Auditors Can Assess and Advance Their Zero Trust Model with New ISACA Audit Program

SCHAUMBURG, Ill.–(BUSINESS WIRE)–#isaca–For organizations that adopt a Zero Trust approach for their cybersecurity program—adhering to the principles of “never trust, always verify”—it is important to periodically review, test and adjust their model to ensure that all users have the least amount of access to perform their jobs in order to better protect assets and systems. A new audit program from ISACA supports IT auditors in assessing these controls and processes to ensure their Zero Trust models are effective.

A subpar Zero Trust program can lead to major impacts, such as unplanned costs associated with incident response, significant impact resulting from regulatory censure, missed performance targets, system downtime, loss of business-critical data and/or systems, and reputational damage.

ISACA’s Zero Trust Audit Program guides auditors in examining the core focus areas that can reduce the impact of a cyberincident. The program can be used to assess an organization’s ability to secure itself based on Zero Trust policies and procedures, as well as to evaluate related controls and their effectiveness in reducing the likelihood of a cybersecurity incident. The program also hones in on shortcomings pertaining to personnel, processes, technologies and governance, as well as various types of operational risk that could have a reputational impact.

“Organizations are not static, and so their Zero Trust model for their cybersecurity programs should not be either,” says Sampa David Sampa, regional senior IT auditor at World Vision, member of the ISACA Emerging Trends Working Group and a developer of the paper. “When an enterprise’s roles, responsibilities, vendors or infrastructure change, or updates are made to policies, data classification or incident response processes, they also need to adjust their Zero Trust model accordingly to address these and reduce risk.”

The audit program—which includes an Excel file with testing steps—also outlines the specific processes that auditors should consider when assessing the maturity level of a Zero Trust program, including:

  • Continuous authentication validation and risk analysis processes
  • Microperimeter implementations built around and between all critical applications, systems and data stores
  • Just-in-time (JIT) and proportionate access controls
  • Advanced attack protections integrated into application workflows

“Only through a concerted effort involving rigorous testing of controls and monitoring of a range of processes can organizations really have a clear picture of where they stand with their Zero Trust program and how they can continue to strengthen it,” says Paul Phillips, ISACA director, event content development. “ISACA is committed to providing auditors with the support and resources they need to continue refining and advancing their Zero Trust approach to ultimately reduce their risk of and impact from cyberincidents.”

The Zero Trust Audit Program is US$25 for ISACA members and US$49 for non-members and can be accessed at

Additional audit programs and resources can be found at:


For more than 50 years, ISACA® ( has equipped individuals and enterprises with the knowledge, credentials, education, training and community to progress their careers, transform their organizations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organization that leverages the expertise of its more than 165,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. It has a presence in 188 countries, including 225 chapters worldwide. Through its foundation One In Tech, ISACA supports IT education and career pathways for underresourced and underrepresented populations.


Bridget Drufke, [email protected], +1.847.660.5554

Emily Ayala, [email protected], +1.847.660.5512