⚡ LIMITED TIME Get our FREE €500+ Compliance Starter Kit
Get It Now →

Zero Trust Architecture 2026: Audit-Ready Evidence

Igor Petreski
14 min read
Zero Trust Architecture evidence mapping for ISO 27001 NIS2 DORA and GDPR

The Monday Morning Zero Trust Audit Nobody Planned For

At 08:12 on a Monday, the CISO of a European SaaS fintech receives three messages within five minutes.

The first is from a banking customer: “Please provide your Zero Trust Architecture evidence pack for our annual ICT third-party review.”

The second is from legal: “We may be classified as an important entity under NIS2 in one member state, and some customers are asking whether DORA flows down to us as an ICT service provider.”

The third is from the head of engineering: “We have MFA, SSO, EDR, Kubernetes network policies and SIEM alerts. Is that Zero Trust?”

This is where many organizations get stuck. They have security tools, but not a Zero Trust compliance operating model. They can point to MFA screenshots, but cannot explain how identity, device posture, least privilege, segmentation, monitoring, incident reporting, privacy safeguards and supplier dependencies fit together. They can show controls, but not traceability.

In 2026, Zero Trust Architecture based on NIST SP 800-207 needs to be more than “never trust, always verify.” For CISOs, compliance managers, auditors and business owners, the practical question is sharper:

How do we turn Zero Trust into evidence that satisfies ISO/IEC 27001:2022, NIS2 cyber hygiene expectations, DORA ICT risk management, GDPR Article 32 security of processing, customer due diligence and board oversight?

The answer is not another tool. It is a risk-based evidence model that connects policy, controls, technical implementation, monitoring and management accountability.

Zero Trust in 2026: From Security Strategy to Compliance Evidence

NIST SP 800-207 defines Zero Trust as a set of principles for designing and operating secure systems where trust is never implicit. Access is granted based on identity, context, policy, asset posture and continuous evaluation.

The seven NIST Zero Trust tenets are especially useful because they turn a vague security slogan into something that can be mapped, tested and audited:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy, including identity, device, application and behavioral attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects information about assets, infrastructure and communications, then uses it to improve security posture.

For a modern SaaS provider, digital bank, managed service provider or cloud-native platform, these principles translate into practical control domains:

  • Identity is verified and governed.
  • Devices are assessed before access is granted.
  • Privileged access is minimized and reviewed.
  • Network paths are segmented and controlled.
  • Applications, APIs and data stores enforce authorization.
  • Logs and telemetry support continuous monitoring.
  • Incidents trigger containment, reporting and recovery.
  • Evidence proves the controls are operating, not just designed.

That final point is where compliance enters.

ISO/IEC 27001:2022 requires organizations to define context, interested parties, applicable legal and contractual requirements, scope, interfaces and dependencies. It also requires risk assessment, risk treatment, a Statement of Applicability, leadership accountability, internal audit, management review and continual improvement.

Zero Trust fits naturally into that structure when it is treated as a control system. It should not sit outside the ISMS as an engineering initiative. It should be part of risk assessment, control selection, policy governance, supplier management, privacy protection, incident response and board reporting.

The Regulatory Pressure Behind Zero Trust Evidence

The pressure for Zero Trust evidence usually comes from overlapping obligations rather than one single standard.

NIS2 may apply to public or private entities in Annex I or Annex II sectors that meet size and activity thresholds, and it can also apply to certain smaller but critical entities. Annex I includes cloud computing service providers, data centre providers, content delivery network providers, trust service providers, managed service providers, managed security service providers, banking and financial market infrastructure entities. Annex II includes digital providers such as online marketplaces, search engines and social networking platforms.

NIS2 Article 20 makes cybersecurity a management body responsibility. The board must approve cybersecurity risk management measures, oversee implementation and receive cybersecurity training. Article 21 requires appropriate and proportionate technical, operational and organizational measures covering risk analysis, incident handling, business continuity, supply chain security, secure development, vulnerability handling, effectiveness assessment, cyber hygiene, training, cryptography, HR security, access control, asset management and, where appropriate, MFA or continuous authentication. Article 23 introduces staged significant-incident reporting, including 24-hour early warning, 72-hour notification and final reporting.

