This work package provides organisations with expert guidance, assessment, and implementation support to adopt a Zero Trust Architecture (ZTA) aligned with the ISO 27001:2022 standard. It integrates Zero Trust principles—continuous verification, least‑privilege access, micro‑segmentation, and the removal of implicit trust—into the governance, risk, and control structure of an ISO‑aligned Information Security Management System (ISMS).
The service helps clients modernise their security posture, reduce their attack surface, and embed Zero Trust into policies, controls, architecture, and operational processes, supporting both compliance and resilience.
Assess current security posture against ISO 27001 controls and Zero Trust principles.
Design a Zero Trust architecture aligned to ISO 27001 Annex A controls.
Integrate Zero Trust into governance, risk management, and ISMS processes.
Reduce implicit trust, lateral movement, and identity‑related risks.
Improve visibility, monitoring, and continuous verification.
Enable a phased, realistic Zero Trust transformation roadmap.
A complete ISO‑aligned Zero Trust maturity assessment.
A Zero Trust architecture blueprint mapped to ISO 27001 controls.
Hardened identity, device, network, application, and data controls.
Updated ISMS documentation, policies, and governance.
Improved detection, response, and automation capabilities.
A multi‑phase Zero Trust transformation roadmap.
Assessment across ISO 27001 Annex A domains, mapped to Zero Trust pillars:
Identity & Access Control (A.5, A.6)
Device & Asset Management (A.5, A.7)
Network & Communications Security (A.8)
Application & Workload Security (A.8, A.14)
Data Security & Classification (A.5, A.8)
Monitoring, Logging & Analytics (A.8, A.12)
Governance, Risk & Compliance (A.4, A.5)
Activities include:
Review of ISMS documentation, controls, and governance.
Mapping of current capabilities to Zero Trust principles.
Gap analysis and prioritised recommendations.
Threat‑informed assessment aligned with ISO risk management.
Enterprise Zero Trust architecture blueprint aligned to ISO 27001.
Mapping of ZTA components to ISO controls:
Identity Provider → A.5 Access Control
Policy Decision Point → A.5, A.8
Policy Enforcement Point → A.8
Logging & Monitoring → A.12
Secure Configuration → A.8, A.10
Micro‑segmentation and network isolation strategy.
Data protection and classification model.
Integration with cloud platforms (Azure, AWS, GCP, OCI).
Identity governance aligned to ISO 27001.
MFA, passwordless, and continuous authentication strategy.
Conditional access and risk‑based access policies.
Privileged access management (PAM) design.
Service account and machine identity governance.
Device trust and posture assessment.
Integration with EDR/XDR platforms.
BYOD and corporate device governance.
Continuous device compliance monitoring.
Automated enforcement of device‑based access policies.
Zero Trust network segmentation design.
East‑west traffic control and inspection.
Software‑defined perimeter (SDP) architecture.
Secure remote access and VPN modernisation.
Integration with firewalls, SD‑WAN, and SASE.
Application identity and workload trust.
API security and gateway integration.
Container and Kubernetes Zero Trust patterns.
Secure DevOps and CI/CD pipeline controls.
Runtime protection and workload isolation.
Data classification and sensitivity‑based access.
Encryption, key management, and tokenisation.
Data loss prevention (DLP) strategy.
Zero Trust data access policies.
Monitoring of data flows and exfiltration risks.
Centralised logging and telemetry strategy.
Behavioural analytics and anomaly detection.
Integration with SIEM, SOAR, and XDR.
Automated policy enforcement and remediation.
Continuous verification and adaptive access.
Zero Trust governance framework aligned to ISO 27001.
Roles, responsibilities, and decision‑making workflows.
Policy lifecycle management.
ISMS updates: policies, procedures, risk register, SoA.
Zero Trust transformation roadmap (12–36 months).
ISO 27001 Zero Trust Maturity Assessment Report
Zero Trust Architecture Blueprint (ISO‑aligned)
Identity & Access Modernisation Pack
Network Micro‑Segmentation Design
Data Protection & Governance Framework
Policy Decision & Enforcement Design Pack
ISMS Update Pack (Policies, SoA, Risk Register)
Executive Summary & Board‑Level Presentation
Zero Trust Landing Zone (cloud or hybrid)
Secure DevOps / DevSecOps Integration Guide
Continuous Zero Trust Monitoring Service
Zero Trust Incident Response Playbooks
Multi‑Cloud Zero Trust Architecture
Initiation & Discovery (1–2 weeks)
ISO Zero Trust Maturity Assessment (2–4 weeks)
Architecture & Policy Design (4–8 weeks)
Identity, Network & Data Hardening (variable)
Monitoring & Automation Integration (2–4 weeks)
Governance & ISMS Integration (ongoing)
Optional: Continuous Zero Trust Assurance (subscription)
Lead Zero Trust Architect
ISO 27001 Lead Implementer / Auditor
Identity & Access Specialist
Network & Micro‑Segmentation Engineer
Cloud Security Architect
Governance & Compliance Analyst
Project Manager
Fixed‑price for assessment, architecture, and governance phases.
Time & materials for engineering, integration, and hardening.
Subscription/retainer for continuous Zero Trust monitoring and assurance.
Access to identity, network, cloud, and security platforms.
Engagement with IT, security, and architecture teams.
Availability of existing ISMS documentation and architecture diagrams.
Client commitment to governance and operational adoption.
Legacy systems incompatible with ZT → mitigated through compensating controls and phased migration.
Identity sprawl → mitigated through governance and rationalisation.
Operational resistance → mitigated through training and clear operating models.
ISMS misalignment → mitigated through structured ISO‑aligned documentation updates.