Jan 23 2026

Zero Trust Architecture to ISO/IEC 27001:2022 Controls Crosswalk

Category: CISO, ISO 27k, vCISO, Zero trust | disc7 @ 7:33 am


1. What is Zero Trust Security

Zero Trust Security is a security model that assumes no user, device, workload, application, or network is inherently trusted, whether inside or outside the traditional perimeter.

The core principles reflected in the image are:

  1. Never trust, always verify – every access request must be authenticated, authorized, and continuously evaluated.
  2. Least privilege access – users and systems only get the minimum access required.
  3. Assume breach – design controls as if attackers are already present.
  4. Continuous monitoring and enforcement – security decisions are dynamic, not one-time.

Instead of relying on perimeter defenses, Zero Trust distributes controls across endpoints, identities, APIs, networks, data, applications, and cloud environments—exactly the seven domains shown in the diagram.


2. The Seven Components of Zero Trust

1. Endpoint Security

Purpose: Ensure only trusted, compliant devices can access resources.

Key controls shown:

  • Antivirus / Anti-Malware
  • Endpoint Detection & Response (EDR)
  • Patch Management
  • Device Control
  • Data Loss Prevention (DLP)
  • Mobile Device Management (MDM)
  • Encryption
  • Threat Intelligence Integration

Zero Trust intent:
Access decisions depend on device posture, not just identity.


2. API Security

Purpose: Protect machine-to-machine and application integrations.

Key controls shown:

  • Authentication & Authorization
  • API Gateways
  • Rate Limiting
  • Encryption (at rest & in transit)
  • Threat Detection & Monitoring
  • Input Validation
  • API Keys & Tokens
  • Secure Development Practices

Zero Trust intent:
Every API call is explicitly authenticated, authorized, and inspected.


3. Network Security

Purpose: Eliminate implicit trust within networks.

Key controls shown:

  • IDS / IPS
  • Network Access Control (NAC)
  • Network Segmentation / Micro-segmentation
  • SSL / TLS
  • VPN
  • Firewalls
  • Traffic Analysis & Anomaly Detection

Zero Trust intent:
The network is treated as hostile, even internally.


4. Data Security

Purpose: Protect data regardless of location.

Key controls shown:

  • Encryption (at rest & in transit)
  • Data Masking
  • Data Loss Prevention (DLP)
  • Access Controls
  • Backup & Recovery
  • Data Integrity Verification
  • Tokenization

Zero Trust intent:
Security follows the data, not the infrastructure.


5. Cloud Security

Purpose: Enforce Zero Trust in shared-responsibility environments.

Key controls shown:

  • Cloud Access Security Broker (CASB)
  • Data Encryption
  • Identity & Access Management (IAM)
  • Security Posture Management
  • Continuous Compliance Monitoring
  • Cloud Identity Federation
  • Cloud Security Audits

Zero Trust intent:
No cloud service is trusted by default—visibility and control are mandatory.


6. Application Security

Purpose: Prevent application-layer exploitation.

Key controls shown:

  • Secure Code Review
  • Web Application Firewall (WAF)
  • API Security
  • Runtime Application Self-Protection (RASP)
  • Software Composition Analysis (SCA)
  • Secure SDLC
  • SAST / DAST

Zero Trust intent:
Applications must continuously prove they are secure and uncompromised.


7. IoT Security

Purpose: Secure non-traditional and unmanaged devices.

Key controls shown:

  • Device Authentication
  • Network Segmentation
  • Secure Firmware Updates
  • Encryption for IoT Data
  • Anomaly Detection
  • Vulnerability Management
  • Device Lifecycle Management
  • Secure Boot

Zero Trust intent:
IoT devices are high-risk by default and strictly controlled.


3. Mapping Zero Trust Controls to ISO/IEC 27001

Below is a practical mapping to ISO/IEC 27001:2022 (Annex A).
(Zero Trust is not a standard, but it maps very cleanly to ISO controls.)


Identity, Authentication & Access (Core Zero Trust)

Zero Trust domains: API, Cloud, Network, Application
ISO 27001 controls:

  • A.5.15 – Access control
  • A.5.16 – Identity management
  • A.5.17 – Authentication information
  • A.5.18 – Access rights

Endpoint & Device Security

Zero Trust domains: Endpoint, IoT
ISO 27001 controls:

  • A.8.1 – User endpoint devices
  • A.8.7 – Protection against malware
  • A.8.8 – Management of technical vulnerabilities
  • A.5.9 – Inventory of information and assets

Network Security & Segmentation

Zero Trust domain: Network
ISO 27001 controls:

  • A.8.20 – Network security
  • A.8.21 – Security of network services
  • A.8.22 – Segregation of networks
  • A.5.14 – Information transfer

Application & API Security

Zero Trust domains: Application, API
ISO 27001 controls:

  • A.8.25 – Secure development lifecycle
  • A.8.26 – Application security requirements
  • A.8.27 – Secure system architecture
  • A.8.28 – Secure coding
  • A.8.29 – Security testing in development

Data Protection & Cryptography

Zero Trust domain: Data
ISO 27001 controls:

  • A.8.10 – Information deletion
  • A.8.11 – Data masking
  • A.8.12 – Data leakage prevention
  • A.8.13 – Backup
  • A.8.24 – Use of cryptography

Monitoring, Detection & Response

Zero Trust domains: Endpoint, Network, Cloud
ISO 27001 controls:

  • A.8.15 – Logging
  • A.8.16 – Monitoring activities
  • A.5.24 – Incident management planning
  • A.5.25 – Assessment and decision on incidents
  • A.5.26 – Response to information security incidents

Cloud & Third-Party Security

Zero Trust domain: Cloud
ISO 27001 controls:

  • A.5.19 – Information security in supplier relationships
  • A.5.20 – Addressing security in supplier agreements
  • A.5.21 – ICT supply chain security
  • A.5.22 – Monitoring supplier services

4. Key Takeaway (Executive Summary)

  • Zero Trust is an architecture and mindset
  • ISO 27001 is a management system and control framework
  • Zero Trust implements ISO 27001 controls in a continuous, adaptive, and identity-centric way

In short:

ISO 27001 defines what controls you need.
Zero Trust defines how to enforce them effectively.

Zero Trust → ISO/IEC 27001 Crosswalk

Columns: Zero Trust Domain | Primary Security Controls | Zero Trust Objective | ISO/IEC 27001:2022 Annex A Controls

Identity & Access (Core ZT Layer)
  Primary Security Controls: IAM, MFA, RBAC, API auth, token-based access, least privilege
  Zero Trust Objective: Ensure every access request is explicitly verified
  ISO/IEC 27001:2022 Annex A Controls: A.5.15 Access control; A.5.16 Identity management; A.5.17 Authentication information; A.5.18 Access rights

Endpoint Security
  Primary Security Controls: EDR, AV, MDM, patching, device posture checks, disk encryption
  Zero Trust Objective: Allow access only from trusted and compliant devices
  ISO/IEC 27001:2022 Annex A Controls: A.8.1 User endpoint devices; A.8.7 Protection against malware; A.8.8 Technical vulnerability management; A.5.9 Inventory of information and assets

Network Security
  Primary Security Controls: Micro-segmentation, NAC, IDS/IPS, TLS, VPN, firewalls
  Zero Trust Objective: Remove implicit trust inside the network
  ISO/IEC 27001:2022 Annex A Controls: A.8.20 Network security; A.8.21 Security of network services; A.8.22 Segregation of networks; A.5.14 Information transfer

Application Security
  Primary Security Controls: Secure SDLC, SAST/DAST, WAF, RASP, dependency scanning
  Zero Trust Objective: Prevent application-layer compromise
  ISO/IEC 27001:2022 Annex A Controls: A.8.25 Secure development lifecycle; A.8.26 Application security requirements; A.8.27 Secure system architecture; A.8.28 Secure coding; A.8.29 Security testing

API Security
  Primary Security Controls: API gateways, rate limiting, input validation, encryption, monitoring
  Zero Trust Objective: Secure machine-to-machine trust
  ISO/IEC 27001:2022 Annex A Controls: A.5.15 Access control; A.8.20 Network security; A.8.26 Application security requirements; A.8.29 Security testing

Data Security
  Primary Security Controls: Encryption, DLP, tokenization, masking, access controls, backups
  Zero Trust Objective: Protect data regardless of location
  ISO/IEC 27001:2022 Annex A Controls: A.8.10 Information deletion; A.8.11 Data masking; A.8.12 Data leakage prevention; A.8.13 Backup; A.8.24 Use of cryptography

Cloud Security
  Primary Security Controls: CASB, cloud IAM, posture management, identity federation, audits
  Zero Trust Objective: Enforce Zero Trust in shared-responsibility models
  ISO/IEC 27001:2022 Annex A Controls: A.5.19 Supplier relationships; A.5.20 Supplier agreements; A.5.21 ICT supply chain security; A.5.22 Monitoring supplier services

IoT / Non-Traditional Assets
  Primary Security Controls: Device authentication, segmentation, secure boot, firmware updates
  Zero Trust Objective: Control high-risk unmanaged devices
  ISO/IEC 27001:2022 Annex A Controls: A.5.9 Asset inventory; A.8.1 User endpoint devices; A.8.8 Technical vulnerability management

Monitoring & Incident Response
  Primary Security Controls: Logging, SIEM, anomaly detection, SOAR
  Zero Trust Objective: Assume breach and respond rapidly
  ISO/IEC 27001:2022 Annex A Controls: A.8.15 Logging; A.8.16 Monitoring activities; A.5.24 Incident management planning; A.5.25 Incident assessment; A.5.26 Incident response


Tags: ISO/IEC 27001:2022, Zero Trust Architecture


Apr 16 2024

Zero Trust Architecture

Category: Cloud computing, Zero trust | disc7 @ 8:19 am


Cloud computing and the use of mobile devices challenged the concept of a perimeter-based security model. The change in thinking started with the Jericho Forum in 2007 releasing the Jericho Forum Commandments for a de-perimeterised world, in which it is assumed that a network perimeter does not exist.

John Kindervag, from Forrester Research, then coined the term “zero trust” in 2010 and developed the phrase “never trust, always verify”. He identified zero trust as a model that removes implicit trust within a system boundary and continuously evaluates the risks by applying mitigations to business transactions and data flows at every step of their journey. The phrase “assume breach” is also often associated with zero trust and comes from the phrase “assume compromise” used by the US Department of Defense in the 1990s.

The approach requires a combination of technologies, processes, practices, and cultural changes to be successfully implemented. It involves a fundamental shift in the way organizations approach cybersecurity. Traditional “castle and moat” security models assumed, after data passed through the perimeter, that everything inside a system could be implicitly trusted.

Zero trust basics

The zero-trust model assumes that all business transactions and data flows, whether originating from inside or outside the network, are potentially malicious. Every interaction in a business transaction or data flow must be continuously validated to ensure that only authorized users and devices can access sensitive business data. In effect, it moves the perimeter from the system boundary to the point at which identification, authentication, and authorization take place, resulting in identity becoming the new perimeter. The whole concept often gets simplified down to the “never trust, always verify” principle, but it’s more than that.

Zero-trust architecture requires a cultural shift that emphasizes the importance of security rather than just compliance throughout an organization. This means that implementing a zero-trust architecture involves not only the deployment of specific technologies but also the development of processes and practices that promote a data-security-first mindset across the organization, building on the data-centric security approach we discussed earlier.

When architecting and developing security for a system, an architect should follow a set of principles, tenets, or simply a way of thinking to apply zero trust. Zero trust isn’t an end-to-end method, and a comprehensive approach requires integration with other architectural thinking techniques.

Zero trust principles

Published guidance includes the US National Institute of Standards and Technology (NIST) SP 800-207 Zero Trust Architecture document, which sets out a set of zero trust architecture tenets, and the UK National Cyber Security Centre (NCSC) Zero trust architecture design principles.


Tags: Hybrid cloud, Zero Trust Architecture


Oct 17 2023

CISCO’S TICKING TIME BOMB: CVE-2023-20198 WITH CVSS SCORE 10 HITS CISCO DEVICES

Category: Network security | disc7 @ 9:10 am

Cisco IOS XE is a robust and flexible operating system, optimized for the evolving landscape of enterprise networking and technology. It enables model-driven programmability, application hosting, and automated configuration management, thus simplifying many day-to-day tasks. IOS XE is integral in providing consistency across Cisco’s array of switching, routing, and wireless network devices.

THE VULNERABILITY: CVE-2023-20198


A new, critical zero-day vulnerability has emerged, labeled as CVE-2023-20198. This vulnerability, with a maximum severity rating of CVSS 10, predominantly affects devices running the Cisco IOS XE software and is currently without a patch, leaving systems vulnerable to potential exploits. The flaw can be exploited by an unauthenticated attacker to create a user account with the highest privilege level, leading to unauthorized system access.

Exploitation in the Wild
Attackers have already begun exploiting this vulnerability in the wild, utilizing it to deliver malicious implants. Organizations using the affected devices are advised to apply mitigation measures promptly to defend against these exploits.

Affected Devices and Systems
The vulnerability, CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled, especially when exposed to the internet or untrusted networks. To ascertain if a system is vulnerable, administrators should:

  1. Utilize the command show running-config | include ip http server|secure|active to check for the presence of ip http server or ip http secure-server commands in the global configuration.
  2. Inspect the configuration for ip http active-session-modules none or ip http secure-active-session-modules none to determine if the vulnerability is exploitable over HTTP or HTTPS respectively.

Cisco’s Response
Cisco has acknowledged the vulnerability, confirming its presence in devices running the Cisco IOS XE software. The company provided steps to identify affected systems and noted the following Indicators of Compromise (IoCs):

  1. System logs containing messages indicating programmatic configuration by unfamiliar users, such as:
  • %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line.
  • %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address].
  2. System logs containing messages about unknown file installation actions, like:
  • %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename.
  3. Presence of an implant, checked by issuing the following command from a workstation with access to the affected system:
  • curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1" – if a hexadecimal string is returned, the implant is present.
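The two configuration checks from the "Affected Devices and Systems" section and the log-based IoCs above, turned into a small triage script. This is an added example, not Cisco's tooling or the original post's code; the running-config excerpt, the syslog lines, the user names and the addresses are all constructed placeholders, and KNOWN_WEBUI_USERS is an assumed allow-list of the accounts your organisation actually expects to log in to the Web UI.

```python
import re

# Constructed sample running-config excerpt (placeholder device, not real).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
ip http active-session-modules none
"""

# Constructed syslog lines shaped like the advisory's IoCs; user names and
# addresses are placeholders, not real indicators.
SAMPLE_LOGS = [
    "%SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as cisco_tac_admin on line 0",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: alice] [Source: 203.0.113.10]",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: svc_unknown] [Source: 198.51.100.7]",
    "%WEBUI-6-INSTALL_OPERATION_INFO: User: svc_unknown, Install Operation: ADD flash:/unknown.bin",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up",
]
KNOWN_WEBUI_USERS = {"alice", "bob"}  # assumption: the org's authorised Web UI accounts
USER_RE = re.compile(r"\[user: ([^\]]+)\]")

def webui_exposure(running_config):
    """Apply the advisory's two config checks to a running-config dump.

    Whole-line matching avoids a false positive on 'no ip http server';
    'active-session-modules none' means the Web UI is unreachable over
    that transport, so the flaw is not exploitable there.
    """
    lines = {ln.strip() for ln in running_config.splitlines()}
    http_off = "ip http active-session-modules none" in lines
    https_off = "ip http secure-active-session-modules none" in lines
    return {"http_exposed": "ip http server" in lines and not http_off,
            "https_exposed": "ip http secure-server" in lines and not https_off}

def flag_webui_iocs(log_lines, known_users):
    """Return (reason, line) pairs for log lines matching the listed IoCs."""
    hits = []
    for line in log_lines:
        if "%SYS-5-CONFIG_P" in line and "SEP_webui_wsma_http" in line:
            hits.append(("programmatic-config-via-webui", line))
        elif "%SEC_LOGIN-5-WEBLOGIN_SUCCESS" in line:
            m = USER_RE.search(line)
            if not m or m.group(1) not in known_users:
                hits.append(("webui-login-unknown-user", line))
        elif "%WEBUI-6-INSTALL_OPERATION_INFO" in line:
            hits.append(("webui-install-operation", line))
    return hits
```

On the sample config the Web UI is still exposed over HTTPS, and the sample logs yield three hits: the programmatic configuration by the Web UI process, the login by an account outside the allow-list, and the install operation.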

Cisco, alongside other cybersecurity firms like Tenable, has provided plugins to identify affected systems. While awaiting a patch, these plugins and the aforementioned checks can assist in identifying and mitigating unauthorized access attempts.


CVE-2023-20198 poses a significant threat to cybersecurity due to its maximum severity rating and the absence of a patch. Organizations using affected Cisco IOS XE devices should remain vigilant and apply necessary mitigation measures to safeguard their systems from potential exploits.


Tags: Cisco, CVE-2023-20198, Zero Trust Architecture