DORA applies from 17 January 2025 and creates a uniform digital operational resilience regime for financial entities. It covers ICT risk management, major ICT-related incident reporting, operational resilience testing, threat information sharing and ICT third-party risk. DORA Articles 5 and 6 require governance and a documented ICT risk management framework. Article 9 addresses protection and prevention, including policies, procedures, protocols and tools to protect ICT systems. Article 17 requires an ICT-related incident management process.

GDPR applies to processing in the context of an EU establishment and also to non-EU controllers or processors offering goods or services to individuals in the EU or monitoring their behavior. GDPR Article 5 requires accountability. Article 32 requires appropriate technical and organizational measures to ensure a level of security appropriate to risk. Article 33 requires personal data breach notification to the supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach.

A Zero Trust evidence model helps because the same control can support multiple frameworks. MFA can support ISO/IEC 27001:2022 access control, NIS2 authentication measures, DORA protection requirements and GDPR security of processing. But only if the organization can prove scope, ownership, implementation, monitoring and review.

Mapping NIST Zero Trust Tenets to ISO/IEC 27001:2022 Controls

ISO/IEC 27001:2022 Annex A controls, supported by ISO/IEC 27002:2022 implementation guidance, provide the audit language most organizations need. The table below translates NIST Zero Trust tenets into ISO control areas that auditors recognize.

NIST SP 800-207 Zero Trust tenetCore Zero Trust principleRelevant ISO/IEC 27001:2022 Annex A controls
All data sources and computing services are resourcesAsset and data identificationA.5.9 Inventory of information and other associated assets, A.5.10 Acceptable use of information and other associated assets, A.5.12 Classification of information
All communication is secured regardless of network locationSecure communication and encrypted channelsA.8.20 Network security, A.8.22 Segregation of networks, A.8.24 Use of cryptography
Access is granted on a per-session basisSession-based authentication and authorizationA.5.17 Authentication information, A.8.5 Secure authentication
Access is determined by dynamic policyContext-aware and least-privilege accessA.5.15 Access control, A.5.18 Access rights, A.8.3 Information access restriction
Asset integrity and security posture are monitoredEndpoint and workload posture verificationA.8.1 User endpoint devices, A.8.8 Management of technical vulnerabilities
Authentication and authorization are dynamic and strictly enforcedIdentity lifecycle and privileged access managementA.5.16 Identity management, A.8.2 Privileged access rights, A.8.5 Secure authentication
Information is collected to improve security postureContinuous monitoring, logging and improvementA.8.15 Logging, A.8.16 Monitoring activities, A.8.23 Web filtering

This mapping is not just a technical design exercise. It becomes the structure for the risk register, Statement of Applicability, evidence pack and management review agenda.

For example, a risk scenario such as “compromised developer account modifies production code and accesses customer data” should map to identity management, MFA, privileged access, network segregation, logging, monitoring, secure development, change management and incident response. That single scenario may support ISO/IEC 27001:2022, NIS2 Article 21, DORA ICT risk management and GDPR Article 32.

The Clarysec Zero Trust Control Stack

Clarysec builds Zero Trust around five evidence domains: identity, device, network, application and data, with monitoring and governance across all five.

The foundation is access control and identity management. In Zenith Controls: The Cross-Compliance Guide, ISO/IEC 27002:2022 control 5.15, Access control, is classified as a preventive control supporting confidentiality, integrity and availability, aligned to the Protect cybersecurity concept and the Identity and Access Management capability. Control 5.16, Identity management, is also preventive and tied to the same CIA properties and IAM capability. Control 8.16, Monitoring activities, is classified as detective and corrective, supporting Detect and Respond through information security event management.

That combination matters. Zero Trust is not access control alone. It is access control plus identity lifecycle plus device posture plus network segregation plus monitoring plus response.

Clarysec policy clauses turn that model into enforceable governance.

From the Enterprise Access Control Policy, section Objectives, clause 3.4:

To support zero trust principles by denying access by default unless explicitly approved and justified.

From the Enterprise User Account and Privilege Management Policy, section Policy Implementation Requirements, clause 6.2.1:

All users must be assigned the minimum level of access necessary to perform their job functions.

