Knowledge Center / Zero Trust
NIST · Global

Zero Trust (NIST SP 800-207)

A security model of "never trust, always verify" for modern architectures.

Introduction: Zero Trust (NIST SP 800-207)

Zero Trust is a cybersecurity paradigm that shifts defences from static, network-based perimeters to a model centred on users, assets and resources. NIST Special Publication 800-207, published by the National Institute of Standards and Technology in August 2020, is the authoritative reference architecture for Zero Trust Architecture (ZTA). It defines Zero Trust not as a single product or technology but as an evolving set of principles that assume no implicit trust is granted to any asset or user account based solely on its physical or network location (for example, being inside a corporate LAN) or on asset ownership. Every access request is treated as though it originates from an untrusted network, and each is authenticated, authorised and continuously validated before access to an enterprise resource is granted.

This guide is written from the perspective of a CERT-In empanelled auditor and PCI QSA, translating the abstract tenets of SP 800-207 into a concrete, evidence-driven assessment programme. It maps the seven tenets, the logical architecture (Policy Decision Point, Policy Enforcement Point, Policy Engine, Policy Administrator), the deployment models and the trust-algorithm variations into auditable control statements. Because Zero Trust is a strategy rather than a certifiable standard, an organisation is assessed for maturity and design conformance rather than pass/fail compliance. The framework is complementary to the NIST Cybersecurity Framework, NIST SP 800-53 controls, CISA's Zero Trust Maturity Model, and the DoD Zero Trust Reference Architecture, all of which are referenced where relevant.

Copyright and source note
NIST SP 800-207 is a United States Government publication and is not subject to copyright in the United States; however, this guide contains original interpretation and does not reproduce the verbatim text of NIST, CISA or DoD publications. Readers should consult the official NIST SP 800-207 document, the CISA Zero Trust Maturity Model v2.0 and the DoD Zero Trust Reference Architecture for the authoritative source language. Where CISA and DoD pillar terminology is used, those works remain the property of their respective agencies.

What is Zero Trust

Zero Trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets and resources. A Zero Trust Architecture (ZTA) uses Zero Trust principles to plan industrial and enterprise infrastructure and workflows. The core assumption is that the enterprise-owned network environment is no different from, or is no more trustworthy than, any non-enterprise-owned network. Trust is never granted implicitly and must be continually evaluated.

NIST SP 800-207 articulates Zero Trust through seven foundational tenets. These tenets are the abstract requirements against which any ZTA design should be measured:

  1. Tenet 1 — All data sources and computing services are considered resources. A network may be composed of multiple classes of devices, and the enterprise may classify personally-owned devices as resources if they access enterprise-owned resources.
  2. Tenet 2 — All communication is secured regardless of network location. Network location alone does not imply trust. Access requests from assets on enterprise-owned network infrastructure must meet the same security requirements as requests from any other non-enterprise-owned network; all communication is done in the most secure manner available, protecting confidentiality and integrity and providing source authentication.
  3. Tenet 3 — Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before access is granted, and access is granted with the least privileges needed to complete the task. Authentication and authorisation to one resource do not automatically grant access to another.
  4. Tenet 4 — Access to resources is determined by dynamic policy — including the observable state of client identity, application/service and the requesting asset — and may include other behavioural and environmental attributes.
  5. Tenet 5 — The enterprise monitors and measures the integrity and security posture of all owned and associated assets. No asset is inherently trusted; the enterprise evaluates the security posture of the asset when evaluating a resource request using a continuous diagnostics and mitigation (CDM) or similar system.
  6. Tenet 6 — All resource authentication and authorisation are dynamic and strictly enforced before access is allowed. This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually re-evaluating trust in ongoing communication.
  7. Tenet 7 — The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications, and uses it to improve its security posture.

The logical architecture of a ZTA centres on a Policy Decision Point (PDP), which is split into a Policy Engine (PE) that makes the ultimate grant/deny decision using a trust algorithm, and a Policy Administrator (PA) that executes that decision by establishing or shutting down the communication path. The Policy Enforcement Point (PEP) sits in the data plane and enables, monitors and terminates connections between a subject and an enterprise resource. Supporting the PDP are data sources such as CDM systems, threat intelligence feeds, activity logs, data-access policy, PKI, ID management and SIEM systems.

