Zero trust is a response to the collapse of the network perimeter. The traditional security model assumed that anything inside the corporate network could be trusted and that the firewall was the primary defence. That model breaks down when employees work from home, when SaaS applications sit outside the network, and when attackers routinely move laterally after compromising a single internal machine. Zero trust replaces the perimeter assumption with a different one: trust nothing implicitly, verify everything explicitly, and apply the principle of least privilege to every access request regardless of where it originates.
In practice, zero trust is an architecture philosophy rather than a single product or standard. NIST SP 800-207 defines the principles and the logical components, covering identity verification, device health assessment, policy enforcement points, and continuous monitoring. The NCSC provides implementation guidance for UK and European organisations. A zero trust implementation typically involves strengthening identity (MFA, device certificates), segmenting resources so lateral movement is constrained even after an initial compromise, and logging access decisions in a form that enables real-time detection of anomalous behaviour.
For ISO 27001 and NIS2 compliance, zero trust architecture supports multiple Annex A controls simultaneously, particularly in the access control and network security families. Organisations that have adopted it often find their audit evidence easier to produce because access decisions are logged at the enforcement point rather than inferred from network topology. The migration path from traditional perimeter-based security to zero trust is typically multi-year and incremental; the architecture is a direction rather than a destination. The Askara Solutions agent maps the current access architecture against zero trust principles as part of the ISO 27001 risk assessment, identifying where implicit trust assumptions are still operating and which Annex A controls address each gap.