From the Enterprise Network Security Policy, section Governance Requirements, clause 5.2:

All inter-zone traffic must be controlled by firewalls or software-defined perimeter solutions, with explicit deny-by-default configurations.

From the Enterprise Logging and Monitoring Policy, section Objectives, clause 3.4:

Establish centralized logging and alerting systems (e.g., SIEM) to aggregate, correlate, and escalate suspicious activity in near real time.

From the Enterprise Information Security Policy, section Policy Implementation Requirements, clause 6.6.1:

All implemented controls shall be auditable, supported by documented procedures and retained evidence of operation.

For SMEs, the same governance intent can be implemented with lighter policy documentation. The User Account and Privilege Management Policy - SME, section Objectives, clause 3.2 states:

Enforce the principle of least privilege, ensuring users are granted only the minimum level of access necessary to perform their duties.

The Access Control Policy - SME, section Governance Requirements, clause 5.4.3 adds:

Privileged accounts must use multi-factor authentication (MFA) where supported.

The Network Security Policy - SME, section Policy Implementation Requirements, clause 6.2.3 states:

Traffic between segments must be filtered, and inter-segment access must follow the principle of least privilege

The Logging and Monitoring Policy - SME, section Purpose, clause 1.3 explains:

Logging and monitoring support threat detection, regulatory compliance, incident reporting and management, and forensic analysis.

For privacy-driven Zero Trust, the Data Protection and Privacy Policy - SME, section Governance Requirements, clause 5.3.2 states:

User access to personal data must be limited to roles with a documented business need

These clauses create audit anchors. An auditor can test whether access is denied by default, privilege is minimized, inter-zone traffic is controlled, logs are centralized and evidence is retained.

Cross-Framework Zero Trust Evidence Map

A strong Zero Trust evidence model should avoid fragmented screenshots. Evidence should show governance, design, implementation, monitoring and review.

Zero Trust capabilityISO/IEC 27001:2022 and ISO/IEC 27002:2022 evidenceNIS2 evidenceDORA evidenceGDPR evidence
Identity verification and lifecycleISMS scope, risk register, SoA entries for A.5.15 and A.5.16, joiner-mover-leaver recordsArticle 21 HR security, access control and asset management measuresICT asset and user access governance within ICT risk frameworkAccess limited to authorized roles, controller accountability records
MFA and continuous authenticationAccess control policy, privileged access procedure, MFA enforcement reportsArticle 21 measures for MFA or continuous authentication where appropriateControls supporting secure access to ICT systems and critical functionsArticle 32 security of processing evidence for personal data access
Device posture and endpoint trustAsset inventory, endpoint configuration baseline, EDR coverage, exception approvalsCyber hygiene, vulnerability handling and secure system policiesICT asset inventory, resilience testing, monitoring of ICT systemsProtection against unauthorized or unlawful processing from compromised endpoints
Network segmentation and microsegmentationNetwork diagrams, firewall rules, segmentation test results, change recordsMeasures to prevent or minimize incident impact and support business continuityReference architecture, impact tolerance, testing of critical systemsData isolation, minimization of breach scope
Application and API least privilegeRBAC or ABAC matrices, cloud IAM policies, token scopes, API access reviewsSecure acquisition, development and maintenance, vulnerability handlingICT-supported function mapping and dependency documentationPurpose limitation, access to personal data based on business need
Continuous monitoring and detectionSIEM use cases, alert triage, monitoring procedure, incident recordsIncident handling and significant incident reporting readinessIncident classification, management escalation and reporting lifecyclePersonal data breach detection and accountability evidence
Supplier and cloud trustSupplier agreements, cloud exit plan, supplier monitoring, shared responsibility mappingSupply chain security for direct suppliers and service providersICT third-party risk strategy, register of ICT contracts, audit rights and exit plansProcessor due diligence, contractual safeguards and security controls

This table is the core of a board-ready Zero Trust program. It shows how one control environment can support multiple assurance demands without creating separate evidence packs for every framework.

Using Zenith Blueprint to Create Traceability

Clarysec’s Zenith Blueprint: An Auditor’s 30-Step Roadmap is designed to stop Zero Trust from becoming an undocumented engineering philosophy. In the Risk Management phase, Step 13, Risk Treatment Planning and Statement of Applicability, it explains:

The SoA is effectively a bridging document : it links your risk assessment/treatment to the
actual controls you have. By completing it, you also double-check if you missed any controls.

