This work package provides organisations with expert guidance to design and implement a Zero Trust Architecture (ZTA) using the SABSA Framework. It integrates Zero Trust principles—continuous verification, least‑privilege access, micro‑segmentation, identity‑centric security—into the SABSA layers:
Contextual Architecture (Business Requirements)
Conceptual Architecture (Security Concepts & Principles)
Logical Architecture (Policies & Models)
Physical Architecture (Technology‑Agnostic Design)
Component Architecture (Technology Selection)
Operational Architecture (Processes & Operations)
The service ensures Zero Trust is risk‑driven, business‑aligned, and fully integrated into governance, architecture, and operational security.
Assess current security architecture maturity using SABSA and Zero Trust principles.
Develop a SABSA‑aligned Zero Trust Reference Architecture.
Integrate Zero Trust into business, risk, policy, and technical layers.
Reduce implicit trust, lateral movement, and identity‑related risks.
Improve visibility, monitoring, and adaptive access enforcement.
Deliver a phased Zero Trust transformation roadmap aligned to the SABSA lifecycle.
A SABSA‑aligned Zero Trust maturity assessment.
A Zero Trust Reference Architecture mapped to SABSA layers.
Hardened identity, device, network, application, and data controls.
Updated governance, risk models, and operational processes.
Improved detection, response, and automation capabilities.
A multi‑phase Zero Trust transformation roadmap.
Identify business drivers, mission, and critical assets.
Define Zero Trust business attributes and success criteria.
Develop a Zero Trust risk model aligned to SABSA’s Business Attribute Profiling.
Stakeholder mapping and organisational impact assessment.
Define Zero Trust governance principles.
Define Zero Trust principles aligned to:
Identity‑centric access
Continuous verification
Least privilege
Micro‑segmentation
Explicit trust reduction
Develop conceptual models for:
Identity trust
Device trust
Network trust
Application trust
Data trust
Align conceptual models with business attributes.
Develop Zero Trust policies and logical control models.
Map Zero Trust controls to:
NIST SP 800‑207
CISA Zero Trust Maturity Model
NCSC Zero Trust principles
ISO 27001 Annex A
Logical models for:
Identity governance
Network segmentation
Data access and protection
Application trust boundaries
Monitoring and analytics
Design Zero Trust architecture patterns:
Identity & Access
Device & Endpoint
Network & Segmentation
Cloud & Hybrid
Data & Key Management
Logging & Telemetry
Define technology‑agnostic security services and capabilities.
Map physical designs to logical models and business attributes.
Select and map technologies to Zero Trust capabilities:
IAM, PAM, IdP, MFA
EDR/XDR
SD‑WAN, SASE, ZTNA
SIEM, SOAR, UEBA
Cloud security platforms
Integration architecture for hybrid and multi‑cloud environments.
Component‑level design for Zero Trust enforcement points.
Define operational processes for:
Identity lifecycle
Access reviews
Threat detection & response
Incident management
Change control
Develop Zero Trust operational playbooks.
Define KPIs, metrics, and continuous improvement cycles.
Zero Trust governance framework aligned to the SABSA lifecycle.
Architecture Board updates and decision‑making workflows.
Policy lifecycle management.
Risk register updates and control assurance.
Benefits realisation and continuous improvement.
SABSA‑Aligned Zero Trust Maturity Assessment Report
Zero Trust Reference Architecture Blueprint (SABSA‑aligned)
Business Attribute Profiling & Risk Model
Conceptual & Logical Zero Trust Models
Physical & Component Architecture Designs
Operational Architecture & Playbook Pack
Governance & Architecture Board Framework
Executive Summary & Board‑Level Presentation
Zero Trust Landing Zone (cloud or hybrid)
Secure DevOps / DevSecOps Integration Guide
Continuous Zero Trust Monitoring Service
Zero Trust Incident Response Playbooks
Multi‑Cloud Zero Trust Architecture
Contextual — Business drivers, risk, governance
Conceptual — Zero Trust principles & conceptual models
Logical — Policies, control models, logical architecture
Physical — Technology‑agnostic design
Component — Technology selection & integration
Operational — Processes, monitoring, continuous improvement
Optional: Continuous Zero Trust Assurance (subscription)
Lead Enterprise Security Architect (SABSA Certified)
Zero Trust Architect
Identity & Access Specialist
Network & Micro‑Segmentation Engineer
Cloud Security Architect
Governance & Risk Analyst
Project Manager
Fixed‑price for assessment, architecture, and governance phases.
Time & materials for engineering, integration, and hardening.
Subscription/retainer for continuous Zero Trust monitoring and assurance.
Access to enterprise architecture artefacts and security platforms.
Engagement with IT, security, and architecture teams.
Availability of existing SABSA documentation and architecture diagrams.
Client commitment to governance and operational adoption.
Legacy systems incompatible with Zero Trust → mitigated through compensating controls and phased migration.
Architecture sprawl → mitigated through SABSA governance and Architecture Board oversight.
Identity sprawl → mitigated through governance and rationalisation.
Operational resistance → mitigated through training and clear operating models.