How to implement zero trust: A 7-step roadmap aligned with NIST

Zero trust is a security framework built on a single principle: never trust, always verify. Unlike traditional perimeter-based security models that assume users and devices inside the network are trustworthy, a zero trust architecture (ZTA) requires continuous verification of every user, device and transaction, regardless of location.

NIST Special Publication 800-207 defines zero trust as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to a focus on users, assets and resources.”

For boards, executives and IT leaders, the value of zero trust extends beyond network security. When implemented with governance integration, zero trust creates the audit trails, access controls and continuous monitoring capabilities that GRC programs require.

This guide covers how to implement zero trust in seven practical steps:

• What zero trust is and why it matters for governance
• A 7-step implementation roadmap aligned to NIST zero trust principles
• A mapping table connecting each step to NIST concepts and stakeholder responsibilities
• What zero trust means for boards and governance oversight
• How governance technology supports zero trust monitoring, compliance and board reporting

Why implementing zero trust is crucial

Zero trust frameworks have grown increasingly central to organizations’ operating models over recent years. According to the Q4 Business Risk Index by Diligent Institute and Corporate Board Member, respondents rated current business risk at 7.9 out of 10, with technology and cyber risk among the top drivers. The conditions making zero trust essential include:

• The Internet of Things has increased the number of devices a business’s network needs to support
• Cloud-based applications and remote data centers are used to host data
• Remote and hybrid working create a “new normal” in the workplace

Combined, the impact of these changes is a network where the perimeter — your potential “attack surface” — can be challenging to define and, therefore, protect. Devising a roadmap for zero trust implementation is the next essential step in your journey to make your network as watertight as possible.

How to implement a zero trust architecture in 7 steps

The good news is that there are recognized steps you can take when implementing a zero trust architecture. The following framework aligns with NIST SP 800-207 principles while remaining practical enough for organizations at any maturity level.

Step 1: Define your protect surface

NIST alignment: Identify critical assets and data flows (NIST ZTA Tenet: focus on resources, not network location)

As the attack surface grows and becomes less distinct, it’s essential to take a different tack and focus on your protect surface; the necessary items to defend.

Therefore, step one in implementing zero trust is defining these critical items. Identify the essential data, assets, applications and services (DAAS) that should make up the non-negotiables you need to protect.

By doing this and defining a protect surface that’s usually significantly smaller than the potential attack surface, organizations can focus their efforts on the most crucial areas.

Examples of DAAS you might include:

• Data: Customer personal or financial information; healthcare data
• Applications: In-house or proprietary software, especially that which would threaten business continuity in the event of a breach
• Assets: These might include the IoT devices mentioned above, specialized equipment or other business-specific assets
• Services: Your domain name system (DNS) or Dynamic Host Configuration Protocol (DHCP)

Defining which of your data, applications, assets and services are most sensitive, critical or at risk can be a challenge — you need to look across your entire organization and take a comprehensive view, something that demands scrupulous oversight.

Step 2: Map your transaction and traffic flows

NIST alignment: Understand data flows before establishing policy enforcement points

Data moves around your network constantly, between devices, applications and assets. When looking at how to implement zero trust, it’s therefore essential to understand this data flow. Where is data coming from and moving to? Who is using it?

Zero trust relies on “no” being the default answer. To identify which data flows should not be trusted, you need to know which are vital to your operations and should be allowed. This mapping of data flow underpins that decision.

Step 3: Architect your zero trust network

NIST alignment: Design policy decision points (PDP) and policy enforcement points (PEP)

Once you have mapped your data flows and identified permitted ones, you invoke the zero trust approach to block everything else.

This requires implementing a zero trust architecture, sometimes referred to as architecting a zero trust network; in other words, building network controls that only allow through legitimate data flows. Your zero trust network sets the rules that determine which flows are allowed and which are not.

Keep proportionality in mind; while in theory you can place controls or filters anywhere in the network you want, in practice you should weigh up the value of the control against the time and expense of putting it in.

Understanding flow intent can help here. Try asking questions like:

• Why is the data moving?
• Who requires it?
• What is the purpose?

