This work package provides organisations with expert guidance to design and implement a Zero Trust Architecture (ZTA) using the Open Enterprise Security Architecture (O‑ESA) framework. It integrates Zero Trust principles — continuous verification, least‑privilege access, micro‑segmentation, identity‑centric security — into O‑ESA’s business‑aligned, capability‑driven architecture model.
The service ensures Zero Trust is embedded into business capabilities, security services, architecture domains, governance, and operational processes, enabling a modern, resilient, and risk‑aligned security posture across hybrid and multi‑cloud environments.
Assess current enterprise security architecture maturity using O‑ESA and Zero Trust principles.
Develop an O‑ESA‑aligned Zero Trust Reference Architecture.
Integrate Zero Trust into business capabilities, security services, and architecture domains.
Reduce implicit trust, lateral movement, and identity‑related risks.
Improve visibility, monitoring, and adaptive access enforcement.
Deliver a phased Zero Trust transformation roadmap aligned to the O‑ESA lifecycle.
An O‑ESA‑aligned Zero Trust maturity assessment.
A Zero Trust Reference Architecture mapped to O‑ESA domains.
Hardened identity, device, network, application, and data controls.
Updated governance, security services, and operating models.
Improved detection, response, and automation capabilities.
A multi‑phase Zero Trust transformation roadmap.
Identify business drivers, mission, and critical capabilities.
Define Zero Trust business outcomes and success criteria.
Map Zero Trust to business capability models.
Analyse stakeholders and assess organisational impact.
Define Zero Trust governance principles aligned to O‑ESA.
Define Zero Trust security services across:
Identity & Access
Device & Endpoint
Network & Segmentation
Application & Workload
Data Protection
Monitoring & Analytics
Automation & Orchestration
Map Zero Trust capabilities to O‑ESA service domains.
Develop capability maturity models and improvement plans.
Architecture design across O‑ESA domains:
Zero Trust business capability model.
Business process redesign for identity‑centric access.
Updated business principles and governance.
Data classification and Zero Trust data access model.
Data lineage, ownership, and protection patterns.
Encryption, tokenisation, and key management strategy.
Application identity and workload trust.
API security and gateway integration.
Secure DevOps and CI/CD controls.
Application segmentation and workload isolation.
Identity & Access Modernisation
Device & Endpoint Security
Network & Micro‑Segmentation
Cloud & Hybrid Security
Logging, Monitoring & Telemetry
Automation & Orchestration
Policy decision and enforcement points (PDP/PEP).
Trust evaluation services.
Threat intelligence and analytics services.
Zero Trust orchestration and automation services.
Zero Trust governance model aligned to O‑ESA.
Updated security policies and standards.
Architecture decision‑making workflows.
Zero Trust risk register and control mapping.
Policy lifecycle management.
Prioritised capability roadmap (12–36 months).
Work package catalogue aligned to business priorities.
Dependency mapping across identity, network, data, and cloud.
Costing, resourcing, and risk analysis.
Identity hardening (MFA, PIM, conditional access).
Network segmentation and ZTNA deployment.
SIEM/SOAR/XDR integration.
Cloud security hardening (Azure/AWS/GCP).
DevSecOps and CI/CD security integration.
O‑ESA Zero Trust Maturity Assessment Report
Zero Trust Reference Architecture Blueprint (O‑ESA aligned)
Business Capability & Security Service Mapping
Data, Application & Technology Architecture Packs
Identity, Network & Data Hardening Designs
Monitoring, Detection & Automation Design Pack
Governance & Operating Model Framework
Executive Summary & Board‑Level Presentation
Zero Trust Landing Zone (cloud or hybrid)
Secure DevOps / DevSecOps Integration Guide
Continuous Zero Trust Monitoring Service
Zero Trust Incident Response Playbooks
Multi‑Cloud Zero Trust Architecture
Business Alignment — Business drivers, capabilities, governance
Security Services Definition — Zero Trust capability modelling
Architecture Design — Business, information, application, technology
Security Services Integration — PDP/PEP, trust engines, telemetry
Implementation Planning — Roadmap, work packages, dependencies
Governance & Operations — Operating model, metrics, continuous assurance
Optional: Continuous Zero Trust Assurance (subscription)
Lead Enterprise Security Architect (O‑ESA Practitioner)
Zero Trust Architect
Identity & Access Specialist
Network & Micro‑Segmentation Engineer
Cloud Security Architect
Governance & Risk Analyst
Project Manager
Fixed‑price for assessment, architecture, and governance phases.
Time & materials for engineering, integration, and hardening.
Subscription/retainer for continuous Zero Trust monitoring and assurance.
Access to enterprise architecture artefacts and security platforms.
Engagement with IT, security, and architecture teams.
Availability of existing O‑ESA documentation and architecture diagrams.
Client commitment to governance and operational adoption.
Legacy systems incompatible with ZT → mitigated through compensating controls and phased migration.
Architecture sprawl → mitigated through O‑ESA governance and capability modelling.
Identity sprawl → mitigated through governance and rationalisation.
Operational resistance → mitigated through training and clear operating models.