This work package provides organisations with expert guidance, assessment, and implementation support to adopt a Zero Trust Architecture (ZTA) aligned with the UK Cyber Assessment Framework (CAF) and NCSC Zero Trust principles. It integrates Zero Trust into governance, risk management, architecture, and operational processes, ensuring compliance with UK national cyber standards while modernising security posture.
The service helps clients reduce attack surface, strengthen identity‑centric access, and embed continuous verification across hybrid and multi‑cloud environments.
Assess current security posture against CAF, NCSC Zero Trust, and modern ZTA principles.
Design a Zero Trust architecture aligned to NCSC guidance and CAF outcomes.
Integrate Zero Trust into governance, risk management, and operational controls.
Reduce implicit trust, lateral movement, and identity‑related risks.
Improve visibility, monitoring, and adaptive access enforcement.
Deliver a phased, realistic Zero Trust transformation roadmap.
A CAF‑aligned Zero Trust maturity assessment.
A Zero Trust architecture blueprint aligned to NCSC principles.
Hardened identity, device, network, application, and data controls.
Updated governance, policies, and operational processes.
Improved detection, response, and automation capabilities.
A multi‑phase Zero Trust transformation roadmap.
Assessment across CAF’s four objectives:
Managing Security Risk
Protecting Against Cyber Attack
Detecting Cyber Security Events
Minimising the Impact of Cyber Security Incidents
Mapped to Zero Trust pillars:
Identity
Devices
Networks
Applications & Workloads
Data
Visibility & Analytics
Automation & Orchestration
Activities include:
Review of governance, risk, and compliance documentation.
Mapping of current capabilities to NCSC Zero Trust principles.
Gap analysis and prioritised recommendations.
Threat‑informed assessment aligned with CAF and NCSC guidance.
Enterprise Zero Trust architecture blueprint aligned to:
NCSC Zero Trust Architecture Guidance
CAF security outcomes
Modern ZTA components (PDP/PEP, identity provider, telemetry)
Micro‑segmentation and network isolation strategy.
Data protection and classification model.
Integration with cloud platforms (Azure, AWS, GCP, OCI).
Mapping of ZTA components to CAF outcomes and NCSC principles.
Aligned to CAF Objective A and NCSC Zero Trust identity principles:
Identity governance and lifecycle management.
MFA, passwordless, and continuous authentication.
Conditional access and risk‑based access policies.
Privileged access management (PAM) design.
Service account and machine identity governance.
Aligned to CAF Objective B:
Device trust and posture assessment.
Integration with EDR/XDR platforms.
BYOD and corporate device governance.
Continuous device compliance monitoring.
Automated enforcement of device‑based access policies.
Aligned to CAF Objective B and NCSC ZT network principles:
Zero Trust network segmentation design.
East‑west traffic control and inspection.
Software‑defined perimeter (SDP) architecture.
Secure remote access and VPN modernisation.
Integration with firewalls, SD‑WAN, and SASE.
Aligned to CAF Objective B:
Application identity and workload trust.
API security and gateway integration.
Container and Kubernetes Zero Trust patterns.
Secure DevOps and CI/CD pipeline controls.
Runtime protection and workload isolation.
Aligned to CAF Objectives B and C:
Data classification and sensitivity‑based access.
Encryption, key management, and tokenisation.
Data loss prevention (DLP) strategy.
Zero Trust data access policies.
Monitoring of data flows and exfiltration risks.
Aligned to CAF Objectives C and D:
Centralised logging and telemetry strategy.
Behavioural analytics and anomaly detection.
Integration with SIEM, SOAR, and XDR.
Automated policy enforcement and remediation.
Continuous verification and adaptive access.
Aligned to CAF Objective A and NCSC governance principles:
Zero Trust governance framework.
Roles, responsibilities, and decision‑making workflows.
Policy lifecycle management.
CAF‑aligned risk register and evidence pack.
Zero Trust transformation roadmap (12–36 months).
CAF‑Aligned Zero Trust Maturity Assessment Report
NCSC‑Aligned Zero Trust Architecture Blueprint
Identity & Access Modernisation Pack
Network Micro‑Segmentation Design
Data Protection & Governance Framework
Policy Decision & Enforcement Design Pack
CAF Evidence Pack (Policies, Risk Register, Controls)
Executive Summary & Board‑Level Presentation
Zero Trust Landing Zone (cloud or hybrid)
Secure DevOps / DevSecOps Integration Guide
Continuous Zero Trust Monitoring Service
Zero Trust Incident Response Playbooks
Multi‑Cloud Zero Trust Architecture
Initiation & Discovery (1–2 weeks)
CAF Zero Trust Maturity Assessment (2–4 weeks)
Architecture & Policy Design (4–8 weeks)
Identity, Network & Data Hardening (variable)
Monitoring & Automation Integration (2–4 weeks)
Governance & CAF Alignment (ongoing)
Optional: Continuous Zero Trust Assurance (subscription)
Lead Zero Trust Architect
CAF/NCSC Governance Specialist
Identity & Access Engineer
Network & Micro‑Segmentation Engineer
Cloud Security Architect
Compliance & Risk Analyst
Project Manager
Fixed‑price for assessment, architecture, and governance phases.
Time & materials for engineering, integration, and hardening.
Subscription/retainer for continuous Zero Trust monitoring and CAF assurance.
Access to identity, network, cloud, and security platforms.
Engagement with IT, security, and architecture teams.
Availability of existing CAF documentation and architecture diagrams.
Client commitment to governance and operational adoption.
Legacy systems incompatible with ZT → mitigated through compensating controls and phased migration.
Identity sprawl → mitigated through governance and rationalisation.
Operational resistance → mitigated through training and clear operating models.
CAF misalignment → mitigated through structured evidence and control mapping.