Who must comply

Zero Trust is a voluntary architectural strategy for the private sector but is mandated for United States federal civilian agencies and increasingly expected of their supply chains. In India, the CERT-In directions and the sector-specific guidance from RBI, SEBI and IRDAI increasingly reference Zero Trust principles. The following table summarises the applicability landscape.

Organisation typeBasis of applicabilityNature of obligation
US Federal civilian agencies (FCEB)Executive Order 14028 and OMB Memorandum M-22-09Mandatory — must meet specific Zero Trust goals across CISA's five pillars
US Department of Defense and contractorsDoD Zero Trust Strategy and Reference ArchitectureMandatory for DoD; flowed down to defence industrial base
Critical national infrastructure operatorsSector regulators and CISA guidanceStrongly recommended; often required via sector rules
Indian regulated entities (banks, NBFCs, insurers, market infrastructure)RBI cyber-security framework, SEBI CSCRF, IRDAI guidelines, CERT-In directionsIncreasingly expected — Zero Trust cited as leading practice for access control and network segmentation
Enterprises pursuing cyber-insurance or major contractsInsurer and customer due-diligence questionnairesContractual / commercial pressure to demonstrate ZT maturity
Any organisation with remote workforce, cloud and SaaSRisk-driven business decisionVoluntary but recommended to counter perimeter erosion
  • Chief Information Security Officers responsible for enterprise security architecture and roadmap.
  • Enterprise and security architects designing identity, network and data controls.
  • Cloud and platform teams operating IaaS, PaaS and SaaS estates.
  • Identity and access management teams owning authentication, authorisation and privileged access.
  • Governance, risk and compliance functions aligning ZT to regulatory obligations.
  • Third-party and supply-chain risk managers extending trust evaluation to partners.

Structure of Zero Trust

Because SP 800-207 is principle-based, practical assessment blends the NIST tenets and logical components with the pillar taxonomy popularised by CISA's Zero Trust Maturity Model (ZTMM) and the DoD Reference Architecture. This guide organises controls into a coherent structure spanning the seven tenets, the logical architecture components, the five CISA pillars, and the three cross-cutting capabilities. The following table lays out this control structure.

Structural layerElementDescription
Foundational tenetsTenets 1-7 (NIST SP 800-207)Abstract requirements that any ZTA must satisfy
Logical architecturePolicy Engine (PE)Component that makes the access decision using the trust algorithm
Logical architecturePolicy Administrator (PA)Establishes/terminates the communication path and issues session credentials
Logical architecturePolicy Enforcement Point (PEP)Data-plane gateway that enables, monitors and ends subject-to-resource connections
Logical architecturePolicy Decision Point (PDP)Combined PE + PA control-plane authority
Pillar (CISA)IdentityAuthentication, identity stores, risk-based access for users and entities
Pillar (CISA)DevicesAsset inventory, posture, compliance and threat protection of endpoints
Pillar (CISA)NetworksSegmentation, micro-segmentation, encrypted traffic and traffic management
Pillar (CISA)Applications and WorkloadsSecure application access, workload authorisation and secure development
Pillar (CISA)DataClassification, encryption, data-access governance and DLP
Cross-cuttingVisibility and AnalyticsTelemetry, monitoring, logging and analytics feeding decisions
Cross-cuttingAutomation and OrchestrationAutomated policy response, SOAR and dynamic enforcement
Cross-cuttingGovernancePolicy definition, roles, lifecycle and continuous improvement
Trust algorithm variantsCriteria-based vs score-based; singular vs contextualDetermines how the PE weighs attributes to reach an access decision
Deployment modelsEnhanced identity governance, micro-segmentation, network infrastructure/SDPApproaches for realising ZTA in the enterprise

Master assessment checklist

This is the core of the guide. It enumerates every tenet, logical component, pillar and cross-cutting capability as an auditable checklist. For each group there is a table with two columns: what to verify, and the typical evidence an auditor should collect. No control area is skipped.

