Zero Trust

Zero Trust is a security model built on the principle 'never trust, always verify': no user or device is trusted by default, every access request is verified, and only the minimum necessary privileges are granted. Zero Trust is a response to the fact that traditional perimeter-based defences are no longer sufficient in a cloud and remote-working reality.


    What is Zero Trust?

    The traditional perimeter-based security paradigm assumed that everything inside the network boundary was trustworthy. With cloud computing, remote working, mobile devices and sophisticated attacks, this assumption is no longer tenable. An attacker who has compromised a single account or device can move freely within a traditional 'trusted' network.

    Zero Trust eliminates implicit trust. Instead, all access requests are verified continuously — regardless of whether the user is in the office, at home or on an unfamiliar network. Users and devices must continuously prove that they are authorised for the specific resource they are attempting to access.

    Core principles of Zero Trust

    Zero Trust is usually summarised in three core principles (popularised by Microsoft's Zero Trust guidance and consistent with the seven tenets of NIST's Zero Trust Architecture, SP 800-207):

    • Verify explicitly: Always authenticate and authorise based on all available data points — identity, location, device health, service or workload, data classification and anomalies.
    • Use least-privilege access: Limit user access with just-in-time and just-enough-access, risk-based adaptive policies and data protection.
    • Assume breach: Minimise the blast radius and segment access. Assume that attackers are already in the network and design defences accordingly.

    The Zero Trust pillars

    Zero Trust is typically implemented across five domains, the pillars of CISA's Zero Trust Maturity Model:

    • Identity: Strong authentication (MFA), privileged access management
    • Devices: Device compliance checks, MDM, endpoint protection
    • Network: Microsegmentation, encrypted traffic, network monitoring
    • Applications: Application access control, secure publishing
    • Data: Data classification, DLP, encryption

    Zero Trust is a journey:
    No organisation implements Zero Trust overnight. Start with the highest-priority measures, typically strong identity management and MFA, and build from there. Zero Trust is a goal, not a product.

    Zero Trust and compliance frameworks

    Zero Trust aligns well with the requirements of multiple compliance frameworks. In the ISO 27001:2013 numbering, the Annex A controls on access control (A.9), cryptography (A.10) and operations security (A.12) map directly to Zero Trust principles; ISO 27001:2022 regroups the same controls, mostly under the organisational (A.5) and technological (A.8) themes. NIS2 requirements for risk management and technical security measures are also well served by a Zero Trust approach.

    Implementing Zero Trust in practice

    Practical first steps towards Zero Trust include:

    • Implement MFA: Deploy multi-factor authentication for all users and administrative access.
    • Device compliance: Require device health checks before granting access to corporate resources.
    • Identity-centric access: Migrate to cloud-based identity providers and implement conditional access policies.
    • Microsegmentation: Segment the network so that compromising one area does not give access to all others.
    • Privileged access management: Implement PAM solutions to control and audit administrative access.
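The following is an added example and not code from the page or from any product: a minimal policy decision point in Python that puts the three principles above and the first practical steps (MFA, device compliance, conditional access, least privilege) into one per-request decision. The signal names, the classification levels, the rules and the sample users are assumptions chosen for illustration; a real deployment would take these signals from the identity provider and MDM.

```python
from dataclasses import dataclass, field, replace
from typing import List, Optional

# Assumed data classification levels, least to most sensitive (illustrative, not from the page).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class AccessRequest:
    """Signals the policy engine sees for one request; field names are assumptions."""
    user: str
    roles: frozenset            # roles held by the authenticated identity
    mfa: bool                   # strong authentication completed in this session
    device_managed: bool        # device is enrolled in MDM
    device_compliant: bool      # device passed its latest health check
    network: str                # "corp", "home" or "unknown": a signal, never a source of trust
    resource: str
    classification: str         # key of CLASSIFICATION_RANK
    action: str                 # "read" or "write"
    required_role: str          # role that grants this action on this resource


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Decide one request on its own signals; nothing is inherited from the network it came from."""
    rank = CLASSIFICATION_RANK[req.classification]
    denials = []

    # Least privilege: the identity must hold the role this action requires.
    if req.required_role not in req.roles:
        denials.append("missing_role:" + req.required_role)

    # Verify explicitly: anything above public needs MFA, office network or not.
    if rank >= CLASSIFICATION_RANK["internal"] and not req.mfa:
        denials.append("mfa_required")

    # Device posture: confidential data and above only from managed, compliant devices.
    if rank >= CLASSIFICATION_RANK["confidential"]:
        if not req.device_managed:
            denials.append("unmanaged_device")
        elif not req.device_compliant:
            denials.append("device_noncompliant")

    # Assume breach: shrink the blast radius by refusing writes to restricted data from unknown networks.
    if (rank == CLASSIFICATION_RANK["restricted"]
            and req.action == "write" and req.network == "unknown"):
        denials.append("restricted_write_from_unknown_network")

    return Decision(False, denials) if denials else Decision(True, ["all_checks_passed"])


@dataclass
class Session:
    """An open session keeps the request it was granted on so the decision can be repeated."""
    request: AccessRequest
    active: bool = True


def open_session(req: AccessRequest) -> Optional[Session]:
    """Grant a session only if the initial request passes; return None when it does not."""
    return Session(req) if evaluate(req).allow else None


def reverify(session: Session, **changed_signals) -> Decision:
    """Continuous verification: re-run the policy whenever a signal changes mid-session.

    A device that drops out of compliance, or an MFA claim that lapses, revokes the
    session; having been trusted at login earns nothing later.
    """
    session.request = replace(session.request, **changed_signals)
    decision = evaluate(session.request)
    session.active = decision.allow
    return decision


# Constructed sample requests; the users, devices and resources are not real.
REMOTE_ENGINEER = AccessRequest(
    user="alice", roles=frozenset({"engineer"}), mfa=True,
    device_managed=True, device_compliant=True, network="home",
    resource="source-repo", classification="confidential",
    action="write", required_role="engineer",
)
# Same person at a desk in the office, but without MFA: the corporate LAN earns no trust.
ONSITE_NO_MFA = replace(REMOTE_ENGINEER, mfa=False, network="corp")
# Right identity and device, but the held role does not cover the resource.
WRONG_ROLE = replace(REMOTE_ENGINEER, roles=frozenset({"analyst"}))


if __name__ == "__main__":
    print("remote engineer:", evaluate(REMOTE_ENGINEER))
    print("onsite, no MFA: ", evaluate(ONSITE_NO_MFA))
    print("wrong role:     ", evaluate(WRONG_ROLE))
    session = open_session(REMOTE_ENGINEER)
    print("device falls out of compliance mid-session:", reverify(session, device_compliant=False))
```

The design point is that location appears only as one signal among several and never short-circuits the other checks, and that `reverify` re-runs the full policy rather than remembering the earlier allow: that is what "continuous verification" means in practice, and it is the behaviour a conditional access policy in a cloud identity provider is configured to produce.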

    Frequently Asked Questions about Zero Trust

    What is Zero Trust?

    Zero Trust is a security model that eliminates implicit trust and requires continuous verification of all access requests. It is built on three principles: verify explicitly, use least-privilege access, and assume breach.

    What are the core principles of Zero Trust?

    The three core principles are: verify explicitly (authenticate and authorise based on all available data points), use least-privilege access (grant only the minimum necessary permissions), and assume breach (design defences as though attackers are already inside the network).

    How does Zero Trust differ from traditional security?

    Traditional security relies on a trusted perimeter — once inside the network, users and devices are implicitly trusted. Zero Trust eliminates this implicit trust and requires continuous verification for every access request, regardless of the user's location.

    Is Zero Trust a product I can purchase?

    No. Zero Trust is a security strategy and architectural approach, not a single product. Implementing Zero Trust requires a combination of technologies (MFA, microsegmentation, PAM, endpoint protection) along with changes to policies and processes.

    How does Zero Trust relate to ISO 27001?

    Zero Trust aligns well with ISO 27001. The Annex A controls on access control, cryptography and operations security map directly to Zero Trust principles. Implementing Zero Trust supports compliance with multiple ISO 27001 controls simultaneously.