Step 4: Create your zero trust policy

NIST alignment: Establish access policies based on identity, context and risk (least-privilege access)

What will you base your zero trust controls on? Organizations often rely on the Kipling Method here: asking who, what, when, where, why and how concerning data access to determine what should be allowed.

This approach can give the granularity needed to identify legitimate data flows and access requirements. Clear policies and strict controls are essential to a successful zero trust implementation; its very nature demands that there is no ambiguity, with clearly-defined and enforced controls.

Step 5: Conduct continuous monitoring

NIST alignment: Continuous diagnostics, monitoring and logging (NIST ZTA Tenet: continuous verification)

Once policies and controls are in place, monitoring becomes your next priority. For this, you need clear visibility across the network and an “always on” approach to monitoring and compliance.

Monitoring your zero trust network to ensure that the controls are operating as they should, and storing a compliant audit trail of records, will position your operation well for any audit or compliance check, whether internal or external.

Accurate and comprehensive data is vital to effective governance, risk and compliance (GRC). When rigorous monitoring and compliance checks are BAU, reporting is straightforward, and you are always prepared for scrutiny.

“Where there’s good governance, there tends to be better cybersecurity performance, and the reverse is also true. Poor performing companies tend to have greater cybersecurity risk.”

— Derek Vadala, Chief Risk Officer at Bitsight Technologies

Step 6: Automate policy enforcement and response

NIST alignment: Automated response and dynamic policy enforcement

Implementing a zero trust architecture is a tremendous job; once you’ve delivered, the last thing you want is to risk the ongoing effectiveness of your approach. Trying to manage a zero trust network manually can be a recipe for disaster; as with many other elements of governance, risk and compliance, automation can be the key to success.

Your zero trust network is a constantly evolving entity; automating the policies and rules that govern new additions to the network is the only way to realistically maintain the rigor and agility needed to keep pace with a changing IT and security environment. Whether it is identifying new DAAS, approving changes or deploying controls across the network, manual intervention risks human error, omissions and cybersecurity gaps. Automation brings consistency, robustness and precision.

Step 7: Iterate and continuously expand

NIST alignment: Continuous improvement and maturity advancement

Developing your zero trust network to include new or additional DAAS should be an ongoing task, an iterative process.

Your network expands all the time, with new devices, users and applications. The initial project to implement a zero trust network may be significant and, as a result, come with substantial cost and, potentially, cause some distraction from, or disruption to, BAU processes.

Ongoing, once your zero trust architecture is in place, you should be able to expand on it with minimal disruption, ensuring the entirety of your network remains as protected as possible.

What zero trust means for boards and governance

Most zero trust guidance is written for CISOs and IT architects. But for directors and governance leaders, zero trust is not just a network security project. It is a governance initiative that affects cyber risk oversight, investment decisions, regulatory compliance and organizational resilience.

According to What Directors Think 2026 by Diligent Institute and Corporate Board Member, 47% of directors say risk-related discussions now consume a greater share of board meeting time than they did three years ago. Cyber risk is consistently among the top categories driving that increase.

“Boards must recognize cybersecurity as a business risk, not just an IT issue. GCs play a vital role in embedding resilience into governance.”

— Kay Pang, General Counsel and Board Director

To fulfill their oversight role, directors should ask management these questions about the organization’s zero trust program:

1. Roadmap and timeline: What is our zero trust implementation roadmap, what phase are we in and what is the timeline for reaching full maturity?
2. Metrics and measurement: What metrics are we using to measure zero trust effectiveness, and how do those metrics translate into business risk reduction?
3. Third-party risk: How does our zero trust architecture extend to third-party vendors and supply chain partners?
4. Regulatory alignment: How does our zero trust program align with applicable regulatory requirements and industry frameworks such as NIST, SEC cyber disclosure rules and sector-specific mandates?
5. Investment and resource adequacy: Are we investing sufficient resources in zero trust implementation relative to our risk appetite and peer benchmarks?