A. Foundational tenets (SP 800-207 Section 2)

What to verifyTypical evidence
Tenet 1: A complete resource catalogue defines all data sources and computing services as protectable resources, including SaaS, APIs and personally-owned devices where in scopeResource inventory / CMDB export; SaaS register; API catalogue; scoping document
Tenet 2: All communications are secured (TLS/mTLS) irrespective of network location, with source authentication and integrity protectionEncryption policy; TLS configuration reports; mTLS certificates; network capture samples
Tenet 3: Access is granted per-session with least privilege and re-evaluated each sessionSession policy configuration; token TTL settings; least-privilege role definitions
Tenet 4: Access decisions use dynamic policy incorporating identity, application, asset state and environmental attributesPolicy engine rule-sets; conditional-access policies; attribute schema
Tenet 5: Asset integrity and security posture are continuously monitored via CDM or equivalentCDM/EDR dashboards; device-posture reports; compliance scoring output
Tenet 6: Authentication and authorisation are dynamic and strictly enforced before every access, with continuous re-evaluationContinuous-authentication logs; step-up MFA events; session re-evaluation records
Tenet 7: The enterprise collects and uses telemetry on assets, network and communications to improve postureSIEM data-source list; log-retention policy; analytics use-case catalogue

B. Logical architecture components (PDP / PE / PA / PEP)

What to verifyTypical evidence
A Policy Engine exists and applies a defined trust algorithm to grant, deny or revoke accessPolicy engine design document; trust-algorithm specification; decision logs
The Policy Administrator issues and terminates session credentials and configures the PEP accordinglyPA configuration; credential-issuance logs; session-teardown records
Policy Enforcement Points are positioned in front of every protected resource and cannot be bypassedNetwork architecture diagram; PEP placement map; bypass-testing results
The trust algorithm variant (criteria-based/score-based, singular/contextual) is documented and appropriate to riskTrust-algorithm design rationale; scoring model; risk assessment
Control-plane and data-plane separation is enforced; the PDP is protected and highly availableSegmentation evidence; PDP hardening baseline; HA/DR test results
Input data sources (CDM, threat intel, activity logs, PKI, ID management, SIEM, data-access policy) feed the PEData-source integration diagrams; API connections; feed status reports

C. Identity pillar

What to verifyTypical evidence
A single authoritative identity store (or federated stores) covers all human and non-human identitiesIdentity store schema; federation configuration; joiner-mover-leaver process
Phishing-resistant multi-factor authentication is enforced enterprise-wideMFA policy; FIDO2/WebAuthn deployment reports; MFA coverage metrics
Access is risk-based and adaptive, using signals such as location, device and behaviour anomalyConditional-access policies; risk-scoring configuration; step-up events
Privileged access is governed via just-in-time and just-enough-access with session recordingPAM configuration; JIT approval logs; session recordings
Authorisation follows least privilege and is periodically recertifiedRBAC/ABAC model; access-review reports; certification attestations
Non-human identities (service accounts, workloads, machines) are inventoried and securedService-account inventory; secret-rotation logs; workload identity config

D. Devices pillar

What to verifyTypical evidence
A near-real-time inventory of all devices (managed and unmanaged) that access resources is maintainedAsset inventory; MDM/UEM export; discovery-scan results
Device posture (patch level, encryption, EDR presence) is assessed at and during accessPosture-check policies; compliance dashboards; access-denial logs for non-compliant devices
Endpoint detection and response is deployed and monitored on in-scope endpointsEDR coverage report; alert triage records; response playbooks
Devices are enrolled, and compliance is a precondition for resource accessEnrolment records; conditional-access device requirements; exception register
Unmanaged and BYOD devices are handled through defined, risk-appropriate controlsBYOD policy; isolation/browser-isolation configuration; data-containerisation evidence
Hardware roots of trust and supply-chain assurance are considered for critical devicesTPM attestation reports; secure-boot configuration; procurement standards

E. Networks pillar

What to verifyTypical evidence
The network is segmented and micro-segmented to isolate resources and limit lateral movementSegmentation architecture; micro-segmentation policy; east-west flow rules
All network traffic, including internal traffic, is encrypted where feasibleEncryption inventory; TLS/IPsec coverage; internal-traffic capture samples
Application-layer access replaces broad network access (for example, ZTNA/SDP instead of VPN)ZTNA/SDP deployment; VPN decommission plan; per-application access rules
Traffic is inspected and analysed for threats, including encrypted-traffic analyticsIDS/IPS logs; TLS-inspection or ETA configuration; NDR dashboards
Resilient, policy-driven traffic management and DNS security are in placeNetwork policy management config; protective DNS logs; DDoS protection evidence
Network policies are dynamically enforced and align with the policy engine decisionsDynamic-policy integration; SDN controller config; enforcement audit trail

