How Your Zero Trust Environment Affects Your Compliance Assessment
Cybersecurity Assessments | Payment Card Assessments | NIST | PCI DSS
Published: Jun 30, 2021
Last Updated: May 12, 2025
These days, you can never have too many cybersecurity measures in place, particularly given how regularly threats continue to escalate and grow in sophistication. Now, many organizations are turning to, or considering adopting, Zero Trust (ZT), a less traditional security model based on the principle of “never trust, always verify.”
And while such a shift in your environment would strengthen your security—for reasons we’ll explain shortly—it would also impact your organization’s approach to compliance assessments. Therefore, it’s important to understand what exactly you’d be getting your organization into before committing. As compliance assessors experienced across a broad range of frameworks, we at Schellman are tasked with evaluating various environments against numerous standards, giving us valuable perspective and insights.
In this blog post, we’ll discuss in more detail what Zero Trust is before exploring the effects of its implementation—both positive and negative—on your compliance assessments so that you’ll know, going forward, what to expect upon your first audit cycle with ZT.
What is (and isn’t) Zero Trust?
The term was first coined in 1994 by Stephen Marsh in his doctoral thesis, Formalising Trust as a Computational Concept. The concept was later popularized by Forrester analyst John Kindervag, but it only truly became mainstream after Google published details of BeyondCorp, its internal implementation of a ZT architecture.
But what is Zero Trust? What does its core principle— “never trust, always verify”—truly mean?
ZT breaks from traditional security models that assume everything inside a network is trustworthy—rather, it assumes that threats could exist both outside and inside your network, so every user, device, and system must continuously prove they are trustworthy before being granted access to resources.
More specifically, the tenets of Zero Trust, as set out in NIST Special Publication 800-207 (Zero Trust Architecture), are the following:
- All data sources and computing services are resources.
- All communication is secured regardless of network location.
- Access to individual resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy, including the observable state of client identity, application/service, and the requesting asset, and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before permitting access.
- The enterprise actively collects information about the current state of assets, network infrastructure, and communications for use in improving its security posture.
These tenets are simply that: concepts or principles. A common but major misconception is that Zero Trust denotes a single type of architecture. In fact, NIST SP 800-207 itself describes several approaches to building one (enhanced identity governance, micro-segmentation, and software-defined perimeters) and several deployment variants, so what Zero Trust looks like in your enterprise security model depends on which components you deploy and how you combine them.
Hence the distinction between pure Zero Trust and hybrid Zero Trust: the former is an all-encompassing ZT strategy, while the latter allows systems designed with traditional “defend-the-moat” (perimeter) security structures to coexist and interact with those designed on Zero Trust principles.
For example, a hybrid approach might look like applying Zero Trust principles specifically in Amazon Web Services (AWS), Google Cloud Platform (GCP), or an Azure cloud environment supporting a software-as-a-service (SaaS) application while also running a traditional environment to support corporate systems such as e-mail, human resources, and accounting applications, intranets, file servers, etc.
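To make the tenets above concrete, here is an added example of a minimal policy decision point in Python. It is not code from Schellman, NIST or any product, and it is only one of the many shapes an implementation can take: every request is evaluated on its own (tenet 3), against a policy that combines the subject's entitlements, the measured device posture and the request context (tenets 4 and 5), with deny as the default (tenet 6). The resource catalogue, attribute names, thresholds and sample requests are all assumptions constructed for the example.

```python
"""Illustrative Zero Trust policy decision point (added example, not
Schellman's or NIST's code). Resource catalogue, attribute names,
thresholds and sample requests are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import timedelta
from typing import List, Optional, Set


@dataclass
class Subject:
    user: str
    groups: Set[str]
    mfa_age_s: Optional[int]  # seconds since last MFA; None = no MFA this session


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in enterprise device management
    disk_encrypted: bool
    patch_age_days: int
    edr_healthy: bool      # endpoint agent reporting and up to date


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    source_region: str


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)
    session_ttl: Optional[timedelta] = None  # how long this grant is valid


# Assumed resource catalogue: sensitivity selects the policy branch.
RESOURCES = {
    "payroll-db": {"sensitivity": "high", "allowed_groups": {"finance"}},
    "wiki": {"sensitivity": "low", "allowed_groups": {"finance", "eng", "hr"}},
}


def posture_failures(d: Device, sensitivity: str) -> List[str]:
    """Tenet 5: the device's measured posture feeds the decision."""
    failures: List[str] = []
    if sensitivity == "high":
        if not d.managed:
            failures.append("unmanaged device")
        if not d.disk_encrypted:
            failures.append("disk not encrypted")
        if not d.edr_healthy:
            failures.append("EDR agent unhealthy")
        if d.patch_age_days > 30:
            failures.append("patches older than 30 days")
    elif d.patch_age_days > 90:
        failures.append("patches older than 90 days")
    return failures


def evaluate(req: Request) -> Decision:
    """Deny by default; collect every failing check so the log explains the verdict."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return Decision(False, ["unknown resource"])
    reasons: List[str] = []
    if not (req.subject.groups & res["allowed_groups"]):
        reasons.append("subject not entitled to resource")
    reasons += posture_failures(req.device, res["sensitivity"])
    if res["sensitivity"] == "high":
        if req.subject.mfa_age_s is None or req.subject.mfa_age_s > 3600:
            reasons.append("fresh MFA (< 1 h) required")
        if req.source_region not in {"us", "eu"}:
            reasons.append("source region not permitted")
        if req.action == "write" and "finance-admin" not in req.subject.groups:
            reasons.append("write requires finance-admin")
    if reasons:
        return Decision(False, reasons)
    # Tenet 3: the grant is per session and short-lived for sensitive
    # resources, so the subject is re-evaluated rather than trusted for good.
    ttl = timedelta(minutes=15) if res["sensitivity"] == "high" else timedelta(hours=8)
    return Decision(True, ["all checks passed"], ttl)


def sample_requests() -> dict:
    """Constructed sample traffic: one healthy laptop, one that drifted out of posture."""
    alice = Subject("alice", {"finance"}, mfa_age_s=600)
    good_laptop = Device("lt-0001", True, True, 7, True)
    stale_laptop = Device("lt-0002", True, True, 45, False)
    return {
        "read-from-healthy": Request(alice, good_laptop, "payroll-db", "read", "us"),
        "read-from-stale": Request(alice, stale_laptop, "payroll-db", "read", "us"),
        "wiki-from-stale": Request(alice, stale_laptop, "wiki", "read", "us"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        d = evaluate(req)
        print(f"{name}: {'ALLOW' if d.allow else 'DENY'} {d.reasons} ttl={d.session_ttl}")
```

The point an assessor will look for is visible in the output: the same user on the same day is allowed to the payroll database from a healthy device and denied from a device with a stale patch level and a broken EDR agent, while the low-sensitivity wiki still opens from the stale device. The decision record (user, device, posture failures, TTL) is exactly the evidence trail the monitoring and logging discussion later in this post relies on.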
How Does Zero Trust Affect Your Audit?
Whether you choose a pure or a hybrid model, shifting your environment to Zero Trust has ramifications for your compliance audits.
Advantages of Zero Trust in Compliance
When it comes to compliance, there are advantages to be gained from implementing both kinds of Zero Trust approaches, as adopting ZT principles can help strengthen key aspects of your adherence to many different frameworks, such as:
- Data Protection: Safeguarding sensitive data against breaches and unauthorized exposure is generally the primary goal of any compliance standard. Zero Trust, and the controls needed to implement it, help you do so while meeting compliance requirements: tenet 2 requires all communication to be secured regardless of network location (in practice, encryption in transit), and most implementations rely on micro-segmentation to limit where sensitive data can flow.
- Access Controls: Because ZT enforces least-privilege access, ensuring users only reach what they need, implementing strong identity verification (e.g., MFA), device validation, and access monitoring controls will set you up well to comply with regulations that place particular focus on such controls, including HIPAA, PCI DSS, and GDPR.
- Monitoring and Logging: Implementing ZT means that your organization continuously decides whether to permit each access to, and movement through, your network. Every such decision leaves a record of the user, the device and its health, and the resource or data accessed, which gives you the audit trail that standards such as SOC 2 and ISO 27001 expect and makes their monitoring and logging requirements easier to evidence.
- Risk Management: ZT operates on an “assume breach” mentality, i.e., behaving as if your network is or will be compromised, so your organization is not focused solely on preventing breaches. This places special emphasis on detecting, responding to, and minimizing the impact of incidents, which assists compliance with standards like NIST SP 800-53 and FISMA.
A Zero Trust approach will also simplify your compliance scoping efforts. In most audits, one of the primary challenges is identifying the scope of the assessment. Even with a hybrid ZT implementation that includes micro-segmentation of the enterprise’s assets, you can identify “in-scope” systems more easily, because the segmentation is logically implemented and clearly defined rather than inferred from network topology.
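As an added example of why defined segmentation makes scoping tractable (not Schellman's tooling or any standard's official scoping method), the Python below takes an asset inventory tagged by segment and the flows the segmentation policy allows, and walks outward from the segments holding the regulated data to find every segment that can exchange traffic with them. How many hops out you count is a scoping decision to agree with your assessor: `max_hops=1` yields the directly connected systems, `max_hops=None` follows every reachable path. The inventory, segment names and flows are constructed for the example.

```python
"""Scoping an assessment over a micro-segmented environment (added example,
not Schellman's tooling or any standard's official method). Inventory,
segment names and allowed flows are constructed for this example."""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed inventory: asset -> segment.
ASSETS: Dict[str, str] = {
    "pay-api-01": "cde-app",
    "pay-db-01": "cde-data",
    "jump-01": "admin",
    "log-01": "logging",
    "hr-app-01": "corp",
    "mail-01": "corp",
    "wiki-01": "corp",
}

# Segments that store or process the regulated data (e.g. cardholder data).
REGULATED_SEGMENTS: Set[str] = {"cde-app", "cde-data"}

# (source segment, destination segment, port) permitted by the segmentation
# policy. Anything not listed is denied, which is what makes scoping tractable.
ALLOWED_FLOWS: List[Tuple[str, str, int]] = [
    ("cde-app", "cde-data", 5432),
    ("admin", "cde-app", 22),
    ("admin", "cde-data", 22),
    ("cde-app", "logging", 514),
    ("corp", "admin", 22),   # staff reach the jump host from the corporate LAN
]


def in_scope_segments(regulated: Iterable[str], flows: Iterable[Tuple[str, str, int]],
                      max_hops: Optional[int] = None) -> Set[str]:
    """Breadth-first walk outward from the regulated segments.

    A flow in either direction counts as connectivity: a log collector the
    regulated segment sends to is as "connected" as a jump host that reaches in.
    """
    adjacent: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, _port in flows:
        adjacent[src].add(dst)
        adjacent[dst].add(src)
    seen: Set[str] = set(regulated)
    frontier = deque((seg, 0) for seg in seen)
    while frontier:
        seg, hops = frontier.popleft()
        if max_hops is not None and hops >= max_hops:
            continue
        for nxt in adjacent[seg]:
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, hops + 1))
    return seen


def in_scope_assets(assets: Dict[str, str], segments: Set[str]) -> List[str]:
    """Map the in-scope segments back to concrete systems for the assessor."""
    return sorted(asset for asset, seg in assets.items() if seg in segments)


if __name__ == "__main__":
    for hops in (1, None):
        segs = in_scope_segments(REGULATED_SEGMENTS, ALLOWED_FLOWS, max_hops=hops)
        print(f"max_hops={hops}: {sorted(segs)} -> {in_scope_assets(ASSETS, segs)}")
```

Running it shows the practical caveat: with one hop, the admin jump host and the log collector join the two regulated segments in scope and the corporate segment stays out; with unlimited hops, the `corp -> admin -> cde-*` path pulls every corporate system in. Whether that path should exist at all (or should be broken by requiring a separate, posture-checked session at the jump host) is exactly the kind of segmentation question a Zero Trust design answers before the audit rather than during it.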
Challenges of Zero Trust Architecture When Undergoing an External Audit
Zero Trust presents unique hurdles when it comes to compliance—some even built into the architecture itself, including:
- Analytics and AI Risks: The policy engine in a Zero Trust architecture decides access from a rule set or trust score that may draw on machine learning or other analytics (NIST SP 800-207 describes this “trust algorithm” and the inputs it may use). Wherever such scoring is used, there is an increased risk of both false positives and false negatives, i.e., flagging normal actions as attacks or treating attacks as normal actions, respectively. These must be accounted for within your organization’s risk management process.
- Bring-your-own-device (BYOD) Complications: Zero Trust architecture can also make it trickier to achieve compliance around BYOD policies. These devices, considered resources within Zero Trust, add diversity and variability to an environment. Because your organization neither owns nor manages them, they sit awkwardly with ZT’s strict posture requirements, and you are challenged to proactively perform any required up-to-date risk analysis, patching, and behavior analysis on them.
- Increased Policy Scrutiny: Because the policy engine and policy administrator wield increased power within a Zero Trust architecture (every access decision flows through them), extra and intentional attention must be given to crafting, documenting, and evidencing their policies when aligning with a standard.
- Possible Token and Key Risks: More scrutiny is needed for organizations that combine Zero Trust with temporary security tokens for accessing sensitive resources, or with shared API and SSH keys for programmatic access to computing resources. Your chosen compliance framework may address those risks directly; if it does not, you will have to account yourself for the extra risks related to temporary security tokens and trust certificates within Zero Trust, such as token lifetime, audience and scope, replay, and revocation, and the distribution and rotation of keys.
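The token and key risks above are easier to discuss with an assessor when the controls are explicit. The Python below is an added example (not Schellman's code, not a real token library, and not a claim about how any product implements tokens) of a minimal HMAC-signed temporary token with the four properties that usually come up: integrity, binding to a single audience, a bounded lifetime with clock-skew tolerance, and one-time use via a replay cache. The key, subject, audience and timestamps are constructed; in practice the key would live in a KMS or HSM and be rotated.

```python
"""Short-lived, audience-bound access token with replay detection (added
example; a deliberately minimal HMAC token, not a JWT library). Key,
subject, audience and timestamps are constructed for this example."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Set, Tuple

# Assumption: in production the key lives in a KMS/HSM and is rotated; this
# constant exists only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(key: bytes, subject: str, audience: str, ttl_s: int, now: Optional[int] = None) -> str:
    """Issue a token valid for ttl_s seconds, usable only at `audience`."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": subject,
        "aud": audience,               # the one resource this token may reach
        "iat": now,
        "exp": now + ttl_s,            # short TTL: re-evaluation, not standing access
        "jti": _b64(os.urandom(16)),   # unique id so a replay can be recognised
    }
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify(key: bytes, token: str, expected_aud: str, now: Optional[int] = None,
           skew_s: int = 30, seen: Optional[Set[str]] = None) -> Tuple[Optional[dict], str]:
    """Return (claims, "ok") or (None, reason).

    Checks run in the order an enforcement point should apply them:
    integrity first, then audience, then time window, then one-time use.
    """
    now = int(time.time()) if now is None else now
    try:
        body, mac_text = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac_text)):
            return None, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if not isinstance(claims, dict):
        return None, "malformed"
    if claims.get("aud") != expected_aud:
        return None, "audience mismatch"
    if now > claims["exp"] + skew_s:
        return None, "expired"
    if claims["iat"] > now + skew_s:
        return None, "issued in the future"
    if seen is not None:
        if claims["jti"] in seen:
            return None, "replayed"
        seen.add(claims["jti"])
    return claims, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint(DEMO_KEY, "svc-payroll", "payroll-db", ttl_s=900, now=t0)
    cache: Set[str] = set()
    print(verify(DEMO_KEY, tok, "payroll-db", now=t0 + 60, seen=cache)[1])   # ok
    print(verify(DEMO_KEY, tok, "payroll-db", now=t0 + 60, seen=cache)[1])   # replayed
    print(verify(DEMO_KEY, tok, "wiki", now=t0 + 60)[1])                     # audience mismatch
    print(verify(DEMO_KEY, tok, "payroll-db", now=t0 + 2000)[1])             # expired
```

Two design choices matter for the audit conversation. The signature is checked before anything is parsed, so a tampered or foreign token never reaches the claim logic; and the replay cache is per enforcement point, which is why a short `exp` is still required: the cache only has to remember identifiers for the token's lifetime, and an attacker who steals a token gets at most one use within that window.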
Given these challenges, you’ll need to adequately consider the risks related to the architectural change and determine if you have the necessary controls and procedures in place to sufficiently address and document those risks.
Moving Forward with the Transition to Zero Trust
Though Zero Trust implementation brings both advantages and new challenges for your compliance initiatives, it is evident that making the switch, whether pure or hybrid, will result in audits that include some combination of more preventative controls, easier scoping tasks, and better coverage of the dynamic threats organizations face today.
The transition from a traditional architecture to Zero Trust is not an easy one. Many continue to make the move in an effort to improve their information security and resiliency practices, particularly in the payment card industry. If you have additional questions or would like to learn more about the process or how ZT affects your compliance assessment, Schellman can help. Contact us today and we’ll get back to you shortly.
For those organizations who are making the switch and are subject to PCI DSS, we’ve put together more specific guides on compliance aspects that can help make maintaining compliance amidst that transition a little easier:
About Sully Perella
Sully Perella is a Senior Manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.