Zero Trust
Implement zero trust -- never trust, always verify.
9 of 9 frameworks cover this control
Framework Mappings
How Zero Trust maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | PR.AA-01 PR.AA-03 PR.IR-01 |
| ISO 27001 | Covered | A.8.20 A.5.15 |
| CIS v8 | Covered | CIS 6.1 CIS 12.2 |
| SOC 2 | Covered | CC6.1 CC6.3 |
| PCI DSS | Covered | 1.3.1 7.2.1 |
| CMMC | Covered | AC.L2-3.1.1 SC.L2-3.13.1 |
| 800-53 | Covered | AC-4 SC-7 |
| HIPAA | Covered | §164.312(a)(1) |
| GDPR | Covered | Art.32(1)(b) Art.25(1) |
About Zero Trust
Zero Trust is a cybersecurity control in the Protect domain. Implement zero trust -- never trust, always verify. Zero trust architecture operates on the principle that no user, device, or network segment should be implicitly trusted, requiring continuous verification of identity and authorization for every access request. Implementation involves micro-segmentation, identity-aware proxies, device posture checks, least-privilege access policies, and continuous monitoring of all network traffic regardless of its origin. Organizations adopting zero trust should take a phased approach, starting with identity verification and MFA, then extending to network segmentation and workload isolation as the architecture matures.
This control is recognized by 9 of the 9 major frameworks: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR. It has full coverage across all 9 frameworks.