement Points front all in-scope resources and cannot be bypassed.
- Centralised telemetry, SIEM and analytics feed the policy engine.
- Automated response (SOAR) capable of isolating devices and revoking sessions.
- Governance, roles and continuous-improvement cadence established.
- Current-state maturity baselined and a phased roadmap agreed.
Common gaps
- Treating Zero Trust as a single product purchase rather than an architecture and strategy.
- Incomplete asset and identity inventories, leaving unknown resources unprotected.
- MFA present but not phishing-resistant, and not extended to service and privileged accounts.
- Standing privileged access persisting because just-in-time access is never implemented.
- Network segmentation stopping at coarse VLANs without true micro-segmentation, so lateral movement remains easy.
- Policy Enforcement Points that can be bypassed through legacy paths or direct network access.
- Device posture checked only at logon and never re-evaluated during a session.
- Data left unclassified and unencrypted, so data-centric controls cannot be applied.
- Telemetry gaps that starve the policy engine of the signals needed for dynamic decisions.
- No feedback loop from analytics to policy, leaving the trust algorithm static.
- Governance and ownership undefined, so pillars evolve in silos and inconsistently.
- Legacy and operational-technology systems excluded indefinitely without compensating controls.
Zero Trust mapped to other frameworks
Zero Trust does not replace existing control frameworks; it provides an architectural strategy that many of them can express. The table maps Zero Trust concepts to representative controls in other frameworks to aid integrated compliance.
| Zero Trust concept | NIST CSF 2.0 / SP 800-53 | ISO/IEC 27001:2022 | PCI DSS v4.0 | CIS Controls v8 |
|---|---|---|---|---|
| Per-session, least-privilege access | PR.AA / AC-2, AC-3, AC-6 | A.5.15, A.5.18 | Req 7 (Least privilege) | Control 6 (Access management) |
| Phishing-resistant MFA | PR.AA / IA-2 | A.8.5 | Req 8 (MFA) | Control 6.5 |
| Device inventory and posture | ID.AM / CM-8, RA-5 | A.5.9, A.8.8 | Req 2, Req 11 | Controls 1 and 7 |
| Micro-segmentation / network isolation | PR.IR / SC-7 | A.8.20, A.8.22 | Req 1 (Network security) | Control 12 (Network infrastructure) |
| Continuous monitoring and analytics | DE.CM / AU-6, SI-4 | A.8.15, A.8.16 | Req 10 (Logging and monitoring) | Control 8 (Audit log management) |
| Data classification and protection | PR.DS / SC-28, MP-4 | A.5.12, A.8.10, A.8.24 | Req 3 (Protect stored data) | Control 3 (Data protection) |
| Automated response and orchestration | RS.MI / IR-4 | A.5.24, A.5.26 | Req 12.10 (Incident response) | Control 17 (Incident response) |
| Governance and continuous improvement | GV.OC / PM-1 | A.5.1, Clause 6 and 10 | Req 12 (Security policy) | Control 14 / governance |
Frequently asked questions
Need help with Zero Trust?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