The same step recommends mapping controls to risks, adding Annex A control references to risk treatment entries and cross-referencing regulations such as GDPR, NIS2 or DORA where controls are implemented to satisfy those obligations.

For Zero Trust, this is the missing bridge. If an auditor asks why you implemented conditional access, the answer should not be “because Zero Trust says so.” A better answer is:

  • The risk scenario is unauthorized access to customer data through compromised credentials.
  • The risk owner is the CTO or Head of Engineering.
  • The treatment includes SSO, MFA, conditional access, endpoint posture validation, least privilege, segmentation and monitoring.
  • The SoA maps the treatment to access control, identity management, logging, monitoring, cryptography, vulnerability management and cloud service management.
  • The same treatment supports NIS2 Article 21, DORA ICT risk management and GDPR Article 32.
  • Evidence includes policy clauses, access reviews, SIEM alerts, EDR posture reports, firewall rules, IAM exports, incident exercises and management review minutes.

That is how Zero Trust Architecture becomes audit-ready.

Endpoint Trust, APIs and Network Segregation in Practice

Zero Trust often fails because organizations focus on identity while ignoring device, workload, data and network context.

Zenith Blueprint Step 19, Technological Controls I, explains the endpoint posture requirement clearly:

Access to information via endpoints must be context-aware. For example, does the device
meet minimum security standards before accessing company resources? Has it recently passed
a malware scan? Is it connecting from an unusual location or network? Integrating with Zero
Trust principles, endpoint posture can feed into conditional access, denying entry until the
device proves it’s safe.

This turns the device into part of the authorization decision. A valid password from an unmanaged laptop should not be treated the same as a valid login from a compliant, encrypted and monitored corporate endpoint.

The same step emphasizes that access restrictions apply to applications, services and APIs, not only users:

Access restrictions should also be applied to applications, services, and APIs , not just people.
For example, a microservice might only need read access to a database table, not full CRUD
rights. A backup tool may only need access to specific storage buckets, not all tenant resources.

That guidance is critical for cloud-native environments. API scopes, service accounts, workload identities, Kubernetes roles and cloud IAM policies must all follow least privilege. Human access is only one part of the control surface.

Step 20 of Zenith Blueprint addresses segregation of networks:

Segregation is one of the oldest and most effective principles in cybersecurity: limit the
spread, reduce the risk, and contain the damage
. Control 8.22 focuses on network
segregation, the practice of separating systems, services, and users across different logical or
physical zones to prevent unauthorized access and restrict lateral movement in case of
compromise.

This is critical for DORA and NIS2 resilience. A Zero Trust network should assume that one account, workload or endpoint can be compromised. Segmentation prevents a local event from becoming a systemic incident.

A 10-Day Zero Trust Evidence Pack

Imagine a SaaS fintech that provides fraud analytics to banks. It processes personal data, uses cloud infrastructure, relies on managed Kubernetes, integrates with customer APIs and uses a third-party identity provider. A customer asks for Zero Trust evidence, and the company has ten working days.

A practical Clarysec evidence sprint would look like this.

TimelineActionEvidence output
Day 1 to 2Define Zero Trust scope across production cloud accounts, identity provider, CI/CD, administrator workstations, customer API gateway, data warehouse, SIEM, EDR and critical suppliersScope statement, dependency map, boundary diagram
Day 3Build risk-to-control traceability using Zenith Blueprint Step 13Risk register entries, treatment plan, SoA mappings
Day 4 to 5Apply enterprise or SME policy clauses and document exceptionsApproved policies, exception register, risk acceptance records
Day 6 to 7Gather technical evidenceMFA reports, conditional access policies, PAM records, endpoint dashboards, firewall rules, Kubernetes network policies, IAM exports, SIEM use cases
Day 8Add privacy and data protection evidenceRole-to-data matrix, processing records, encryption evidence, retention rules, breach escalation procedure
Day 9Add NIS2 and DORA overlaysArticle 21 mapping, incident reporting readiness, ICT function map, supplier register, exit plan evidence
Day 10Create executive summaryBoard-ready narrative, residual risk summary, improvement roadmap

The goal is not to pretend the organization has achieved perfect Zero Trust in ten days. The goal is to create a defensible evidence chain for the most important risks and prove that the program is governed, measurable and improving.

