ISO/IEC 27001/27002 Zero Trust Reference Architecture Security Consultancy Services Work Package

1. Executive Summary

This work package provides organisations with expert guidance to design and implement a Zero Trust Architecture (ZTA) aligned to ISO/IEC 27001:2022 and ISO/IEC 27002:2022. It integrates Zero Trust principles — continuous verification, least privilege, micro‑segmentation, identity‑centric access, and adaptive policy enforcement — into the ISMS governance model, Annex A controls, and operational security practices.

The service ensures Zero Trust becomes a control‑aligned, risk‑driven, and auditable security architecture, strengthening compliance, resilience, and cloud‑ready security posture across hybrid and multi‑cloud environments.

2. Objectives and Outcomes

Primary Objectives

• Assess current security posture against ISO/IEC 27001/27002 and Zero Trust principles.

• Develop a Zero Trust Reference Architecture aligned to ISO controls.

• Strengthen identity, device, network, application, and data security.

• Improve monitoring, detection, and automated response capabilities.

• Establish governance, policies, and continuous assurance processes.

Expected Outcomes

• ISO‑aligned Zero Trust maturity assessment.

• Zero Trust Reference Architecture mapped to ISO/IEC 27001 Annex A controls.

• Hardened identity, network, data, and workload controls.

• Updated ISMS governance, policies, and risk register.

• A multi‑phase Zero Trust transformation roadmap.

3. Scope of Services (Aligned to ISO/IEC 27001:2022 Annex A)

3.1 Governance & ISMS Integration (A.5 – Organisational Controls)

Activities:

• Zero Trust governance framework aligned to ISO/IEC 27001.

• Policy updates: access control, network security, monitoring, data protection.

• Roles, responsibilities, and decision‑making workflows.

• Zero Trust risk register and Statement of Applicability (SoA) updates.

• Supplier and third‑party Zero Trust requirements.

Deliverables:

• Governance Framework

• Updated ISMS Policy Suite

• ISO‑Aligned Zero Trust Risk Register

3.2 Identity & Access Security (A.5, A.6 – Identity & Access Controls)

Activities:

• Identity governance and lifecycle management.

• MFA, passwordless, conditional access.

• Privileged Access Management (PAM).

• Service account and workload identity governance.

• Zero Trust identity architecture.

Deliverables:

• Identity & Access Modernisation Pack

• Access Control Policy Updates

• PAM & Conditional Access Design

3.3 Asset, Device & Endpoint Security (A.5, A.7 – People & Physical Controls)

Activities:

• Device trust and compliance policies.

• Endpoint hardening and threat protection.

• BYOD and corporate device governance.

• Integration with EDR/XDR platforms.

Deliverables:

• Device Trust Architecture

• Endpoint Hardening Standards

• EDR/XDR Integration Blueprint

3.4 Network & Micro‑Segmentation (A.8 – Technological Controls)

Activities:

• Zero Trust network segmentation.

• East‑west traffic inspection and isolation.

• Secure remote access and ZTNA patterns.

• Cloud network segmentation (Azure/AWS/GCP).

• Firewall, WAF, and private networking design.

Deliverables:

• Network Micro‑Segmentation Design

• ZTNA Architecture Pack

• Cloud Network Security Blueprint

3.5 Application & Workload Security (A.8 – Technological Controls)

Activities:

• Application identity and workload trust.

• API security and gateway integration.

• Secure DevOps and CI/CD controls.

• Container and serverless Zero Trust patterns.

Deliverables:

• Application & Workload Security Pack

• DevSecOps Integration Guide

• API & Workload Trust Architecture

3.6 Data Security & Governance (A.5, A.8 – Information Controls)

Activities:

• Data classification and sensitivity‑based access.

• Encryption, tokenisation, key management.

• Data loss prevention (DLP) and insider risk controls.

• Data access governance and monitoring.

Deliverables:

• Data Protection & Governance Framework

• Encryption & Key Management Design

• DLP & Insider Risk Controls Pack

3.7 Monitoring, Detection & Response (A.8 – Monitoring & Logging Controls)

Activities:

• SIEM, SOAR, XDR integration.

• Behavioural analytics and anomaly detection.

• Cloud‑native monitoring (Azure/AWS/GCP).

• Threat intelligence integration.

• Detection engineering aligned to MITRE ATT&CK.

Deliverables:

• Monitoring & Telemetry Strategy

• Detection Engineering Use Case Library

• Incident Response Playbooks

3.8 Business Continuity & Resilience (A.5 – Resilience Controls)

Activities:

• Zero Trust‑aligned business continuity planning.

• Cloud resilience patterns (multi‑region, failover, backups).

• Post‑incident review and continuous improvement.

Deliverables:

• Resilience & Continuity Framework

• Cloud Resilience Architecture

• Continuous Improvement Model

4. Zero Trust Reference Architecture (ISO‑Aligned)

The architecture spans:

Identity Security

• IAM, MFA, Conditional Access

• Privileged Access Management

• Workload identity governance

Network Security

• Zero Trust network segmentation

• Cloud network security patterns

• ZTNA and software‑defined perimeter

Data Security

• Classification, encryption, tokenisation

• Data governance and DLP

• Insider risk management

Application & Workload Security

• DevSecOps and CI/CD security

• API security

• Container and serverless security

Infrastructure Security

• Cloud landing zones

• CSPM, CIEM, CWPP

• Secure configuration baselines

Operations & Monitoring

• SIEM, SOAR, XDR

• Threat intelligence

• Behavioural analytics

5. Deliverables

Core Deliverables

• ISO/IEC 27001 Zero Trust Maturity Assessment Report

• Zero Trust Reference Architecture Blueprint (ISO‑aligned)

• Governance & Policy Framework

• Identity, Network & Data Hardening Packs

• Monitoring, Detection & Automation Design Pack

• Incident Response & Resilience Playbook Pack

• Executive Summary & Board‑Level Presentation

Optional Deliverables

• Cloud Zero Trust Landing Zone

• Secure DevOps / DevSecOps Integration Guide

• Continuous ISO‑Aligned Monitoring Service

• Zero Trust Incident Response Playbooks

• Multi‑Cloud Zero Trust Architecture

6. Engagement Model

Delivery Phases

1. Initiation & Discovery (1–2 weeks)

2. ISO Zero Trust Maturity Assessment (2–4 weeks)

3. Architecture & Policy Design (4–8 weeks)

4. Identity, Network & Data Hardening (variable)

5. Monitoring & Automation Integration (2–4 weeks)

6. Governance & Capability Uplift (ongoing)

7. Optional: Continuous ISO Assurance (subscription)

Team Roles

• Lead Cybersecurity Architect

• Zero Trust Architect

• Identity & Access Specialist

• Cloud Security Architect

• Governance & Compliance Analyst

• Detection Engineering Specialist

• Project Manager

7. Pricing Model

• Fixed‑price for assessment, architecture, and governance phases.

• Time & materials for engineering, integration, and hardening.

• Subscription/retainer for continuous ISO‑aligned monitoring and assurance.

8. Assumptions & Dependencies

• Access to identity, network, cloud, and security platforms.

• Engagement with IT, security, and architecture teams.

• Availability of existing ISMS documentation and architecture diagrams.

• Client commitment to governance and operational adoption.

9. Risks & Mitigations

• Legacy systems incompatible with modern controls → phased migration & compensating controls.

• Identity sprawl → IAM governance & PIM.

• Cloud misconfigurations → CSPM & policy enforcement.

• Operational resistance → training & clear operating models.