F. Applications and Workloads pillar

What to verifyTypical evidence
Applications are accessible only through authenticated, authorised and continuously-verified sessionsApplication access policy; SSO configuration; session-verification logs
Workload-to-workload communication uses strong identity and authorisation (for example, mTLS, service mesh)Service-mesh config; workload identity certificates; authorisation policies
Applications are protected at runtime (WAF, RASP) and inventoried including shadow ITWAF rules; runtime-protection reports; application inventory; CASB findings
Secure software development lifecycle with security testing is enforcedSDLC policy; SAST/DAST/SCA results; pipeline security-gate evidence
Access to applications is granted per-session with least privilege and continuous authorisationFine-grained authorisation policies; per-session token config; entitlement reviews
Public-facing and internal applications are continuously monitored for vulnerabilitiesVulnerability-scan reports; penetration-test results; remediation tracking

G. Data pillar

What to verifyTypical evidence
Data is inventoried and classified according to sensitivityData catalogue; classification policy; discovery/classification tool output
Data is encrypted at rest and in transit, with managed key lifecycleEncryption standards; KMS/HSM configuration; key-rotation logs
Data-access governance enforces least-privilege, attribute-based access to dataData-access policies; ABAC rules; access-review records
Data loss prevention monitors and controls sensitive-data movementDLP policy; DLP incident logs; egress-control configuration
Data-centric monitoring, tagging and rights management protect data independent of locationInformation-rights-management config; tagging schema; usage-audit logs
Data retention, disposal and sovereignty requirements are enforcedRetention schedule; secure-disposal records; data-residency controls

H. Visibility and Analytics (cross-cutting)

What to verifyTypical evidence
Comprehensive telemetry is collected across identity, device, network, application and data pillarsLog-source inventory; SIEM ingestion report; coverage matrix
Logs are centralised, time-synchronised, tamper-resistant and retained per policyLog-management architecture; NTP config; immutability/retention settings
Analytics and correlation detect anomalies and feed the policy engineDetection use-cases; UEBA configuration; feedback-loop to PDP
Security posture is measured with metrics and dashboards for decision makersKPI dashboards; posture-scoring reports; executive reporting
Threat intelligence is integrated into detection and access decisionsThreat-intel feed integration; enrichment rules; intel-driven policy changes

I. Automation and Orchestration (cross-cutting)

What to verifyTypical evidence
Policy changes and responses are automated to reduce manual latency and errorSOAR playbooks; automation runbooks; change-automation logs
Incident response actions (isolate device, revoke session) can be triggered automaticallyAutomated-response configuration; containment-action logs; test evidence
Provisioning and de-provisioning of access are automated across the identity lifecycleIGA workflows; automated JML records; de-provisioning proof
Orchestration integrates identity, device, network and application controls coherentlyIntegration architecture; API/orchestration config; end-to-end test results
Automation actions are logged, reviewable and subject to human oversight where requiredAutomation audit trail; approval gates; exception handling records

J. Governance (cross-cutting)

What to verifyTypical evidence
A documented Zero Trust strategy, roadmap and target architecture exist and are approvedZT strategy document; roadmap; architecture board approval
Roles, responsibilities and ownership for ZT capabilities are definedRACI matrix; role descriptions; ownership register
Policies are version-controlled, reviewed and consistently enforced across pillarsPolicy repository; review records; enforcement-consistency checks
Risk management integrates ZT posture into enterprise risk decisionsRisk register entries; risk-acceptance records; posture-risk linkage
Continuous improvement and maturity assessment are performed periodicallyMaturity-assessment reports; improvement backlog; management review minutes
Third-party and supply-chain trust is governed under the same principlesThird-party access policies; vendor risk assessments; contractual security terms

Scoping

Scoping a Zero Trust programme means defining the protect surface — the critical data, assets, applications and services (DAAS) that the architecture must safeguard — rather than trying to protect the entire, ever-expanding attack surface at once. A well-defined scope prevents boil-the-ocean failure and enables incremental, risk-prioritised rollout.