How one CISO moved from spreadsheets to NIST-aligned risk management

For James Wade, First Vice President and CISO at MCS, the path to stronger risk oversight started with a familiar problem: years of audit and risk processes trapped in spreadsheets. MCS, a property services provider, had a security team that understood its risk landscape but lacked the infrastructure to manage it systematically or report on it at the board level.

Wade's team replaced that spreadsheet-based approach with Diligent IT Risk Management. The impact was immediate. Using built-in templates for NIST, CIS and SOC frameworks, Wade converted legacy policies in a single day, work that had previously consumed weeks of manual effort. Internal and external audit programs that once required extensive manual coordination became streamlined workflows with centralized evidence collection and automated reporting.

The most significant shift was in board communication. Instead of translating spreadsheet data into presentation slides for each board meeting, Wade's team could surface risk posture and control effectiveness directly through Diligent's reporting tools, giving directors the visibility they needed to ask informed questions about the organization's security maturity.

Watch the full MCS customer story

For organizations building a zero trust program, MCS illustrates a practical truth: the technical controls only deliver governance value when they connect to the risk management and board reporting infrastructure that makes them visible and auditable.

How Diligent supports zero trust governance and compliance

Zero trust implementation generates continuous data on access decisions, policy enforcement and control effectiveness. The challenge for most organizations is connecting that operational data to the governance, risk and compliance workflows that boards and regulators expect. That connection is where Diligent’s platform adds value.

Diligent IT Risk Management: Centralizes IT risk assessment, control mapping and remediation tracking. For zero trust programs, this means a single view of control effectiveness across your protect surface, with automated risk scoring that translates technical control data into the business risk language boards understand.

IT Compliance: Maps zero trust controls to compliance frameworks including NIST CSF, SOC 2 and ISO 27001. Automated evidence collection captures the audit trails that zero trust monitoring generates, streamlining compliance reporting and reducing manual effort during audits.

Diligent Boards (GovernAI): Delivers the monitoring and audit trail data from zero trust operations directly into board and audit committee reporting workflows. Smart Builder can synthesize IT risk and compliance data into board-ready materials, ensuring directors receive the information they need to fulfill their cyber oversight responsibilities.

The ever-changing and growing threats to your network demands organizations understand how to implement zero trust. The steps set out above provide a practical, NIST-aligned roadmap that extends beyond network security to address the governance, compliance and board oversight dimensions that most zero trust guides overlook. Organizations that treat zero trust as a governance initiative, not just a security project, are better positioned to demonstrate accountability, satisfy regulatory expectations and build long-term resilience.

Discover how Diligent’s integrated GRC platform connects zero trust operations to board-level governance. Schedule a demo.

Frequently asked questions about zero trust implementation

Where do I start with zero trust?

Start by defining your protect surface: the critical data, assets, applications and services (DAAS) your organization must defend. This is typically much smaller than your total attack surface, allowing you to focus security investments where they matter most. From there, map transaction flows, design policy enforcement points and build outward.

How long does it take to implement zero trust?

Zero trust is not a single project with a fixed end date. Initial implementation of core controls can take six to eighteen months depending on organizational complexity, but zero trust is inherently iterative. Most organizations operate on a maturity model, expanding coverage and refining policies continuously.

Can you implement zero trust with legacy systems?

Yes, but it requires careful planning. Legacy systems that cannot support modern authentication or micro-segmentation may need compensating controls, such as network isolation, enhanced monitoring or gateway-based access proxies. The key is to start with what you can control and address legacy gaps as part of your maturity roadmap.

Is zero trust required by any regulations?

No single regulation explicitly mandates zero trust by name, but many regulatory frameworks align closely with zero trust principles. U.S. federal agencies are required to adopt zero trust under Executive Order 14028. The SEC’s cybersecurity disclosure rules and frameworks like NIST CSF and ISO 27001 emphasize the continuous verification, least-privilege access and monitoring that zero trust provides.

Build a zero trust program that satisfies both security and governance requirements. Schedule a demo to see how Diligent connects zero trust operations to board-level oversight.