How Different Auditors Will Test Zero Trust

A common mistake is to prepare one technical story and assume every auditor will ask the same questions. They will not.

An ISO/IEC 27001:2022 auditor will look for the management system. They will ask whether Zero Trust risks are included in the risk assessment, whether treatments are approved, whether the SoA is complete, whether policies are controlled documents, whether access reviews occur, whether internal audits test the controls and whether management reviews track performance.

A DORA reviewer will ask whether Zero Trust controls are part of the documented ICT risk management framework. They will expect asset and dependency inventories, critical or important function mapping, incident classification, board escalation, testing, third-party contract requirements, audit rights, exit strategies and remediation tracking.

A NIS2 assessor will focus on management body accountability, Article 21 cybersecurity risk management measures and Article 23 incident reporting readiness. They will also expect evidence that supply chain security, business continuity, vulnerability handling, access control and cyber hygiene are managed.

A GDPR reviewer or privacy auditor will ask whether access to personal data is necessary, documented, limited, monitored and aligned with processing purposes. They will examine controller and processor roles, personal data breach detection, role-based access, encryption, pseudonymisation where appropriate, retention and accountability.

Auditor lensLikely questionEvidence that answers it
ISO/IEC 27001:2022 auditorIs Zero Trust risk-based, approved and reflected in the SoA?Risk register, SoA, risk treatment plan, policy approvals, management review minutes
NIST CSF assessorAre governance, identity, protection, detection, response and recovery outcomes integrated?CSF profile, gap plan, IAM controls, logging use cases, response playbooks, recovery tests
DORA reviewerDoes Zero Trust support ICT risk management and resilience of critical functions?ICT asset inventory, dependency map, testing program, incident classification, supplier register
GDPR/privacy auditorIs personal data access limited and demonstrably protected?Role-to-data matrix, access reviews, encryption evidence, breach procedures, processing records
COBIT 2019/ISACA auditorAre responsibilities, metrics and control performance governed?RACI, KPIs, exception register, audit findings, remediation tracker

The same control can satisfy multiple questions, but only if the evidence is organized.

Supplier, Cloud and ICT Third-Party Risk

Zero Trust does not stop at the firewall, and in cloud environments there may be no traditional firewall boundary at all. Identity providers, cloud platforms, CI/CD tools, managed detection providers, payment processors, API gateways and outsourced development teams all become part of the trust fabric.

NIS2 Article 21 explicitly includes supply chain security for direct suppliers and service providers, including supplier vulnerabilities, product and service resilience, supplier cybersecurity practices and secure development procedures.

DORA requires ICT third-party risk to be managed as part of the ICT risk management framework, with a register of ICT service contracts, pre-contract due diligence, assessment of criticality, concentration risk, contractual security requirements, incident assistance, authority cooperation, audit rights, termination rights, exit strategies and transition plans.

For Zero Trust, the practical rule is simple: do not trust a supplier connection just because it is contractual. Require technical controls and evidence.

A customer API integration should have scoped tokens, rate limits, monitoring, rotation, ownership and revocation. A managed service provider should use MFA, named accounts, least privilege, session logging and time-bound access. A cloud provider relationship should have shared responsibility mapping, encryption configuration, logging retention, backup testing and exit planning.

This is why supplier and cloud evidence belongs inside the Zero Trust model rather than in a separate procurement folder.

Metrics That Prove Zero Trust Is Operating

Boards and auditors do not want architecture diagrams only. They want operating evidence and improvement trends.

Useful Zero Trust metrics include:

  • Percentage of privileged accounts protected by MFA.
  • Percentage of users covered by conditional access.
  • Number of standing privileged accounts compared with just-in-time accounts.
  • Number of overdue access reviews.
  • Percentage of endpoints compliant with posture requirements.
  • EDR coverage across critical assets.
  • Number of denied access attempts due to device or location risk.
  • Mean time to detect suspicious privileged activity.
  • Mean time to revoke access after termination.
  • Percentage of inter-zone firewall rules reviewed in the last quarter.
  • Number of critical suppliers with current security evidence.
  • Number of Zero Trust exceptions past remediation date.
  • Percentage of critical applications sending logs to SIEM.
  • Incident simulation results for credential compromise.