  • Identify the protect surface: enumerate the specific DAAS elements (crown-jewel data, sensitive applications, critical assets and services) that carry the greatest business and regulatory risk.
  • Map transaction flows: understand how traffic moves to and around the protect surface, including user-to-application, application-to-data and workload-to-workload flows.
  • Determine the subjects and entities: human users, service accounts, workloads, devices and third parties that require access to in-scope resources.
  • Define the boundaries of each deployment model (enhanced identity governance, micro-segmentation, network infrastructure/SDP) applicable to the scope.
  • Establish exclusions and dependencies: legacy systems that cannot yet participate, and the compensating controls applied to them.
  • Confirm regulatory overlays that expand or constrain scope (for example, cardholder data environment for PCI DSS, or personal data under DPDP).
Scoping principle
Zero Trust is implemented protect-surface by protect-surface. Start with a single, high-value DAAS element, prove the architecture end to end, then iterate. The scope should be explicitly documented and re-validated at each phase because cloud adoption and business change continually reshape the protect surface.

Implementation approach

A pragmatic Zero Trust rollout is phased. Each phase below lists its principal activities and the deliverables an auditor should expect to see. The phases align with the Kindervag five-step model and the CISA maturity progression from Traditional to Optimal.

Phase 1 — Discovery and strategy

  • Activities: secure executive sponsorship; define the Zero Trust vision and guiding principles; inventory identities, devices, networks, applications and data; identify the initial protect surface; perform a current-state maturity baseline against the CISA pillars.
  • Deliverables: approved ZT strategy and charter; DAAS/protect-surface register; asset and identity inventories; baseline maturity assessment report; prioritised roadmap.

Phase 2 — Design the target architecture

  • Activities: select deployment models and trust-algorithm approach; design the PDP/PE/PA and PEP placement; define policy model (RBAC/ABAC) and attribute schema; design identity, device, network, application and data controls; plan telemetry and analytics integration.
  • Deliverables: target ZTA reference architecture; policy design and attribute catalogue; PEP placement map; data and telemetry design; integration blueprint.

Phase 3 — Foundational identity and device controls

  • Activities: consolidate identity stores and federation; deploy phishing-resistant MFA and conditional access; implement PAM with JIT/JEA; roll out device inventory, posture checks and EDR; enforce device compliance as an access precondition.
  • Deliverables: MFA and conditional-access coverage reports; PAM configuration; device-compliance policy and dashboards; identity-lifecycle automation.

Phase 4 — Network, application and data enforcement

  • Activities: replace broad VPN access with ZTNA/SDP; implement segmentation and micro-segmentation; enforce mTLS and workload identity; deploy application-layer authorisation; classify and protect data with encryption and DLP.
  • Deliverables: ZTNA rollout evidence; segmentation policies; workload-identity configuration; data-classification and DLP reports; per-application access policies.

Phase 5 — Visibility, automation and continuous improvement

  • Activities: centralise telemetry into SIEM; build detection and UEBA use-cases; automate response through SOAR; establish feedback loops to the policy engine; measure KPIs; conduct periodic maturity reassessments and tabletop exercises.
  • Deliverables: SIEM/analytics coverage matrix; SOAR playbooks; KPI dashboards; continuous-improvement backlog; reassessment reports and management reviews.

Maturity model

CISA's Zero Trust Maturity Model defines four stages of maturity across each pillar and cross-cutting capability. An assessment scores each pillar independently and then aggregates to an overall maturity profile. The stages are summarised below.

Maturity stageCharacteristicsIllustrative state
TraditionalManually configured lifecycles and static policies; siloed pillars; least-privilege established only at provisioning; limited visibilityPerimeter VPN, password-plus-basic-MFA, flat network, manual access reviews
InitialStarting automation of attribute assignment and policy; some cross-pillar integration; initial responses to external stimuliConditional access introduced; device inventory begun; initial segmentation
AdvancedAutomated controls for lifecycle and configuration; centralised visibility and policy; cross-pillar coordination; least privilege tuned to riskRisk-based adaptive access; micro-segmentation; workload identity; centralised SIEM
OptimalFully automated, self-reporting and dynamic policy across pillars; continuous validation; just-in-time and just-enough access; full cross-pillar interoperabilityContinuous authentication; automated response; data-centric enforcement everywhere

For programmes aligning to the DoD model, a complementary view distinguishes a Target Level of Zero Trust (the minimum set of activities required for baseline effectiveness) and an Advanced Level (the full set achieving the strategic end-state). Auditors should record the target maturity per pillar and the timeline to reach it.

Assessment and audit approach

A Zero Trust assessment is design- and maturity-oriented. The following ordered steps describe a rigorous audit engagement.

