This work package provides organisations with expert guidance to design, assess, and implement a Zero Trust programme aligned to the CISA Zero Trust Maturity Model (ZTMM), integrating:
CISA Zero Trust Maturity Model v2.0
NIST SP 800‑207 Zero Trust Architecture
NIST SP 800‑53 Rev.5 supporting controls
Cloud‑native Zero Trust patterns (AWS, Azure, GCP, OCI, Alibaba)
Identity‑centric, least‑privilege, continuous verification principles
The service ensures organisations progress from Traditional → Initial → Advanced → Optimal maturity across all Zero Trust pillars, enabling secure digital transformation across hybrid and multicloud environments.
Assess the organisation’s maturity against the CISA ZTMM pillars.
Develop a CISA‑aligned Zero Trust Reference Architecture.
Strengthen identity, device, network, workload, data, and operational security.
Improve monitoring, detection, and automated response capabilities.
Establish governance, policies, and continuous assurance processes.
CISA ZTMM Maturity Assessment & Remediation Roadmap.
Zero Trust Reference Architecture blueprint aligned to CISA.
Hardened identity, network, data, and workload controls.
Updated governance, policies, and operational processes.
A multi‑phase Zero Trust transformation roadmap.
CISA ZTMM defines six Zero Trust pillars.
This work package aligns to each pillar and its maturity stages.
Identity governance and lifecycle management.
MFA, passwordless, conditional access.
Privileged Access Management (PAM).
Attribute‑based access control (ABAC).
Continuous authentication and authorisation.
Identity Hardening Pack
Zero Trust Identity Architecture
Privileged Access Governance Model
Device inventory, trust scoring, and posture assessment.
Endpoint detection and response (EDR/XDR).
BYOD and unmanaged device controls.
Device‑based access policies integrated with identity.
Device Trust & Posture Framework
Endpoint Security Hardening Pack
Device‑Aware Access Policy Set
Zero Trust network segmentation and micro‑segmentation.
Software‑defined perimeter (SDP) and ZTNA patterns.
East‑west traffic inspection and isolation.
Secure remote access and identity‑aware proxies.
Zero Trust Network Segmentation Design
ZTNA Architecture Pack
Network Security Hardening Standards
Secure DevOps and CI/CD integration.
API security and gateway integration.
Container and serverless Zero Trust patterns.
Workload identity and runtime protection.
Application & Workload Security Pack
DevSecOps Integration Guide
API & Workload Trust Architecture
Data classification and sensitivity‑based access.
Encryption, tokenisation, key management.
Data Loss Prevention (DLP) and insider risk controls.
Data access governance and monitoring.
Data Protection & Governance Framework
Encryption & Key Management Design
DLP & Insider Risk Controls Pack
SIEM, SOAR, XDR integration.
Behavioural analytics and anomaly detection.
Continuous monitoring of identity, device, network, and workload signals.
Automated remediation and policy enforcement.
Monitoring & Telemetry Strategy
Detection Engineering Use Case Library
Zero Trust Incident Response Playbook Pack
Our consultancy guides organisations through the four CISA maturity stages:
Stage        Description                                              Outcome
Traditional  Static, perimeter‑based, siloed controls                 Baseline assessment
Initial      Basic Zero Trust capabilities deployed                   Foundational controls
Advanced     Integrated, automated, risk‑adaptive                     Continuous verification
Optimal      Fully automated, AI‑driven, enterprise‑wide, dynamic     Self‑healing Zero Trust
Continuous authentication
Least privilege & JIT access
Strong identity governance
Device trust scoring
Posture‑based access
EDR/XDR integration
Micro‑segmentation
ZTNA & SDP
Identity‑aware routing
Secure SDLC
API security
Workload identity
Classification, encryption, tokenisation
DLP & insider risk
Attribute‑based access control (ABAC)
SIEM, SOAR, XDR
Behavioural analytics
Continuous monitoring
CISA ZTMM Maturity Assessment Report
Zero Trust Reference Architecture Blueprint
Identity, Network & Data Hardening Packs
Monitoring, Detection & Automation Design Pack
Governance & Operating Model Framework
Executive Summary & Board‑Level Presentation
Zero Trust Landing Zone (cloud‑agnostic or cloud‑specific)
Secure DevOps / DevSecOps Integration Guide
Continuous Zero Trust Monitoring Service
Multi‑Cloud Zero Trust Architecture
Compliance Accelerator (ISO, NIST, CIS, PCI, HIPAA)
Initiation & Discovery
CISA ZTMM Maturity Assessment
Architecture & Policy Design
Identity, Network & Data Hardening
Monitoring & Automation Integration
Governance & Capability Uplift
Optional: Continuous Zero Trust Assurance
Lead Zero Trust Architect
Identity & Access Specialist
Cloud Network Engineer
DevSecOps & Workload Security Specialist
Governance & Compliance Analyst
Detection Engineering Specialist
Project Manager
Fixed‑price for assessment, architecture, and governance phases.
Time & materials for engineering and integration.
Subscription/retainer for continuous Zero Trust assurance.
Identity sprawl → strong IAM governance & automation.
Cloud misconfigurations → CSPM + IaC.
Network complexity → micro‑segmentation & ZTNA simplification.
Operational resistance → training & clear operating models.
Tool sprawl → consolidation into unified Zero Trust fabric.