These metrics support ISO/IEC 27001:2022 continual improvement, NIS2 effectiveness assessment, DORA testing and remediation expectations, and GDPR accountability.

Common Zero Trust Evidence Failures

The most frequent failures are not caused by lack of tools. They are caused by weak traceability.

First, organizations implement MFA but cannot prove privileged accounts are fully covered. Service accounts, break-glass accounts and local admin accounts often remain outside the control.

Second, access reviews are performed manually but not tied to business roles, data sensitivity or risk owners. The evidence shows that someone clicked “reviewed,” not that unnecessary access was removed.

Third, network segmentation exists in diagrams but not in tested rules. Auditors will ask whether inter-segment access is denied by default and whether exceptions are approved.

Fourth, logs are collected but not actionable. A SIEM without defined use cases, alert triage and response procedures does not prove continuous monitoring.

Fifth, supplier access is unmanaged. Vendors may use shared accounts, persistent VPN access or broad cloud roles without session monitoring.

Sixth, privacy evidence is separated from security evidence. GDPR requires demonstrable protection of personal data, so identity and access controls must connect to data categories and processing purposes.

Finally, exceptions are undocumented. Zero Trust can tolerate exceptions if they are risk-assessed, approved, time-bound and monitored. It cannot tolerate invisible exceptions.

Build Your Zero Trust Evidence Pack With Clarysec

Zero Trust Architecture in 2026 is not a slogan. It is a compliance operating model that links identity, devices, applications, network segmentation, least privilege, continuous monitoring, supplier control and privacy safeguards into one auditable system.

If you are preparing for ISO/IEC 27001:2022 certification, responding to NIS2 customer inquiries, aligning with DORA ICT risk management or proving GDPR Article 32 security of processing, start with traceability.

Use Zenith Blueprint: An Auditor’s 30-Step Roadmap to map Zero Trust risks into your risk register, treatment plan and SoA. Use Zenith Controls: The Cross-Compliance Guide to align access control, identity management and monitoring with cross-framework expectations. Use Clarysec’s policy library, including Enterprise Access Control Policy, Enterprise User Account and Privilege Management Policy, Enterprise Network Security Policy, Enterprise Logging and Monitoring Policy, Enterprise Information Security Policy and Data Protection and Privacy Policy - SME, to turn architecture into enforceable governance.

Your next practical step is to select one high-risk scenario, such as compromised privileged access to customer data, and build a complete Zero Trust evidence chain around it. If you can prove that scenario end to end, you have the foundation for a scalable, auditable and regulator-ready Zero Trust program.

Download the Clarysec policy bundles or schedule a strategy call to see how Zenith Blueprint and Zenith Controls can transform Zero Trust from an audit risk into a compliance advantage.

Frequently Asked Questions

About the Author

Igor Petreski

Igor Petreski

Compliance Systems Architect, Clarysec LLC

Igor Petreski is a cybersecurity leader with over 30 years of experience in information technology and a dedicated decade specializing in global Governance, Risk, and Compliance (GRC).Core Credentials & Qualifications:• MSc in Cyber Security from Royal Holloway, University of London• PECB-Certified ISO/IEC 27001 Lead Auditor & Trainer• Certified Information Systems Auditor (CISA) from ISACA• Certified Information Security Manager (CISM) from ISACA • Certified Ethical Hacker from EC-Council

Share this article

Related Articles

Secure Remote Access and VPN Governance for NIS2 and DORA

Secure Remote Access and VPN Governance for NIS2 and DORA

Remote access is no longer a narrow IT topic. In 2026, VPN, MFA, supplier access, endpoint posture, logging and patch evidence must satisfy ISO 27001 auditors, NIS2 management accountability, DORA ICT risk rules and GDPR Article 32 security obligations.

CI/CD Pipeline Security Governance for 2026 Audits

CI/CD Pipeline Security Governance for 2026 Audits

A practical CISO guide to governing CI/CD pipelines as auditable software supply chain systems, with build provenance, hardened runners, signed artifacts, deployment evidence and Clarysec policy mappings.