Zero trust has become one of the most overused terms in cybersecurity marketing. Every vendor claims their product enables zero trust, and every framework now references zero trust principles. The term has become so diluted that it risks meaning nothing at all. For Australian organisations, particularly those subject to the Information Security Manual (ISM), cutting through this noise to understand actual requirements is essential. The good news is that the ISM provides relatively clear guidance on what zero trust means in practice, and much of it aligns with security capabilities organisations should be building regardless of what we call them. This article examines what the ISM actually requires, how these requirements relate to zero trust principles, and how to implement them pragmatically.
Zero Trust Principles Demystified
At its core, zero trust represents a shift from perimeter-based security models to one where trust is never assumed and always verified. Traditional network security assumed that entities inside the network perimeter were trusted by virtue of their location. Zero trust assumes that any entity - user, device, or application - could be compromised, and therefore access decisions must be made based on verified identity, device health, and other contextual factors. The key principles typically associated with zero trust include: verify explicitly (always authenticate and authorise based on all available data points), use least privilege access (limit access to only what is needed for the current task), and assume breach (minimise blast radius and segment access to limit damage from inevitable compromises). These principles are not new - security professionals have advocated for least privilege and defence in depth for decades. What zero trust adds is a more systematic application of these principles across all access decisions, including internal traffic that traditional models would have trusted implicitly.
ISM Requirements and Zero Trust Alignment
The ISM does not mandate zero trust as a specific architecture but includes controls that align strongly with zero trust principles. Identity and access management controls require strong authentication, role-based access, and regular access reviews - all consistent with the verify explicitly principle. Network segmentation controls require limiting network connectivity based on operational requirements - consistent with least privilege and assume breach. The ISM's emphasis on multi-factor authentication, particularly for privileged access and remote access, supports explicit verification. Controls around endpoint security, including application whitelisting and hardening, contribute to device trust verification. Logging and monitoring requirements enable detection of anomalous behaviour that might indicate compromise. For organisations subject to the Essential Eight, the relationship to zero trust is even clearer. Application control, patching, restriction of administrative privileges, and multi-factor authentication all support zero trust principles. Achieving Essential Eight maturity level two or three demonstrates significant progress toward a zero trust security posture.
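The access decision the two sections above describe (verified identity, device health, network context, least privilege and an audit trail) can be shown as a small policy decision point. This is an added example, not code from the article or any ISM artefact: the roles, entitlements, segments, device attributes and sample requests are all constructed, and the rule set (MFA required for remote and privileged access; device must be managed, patched and application-controlled; segment paths are explicit-allow) is an assumption chosen to mirror the controls mentioned in the text.

```python
# Zero trust policy decision point (PDP) covering verify explicitly,
# least privilege and assume breach. Added example; all data is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Identity:
    user: str
    roles: Set[str]
    mfa_verified: bool       # second factor presented for this session


@dataclass
class Device:
    device_id: str
    managed: bool            # enrolled and policy-controlled
    patched: bool            # patching current (Essential Eight)
    app_control: bool        # application control enforced (Essential Eight)


@dataclass
class Request:
    identity: Identity
    device: Device
    source_segment: str      # network segment the request originates from
    resource: str
    resource_segment: str    # network segment hosting the resource
    action: str              # "read", "write" or "admin"


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)   # why access was refused


# Least privilege: each role is granted only the actions it needs (constructed).
ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "finance-user":  {"payroll-db": {"read"}},
    "finance-admin": {"payroll-db": {"read", "write", "admin"}},
    "helpdesk":      {"ticketing":  {"read", "write"}},
}
PRIVILEGED_ACTIONS = {"admin"}

# Assume breach: segmentation is explicit-allow; any path not listed is denied.
SEGMENT_ALLOW: Set[Tuple[str, str]] = {
    ("corp-lan", "finance-net"),
    ("remote",   "finance-net"),
    ("corp-lan", "ops-net"),
}

AUDIT_LOG: List[str] = []   # every decision is recorded for monitoring


def evaluate(req: Request) -> Decision:
    """Apply every check; deny if any one fails, and log the outcome."""
    reasons: List[str] = []
    # Verify explicitly: MFA for remote and privileged access.
    if req.source_segment == "remote" and not req.identity.mfa_verified:
        reasons.append("mfa required for remote access")
    if req.action in PRIVILEGED_ACTIONS and not req.identity.mfa_verified:
        reasons.append("mfa required for privileged action")
    # Device trust: only managed, patched, application-controlled endpoints.
    if not req.device.managed:
        reasons.append("unmanaged device")
    if not req.device.patched:
        reasons.append("device not patched")
    if not req.device.app_control:
        reasons.append("application control not enforced on device")
    # Least privilege: some role must grant this action on this resource.
    permitted = any(
        req.action in ENTITLEMENTS.get(role, {}).get(req.resource, set())
        for role in req.identity.roles
    )
    if not permitted:
        reasons.append("action not permitted by role entitlements")
    # Assume breach: the network path must be explicitly allowed.
    if (req.source_segment, req.resource_segment) not in SEGMENT_ALLOW:
        reasons.append("no segment rule permits this path")
    decision = Decision(allowed=not reasons, reasons=reasons)
    AUDIT_LOG.append(
        f"user={req.identity.user} device={req.device.device_id} "
        f"{req.source_segment}->{req.resource_segment} {req.action} {req.resource} "
        f"result={'ALLOW' if decision.allowed else 'DENY'} reasons={reasons}"
    )
    return decision


def sample_decisions() -> Dict[str, Decision]:
    """Run constructed requests through the PDP and return decisions by name."""
    good_laptop = Device("lt-0001", managed=True, patched=True, app_control=True)
    stale_laptop = Device("lt-0002", managed=True, patched=False, app_control=True)
    alice = Identity("alice", {"finance-user"}, mfa_verified=True)
    alice_no_mfa = Identity("alice", {"finance-user"}, mfa_verified=False)
    bob_admin = Identity("bob", {"finance-admin"}, mfa_verified=True)
    carol = Identity("carol", {"helpdesk"}, mfa_verified=True)
    return {
        "lan_read_ok":     evaluate(Request(alice, good_laptop, "corp-lan", "payroll-db", "finance-net", "read")),
        "remote_no_mfa":   evaluate(Request(alice_no_mfa, good_laptop, "remote", "payroll-db", "finance-net", "read")),
        "admin_stale_dev": evaluate(Request(bob_admin, stale_laptop, "corp-lan", "payroll-db", "finance-net", "admin")),
        "wrong_role":      evaluate(Request(carol, good_laptop, "corp-lan", "payroll-db", "finance-net", "read")),
        "remote_admin_ok": evaluate(Request(bob_admin, good_laptop, "remote", "payroll-db", "finance-net", "admin")),
        "no_segment_path": evaluate(Request(carol, good_laptop, "remote", "ticketing", "ops-net", "read")),
    }


if __name__ == "__main__":
    for name, d in sample_decisions().items():
        print(f"{name:16} {'ALLOW' if d.allowed else 'DENY':5} {d.reasons}")
```

Two design points worth noting. Every check runs and every failed check is recorded, rather than returning on the first failure, so the audit log shows the full picture a monitoring team needs (a request that fails both MFA and device posture looks different from one that fails only MFA). And the segment table is explicit-allow with no default: a path that nobody has written down is denied, which is the assume-breach posture the ISM's operational-requirement segmentation controls describe.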
Common Misconceptions
Several misconceptions about zero trust persist despite years of industry discussion. The first is that zero trust requires replacing existing infrastructure with specific products. While some products can accelerate zero trust implementation, the principles can be applied to existing infrastructure through configuration changes, enhanced policies, and improved processes. Organisations do not need to rip and replace their networks to implement zero trust. The second misconception is that zero trust eliminates the need for network security. In fact, zero trust complements rather than replaces network segmentation. Network controls remain important for limiting exposure and reducing attack surface; zero trust adds identity and context verification to these network controls rather than removing them. The third misconception is that zero trust can be achieved through a single project or product purchase. In reality, zero trust is a journey that involves progressive improvement across multiple security domains - identity, network, endpoint, application, and data. Organisations should plan multi-year roadmaps that build zero trust capabilities incrementally rather than expecting immediate transformation.
Practical Implementation Guidance
For Australian organisations implementing zero trust principles, a pragmatic approach starts with assessing current capabilities against ISM controls and Essential Eight requirements. Gaps identified in these assessments often align with gaps in zero trust implementation, providing a clear starting point. Prioritise investments that provide broad benefit: identity infrastructure improvements affect all access decisions; network segmentation limits blast radius across the environment; endpoint security hardening protects the devices from which users access resources. These foundational capabilities enable more advanced zero trust implementations. For government organisations or those working with government, align zero trust initiatives with ISM compliance activities. The controls required for ISM compliance contribute significantly to zero trust posture, so treating these as separate initiatives wastes resources. Present zero trust as the strategic direction and ISM compliance as a milestone along that journey. Finally, be wary of vendors claiming their single product delivers zero trust. Comprehensive zero trust requires capabilities across multiple domains that no single product provides. Evaluate vendor claims against the specific capabilities needed to address your identified gaps.
Conclusion
Zero trust has become marketing jargon, but the underlying principles remain sound and relevant. For Australian organisations, the ISM provides concrete requirements that align well with zero trust principles - verify explicitly through strong authentication, use least privilege through network segmentation and access controls, and assume breach through defence in depth and monitoring. Implementing these controls pragmatically, using existing frameworks like the ISM and Essential Eight as guides, achieves zero trust outcomes without getting lost in vendor-driven hype. Focus on capabilities, not labels, and build incrementally toward a security posture where trust is verified rather than assumed.