  1. Define the engagement scope, protect surface and target maturity with the sponsor, and agree the assessment criteria (SP 800-207 tenets, CISA ZTMM, or DoD activities).
  2. Gather and review documentation: strategy, architecture, policies, inventories and prior assessments.
  3. Conduct stakeholder interviews across identity, device, network, application, data, security operations and governance functions.
  4. Perform current-state mapping of each pillar and cross-cutting capability to the chosen maturity model.
  5. Validate control effectiveness through configuration review, log inspection and, where agreed, technical testing (for example, lateral-movement and access-bypass testing).
  6. Assess the logical architecture: verify PE/PA/PEP existence, placement, non-bypassability and trust-algorithm suitability.
  7. Identify gaps between current and target maturity, rating each by risk and effort.
  8. Score each pillar and produce an aggregated maturity profile with heat-map visualisation.
  9. Develop a prioritised, phased remediation roadmap with owners and timelines.
  10. Report findings to management, and agree a reassessment cadence to track progress.

Evidence request list

The following categorised list is the evidence an auditor typically requests. It should be tailored to the agreed scope.

  • Strategy and governance: Zero Trust strategy, charter, roadmap, target architecture, policy repository, RACI matrix, risk register entries, management-review minutes.
  • Identity: identity-store schema, federation configuration, MFA policy and coverage, conditional-access policies, PAM configuration and JIT logs, access-review and recertification records, service-account inventory.
  • Devices: asset/device inventory, MDM/UEM exports, device-posture and compliance policies, EDR coverage and alert records, BYOD policy, exception register.
  • Networks: network architecture and segmentation diagrams, micro-segmentation policies, ZTNA/SDP configuration, VPN decommission plan, IDS/IPS/NDR logs, protective-DNS and DDoS evidence.
  • Applications and workloads: application inventory, SSO and authorisation configuration, service-mesh/workload-identity config, WAF/RASP rules, SDLC policy, SAST/DAST/SCA and penetration-test reports.
  • Data: data catalogue and classification policy, encryption standards, KMS/HSM and key-rotation logs, DLP policies and incident logs, IRM configuration, retention and disposal records.
  • Visibility and analytics: log-source inventory, SIEM ingestion and retention settings, detection and UEBA use-cases, threat-intel integration, KPI dashboards.
  • Automation and orchestration: SOAR playbooks, automated-response configuration, IGA/JML automation records, automation audit trails and approval gates.
  • Prior assessments: previous maturity assessments, penetration-test reports, audit findings and remediation-tracking evidence.

Roles and responsibilities

RolePrimary responsibilities
Executive sponsor / CISOOwns the Zero Trust vision, secures funding, sets risk appetite and target maturity, and champions organisational change
Zero Trust / security architectDesigns the target ZTA, selects deployment models and trust algorithm, and defines the policy model
Identity and access management leadOwns identity stores, authentication, authorisation, PAM and identity-lifecycle automation
Endpoint / device management leadOwns device inventory, posture, EDR and compliance enforcement
Network / infrastructure leadOwns segmentation, micro-segmentation, ZTNA/SDP and encrypted transport
Application and DevSecOps leadOwns application access, workload identity, runtime protection and secure SDLC
Data protection / privacy leadOwns data classification, encryption, DLP and data-access governance
Security operations (SOC) leadOwns telemetry, detection, analytics, SOAR and continuous monitoring
Governance, risk and complianceAligns ZT to regulations, maintains policies, and tracks risk and maturity
Internal audit / assessorIndependently assesses design conformance, control effectiveness and maturity

KPIs to track

  • Percentage of resources fronted by a Policy Enforcement Point (PEP coverage).
  • Percentage of users and privileged accounts using phishing-resistant MFA.
  • Percentage of access requests evaluated by dynamic, risk-based policy.
  • Percentage of managed and unmanaged devices with enforced posture checks and EDR.
  • Proportion of applications behind ZTNA/SDP versus legacy VPN access.
  • Extent of micro-segmentation coverage across the protect surface.
  • Percentage of sensitive data classified, encrypted and under DLP monitoring.
  • Mean time to detect and mean time to respond for access-related incidents.
  • Rate of successful lateral-movement attempts in red-team or purple-team exercises (target: declining).
  • Percentage of privileged sessions granted just-in-time versus standing privilege.
  • Log-source and telemetry coverage across the five pillars.
  • Maturity score per pillar and overall, trended over time.

