Zero Trust maturity model: assess where your organisation stands today

Use the CISA Zero Trust maturity model to benchmark your organisation across four levels. Practical self-assessment for mid-market IT teams.

What is a Zero Trust maturity model?

A Zero Trust maturity model is a structured framework that measures how far an organisation has progressed from perimeter-based security toward identity-based, continuously verified access. The most widely adopted version is the CISA Zero Trust Maturity Model v2.0, which maps progress across five pillars (identity, devices, networks, applications and data) through four levels: Traditional, Initial, Advanced and Optimal. Most mid-market organisations that adopt a SASE architecture move from Initial to Advanced within 6 to 18 months, depending on their starting point and team capacity.

Zero Trust sounds binary. You either trust or you do not. But in practice, every organisation sits somewhere on a spectrum. Some have deployed MFA and call it done. Others enforce identity-based access per application but still have printers and IoT devices on flat network segments. The gap between “we do Zero Trust” and actual maturity is where risk lives.

A maturity model gives you an honest benchmark. It tells you which pillars are strong, which are lagging, and where the next investment will reduce the most risk. CISA built its model on the foundations of NIST SP 800-207, and it applies equally to government agencies and private-sector organisations. This guide walks you through the four levels, gives you a practical self-assessment method, maps maturity to NIS2 requirements, and shows you the steps to move from where you are to where you need to be.

The four maturity levels explained

CISA’s Zero Trust Maturity Model v2.0 defines four stages across five pillars. Each stage builds on the previous one, and progress across pillars is typically uneven. Most organisations are further along on identity than on network segmentation or data controls.

| Level | Identity | Devices | Networks | Applications | Data |
|---|---|---|---|---|---|
| Traditional | Passwords, possibly basic MFA for some systems | Manual or incomplete device inventory | Perimeter firewall, flat internal network | On-premises access, broad permissions | Flat access, minimal classification |
| Initial | MFA and SSO across most applications | Basic inventory, some endpoint protection | Some network segmentation via VLANs | Cloud-aware, role-based access | Role-based access controls, partial encryption |
| Advanced | ZTNA with identity provider integration, device posture checks | Automated posture verification before access | Microsegmentation, identity-based network policies | Per-application access, no broad network entry | Encrypted in transit and at rest, classified by sensitivity |
| Optimal | Continuous risk-based authentication, behavioural analytics | Real-time compliance enforcement, automated isolation | Fully identity-driven, dynamic policy adjustment | Zero standing privileges, just-in-time access | Real-time DLP, automated classification, data tagging |

Three cross-cutting capabilities run through all five pillars: visibility and analytics, automation and orchestration, and governance. An organisation might achieve Advanced maturity in identity but remain at Initial in visibility if logs are scattered across disconnected tools with no centralised analysis.

The practical takeaway: you do not need to reach Optimal across every pillar. The biggest security gains come from moving the weakest pillar from Traditional to Initial, and then from Initial to Advanced. That asymmetry is where most mid-market teams should focus.

How to assess your current level

Self-assessment does not require external consultants or expensive tooling. It requires honesty. The following questions map directly to the CISA pillars and will place your organisation on the maturity spectrum within an hour.

Identity pillar

Can every user access only the specific applications their role requires, or do some users have broader access than necessary? If you cannot answer this question with confidence, you are at Traditional or early Initial. Organisations at Advanced level enforce least-privilege access per application through their identity provider, with policies that adjust based on context.

Devices pillar

Can you name every device connected to your network right now? If the answer is “mostly, except for printers and that one legacy system in the warehouse,” you are at Initial. Organisations at Advanced level run automated device posture checks that verify OS version, disk encryption and endpoint protection before granting any session.

Networks pillar

If an attacker compromised one user’s credentials today, how far could they move laterally? If the answer is “they could reach most internal systems,” you are at Traditional. Initial means VLANs separate some zones. Advanced means microsegmentation restricts movement to the specific applications each identity is authorised to reach.

Applications pillar

Do remote users connect to a VPN that places them on the corporate network, or do they access individual applications directly? VPN-based access is Traditional or Initial. Per-application access through ZTNA, where the rest of the network is invisible to the user, is Advanced.

Data pillar

Is sensitive data classified and encrypted both in transit and at rest? Can you demonstrate which users accessed which data sets in the last 30 days? If data classification is inconsistent and access logs are incomplete, you are at Initial.

Cross-cutting: visibility

Do your security logs from identity, network and endpoint tools feed into a single view, or are they scattered across separate consoles? Fragmented visibility is the most common bottleneck preventing organisations from reaching Advanced maturity, even when their individual pillar controls are strong.

Score yourself honestly across all five pillars. Your overall maturity is effectively limited by your weakest pillar. The Forrester ZTX model makes this explicit: if any pillar falls below a threshold, it caps your entire score. An organisation with Advanced identity controls but Traditional network segmentation still has a Traditional-level blast radius for lateral movement.
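As an added example (not part of the original article and not Jimber's tooling), the self-assessment questions above can be encoded as a small scorer: each pillar is placed using the criteria this section gives, the overall level is capped by the weakest pillar, fragmented visibility caps the result at Initial, and the result is mapped to the NIS2 reading the article uses later. Field names, thresholds (0.8 coverage for Initial) and the sample environment are this example's own assumptions; VPN-based remote access is counted as Initial here.

```python
from dataclasses import dataclass

LEVELS = ["Traditional", "Initial", "Advanced", "Optimal"]
NIS2 = {"Traditional": "non-compliant", "Initial": "partially compliant",
        "Advanced": "compliant for most organisations", "Optimal": "exceeds requirements"}

@dataclass
class Environment:
    """Answers to the self-assessment questions (field names are this example's own)."""
    mfa_sso_coverage: float           # share of applications behind MFA and SSO
    least_privilege_per_app: bool     # IdP enforces per-application, context-aware access
    device_inventory_coverage: float  # share of connected devices you can name right now
    posture_checks_before_access: bool
    segmentation: str                 # "flat", "vlan" or "microsegmentation"
    remote_access: str                # "vpn" or "ztna"
    data_classified_encrypted: bool   # classified, encrypted in transit and at rest
    access_logs_complete: bool        # can show who accessed which data sets in 30 days
    logs_centralised: bool            # identity, network and endpoint logs in one view

def pillar_levels(e: Environment) -> dict:
    """Place each pillar using the article's criteria (assumed 0.8 threshold; VPN = Initial)."""
    return {
        "identity": ("Advanced" if e.least_privilege_per_app
                     else "Initial" if e.mfa_sso_coverage >= 0.8 else "Traditional"),
        "devices": ("Advanced" if e.posture_checks_before_access
                    else "Initial" if e.device_inventory_coverage >= 0.8 else "Traditional"),
        "networks": {"flat": "Traditional", "vlan": "Initial",
                     "microsegmentation": "Advanced"}[e.segmentation],
        "applications": "Advanced" if e.remote_access == "ztna" else "Initial",
        "data": ("Advanced" if e.data_classified_encrypted and e.access_logs_complete
                 else "Initial" if e.data_classified_encrypted or e.access_logs_complete
                 else "Traditional"),
    }

def assess(e: Environment) -> dict:
    """Overall level = weakest pillar; fragmented visibility caps the result at Initial."""
    levels = pillar_levels(e)
    weakest = min(levels, key=lambda p: LEVELS.index(levels[p]))
    overall = levels[weakest]
    if not e.logs_centralised and LEVELS.index(overall) > 1:
        weakest, overall = "visibility", "Initial"
    idx = LEVELS.index(overall)
    target = LEVELS[idx + 1] if idx + 1 < len(LEVELS) else overall
    return {"pillars": levels, "weakest": weakest, "overall": overall,
            "nis2": NIS2[overall], "next_step": f"raise {weakest} from {overall} to {target}"}

# Constructed sample: strong identity, everything else at Initial, VPN still in use.
SAMPLE = Environment(mfa_sso_coverage=1.0, least_privilege_per_app=True, device_inventory_coverage=0.9,
                     posture_checks_before_access=False, segmentation="vlan", remote_access="vpn",
                     data_classified_encrypted=True, access_logs_complete=False, logs_centralised=False)
```

Running `assess(SAMPLE)` places the sample at Initial overall with devices as the pillar to raise next, even though its identity pillar is Advanced.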

What most mid-market organisations get wrong

The most common mistake is equating MFA deployment with Zero Trust maturity. MFA is a single control within the identity pillar. It is necessary but nowhere near sufficient. An organisation that has MFA across all applications but still runs a flat network with VPN-based remote access and no device posture checks is at Initial maturity at best.

Research from Zscaler found that the vast majority of IT decision-makers believe their cyber resilience measures are effective, yet more than half expect a significant breach within the next year. This confidence gap is a direct consequence of measuring inputs (we deployed MFA, we bought a firewall) rather than outcomes (can an attacker move laterally after compromising one account?).

The second mistake is vertical investment in a single pillar. Organisations pour budget into identity because it is the most visible and understood pillar, while network segmentation and data classification remain neglected. This creates an uneven maturity profile where the weakest pillar determines actual risk exposure. A strong identity layer means nothing if a compromised printer on a flat network segment can reach your file server.

The third mistake is treating Zero Trust as a project with an end date. The CISA model explicitly describes maturity as a continuous journey. Threat landscapes shift, new applications get deployed, employees join and leave. Policies that were Advanced six months ago may be Initial today if they have not been reviewed and updated. Our guide on 10 common ZTNA mistakes covers the implementation-specific pitfalls that stall progress.

Moving from Initial to Advanced: the practical steps

This is the transition that delivers the most risk reduction for mid-market organisations. Moving from Traditional to Initial is about deploying baseline controls. Moving from Initial to Advanced is about connecting those controls into a coherent, identity-driven architecture.

Step 1: Replace VPN with ZTNA (weeks 1-4)

VPN places users on your network. ZTNA gives them access to specific applications without network exposure. This single change eliminates the broad lateral movement risk that defines Traditional and Initial network maturity. Start with remote workers and external contractors, then expand to all users. The Zero Trust architecture guide covers sequencing in detail.

Step 2: Activate device posture checks (weeks 2-6)

Before any session is established, verify that the connecting device meets your baseline: current OS, disk encryption enabled, endpoint protection running. Devices that fail receive restricted access or no access. This moves your devices pillar from Initial to Advanced. Platforms like Jimber bundle ZTNA and device posture checks in a single console, which means an IT team of three can enforce these controls without managing separate tools for each function.

Step 3: Implement microsegmentation (weeks 4-12)

Move from VLAN-based network zones to identity-based policies that restrict communication to explicitly allowed paths. The goal is reducing blast radius: if one device or account is compromised, the attacker cannot reach systems outside that specific scope. Jimber’s approach uses inline isolation and application-level access rather than complex firewall rule sets, which keeps the operational overhead manageable for small teams.

Step 4: Integrate your identity provider (weeks 1-4, parallel)

Connect your IdP (Microsoft Entra ID, Okta, Google Workspace) to your ZTNA layer so that directory groups drive access policies across all applications. This creates a single source of truth for who can reach what. When someone leaves the organisation, disabling their IdP account immediately revokes access everywhere.

Step 5: Centralise logging and visibility (weeks 6-12)

Feed identity, device, network and application logs into a single view. This is the cross-cutting capability that transforms disconnected controls into a coherent security posture. Without centralised visibility, you cannot detect anomalies, investigate incidents efficiently, or provide the audit evidence that regulators expect.

Realistic timeline: Most mid-market organisations with 50 to 400 users can move from Initial to Advanced within 6 to 12 months. If your team currently manages separate tools for VPN, web filtering and firewall policies, consolidating into a single SASE platform is the fastest path. It eliminates the integration work that typically stretches timelines.

How NIS2 maps to Zero Trust maturity levels

For European organisations, Zero Trust maturity is no longer just a security decision. It is a compliance requirement. NIS2 Recital 89 explicitly names zero-trust principles as a baseline cyber hygiene practice. Article 21 requires documented access controls, incident containment capabilities and supply chain security measures. The question is: which maturity level satisfies the regulation?

Traditional = non-compliant. Perimeter-only security with flat internal networks does not meet NIS2’s expectations for access governance, segmentation or incident containment. Organisations at this level face enforcement action and fines up to EUR 10 million.

Initial = partially compliant. MFA and basic segmentation address some NIS2 requirements, but gaps in device management, logging and incident response leave significant exposure. Auditors will flag the absence of continuous verification and documented access policies.

Advanced = compliant for most organisations. Identity-based access, device posture checks, microsegmentation and centralised logging cover the technical requirements of NIS2 Article 21. This is the target level for mid-market organisations classified as “important” or “essential” entities.

Optimal = exceeds requirements. Continuous authentication, automated response and real-time data classification go beyond what NIS2 mandates. This level is aspirational for most mid-market teams but relevant for organisations handling highly sensitive data.

In Belgium, the CyberFundamentals (CyFun) framework translates NIS2 into four levels: Small, Basic, Important and Essential. The mapping is not one-to-one, but there is clear alignment. CyFun Basic corresponds roughly to Initial maturity across most pillars. CyFun Important aligns with Advanced maturity in identity, devices and networks. The CyFun self-assessment guide covers the specific documentation Belgian organisations need to prepare. For a broader view of what auditors expect, the NIS2 compliance checklist maps each requirement to practical controls.

Jimber’s built-in logging, device posture verification and identity-based access cover the NIS2 requirements that map to Advanced maturity. Because these capabilities live in a single console rather than across separate tools, the evidence trail is consistent and audit-ready by design.

Frequently asked questions

Is MFA enough for Zero Trust?

No. MFA is one control within the identity pillar. Zero Trust requires least-privilege access, device posture verification, microsegmentation, continuous monitoring and centralised governance. MFA alone leaves your organisation at Initial maturity. The zero trust principles guide covers what else the model requires.

How long does it take to move from Initial to Advanced?

For mid-market organisations with 50 to 400 users, the transition typically takes 6 to 12 months. The timeline depends on your starting point, team capacity and whether you consolidate tools or integrate point solutions. Organisations using a unified SASE platform generally reach Advanced faster because the integration work is already done.

Which Zero Trust maturity level does NIS2 require?

NIS2 does not reference the CISA model directly, but its technical requirements align with Advanced maturity. Identity-based access, device posture checks, microsegmentation and centralised logging are the controls that satisfy Article 21. Traditional and Initial maturity levels leave documented compliance gaps.

Can small IT teams achieve Advanced maturity?

Yes, but tool consolidation is the prerequisite. A three-person IT team cannot manage six separate security consoles and still have time for policy tuning, incident response and compliance documentation. Consolidating ZTNA, web security, firewall policies and device management into a single platform reduces the operational overhead enough to make Advanced maturity realistic.

What is the difference between the CISA and Forrester models?

Both frameworks measure Zero Trust maturity across similar domains. CISA uses five pillars (identity, devices, networks, applications, data) with four levels (Traditional, Initial, Advanced, Optimal) and three cross-cutting capabilities. Forrester’s ZTX model covers seven domains and uses a scoring methodology where the weakest pillar caps your overall score. The CISA model is vendor-neutral and freely available, making it the more practical starting point for most organisations. Forrester’s approach adds quantitative rigour but requires their assessment tooling.

How does a SASE platform accelerate maturity growth?

A unified SASE platform bundles the controls needed for Advanced maturity (ZTNA, device posture, microsegmentation, SWG, centralised logging) in a single architecture. This eliminates the integration gaps between point solutions that typically slow progress. It also means policy changes propagate across all pillars simultaneously rather than requiring updates in multiple disconnected consoles.

Ready to benchmark your Zero Trust maturity and close the gaps that matter most? Book a demo and walk through your environment with a Jimber specialist. No complex projects, no hidden costs, just a clear view of where you stand and what to do next.
