CIOPages
🔒 Interactive Checklist

Zero Trust Implementation Checklist

Track progress across identity, devices, networks, applications, and data pillars.

30 items

Critical items (marked ★) carry 4–5× weight. A Zero Trust programme is only as strong as its weakest pillar — aim for balanced progress across all five.

Pillar 1: Identity

Identity is the new perimeter. Verify every user, every time.

1.1 (★ Critical) Multi-factor authentication (MFA) is enforced for all users, including privileged accounts.
1.2 (★ Critical) A centralised identity provider (IdP) is in place for all applications.
1.3 (★ Critical) Privileged Access Management (PAM) controls are implemented for admin accounts.
1.4 Just-in-time (JIT) and just-enough-access (JEA) principles are applied.
1.5 Identity lifecycle management (joiner, mover, leaver) is automated.
1.6 Continuous authentication and risk-based access policies are configured.

Pillar 2: Devices

Only known, compliant devices should access corporate resources.

2.1 (★ Critical) All corporate devices are enrolled in a Mobile Device Management (MDM) or UEM solution.
2.2 (★ Critical) Device compliance policies are enforced as a condition of access.
2.3 Endpoint Detection and Response (EDR) is deployed on all managed endpoints.
2.4 Patch management ensures devices are updated within defined SLAs.
2.5 BYOD devices accessing corporate data are subject to MAM or containerisation policies.
2.6 Device health signals are integrated with conditional access policies.

Pillar 3: Networks

Assume breach. Segment and monitor all network traffic.

3.1 (★ Critical) Micro-segmentation is implemented to limit lateral movement within the network.
3.2 Traditional VPN is being replaced or augmented with Zero Trust Network Access (ZTNA).
3.3 (★ Critical) East-west traffic (internal) is inspected, not just north-south (perimeter).
3.4 DNS filtering and web proxy controls are in place for all users.
3.5 Network access control (NAC) prevents unauthorised devices from connecting.
3.6 Software-defined perimeter (SDP) or SASE architecture is evaluated or in progress.

Pillar 4: Applications

Protect applications regardless of where they are hosted.

4.1 (★ Critical) All applications require authentication — no anonymous or implicit trust.
4.2 (★ Critical) Application access is granted based on identity, device, and context — not network location.
4.3 Shadow IT applications have been discovered and brought under governance.
4.4 API security controls (authentication, rate limiting, threat protection) are in place.
4.5 Application security testing (SAST/DAST) is integrated into the CI/CD pipeline.
4.6 SaaS applications are governed through a Cloud Access Security Broker (CASB).

Pillar 5: Data

Protect data wherever it lives — at rest, in transit, and in use.

5.1 (★ Critical) Data classification policy is defined and applied to critical data assets.
5.2 (★ Critical) Data Loss Prevention (DLP) controls are in place for sensitive data categories.
5.3 Encryption is enforced for data at rest and in transit across all environments.
5.4 Data access is governed by least-privilege principles and reviewed regularly.
5.5 Data residency and sovereignty requirements are documented and enforced.
5.6 A data discovery tool is used to locate and classify unstructured data.