Readiness checklist

  • Executive sponsorship secured and a documented Zero Trust strategy approved.
  • Protect surface (critical DAAS) identified and transaction flows mapped.
  • Complete inventories of identities, devices, applications and data maintained.
  • Phishing-resistant MFA enforced across users and privileged accounts.
  • Conditional, risk-based access policies operational.
  • Privileged access managed with just-in-time and just-enough access.
  • Device posture and EDR enforced as a precondition for resource access.
  • Segmentation and micro-segmentation implemented for the protect surface.
  • Broad VPN access replaced by application-layer ZTNA/SDP where feasible.
  • Data classified, encrypted at rest and in transit, and monitored by DLP.
  • Policy Enforcement Points front all in-scope resources and cannot be bypassed.
  • Centralised telemetry, SIEM and analytics feed the policy engine.
  • Automated response (SOAR) capable of isolating devices and revoking sessions.
  • Governance, roles and continuous-improvement cadence established.
  • Current-state maturity baselined and a phased roadmap agreed.

Common gaps

  • Treating Zero Trust as a single product purchase rather than an architecture and strategy.
  • Incomplete asset and identity inventories, leaving unknown resources unprotected.
  • MFA present but not phishing-resistant, and not extended to service and privileged accounts.
  • Standing privileged access persisting because just-in-time access is never implemented.
  • Network segmentation stopping at coarse VLANs without true micro-segmentation, so lateral movement remains easy.
  • Policy Enforcement Points that can be bypassed through legacy paths or direct network access.
  • Device posture checked only at logon and never re-evaluated during a session.
  • Data left unclassified and unencrypted, so data-centric controls cannot be applied.
  • Telemetry gaps that starve the policy engine of the signals needed for dynamic decisions.
  • No feedback loop from analytics to policy, leaving the trust algorithm static.
  • Governance and ownership undefined, so pillars evolve in silos and inconsistently.
  • Legacy and operational-technology systems excluded indefinitely without compensating controls.

Zero Trust mapped to other frameworks

Zero Trust does not replace existing control frameworks; it provides an architectural strategy that many of them can express. The table maps Zero Trust concepts to representative controls in other frameworks to aid integrated compliance.

Zero Trust conceptNIST CSF 2.0 / SP 800-53ISO/IEC 27001:2022PCI DSS v4.0CIS Controls v8
Per-session, least-privilege accessPR.AA / AC-2, AC-3, AC-6A.5.15, A.5.18Req 7 (Least privilege)Control 6 (Access management)
Phishing-resistant MFAPR.AA / IA-2A.8.5Req 8 (MFA)Control 6.5
Device inventory and postureID.AM / CM-8, RA-5A.5.9, A.8.8Req 2, Req 11Controls 1 and 7
Micro-segmentation / network isolationPR.IR / SC-7A.8.20, A.8.22Req 1 (Network security)Control 12 (Network infrastructure)
Continuous monitoring and analyticsDE.CM / AU-6, SI-4A.8.15, A.8.16Req 10 (Logging and monitoring)Control 8 (Audit log management)
Data classification and protectionPR.DS / SC-28, MP-4A.5.12, A.8.10, A.8.24Req 3 (Protect stored data)Control 3 (Data protection)
Automated response and orchestrationRS.MI / IR-4A.5.24, A.5.26Req 12.10 (Incident response)Control 17 (Incident response)
Governance and continuous improvementGV.OC / PM-1A.5.1, Clause 6 and 10Req 12 (Security policy)Control 14 / governance
How CyberSigma helps
CyberSigma brings CERT-In empanelled auditors and PCI QSAs who translate NIST SP 800-207 and the CISA Zero Trust Maturity Model into a practical, prioritised programme for your organisation. We baseline your current maturity across the identity, device, network, application and data pillars, define your protect surface, and design a target Zero Trust Architecture with a clear PDP/PE/PA and PEP model. Our engagements cover phishing-resistant MFA and privileged-access hardening, micro-segmentation and ZTNA rollout, data-centric protection, and the visibility, automation and governance needed to reach Optimal maturity. We map every control to your existing NIST, ISO 27001, PCI DSS and CIS obligations so a single programme satisfies multiple frameworks, and we provide independent assessment, evidence-driven roadmaps and ongoing assurance to sustain your Zero Trust journey.

Frequently asked questions

Is Zero Trust a product?
No — it is a security model and architecture. Many products help implement it (identity, ZTNA, micro-segmentation), but Zero Trust is achieved through architecture and policy, not a single tool.

Need help with Zero Trust?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.