
September 2014

Time to Grow
Using maturity models to create and protect value
Published by
Information Security Forum Limited
Tel: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
Email: info@securityforum.org
Web: www.securityforum.org

Project team
Ralph Bennett
Victoria Melvin

Review and quality assurance


Steve Thorne

Design
Ross Mackenzie

Warning
This document is confidential and is intended for the attention of and use by either organisations that are Members of the Information Security Forum (ISF) or by persons
who have purchased it from the ISF direct.

If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on info@securityforum.org.

Any storage or use of this document by organisations which are not Members of the ISF or who have not validly acquired the report directly from the ISF is not permitted
and strictly prohibited.

This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited
accept no responsibility for any problems or incidents arising from its use.

Classification
Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.

Time to Grow: Using maturity models to create and protect value Information Security Forum
Contents
Using a maturity model for business planning 2

Key moments when using a maturity model 3

1. Introduction 5
Maturity: Help or hindrance? 5
The business-focussed benefits of using a maturity model 5
How to gain these benefits 5

2. How this report helps 6
Readership 7
How a maturity model complements other ISF tools 7

3. What is a maturity model? 8
Introduction 8
A maturity model is a tool that defines a route of progress 8
Three types of maturity model 10
1) Activity maturity model – Progress in activities 10
2) Capability maturity model – Progress in capabilities 11
3) Hybrid maturity model – Combined progress in activities and capabilities 12
Summary of the three types of maturity model 12
Maturity models used in information security 13
Selecting the correct type of model 13
Members’ views of maturity models used in information security 14
Insights into maturity and its costs in information security 14

4. Using a maturity model for business planning 17
Introduction 18
The four-phase process: integration with existing business planning 18
Stage A – Define 20
Phase A1 PREPARE 20
Phase A2 ASSESS 25
Phase A3 DECIDE 31
Phase A4 PLAN 36
Stage B – Implement 38
Stage C – Evaluate 39
Stage D – Enhance 39

5. The ISF Maturity Model 40
Introduction 40
The structure of the ISF Maturity Model 40
Using the ISF Maturity Model 44

6. Conclusion 46

Glossary 47

Appendix: Methodology 48

Using a maturity model for business planning

[Figure: the four-stage business planning cycle, driven by STRATEGIC GOALS]

Stage A – DEFINE
Phase A1 PREPARE: Identify the organisational context; Prepare the model
Phase A2 ASSESS: Conduct the assessment; Compare against others
Phase A3 DECIDE: Discuss the results; Agree a target maturity
Phase A4 PLAN: Identify activities to achieve maturity; Produce and agree plans
Stage B – IMPLEMENT
Stage C – EVALUATE: Update plan
Stage D – ENHANCE

The maturity level scale runs 1 to 5 from the Immature State to the Mature State, with the Current and Target maturity marked on it. The benefits shown around the cycle are Build Consensus, Prioritise Investment and Demonstrate Progress.
Key moments when using a maturity model

[Figure: three key moments]

1. Choosing the right maturity model (pages 13 and 24)
THE MODEL MUST: focus on organisational aims; include compliance/audit requirements; be the correct type of maturity model.

2. Understanding maturity and its costs (pages 14-16)
MATURITY: too much stifles agility; can increase or decrease; doesn’t increase evenly over time; big differences can signify hidden problems; units with different maturities can struggle to work together.
COSTS: there are indirect costs of maturity; sustaining maturity has a cost; investment doesn’t ensure maturity; scale affects cost.

3. Deciding target maturity (pages 33-35)
THE APPROACH DEPENDS ON THE LEVEL OF EXPERIENCE OF THE INFORMATION SECURITY FUNCTION: LIMITED: set small increase in few areas; MODERATE: compare against others; HIGH: focus on value, compliance and risk.


1 Introduction
Maturity: Help or hindrance?
Does your current information security maturity help or hinder your organisational strategy? Too little maturity and you can’t
provide assurance that you’re supporting and protecting the organisation; too much and you’re over-investing. A maturity
model is a tool that helps to target information security investments at strategic priorities – helping rather than hindering.
Skillfully deployed, a maturity model acts as a catalyst for engagement between information security and the wider
organisation. It enables the information security function, together with senior management and relevant business units, to
define and agree a cohesive vision that takes a strategic perspective, above the transactional and technical. The information
security function can then translate this vision into actions to include within regular business planning.

The business-focussed benefits of using a maturity model


The reasons for using an information security maturity model varied greatly among ISF Members. However, collectively
they were clear on three key benefits that using a maturity model provided:

Benefit 1: BUILD CONSENSUS


by communicating and engaging with the organisation to agree a shared vision of how information security can
support strategic goals. 82% of Members used a maturity model to engage with the wider organisation, particularly
at senior levels, to facilitate business-based discussions with decision-makers.
ONE ISF MEMBER… hired a new CISO who then used a maturity model to engage with senior stakeholders, demonstrating
the current information security posture and helping to agree the function’s priorities for the coming year. Adept use of the
model led to plans to re-organise the information security function to better support the business.

Benefit 2: PRIORITISE INVESTMENT


by using a maturity model for planning and prioritising specific actions to achieve or support strategic goals. Members
reported that the most common uses of a maturity model were for regular business planning and to develop an
improvement plan, both used to focus investment on areas of value to the organisation.
ONE ISF MEMBER… used a maturity model to identify the information security activities that would support an organisational
Research & Development goal and develop plans to support it. When implemented, the R&D function was able to take
advantage of new technologies that they had previously considered insecure, resulting in quicker time to market for the
product and associated cost reduction.

Benefit 3: DEMONSTRATE PROGRESS


by using maturity as an informative and consistent information security metric to measure and compare progress
across different areas of information security. According to one study which ranks metrics in twelve information
security disciplines (e.g. asset management), maturity is the most useful metric in six disciplines, and in the top three
metrics in all twelve.1 A maturity model also helps the CISO answer senior management questions about how the
organisation compares to its peers and competitors.
ONE ISF MEMBER… used a maturity model in their business planning cycle to compare between business units and identify
‘laggards and centres of excellence’.2 The model provided a consistent yardstick against which all units could be assessed.

How to gain these benefits


This report explains how to make the right decisions about where to develop maturity, and introduces a process to select
and use a maturity model effectively and efficiently. This four-phase process can be used with any maturity model and is
based on lessons learned from those who have benefited from using a maturity model. In tandem, the ISF has developed
a high-level maturity model, aligned with the Standard of Good Practice for Information Security (the Standard), to help
Members save time and money assessing and developing their information security maturity.

1 Brotby & Hinson. Pragmatic Security Metrics. CRC Press. 2013.
2 This term is from http://www.forrester.com/


2 How this report helps

Many Members claimed they benefited from using a maturity model, but were still concerned they were not getting the
maximum value out of doing so. 91% would recommend using a maturity model but fewer than half (46%) considered
themselves competent at using maturity models. Of those who have used a maturity model, only 16% described the
experience as simple. This report shares best practice about maturity models and maturity, explaining how to get the
most out of using a maturity model as part of regular business planning.

This Section outlines the specific requirements identified by Members and where they are addressed in the report. It also
identifies the target readership and how they can get the most from this report. Lastly, it explains how maturity models
complement other ISF deliverables.

Member requirements, where each is addressed, and details:

Member requirement 1: A clear understanding of information security maturity models and maturity
Addressed in: Section 3, What is a maturity model?
Details: Describes the different types of maturity models, their uses and limitations, and how to select the right type for an
organisation’s specific needs. Section 3 also describes the benefits and costs associated with different levels of maturity
in information security.

Member requirement 2: Be an informed customer of consultancy services which include a maturity model
Addressed in: Section 3, What is a maturity model?
Details: Gives readers an understanding of maturity models and explains why more maturity is not always positive. Members
that have an external party conduct a maturity assessment in their organisation will have a deeper understanding of models
and their results.

Member requirement 3: How to use a maturity model to focus on organisational value
Addressed in: Section 4, Using a maturity model for business planning
Details: Presents a four-phase process which can be used with any maturity model. It encourages information security
practitioners to support the organisation’s strategic goals.

Member requirement 4: How to use a maturity model to compare against peers and competitors
Addressed in: Section 4, Using a maturity model for business planning
Details: Enables comparison against peers and competitors. 60% of Members told us that their senior management want to
compare the organisation’s information security maturity against others. Phase A2 ASSESS outlines five options for
obtaining comparison data to meet this requirement.

Member requirement 5: How to choose a target maturity
Addressed in: Section 4, Using a maturity model for business planning
Details: Outlines three approaches to decide an appropriate target maturity for an organisation in Phase A3 DECIDE.

Member requirement 6: How the outputs from a maturity model can fit into the business planning cycle
Addressed in: Section 4, Using a maturity model for business planning
Details: Distils Member experience of using a maturity model in a business planning cycle, allowing other Members to benefit
from lessons learned in how to gain consensus, plan activities and prioritise them according to what the organisation values.

Member requirement 7: A maturity model aligned with the ISF’s Standard of Good Practice for Information Security
Addressed in: Section 5, The ISF Maturity Model
Details: Describes the ISF Maturity Model which covers 21 disciplines of information security, based on content from the Standard
and input from Members. By using the ISF Maturity Model, Members can focus their efforts on planning and implementing
improvements, rather than spending considerable resources developing their own.


Readership
This report is written with two readerships in mind:

• The information security practitioner who uses a maturity model to support business planning, including conducting
a maturity assessment. Practitioners will benefit from reading all Sections of this report. In particular, they should find
it helpful to learn how to optimise the process for using a maturity model (Section 4) and to decide if the ISF Maturity
Model (Section 5) meets their requirements.

• The CISO, CIO or equivalent information security leader who will decide whether a maturity model should be used
in their organisation and what it would be used for. Information security leaders need to understand what a maturity
model is, what it can (and cannot) be used for, and the benefits that come from using one (Section 3).

A maturity model complements other ISF deliverables


A maturity model is a high-level business planning tool used to translate strategic goals into action plans. It can be used
in conjunction with existing ISF tools to provide a consistent view of how the information security function currently
supports the organisational strategy, and whether and where improvements can be made. Members who use other ISF
tools could complement their efforts with a maturity model in the following ways:

BENCHMARK and SECURITY HEALTHCHECK: The ISF’s Benchmark and Security Healthcheck are used to assess and compare
the status of security controls within disciplines (e.g. incident management or security architecture). Using a maturity
model offers a complementary insight into the degree their maturity is supporting or hindering these disciplines.

IRAM: The ISF’s Information Risk Assessment Methodology (IRAM) offers an organisation that takes a risk-based approach
to information security a way to identify and assess those risks. A maturity model can be used to assess the maturity of
disciplines used to manage information risks and how well they support the management of information risk across the
organisation.

This report encourages information security leaders to look beyond managing risk and meeting compliance requirements,
by considering how their function can support the organisation in creating value. Using ISF tools and research reports in
conjunction with a maturity model can help meet these requirements and deliver this value.

Once an organisation has decided to increase maturity in a discipline (e.g. to increase the maturity of its information
security policy), a maturity model provides the high-level steps needed to do so. The Standard, supported by ISF research
reports, can then be used to develop a more detailed improvement plan.


3 What is a maturity model?

Introduction
How would you recognise a great violinist? What would distinguish them from a beginner? Is it by the music they play?
Is it their technique? Is it how much they practice? The various possible answers to this question emphasise the difficulty
in consistently identifying progress. We know it when we see it, but it’s difficult to define and there isn’t a single correct
answer. A maturity model is an attempt to address this problem, to codify progress.

This Section explains maturity models and their application in information security. It explains that a maturity model is a
tool used to define and assess progress. It then describes the three types of maturity model, their uses and limitations,
and the different ways they provide assurance. It describes how maturity models are used in information security. Lastly,
it explores maturity and related costs in information security.

Maturity is a measure of progress


Maturity is a measure of progress towards a mature state. It is a measure of progress, not the progress itself. For example,
when maturity is increased in a particular discipline (e.g. threat intelligence) the benefit comes from the additional
activities that are performed (or performed better), not from the increase in maturity itself. However, maturity cannot
be described without a context; it must relate to a subject. For example, it isn’t possible to describe what mature looks
like, but it is possible to describe what a mature person looks like.

A maturity model is a tool that defines a route of progress


Maturity is defined and assessed using a tool called a maturity model. A maturity model consists of ‘a set of characteristics,
attributes, indicators or patterns that represent progression or achievement in a discipline’3. It maps (and therefore
defines) a route from an immature state to a mature state in a discipline.

[Figure: for the discipline ASSET MANAGEMENT, a route of PROGRESS from the Immature State to the Mature State, each state described by characteristics, attributes, indicators or patterns]

To identify progress towards the mature state, intermediate maturity levels are identified that represent steps of progress.
Ideally, these levels of progress are discrete and easy to recognise. A maturity model usually assigns a numerical value to
each level (e.g. 1 to 5) to indicate the order in which they occur.

[Figure: the same route divided into maturity levels 1 to 5 from Immature State to Mature State, each level described by characteristics, attributes, indicators or patterns, with the Current and Target maturity marked on the scale]

This route is then used to identify current maturity (where we are) and choose a target maturity (where we want to be).
Plans are then developed to move from the current maturity to the target maturity.

A maturity model should define whether each maturity level builds on and requires the previous level (a cumulative
maturity scale) or whether each level can be assessed independently and does not require the lower maturity level(s).

NOTE: A maturity model involves a high degree of subjectivity. Both the contents of the model, and the assessment
of maturity, are based on human judgement. The user needs to understand and remember this when making an
assessment and analysing results.

3 Butkovic M. Caralli R. Advancing cybersecurity capability measurement using the CERT-RMM maturity indicator level scale. November 2013. CMU/SEI-2013-TN-028.


A maturity model is usually sub-divided into smaller sections called domains. In some maturity models these domains are
further divided into sub-domains. This approach structures the subject being assessed. For example, a maturity model
for information security is likely to contain domains that will cover the disciplines that constitute information security such
as asset management and vulnerability management. This provides a common structure with which to understand the
subject and aid communication with others.

[Figure: Domain 1 ASSET MANAGEMENT, divided into Sub-domain 1 Identify Assets, Sub-domain 2 Log Assets and Sub-domain 3 Monitor Assets, each assessed against maturity levels 1 to 5]

For each line at the lowest level in the model (whether at domain or sub-domain level) descriptions of progress at each
maturity level are defined, as in the simple diagram shown below. Some maturity models also include descriptions at a
higher level which are summaries of the lower levels.

[Figure: ASSET MANAGEMENT, Identify Assets: at each maturity level 1 to 5 a set of characteristics, attributes, indicators or patterns is defined]

The assessment of maturity is usually made at the lowest level (sub-domains in the example shown below), with scores
for the higher level (the domains) being calculated as an average of the lower level scores.

[Figure: example characteristics, attributes, indicators or patterns for Identify Assets. Maturity level 2: the process for identifying assets is documented; relevant stakeholders for identifying assets have been identified. Maturity level 3: identifying assets is managed within governance structures and staff are responsible and accountable for its performance]

As a maturity model describes the characteristics of progress, it also gives the user a consistent language to recognise
and describe the stages of progress.

The characteristics that describe each maturity level will depend on the type of maturity model being used; the
different types are described later in this Section.

NOTE: There is a practical difference between the components of a maturity model and the disciplines that constitute
a subject. In this report, a maturity model is divided up into ‘domains’. A ‘subject’, such as information security, is
divided up into ‘disciplines’, such as compliance, risk management, incident response. A maturity model may cover a
whole subject (such as information security) or it may cover only one discipline (such as risk management).
Full definitions can be found in the Glossary.

So, in addition to a common view of progress, a maturity model provides a common structure and common language
which aids understanding and communication.
[Figure: the ASSET MANAGEMENT domain with sub-domains Identify Assets, Log Assets and Monitor Assets, each described at maturity levels 1 to 5 by characteristics, attributes, indicators or patterns. The rows give a common structure, the levels a common view of progress, and the descriptions a common language]


Three types of maturity model


There are three different types of maturity model4, each with its own consistent view of progress. It is important to understand
each type so the type of maturity model chosen for an organisation is correct and the results can be properly interpreted.

The three types, described in more detail below, are:

1 Activity maturity model5: which maps progress through activities
2 Capability maturity model: which maps progress in capability
3 Hybrid maturity model: which maps combined progress in activities and capabilities

For each type, the following sub-sections describe what type of progress it measures, what increasing maturity gives, the
benefits and drawbacks, what to look for when choosing one, and any other points to note.

1 Activity maturity model – Progress in activities


What it measures: An activity maturity model lists activities that are performed and represent progress in a discipline.
The example below depicts a basic activity maturity model for riding a bicycle.

RIDING A BICYCLE
Maturity level 1: Ride a child’s tricycle
Maturity level 2: Ride a child’s bicycle with stabilisers
Maturity level 3: Ride a child’s bicycle without stabilisers
Maturity level 4: Ride an adult’s bicycle
Maturity level 5: Ride a racing bicycle

Progress in this example is through the activities that represent a view of progression in learning to ride a bicycle. Each
step is easy to recognise, and it is clear what the next stage of progress looks like. It is important to note that it is not
necessary to achieve the mature state, level 5; not everyone rides, or wants to ride, a racing bicycle. It may be sufficient
to stop progressing once able to ride an adult bicycle. Nor does one have to start at the first activity. A child may learn to
ride a bicycle, without having had a tricycle or stabilisers.

An information security example (from the Building Security In Maturity Model6 (BSIMM)) is provided below. It shows the
progression of ‘Standards and Requirements’ when developing software. (Please note: there are only three maturity levels
in BSIMM).

STANDARDS AND REQUIREMENTS
Maturity level 1: Provide easily accessible security standards and requirements
Maturity level 2: Communicate formally-approved standards internally and to vendors
Maturity level 3: Require risk management decisions for open source use

Increasing maturity gives: Increasing assurance that the organisation is conducting the same activities as others and in
the same sequence.

Benefits: Activity maturity models are seen as ‘practical’ as they describe real-world activities, so it is easy to assess
current maturity, and to identify the steps to increase maturity. As an activity model provides access to a community
view of how to progress in a discipline, they provide a shortcut to identify the most common practices, giving users
access to years of experience in a discipline.

Drawbacks: There is no overall scale for the maturity model, so there is no way to justifiably compare maturity levels
between different domains being assessed. Whilst there will usually be a numerical scale, there is no basis to say, for example,
that a ‘3’ represents the same amount of progress in two different domains. Nor do activity maturity models give insight
into competence. In the bicycle example above, there is no assessment of how competent the rider is at riding an adult
bicycle. Also, the activities that represent progress will change over time and the model will need to be updated regularly
to represent these changes. In the bicycle example, a few years ago, the ‘adult’s bicycle’ may have been a ‘mountain bike’.
The BSIMM maturity model has been refreshed every year to reflect changes in software development6. In a fast-changing
subject like information security, an activity maturity model could quickly become dated unless updated regularly.

4 Caralli R. Discerning the Intent of Maturity Models from Characterizations of Security Posture. January 2012. CMU/SEI-2012-58924.
5 ‘Activity’ maturity models are sometimes referred to as ‘progression’ maturity models. This report uses the term ‘activity’ maturity model.
6 http://www.bsimm.com/


What to look for: Before using an activity maturity model, it is important to understand who developed the list of
activities. Consider whether everyone, or almost everyone, progresses in the way described in the maturity model. In
the bicycle example above, does everyone learn to ride a bicycle in the same way, or are there other ‘equally beneficial’7
ways to progress when riding a bicycle?

NOTE: An organisation is unlikely to become a world leader if it is only looking at what other organisations tend to do.

2 Capability maturity model - Progress in capabilities


What it measures: A capability model shows progress in capability, usually through progress in processes. Capability is
the extent to which the process meets current or projected business goals. A process tends to develop in a particular
way, with distinct characteristics marking each phase of development. This gives rise to a set of generic descriptions of
how processes mature, an example of which is given below.

GENERIC PROCESS MATURITY
Maturity level 1: The process is inconsistent and unpredictable
Maturity level 2: The process is planned
Maturity level 3: The process is managed and controlled
Maturity level 4: The process is measured
Maturity level 5: The process is continually improved

These generic process descriptions are then applied to each domain or sub-domain (depending on the model). A simple
example of how the process of performing backups matures is given below: an increasing maturity gives an indication of
increasing capability in performing backups. This type of maturity model is only relevant where business processes exist
so the example below reflects this.

BACKUPS
Maturity level 1: Backups are performed randomly
Maturity level 2: Backups are planned
Maturity level 3: Backups are managed and controlled
Maturity level 4: Backups are measured
Maturity level 5: Backups are continually improved

Increasing maturity gives: Increasing assurance that activities will be consistent, effective and resilient.

Benefits: As processes tend to mature in consistent ways in different subjects, the prime benefit of capability models is that
the same scale, with minor adjustments, can be applied to a process in any subject or discipline. This type of model therefore
facilitates comparison between different subjects or disciplines. Also, processes tend to be outcome-focussed, rather than
method-focussed. In a fast-changing subject like information security, the desired outcomes of processes will stay more
constant than the methods used to achieve them.8 Capability models therefore require less updating than activity models.

Drawbacks: The generic descriptions of process maturity often require adjustment to make sense for a particular
subject. The more detailed the maturity model, the more adjustments need to be made for use in different subjects. As
the process descriptions are generic, it is difficult to identify current maturity accurately and difficult to identify steps to
increase maturity, as neither are described in specific practical terms. Lastly, there will sometimes be conflicts between
how an activity matures theoretically (following process maturity) and how it tends to mature in the real world. In
a capability model, the theoretical scale always takes precedence for the sake of consistency and in these cases, the
maturity model will contradict what really happens.

What to look for: The purpose of a capability maturity model is to plot progress in capability, so it is important to check
the maturity scale and ensure that the organisation agrees that higher maturity will actually translate into being more
capable.

NOTE: It is important to understand that having more mature processes is not appropriate for all circumstances and
therefore not always beneficial. More details can be found on page 14 and in Section 4, Phase A3 DECIDE on page 31.

7 Teo, T. S. H. and King, W. R. Integration between Business Planning and Information Systems Planning: An Evolutionary-Contingency Perspective. Journal of Management Information Systems, 14 (1), pp. 185-214. 1997.
8 BSI. Cyber Security Risks, Governance and Management. PAS 555. 2013.


3 Hybrid maturity model - Combined progress in activities and capabilities


What it measures: A hybrid maturity model combines the two previous types of maturity model, assessing progress
in ac vi es and capabili es at the same me. A hybrid model iden fies ac vi es which indicate or represent progress
in capability. An example (from the ES-C2M2 maturity model9) is given below, showing the three levels of progress in
‘Assign Cybersecurity Responsibili es’ which is within the ‘workforce management’ domain.

Maturity level
1 2 3
WORKFORCE MANAGEMENT

Assign Cybersecurity Cybersecurity responsibili es for Cybersecurity responsibili es Cybersecurity responsibili es and
Responsibili es the func on are iden fied are assigned to specific roles, job requirements are reviewed and
Cybersecurity responsibili es incl. external service providers updated as appropriate
are assigned to specific people Cybersecurity responsibili es Cybersecurity responsibili es
are documented are included in job performance
evalua on criteria
Assigned cybersecurity responsibili es
are managed to ensure adequacy and
redundancy of coverage

Increasing maturity gives: Increasing assurance that the organisation is conducting the same activities as others, and
that the organisation is becoming more capable at those activities.

Benefits: Hybrid models assess two aspects at once: ‘are we doing the same activities as others?’ and ‘how capable are
we at those activities?’

Drawbacks: Hybrid models are new and therefore rare; they have only been developed in a small number of critical
infrastructure industries.10 Hybrid models combine descriptions of activities, and how they mature, for each discipline.
In order to combine these two concepts (progress in activities and capabilities) both the description of activities and the
descriptions of how they mature are high-level. As a result, a hybrid maturity model will only provide the high-level steps
needed to increase maturity.

Because they contain descriptions of activities, hybrid models also need to be updated more regularly than capability
models. Lastly, as with capability models, there will sometimes be conflicts between how an activity matures theoretically
(following process maturity) and how it tends to mature in the real world, so it is important to determine which will be
given precedence during the development of the model.

What to look for: Both activities and capabilities need to be considered. It is important to understand who developed
the list of activities and the way that progress in capability is measured in the model.

NOTE: The ISF Maturity Model is a hybrid model which draws on content from the Standard. Organisations whose
information security activities are aligned with the Standard are likely to benefit from using the ISF Maturity Model.
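The following is an added example, not code from the ISF report, the ISF Maturity Model or the ES-C2M2 programme. It shows how the ‘Assign Cybersecurity Responsibilities’ excerpt above can be scored as a hybrid model objective: the level-1 to level-3 practice texts are taken from that excerpt, while two things are assumptions made for the example rather than rules the report states, namely that levels are cumulative (a level counts only when every practice at that level and all lower levels is performed) and that a domain’s level is the lowest level achieved by any of its objectives. The result also lists the practices still missing for the next level, which is the ‘high-level steps needed to increase maturity’ a hybrid model can offer.

```python
"""Scoring one objective of a hybrid maturity model.

Added example; not code from the ISF report, the ISF Maturity Model or the
ES-C2M2 programme. Practice texts come from the 'Assign Cybersecurity
Responsibilities' excerpt. Assumptions (not stated in the report):
(1) levels are cumulative: a level counts only when every practice at that
    level and at all lower levels is performed;
(2) a domain's level is the lowest level achieved by any of its objectives.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Practices per maturity level for the objective in the report's excerpt
# (shortened to identifiers; the wording is otherwise the report's).
ASSIGN_RESPONSIBILITIES: Dict[int, List[str]] = {
    1: ["responsibilities for the function are identified",
        "responsibilities are assigned to specific people"],
    2: ["responsibilities are assigned to specific roles, incl. external service providers",
        "responsibilities are documented"],
    3: ["responsibilities and job requirements are reviewed and updated",
        "responsibilities are included in job performance evaluation criteria",
        "assigned responsibilities are managed for adequacy and redundancy of coverage"],
}


@dataclass
class ObjectiveResult:
    achieved_level: int                    # 0 means no level is fully met
    next_level: Optional[int]              # None when the top level is met
    missing_for_next: List[str] = field(default_factory=list)


def score_objective(model: Dict[int, List[str]], performed) -> ObjectiveResult:
    """Return the highest level whose practices (and those of all lower levels)
    are all performed, plus the practices still missing for the next level."""
    done = set(performed)
    achieved = 0
    for level in sorted(model):
        missing = [p for p in model[level] if p not in done]
        if missing:
            # Cumulative rule (assumption): stop at the first incomplete level,
            # even if practices at higher levels happen to be performed.
            return ObjectiveResult(achieved, level, missing)
        achieved = level
    return ObjectiveResult(achieved, None, [])


def score_domain(objectives: Dict[str, Dict[int, List[str]]],
                 performed_by_objective: Dict[str, List[str]]
                 ) -> Tuple[int, Dict[str, ObjectiveResult]]:
    """Domain level is the minimum objective level (assumption, see above);
    the per-objective results show where the gaps are."""
    results = {name: score_objective(model, performed_by_objective.get(name, []))
               for name, model in objectives.items()}
    return min(r.achieved_level for r in results.values()), results


if __name__ == "__main__":
    # Constructed observation: all level-1 practices plus one level-2 practice.
    observed = ASSIGN_RESPONSIBILITIES[1] + ["responsibilities are documented"]
    result = score_objective(ASSIGN_RESPONSIBILITIES, observed)
    print(f"achieved level {result.achieved_level}; for level {result.next_level} "
          f"still missing: {result.missing_for_next}")
```

Because the scoring is cumulative, an organisation that performs every level-3 practice but has never identified responsibilities for the function (a level-1 practice) scores level 0, which is the kind of result the report warns will conflict with how an activity ‘tends to mature in the real world’; the model developer has to decide whether that strictness is wanted.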

Summary of the three types of maturity model

The three different types of maturity model provide assurance in different ways:

• An activity maturity model provides assurance in activities. As maturity increases, there is increasing assurance that
the organisation is doing the same activities as others, and in the same order.
• A capability maturity model provides assurance in capabilities, usually by assessing processes. As processes mature
there is increased assurance that the activities will be consistent, effective and resilient. They don’t provide absolute
assurance, but they give increased confidence that processes are supporting the activities to be consistent, effective
and resilient.
• A hybrid maturity model provides assurance in both activities and capabilities. As maturity increases, there is
increasing confidence that the organisation is doing the same high-level activities as others, and that the processes
are supporting those activities to be increasingly consistent, effective and resilient.

9 http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2-program/electricity-subsector-cybersecurity.
10 http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program.


Maturity models used in information security

Maturity models have been used in information security for a long time. According to some sources, there has recently
been an increase in their use.11 Just as in other subjects, information security maturity models have been developed in
each of the three types: activity, capability and hybrid. Below, we give an example of each type.

Example of an activity maturity model:

BSIMM is an activity maturity model focussed on secure application development. It is a collection of observed practices,
those that companies actually conduct, to develop software securely. ‘The BSIMM is not a ‘how to’ guide, nor a one-size-
fits-all prescription. (It) is a reflection of the software security state of the art.’12

Example of a capability maturity model:

Capability Maturity Model Integration (CMMI) is the best known capability maturity model.13 There are currently three
versions for different subjects (acquisition, development and services) but, currently, there is not one for information
security. At a high level, the maturity levels look simple and are frequently used as a basis for developing new maturity
models. However, there is extensive supporting detail in the CMMI model so applying it fully for information security is
considered a significant undertaking which requires a great deal of adaptation.

Example of a hybrid maturity model:

The Electricity Sub-Sector Cybersecurity Capability Maturity Model (ES-C2M2)14 is designed for use by the US Electricity
Sub-Sector. Despite the name, it is a hybrid maturity model. More industry-specific hybrid maturity models are under
development by the US government for industries in critical national infrastructure.15

If Members are choosing a maturity model for the first time, or are considering changing from their current one, a list of
information security maturity models is available on ISF Live.

Selecting the correct type of model

As the different types of maturity model give assurance in different ways, it is important to choose the type that will
meet the organisation’s requirements. Whilst most organisations would likely choose to use a hybrid maturity model,
few currently exist.

Selecting a maturity model is complex. However, in simple terms, the selection can be facilitated by considering which
of the three statements below best represents what the organisation wants to achieve.

Requirement: I want to know what other organisations are doing in one specific discipline (e.g. identity and access
management).
Model choice: Use an activity model.

Requirement: I want to compare our capability across several different disciplines of information security.
Model choice: Use a capability model.

Requirement: I want to compare our high-level activities and our capability in those activities across several disciplines
of information security.
Model choice: Use a hybrid model.

All three types of maturity model can be used to compare maturity internally or externally against other organisations
(as long as those being compared against have used the same model).

NOTE: Several Members reported that they had developed their own hybrid models that were specific to their
organisation. To reduce the overhead for each Member to undertake this type of development, this report and the
associated accelerator tool present the ISF Maturity Model (Section 5), which is a hybrid model.

11 Such as http://resources.sei.cmu.edu/asset_files/Podcast/2013_016_100_58913.pdf
12 http://bsimm.com/
13 http://whatis.cmmiinstitute.com/
14 http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2-program/electricity-subsector-cybersecurity
15 http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program


Members’ views of maturity models used in information security

There was general agreement in workshops and expert interviews that, despite their popularity, existing information
security maturity models often fail to fulfil Members’ requirements.

The most popular information security maturity models amongst Members are described in brief below along with
Member views of them. It is interesting to note that almost all of the information security models that Members have
used (including all those listed below) are capability maturity models.

CMM/CMMI16: Capability Maturity Model (CMM) and CMMI are capability models which were originally designed for
software development, but have since been adapted for use in other subjects. Those Members who have tried to use
CMMI have found it very difficult, particularly when trying to adapt it for use in information security. This is due to the
detailed processes and documentation that support the model. Many have used the high-level CMMI capability maturity
levels, but still needed to provide an information security structure to assess against, the most frequent choice being
ISO/IEC 27001/2.

Control Objectives for Information and related Technology (COBIT)17: The most common versions that Members have
used are the capability models in COBIT 4.1 and COBIT 5. Members who have used COBIT 4.1 were generally positive.
However, those who have attempted to use COBIT 5 were much less positive, finding it overly complex. Because COBIT
is IT-focussed, rather than focussed on information security, some Members considered its approach too technical.
Members were also concerned about the considerable time required to complete a full assessment.

The Forrester Information Security Maturity Model18: This capability maturity model covers information security.
Members liked the high-level nature of this maturity model and thought it contained some useful aspects. They were
frustrated however that the structure and descriptions of maturity do not align with any standards.

CERT-Resilience Management Model (CERT-RMM)19: Only a small number of Members had used this capability model.
While generally positive, they were concerned by the significant amount of work required to conduct an assessment.

Proprietary/Consultant developed: Several Members have conducted assessments using a proprietary maturity model,
usually capability models used as part of a consulting engagement. Members viewed these models as most useful
when they contained industry best practice or if they aligned with existing information security standards (ideally both).
Members were less positive when a model only aligned with the consultants’ approach to information security, which
they considered to be of little benefit.

Overall, Members liked some aspects of each of the above maturity models but none seemed to meet the required level
of detail or focus on information security. Additionally, many Members wanted (but didn’t have) a maturity model which
aligns with the Standard. The ISF Maturity Model, described in Section 5, is designed to meet these requirements.

NOTE: The examples given on previous pages (ES-C2M2 and BSIMM) did not feature in the list of most popular
maturity models with Members so are not included here.

Insights into maturity and its costs in information security

ISF research and workshops uncovered a number of important insights about maturity and its benefits and costs in
information security. As most information security maturity models are capability maturity models, these insights are
particularly relevant to maturity in these types of model.

It is easy to jump to the wrong conclusion about maturity, assuming more is always positive. For each proposed increase
in maturity, a cost/benefit analysis should be undertaken to answer the questions: is there a benefit by increasing
maturity to that point, and what is the cost of doing so? The insights come in two groups, those about maturity and
those about the associated costs.

16 http://whatis.cmmiinstitute.com/
17 The IT Governance Institute (ITGI). http://www.itgi.org
18 http://www.forrester.com/
19 http://www.cert.org/resilience/products-services/cert-rmm/


NOTE: A common reason given for setting a high maturity target (in a capability maturity model) is to achieve
efficiency savings gained from mature processes, in particular those subject to continuous improvement.20 The
ISF has not identified any independent research which demonstrates that efficiency savings outweigh the costs of
achieving and maintaining high maturity levels in information security. Rather, the benefits gained by achieving high
maturity are often ‘overshadowed by cost’.21 However, this only refers to high maturity (levels 4 to 5) and ‘very few
organisations are over-achieving when it comes to maturity’.22

Maturity insights

Insight: Too much maturity can stifle agility
Explanation: More maturity is not always positive. More mature processes bring increased consistency, effectiveness and
resilience to the activities they support, but too much process can also stifle agility and responsiveness.23 Each
organisation will need to find the appropriate level of maturity that provides sufficient assurance of the activities, but
doesn’t stifle agility.
So what? Users need to understand the maturity scale so they are able to set a target maturity that provides sufficient
assurance, but which doesn’t introduce undue process.

Insight: Maturity can decrease as well as increase
Explanation: If an organisation considers itself to be too mature in a discipline, usually due to changing organisational
priorities, maturity can be reduced over time. This is best achieved by taking active steps such as removing process,
retiring documentation, re-assigning staff or reducing oversight. If an organisation decides it is too mature in a discipline
following an assessment, this represents an over-investment. A reduction in maturity to an appropriate level would
result in a cost saving.
So what? When deciding a target maturity, consider whether the target could be below your current maturity.

Insight: Maturity does not increase evenly over time
Explanation: There is a pattern to how maturity increases over time.24 Achieving higher maturity levels typically takes
longer than achieving lower maturity levels. The exact pattern of how maturity increases will depend on the maturity
scale used.
So what? Don’t aim too high with a target maturity, and don’t over-promise on what you will deliver.

Insight: A significant difference in maturity between disciplines can signify hidden problems
Explanation: Many information security disciplines are interdependent (e.g. vulnerability management and asset
management). Whilst these disciplines are assessed separately in a maturity model, there are likely to be significant
interdependencies between them. Members should be wary of a large disparity in maturity scores for disciplines that
are interdependent as it may indicate a problem: e.g. if vulnerability management is mature, but asset management is
immature, the organisation will only be managing vulnerabilities on the assets it knows about; there may be other
assets of which it has no visibility. Note: this is why the ISF Maturity Model identifies which disciplines are
interdependent.
So what? When deciding a target maturity, include dependencies in your thinking.

Insight: Business units with different maturities can struggle to work together
Explanation: One Member warned that there can also be problems if different business units with significantly different
maturity levels have to work together as they may have incompatible working practices.
“If areas have widely different maturity, they just don’t understand each other.”
So what? When planning how to achieve target maturities, consider business unit interactions in the plans. Don’t forget
the human element!
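The disparity insight above is the one that lends itself to an automated check on assessment results, so here is an added example (not code from the ISF report or the ISF Maturity Model). The report gives one dependency, vulnerability management relying on asset management; the other dependency pairs, the discipline names, the scores and the two-level threshold are constructed for this example and are assumptions. The check flags interdependent pairs whose scores are far apart, marks the case the report describes (the discipline relied upon is the weaker one) as a hidden problem, and goes one step further than the text by adjusting proposed targets so a dependency is not left behind.

```python
"""Checking maturity scores for disparities between interdependent disciplines.

Added example; not code from the ISF report or the ISF Maturity Model. The
report gives one dependency (vulnerability management relies on asset
management); the other pairs, the discipline names, the scores and the
two-level threshold are constructed assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (dependent discipline, discipline it relies on). The first pair is the one
# the report describes; the others are constructed for illustration.
DEPENDENCIES: List[Tuple[str, str]] = [
    ("vulnerability management", "asset management"),
    ("incident management", "security event logging"),
    ("access management", "identity management"),
]


@dataclass(frozen=True)
class Disparity:
    dependent: str
    depends_on: str
    dependent_level: int
    depends_on_level: int
    hidden_problem: bool  # True when the discipline relied upon is the weaker one


def find_disparities(scores: Dict[str, int],
                     dependencies=DEPENDENCIES, threshold: int = 2) -> List[Disparity]:
    """Flag interdependent pairs whose scores differ by at least `threshold`.

    hidden_problem is set when the dependency is less mature than the
    discipline relying on it (the report's case: vulnerabilities are only
    managed on the assets the organisation knows about). The opposite gap is
    reported too, since it may indicate over-investment, but not as hidden."""
    found = []
    for dependent, depends_on in dependencies:
        if dependent not in scores or depends_on not in scores:
            continue  # one side was out of scope for this assessment
        a, b = scores[dependent], scores[depends_on]
        if abs(a - b) >= threshold:
            found.append(Disparity(dependent, depends_on, a, b, hidden_problem=b < a))
    return found


def adjust_targets(targets: Dict[str, int],
                   dependencies=DEPENDENCIES, threshold: int = 2) -> Dict[str, int]:
    """Raise dependency targets so that no dependent discipline's target exceeds
    the target of what it relies on by `threshold` or more. Iterates until
    stable because a raised target can itself depend on another discipline."""
    adjusted = dict(targets)
    changed = True
    while changed:
        changed = False
        for dependent, depends_on in dependencies:
            if dependent in adjusted and depends_on in adjusted:
                floor = adjusted[dependent] - threshold + 1
                if adjusted[depends_on] < floor:
                    adjusted[depends_on] = floor
                    changed = True
    return adjusted


if __name__ == "__main__":
    # Constructed assessment scores on a 1-5 scale.
    current = {"vulnerability management": 4, "asset management": 2,
               "incident management": 3, "security event logging": 3,
               "access management": 2, "identity management": 4}
    for d in find_disparities(current):
        flag = "HIDDEN PROBLEM" if d.hidden_problem else "possible over-investment"
        print(f"{d.dependent} ({d.dependent_level}) vs {d.depends_on} "
              f"({d.depends_on_level}): {flag}")
```

The dependency list is the part worth getting right: it should come from the model in use (the ISF Maturity Model identifies which disciplines are interdependent), and pairs where one side was out of scope for the assessment are skipped rather than guessed.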

20 ISF Briefing: Information Security Maturity Models. July 2010.
21 http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2014/apr/Rate-your-security-but-dont-aim-too-high_1378076.html
22 http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2014/apr/Rate-your-security-but-dont-aim-too-high_1378076.html
23 HP. Business White Paper: State of Security Operations. January 2014.
24 HP. Business White Paper: State of Security Operations. January 2014.


Cost insights

Insight: Sustaining maturity requires ongoing investment
Explanation: Many of the activities assessed by maturity models are ongoing activities and therefore have an ongoing
cost to sustain them in addition to the initial start-up cost.
So what? Make sure the ongoing costs are included in the cost/benefit analysis.

Insight: There is an indirect cost of increasing maturity
Explanation: In addition to the direct cost of achieving a higher maturity, there is also an indirect cost to the remainder
of the organisation of implementing new or enhanced security requirements. This indirect cost has been estimated
between 2% and 25% of IT spend.25
So what? Identify the costs that will be incurred by other parts of the business. Ensure these are included in the
cost/benefit analysis.

Insight: Scale affects cost
Explanation: The cost of increasing maturity will depend on the proposed activities and the complexity of implementing
them in the organisation. In a small organisation, documenting a process that is already performed could take a few
hours. In a global organisation with many business units it could take many months to achieve consistency in a single
activity.
So what? Considerations of scale need to be included when setting target maturity.

Insight: Increasing investment does not automatically lead to increased maturity
Explanation: There are examples of organisations that spend large amounts of money on information security, but this
does not translate into increased maturity.26 For example, investments made on technical equipment may not translate
into more capability in using it.
So what? Don’t assume that increased investment in an area leads to maturity. If your aim is to increase maturity, make
sure investments are focussed on achieving it.

Information security maturity models and compliance

Organisations’ attitudes to compliance vary greatly depending upon their industry, country, regulator and culture.
Whilst some warn that ‘a focus on compliance sets a dangerously low bar’27, during workshops many Members
emphasised that compliance requirements and consequences are extremely important to their organisations.
However, research indicates that there is no single way to address compliance in a maturity model. The following
three approaches were suggested by Members. Each organisation should decide which approach, if any, is most
appropriate for them:

• Assess the maturity of compliance practices. An information security maturity model will usually support a
maturity assessment of compliance practices. This is the simplest approach and makes best use of the maturity
model.

• Plot every compliance requirement in each discipline. This may be possible (although time-consuming) in a
detailed maturity model, but most maturity models do not contain sufficient detail to allow users to identify
the exact maturity level required to meet a specific compliance requirement. Many Members suggested that
compliance should be directly assessed against the relevant requirements, rather than via the extra intermediate
step of the maturity model. One compromise is to highlight the disciplines in which there is a compliance
requirement. This informs those making any decisions that there is a compliance requirement to be taken into
account but doesn’t overload the model with unnecessary information.

• Use a maturity model aligned with compliance activities. Several Members suggested that the choice of maturity
model must support specific regulatory/audit/compliance requirements relevant to the organisation. For example,
if an organisation has a regulatory requirement to demonstrate compliance with a particular standard (e.g. ISO/IEC
27001/2 or NIST Cybersecurity Framework) they should choose a maturity model that is based on that standard.

25 WEF/McKinsey. Risk and Responsibility in a Hyperconnected World. January 2013.
26 WEF/McKinsey. Risk and Responsibility in a Hyperconnected World. January 2013.
27 HP. Business White Paper: State of Security Operations. January 2014.


4 Using a maturity model for business planning

[Figure: the business planning cycle. Strategic goals feed Stage A – DEFINE, which contains the four-phase process:
A1 PREPARE (Identify the organisational context; Prepare the model), A2 ASSESS (Conduct the assessment; Compare
against others), A3 DECIDE (Discuss the results; Agree a target maturity) and A4 PLAN (Identify activities to achieve
maturity; Produce and agree plans). Stage A is followed by B – IMPLEMENT, C – EVALUATE (Update plan) and
D – ENHANCE. A maturity scale of levels 1 to 5 runs from Immature State, through Current and Target, to Mature State.
The outcomes around the cycle are Build Consensus, Prioritise Investment and Demonstrate Progress.]

Introduction
This Section explains how to use an information security maturity model in a regular business planning cycle to focus on
organisational value. ISF research confirmed that how to use a maturity model and deciding target maturity levels for
disciplines is just as important as deciding which maturity model to use.

“We need to improve the details of how to use a maturity model.”

Our research identified that there are four phases common to using a maturity model, each of which is explained in detail
in this Section. The four-phase process works with any maturity model, including the ISF Maturity Model in Section 5.

This four-phase process brings together Member experience from their use of maturity models, allowing Members to
learn from others. It is deliberately not prescriptive because detailed approaches can be found elsewhere.28 The four-
phase process (particularly A1 PREPARE and A2 ASSESS) will support the requirements for conformity with ISO/IEC
15504:2004, the accepted standard for conducting process maturity assessments. If Members need to demonstrate
conformity with ISO/IEC 15504, for example due to organisational policy or a compliance requirement, full details can
be found in the ISO/IEC standard.29

The four-phase process: integration with existing business planning

This report uses the four-stage planning cycle from the Standard ‘Define, Implement, Evaluate, Enhance’. This cycle
could be triggered either as part of regular business planning or to develop plans in response to a significant change or
need for improvement. The four-phase process for using a maturity model described in this Section sits within the first
Stage (A – Define) of a regular business planning cycle.

An overview of the business planning cycle is shown below:

Stage A – Define: This Stage contains the four-phase process:
A1 PREPARE – the maturity model and the organisation
A2 ASSESS – current maturity and, if necessary, determine the maturity of others
A3 DECIDE – on an appropriate target maturity for the organisation
A4 PLAN – how to achieve target maturity

Stage B – Implement: In this Stage, the plans are implemented.

Stage C – Evaluate: The information security function uses the maturity model to assess progress against plans.

Stage D – Enhance: The planned improvements from the previous Stage are implemented.

NOTE: As a maturity model is a business planning tool, most of this Section of the report concentrates on Stage
A – Define where the maturity model is used for planning. A maturity model can also be used to check progress,
so Stage C – Evaluate is also covered in some detail. Consequently Stages B – Implement and D – Enhance, in which
plans are implemented, are covered in less detail.

28 For example: ISO/IEC 15504 (2004) or Standard CMMI Appraisal Method for Process Improvement (SCAMPI) A, Version 1.3: Method Definition Document. March 2011. CMU/SEI-2011-HB-001.
29 ISO/IEC 15504-1, 15504-2 (2003), 15504-3 (2004). Available from www.iso.org. This is a set of requirements for conducting maturity assessments.


The ISF process

Each phase of the four-phase process consists of steps and related tasks for conducting a successful maturity assessment.

Business planning cycle Stage: A – Define, B – Implement, C – Evaluate, D – Enhance
Four-phase process Phase: A1 PREPARE; A2 ASSESS; A3 DECIDE; A4 PLAN
Step: e.g. 1. Identify the organisational context; 2. Prepare the model
Task: e.g. 1.1 Understand strategic goals; 1.2 Scope the assessment; 1.3 Identify stakeholders;
1.4 Sell the idea and engage stakeholders

After each step is explained in detail, covering the required tasks, the phase concludes with a short summary of what has
been accomplished and introduces the next phase.

NOTE: It is unlikely that an individual ISF Member would need to carry out every task of every step of the process
(although it can be used in that way). Rather, the process is designed to be modular and used in that way, or used as
a reference where necessary to augment existing efforts. Similarly, while a Member may wish to follow the Phases in
the order they are presented, some of the steps and tasks within each Phase are likely to be conducted concurrently.

Key roles in using a maturity model

ISF research has identified a number of key roles required to use an information security maturity model effectively.
However, who fulfils them and the level of authority they hold will vary by organisation. The list of roles described in the
table below is only intended as a guide. In some cases, the same individual may perform more than one of these roles.

Role: Sponsor
Description: The individual who decides a maturity model will be deployed. This individual is likely to be a member of
the senior management team who represents information security in the organisation. This individual is also
responsible for the resourcing and budget sign-off for using a maturity model.

Role: Lead
Description: The individual responsible for the use of the maturity model and who plans, co-ordinates and promotes
its use across the organisation. In small organisations this may be the Sponsor. In larger organisations, it is likely to be
an individual who reports to the Sponsor.

Role: Assessor(s)
Description: The individual (or team) who conducts maturity assessments, gathers information, and interprets the
results to assess maturity. Thought should be given to the skills and experience the Assessor(s) will require, which are
likely to include an understanding of information security, business acumen, communication and analysis skills, and an
understanding of the maturity model being used.

Role: Stakeholder(s)
Description: An individual or group of individuals who can affect or be affected by the use of the maturity model.30

Role: Assessed
Description: The individual or business unit from which information is being collected. This information forms the
basis of the maturity assessment.

The role titles in the table above are used throughout the remainder of this report.

30 Financial Times Lexicon, http://lexicon.ft.com/Term?term=stakeholders


STAGE A – DEFINE
This Stage produces the plans that will be implemented in the second Stage (Stage B – Implement). The four-phase
process explains how to use a maturity model to do this. This Stage is where the benefits identified in Section 1 can
be gained. The maturity model is used to build consensus on how the information security function can support the
organisation in achieving its goals. The function can then use this consensus to prioritise investments on strategic goals
and demonstrate progress towards these agreed goals.

Phase A1 PREPARE
This Phase describes the preparation required and the issues to address before using a maturity model. It looks at
aligning the use of a maturity model with the organisational context and preparing the maturity model for the
assessment. It assumes that the Lead has the required authority to proceed with a maturity assessment. If this is not
the case, the Lead should use information from Sections 1-3 to gain the necessary buy-in.

[Figure: the four-phase process within Stage A – DEFINE, with A1 PREPARE highlighted: A1 PREPARE (Identify the
organisational context; Prepare the model), A2 ASSESS (Conduct the assessment; Compare against others), A3 DECIDE
(Discuss the results; Agree a target maturity), A4 PLAN (Identify activities to achieve maturity; Produce and agree plans);
maturity levels 1 to 5 from Immature State through Current and Target to Mature State.]

“We need a process for choosing and developing the maturity model before we actually use it.”

THE STEPS AND RELATED ACTIVITIES FOR PHASE A1 PREPARE ARE:

STEP 1
IDENTIFY THE ORGANISATIONAL CONTEXT

Tasks
1.1 Understand strategic goals
1.2 Scope the assessment
1.3 Identify stakeholders
1.4 Sell the idea and engage stakeholders

STEP 2
PREPARE THE MODEL

Tasks
2.1 Select the model
2.2 Adapt the model

MEMBER TOP TIP

One Member cautioned against rushing the preparatory phases and going straight into the
maturity assessment. They designed and distributed a maturity assessment without first
identifying the key areas that were important to the business. Following low participation from
business, the assessment was cancelled and had to be re-planned in a more focussed way.


STEP 1 – Identify the organisational context

Task 1.1 UNDERSTAND STRATEGIC GOALS
How organisations document and share their strategic goals, what they value and what they are trying to achieve, will
‘vary enormously and they will have different ways of articulating what is important to them’.31 These goals may be
recorded in an organisational strategy, and may also be reflected in an information security strategy.32 Regardless of
the format, every outcome of using the model needs to support the organisation’s strategic goals. The Lead should
ensure that they personally, as well as those involved in the assessment, are confident they fully understand the
strategic goals. The Lead can then investigate how the organisation intends to achieve those goals. This offers an
excellent opportunity to engage with the wider organisation to identify new opportunities for the information security
function to enable or support these activities.

Task 1.2 SCOPE THE ASSESSMENT
The Lead should scope the maturity assessment so it assesses the disciplines related to the organisation’s strategic
goals identified in Task 1.1. In addition to the disciplines to be included in the assessment, the scope should also define
which business units will be assessed. This will influence the choice of maturity model later in Task 2.1.

TIP
The Lead should strike a balance between the breadth of disciplines covered and the depth of assessment desired.
Whilst recognising this balance will depend on individual circumstances, a number of ISF Members suggested keeping
the scope as narrow as possible, as too wide a scope can create a barrier to stakeholder involvement.
Too wide: “If you turn this (the assessment) into an industry, people won’t do it.”
Too narrow: “Being too selective can lead to difficulties later. When you revisit the assessment, you can’t provide
measurement or a reference against all areas in response to questions from the board or auditors.”

The scope should also define whether single or multiple assessments will be conducted. A single assessment involves
each discipline being assessed once in the organisation. A multiple assessment is where each discipline is assessed
separately within each in-scope business unit.

NOTE: In a single organisation, there may be a combination of single and multiple assessments: single assessments
for disciplines that are centralised, and multiple assessments for disciplines that are managed separately by business
units.

TIP
WHY DOES THE GOVERNANCE STRUCTURE MATTER?
An organisation’s choice between single and multiple assessments will depend on how the organisation governs its
processes. For example, it is impractical to separately assess the maturity of asset management in ten business units,
if it is handled centrally. In this case a single assessment would be appropriate to avoid wasted resources and
duplicated effort. It is likewise impractical to assess the maturity of asset management centrally if responsibility and
decisions are made separately by individual business units, so in this case multiple assessments would be appropriate.

Many of the choices made during the scoping, and the budget that is available for using a model, will affect the choices
made in Phase A2 ASSESS, Step 1 for how the assessment is conducted. Make sure these choices are considered before
the scope is finalised.

Once the scope is produced it should be documented, validated and signed off by the Sponsor. This is required to
secure the buy-in, credibility and authority to conduct a successful maturity assessment.

31 ISF. Engaging with the Board: Balancing cyber risk and reward. April 2013.
32 ISF. Information Security Strategy: Transitioning from alignment to integration. May 2014.

Task 1.3 IDENTIFY STAKEHOLDERS
A maturity assessment typically involves a wide range of stakeholders across the organisation, each of whom is expected to contribute in varying ways. To ensure they all play their part and that all relevant information is included in the assessment, a stakeholder mapping exercise is helpful. A simple ‘RACI’ stakeholder assessment can be used to identify everyone who should be involved in the maturity assessment and whether they are:

• Responsible: Who is carrying out the assessment? Who will they report to?
• Accountable: Who will make decisions based on the outcome of the assessment? Who holds ultimate responsibility for the assessment? Who holds decision-making and sign-off power?
• Consulted: Who are the experts? Which representatives from in-scope business units will be asked for input?
• Informed: Who else could be interested in or be affected by the results of the assessment and therefore should be kept informed of the progress and results of the assessment?

The Lead should work with the Sponsor to ensure that all relevant stakeholders have been identified so that each can be engaged appropriately.

Task 1.4 SELL THE IDEA AND ENGAGE STAKEHOLDERS
NOTE: It might be necessary to educate the Sponsor about the maturity model being used as they may have to advocate or defend its use to senior stakeholders. Gaining this senior buy-in facilitates the assessment by giving it organisational credibility.

“Make sure it’s about something the organisation wants. Get senior management buy-in.”

The Lead should now sell the use of a maturity model to stakeholders. The sales pitch should focus on the purpose of the assessment, their involvement in it and the organisational benefits of participation. The Lead should frame this conversation in terms that resonate with the organisation’s language and culture and, in particular, with stakeholders’ personal and organisational motivations. If all in-scope business units are willing to invest sufficient time in the assessment, the information gathered is likely to be of a much higher quality.

“One of the biggest challenges of a maturity model is persuading people to participate!”

It is imperative that the Lead and the Assessor keep stakeholders involved throughout the assessment. Senior stakeholders will need to be engaged at key decision points in the four-phase process such as setting the direction of the assessment and deciding target maturity. Stakeholders in business units that are being assessed should be engaged beforehand and throughout the assessment. They will need to understand how the assessment will be made, who will make it, and what will happen with the results. The Lead should be sure to reiterate the organisational benefits of carrying out the assessment whilst managing expectations about the benefits stakeholders can realistically expect.

“People don’t like a list of questions – share with them the purpose of why you are asking the questions and they are more likely to help.”

“This can get very political – especially when a department is assessed as poor.”

Effective stakeholder engagement involves understanding the prevailing culture, politics and personalities in the organisation. People’s motivations are complex and will affect how they respond to the assessment. Members warned that the Assessed sometimes report a maturity score above (too high) or below (too low) their actual level. The Assessor needs to be aware of whether particular business units or people may respond in this way and consider ways to introduce accuracy to the results. This will affect the choices made in Phase A2 ASSESS.

Figure: why respondents aim TOO HIGH or TOO LOW. To more effectively engage with stakeholders, the Lead and the Assessor should understand that people’s motivations in how they interact and respond to an assessment are complex. Respondents can sometimes aim too high or too low. The Lead and Assessor need to consider whether particular areas or people might respond in this way and try to introduce accuracy to the results based on these findings.
TOO HIGH: they want improvement focus to go elsewhere; or they are immature and don’t understand what’s being asked.
TOO LOW: they want to demonstrate improvement next time; or they want extra help or funding for their area.

“I think the low-balling on the self-assessment was based on the principle that they knew they’d be expected to demonstrate improvement; they kept some back so those orange boxes would turn green over the improvement period.”

WARNING
This report does not provide any specific guidance on stakeholder engagement other than to encourage Members to engage fully with interested parts of the business. The stakeholder mapping exercise suggested in Task 1.3: Identify stakeholders and the ISF report Engaging with the Board: Balancing cyber risk and reward can help address these issues.

STEP 2 – Prepare the model

MEMBER TOP TIP
LEARN FROM PREVIOUS ASSESSMENTS
The Lead should investigate whether a maturity model has been used previously in the organisation. If possible, the Lead should try to speak with those involved and learn from the process and outcomes of the assessment: Did it achieve its objectives? What were its shortcomings? How did those involved find the process? What affected its success or failure?

Task 2.1 SELECT THE MODEL
The Lead will need to select a maturity model that meets the needs articulated in the scope. If the Lead has not hired a consultant to conduct the assessment, they must choose between using an existing maturity model and developing a new one. When making this decision, the Lead should consider the potential costs of using an existing model (e.g. initial cost of model, training to use it, skills to analyse results) and of developing a new one (e.g. time and people resource).

Both the type of maturity model (for more details see Section 3) and the disciplines it covers (for example, is it discipline-specific or a general information security maturity model?) should be considered. To help choose a maturity model, a list of existing models, including the ISF Maturity Model, is available to Members on ISF Live.

NOTE: The ISF Maturity Model is aligned with the Standard and is available on ISF Live. Members can use the high-level ISF Maturity Model as is, or as the basis for developing their own maturity model.

MEMBER TOP TIP
Don’t forget to take any compliance requirements into account when choosing the maturity model. See ‘Information security maturity models and compliance’ (page 16) for more details.

Task 2.2 ADAPT THE MODEL
It is likely that the Lead will need to adapt the maturity model to the specific circumstances in which it will be used. For instance, there may be no requirement to use every domain of a maturity model, so the Lead will need to select the domains and sub-domains to cover only those disciplines in the scope. It may also be necessary to adapt the descriptions of maturity and activities in the model to fit the organisation’s language or terminology. The Lead should change any terms in the maturity model if it helps the Assessed understand what is being asked. If the Lead doesn’t easily understand what is being asked, it is unlikely others will.

MEMBER TOP TIP
One Member suggested a trial of the assessment questions before conducting a full assessment, particularly if conducting multiple assessments. This way the Lead can get an early indication of whether others are likely to understand the intention of the questions, whether the length of the assessment is acceptable, and identify any other changes that could facilitate the process.

Summary
At this point in the process, the Lead has laid the groundwork for a successful maturity assessment. This includes an understanding of the organisational context from both a strategic and a cultural perspective. The Lead now has a documented and signed-off scope document that outlines which business units and disciplines will be assessed. The Lead, and potentially the Sponsor, are engaging stakeholders. Lastly, the model has been selected and adapted for use.

The next Phase, A2 ASSESS, takes the direction from Phase A1 PREPARE to build and conduct a maturity assessment.

Phase A2 Assess
This Phase covers conducting the maturity assessment and, if required, how to obtain results for other organisations to enable comparison. Step 1 outlines the four factors that need to be considered before executing the assessment. These choices reflect the organisation’s circumstances, including whether the scope calls for a single or multiple assessments. For those who want or need to compare against other organisations, Step 2 explains five options for obtaining comparison data.

Figure: the four-phase process, A – DEFINE: A1 PREPARE (Identify the organisational context; Prepare the model), A2 ASSESS (Conduct the assessment; Compare against others), A3 DECIDE (Discuss the results; Agree a target maturity), A4 PLAN (Identify activities to achieve maturity; Produce and agree plans). The maturity level scale runs 1 to 5, from Immature State (Current) to Mature State (Target).

THE STEPS AND RELATED ACTIVITIES FOR PHASE A2 ASSESS ARE:

STEP 1 – CONDUCT THE ASSESSMENT
Tasks: 1.1 Tailor the assessment; 1.2 Execute the assessment

STEP 2 – COMPARE AGAINST OTHERS

Task 1.1 TAILOR THE ASSESSMENT
The ISF identified four factors that should be considered when tailoring an assessment. The Lead’s decisions will be informed by how much assurance stakeholders need in the results and the practical constraints for the assessment(s). The table below shows these four factors, and the considerations that will affect the decisions.

                      INDEPENDENCE          INTERACTION     EVIDENCE            VALIDATION
INCREASING ACCURACY   Self assessment       Transactional   Opinion             None
INCREASING COST       Internal assessment   Interview       Targeted evidence   Passive
   (top to bottom)    External assessment   Workshop        All evidence        Active

The Lead must choose at least one option from each column. The decision made in each column should take into account the scope and the intended outcomes, which will dictate the level of confidence required in the results’ accuracy. It will also reflect the practicalities of how much time and money is available for the assessment. The Lead can use more than one option from each column, dependent on circumstances (for example, if some business units need more support to gain an accurate assessment). As the table indicates, increasing assurance in the results comes at an increased cost.

“There’s a challenge in getting people to assess consistently – people are shocked by how low they are when they think they are good.”

The following tables present each of these four factors, the options available and the associated benefits and drawbacks.

INDEPENDENCE
The Lead needs to choose how independent the Assessor will be from the Assessed.
“Self-assessment doesn’t work. They lie – probably not deliberately.”

Option: Self assessment
  What it is: The Assessed conduct(s) the assessment. Results are collated centrally by the Assessor(s).
  Benefits: Allows for multiple assessments to be carried out simultaneously, speeding up the assessment process.
  Drawbacks: Requires substantial support for the Assessed, and the results produced may be of questionable accuracy.

Option: Internal assessment
  What it is: An individual or team from within the organisation conducts the assessment(s).
  Benefits: Gives consistency in results as the same person (or people) carries out the assessments.
  Drawbacks: Potential for bias in the results as the Assessor is from within the organisation.

Option: External assessment
  What it is: An individual or team from outside the organisation conducts the assessment(s).
  Benefits: Offers impartiality and external expertise. May also include access to a set of external comparison data.
  Drawbacks: Often associated with a considerable cost. Raises the potential for inaccurate assessment as the external Assessor may not fully understand the organisation.

NOTE: If a maturity model is being used to gain accreditation (e.g. as part of a tender for business) it may require a qualified Assessor to conduct the assessment. An organisation wishing to gain this type of accreditation should ensure the Assessor has any necessary qualifications, as dictated by the accrediting organisation. For example, certain types of CMMI accreditation stipulate that the maturity assessment is conducted by a qualified Assessor.

MEMBER TOP TIP
Produce a list of questions to ensure consistent assessment of different respondents and business units. The questions don’t need to be followed verbatim, but should be used to ensure all relevant areas are covered with all the Assessed.

INTERACTION
The Lead needs to decide how much interaction there will be between the Assessor and the Assessed.
“Be smart in how you talk to people – in a conversation people will give you 90% of what you need and not even realise.”

Option: Transactional
  What it is: All assessment questions are asked at once, usually via email or a spreadsheet. This format is common amongst organisations conducting multiple assessments.
  Benefits: Allows for many assessments to be conducted in parallel within a short time frame.
  Drawbacks: Requires substantial support for the Assessed, and results produced may be inaccurate and inconsistent.

Option: Interview
  What it is: The Assessor holds an interview with the Assessed. It may involve follow-up interviews after an assessment is made to validate findings (see ‘VALIDATION’).
  Benefits: Offers the ability for in-person, in-depth discussion which generally yields strong results. Provides an opportunity to clarify any areas of uncertainty.
  Drawbacks: Incurs a cost associated with holding interviews as they are resource intensive.

Option: Workshop
  What it is: The Assessor arranges workshops during which all aspects of maturity are discussed in detail.
  Benefits: Produces in-depth, rigorous results. Offers an opportunity for collective input and discussion between relevant parties.
  Drawbacks: May be a significant cost associated with setting up and holding the workshops. Difficult to ensure attendance, particularly of multiple members of senior management.

MEMBER TOP TIP
One Member suggested holding a one-hour interview with the Assessed. They were able to gather all the necessary information in a short period which they could then validate in another short interview later. They believed this to be an efficient method of gathering the necessary information.

EVIDENCE
The Lead needs to decide how much evidence should be used to support the maturity assessment. Evidence will usually take the form of documentation that an activity is planned or has been performed (to a given standard).

Option: Opinion
  What it is: The assessment is entirely based on opinion without requiring proof for any assertions.
  Benefits: Assessment(s) is quick with no overheads for collecting and verifying evidence.
  Drawbacks: Results of assessments may not be trustworthy. Results will not be validated.

Option: Targeted evidence
  What it is: The Assessor asks for opinion and requests evidence in some circumstances. Alternatively, the Assessor could ask for a certain level/number/pieces/quota of evidence per discipline.
  Benefits: Evidence requests can be targeted at business units or specific domains that need more support to achieve an accurate assessment.
  Drawbacks: May be difficult to strike a balance between accuracy and the associated administrative burden. Assessors need experience to know what evidence to request and then to understand and verify that evidence.

Option: All evidence
  What it is: The Assessor requires evidence for each assertion made.
  Benefits: There is a high degree of assurance in the results, as every assertion has been evidenced.
  Drawbacks: The administrative burden is dramatically increased both for the Assessed (to find the evidence) and for the Assessor (to analyse and verify the evidence).

MEMBER TOP TIP
Several Members stated that the Assessors merely suggesting that evidence may be requested was often enough to encourage the Assessed to consider their answers more carefully. This increased the accuracy of the results for little overhead.

VALIDATION
The Lead needs to decide the extent to which the maturity score will be validated with the Assessed, after it has been decided.

Option: None
  What it is: There is no validation of results with the Assessed.
  Benefits: No time or investment required.
  Drawbacks: Provides no mechanism for error checking. Offers no mechanism for feedback from the Assessed, which could cause friction in subsequent assessments.

Option: Passive
  What it is: The Assessed are informed of the assessment results, but the Assessor waits for them to raise any concerns.
  Benefits: Offers an opportunity for the Assessed to identify errors or provide feedback on the assessment. As a result they may be more ‘bought-in’.
  Drawbacks: Relies on the Assessed to review the results to see if they agree or identify where they disagree. If they do not have sufficient time or motivation to do so, it is equivalent to having no validation.

Option: Active
  What it is: The Assessor actively asks the Assessed whether they agree with the assessment and why.
  Benefits: Provides assurance that every result has been verified and that error checking exists.
  Drawbacks: Requires the Assessed to have an in-depth understanding of the assessment criteria for feedback to be meaningful. This approach is resource intensive.

Task 1.2 EXECUTE THE ASSESSMENT
The maturity model and the assessment are now ready to deploy. It is now time to put all the planning into practice and assess the current maturity.

Several ISF Members recommended asking the Assessed for a preliminary indication of maturity at the start of a formal assessment. They saw educational benefit in this activity, as it identifies the gap between where the Assessed think they are, and where they actually are following the assessment. This task also provides the Assessed an opportunity to voice their opinions and engage early on with the process, whilst giving the Assessor an opportunity to emphasise that the maturity score will be an output from a formal assessment.

NOTE: This is the only time that the Assessor directly asks the Assessed about maturity. Regardless of the model selected in Phase A1 PREPARE, once the formal assessment begins, the Assessor will restrict themselves to questions about activities and capabilities. The answers to these questions are then used to determine a maturity score. This is deliberate. It moves the assessment away from opinion towards a more structured, evidence-based assessment of maturity.

STEP 2 – Compare against others

Some Members may want or need to compare their maturity against other organisations. This desire to compare against others (to benchmark) is often strong, particularly amongst senior stakeholders – evidenced by the 60% of Members who had compared the results of a maturity assessment against external parties (such as competitors, customers, suppliers or partners).

NOTE: Members who rated themselves at a high maturity level considered the desire to benchmark a sign of relative immaturity. They stated that there are so many factors that vary between organisations (size, operating locations, culture, industry, regulations, specific threats, etc.) that comparisons are not only of little use but also potentially misleading. Many believed a mature organisation should focus on its own maturity requirements rather than comparing against others. See Phase A3 DECIDE, Step 2 (page 34) for the details of how organisations have done this.

“It’s based on the assumption that (those we’re comparing against) know what they’re doing. I’m not sure that’s the case.”

Whatever the motivation, it is always difficult to obtain an accurate assessment of another organisation or to know the extent to which the results can be trusted. This table offers five potential options for obtaining comparison data, listed in order of decreasing accuracy and assurance, each with examples of how ISF Members have used that option.

Option: Regulator required or enabled
  Description: If the organisation operates in a regulated industry, the regulator may require or facilitate the use of a maturity model amongst all regulated organisations, for example, in retail banking. As the activity is mandated by a regulator, the results are more likely to be accurate. However, the regulator may not share the anonymised results of these assessments, so the organisation may still need to request the results directly from others.
  Member example: The Dutch financial regulator, De Nederlandsche Bank (DNB), requires the organisations it regulates (including some ISF Members) to use a maturity model. Members have found that this moves away from a purely technical discussion towards more meaningful discussions with the regulator. Organisations can also use this data pool to compare their maturity against others in their industry.

Option: Trade body/ISF
  Description: An independent body arranges for several organisations to conduct a maturity assessment. They could, if necessary, collate and anonymise the results before sharing them amongst those who participated. The results are obviously of most use if all the organisations use the same maturity model and domains, making direct comparison possible.
  Member example: Several ISF Members in the same country and sector agreed for their trade body to co-ordinate using the Security Healthcheck. This gave a consistent approach for comparison between organisations. (This example demonstrates this type of co-operation is possible, even though the Security Healthcheck is not a maturity model.)

Option: Third party data
  Description: The organisation pays for access to a third party set of data. This is usually performed using consultants who already have a collection of maturity results for the maturity model they use (often their own proprietary maturity model). An alternative is paying to access a benchmarking site such as the IREC maturity benchmarking website.33
  Member example: Many ISF Member organisations say they have paid for access to a third party collection of maturity assessment data, with some even selecting consultants based on the quality and size of their data set. As long as there was sufficient data available (e.g. tens of sets of results) and there were several similar organisations (in terms of geography/industry/size), Members believed the results were likely to be accurate, or at least consistent (as all assessments were conducted by the same third party organisation).

Option: Ask
  Description: Organisations ask their competitors or partners, either directly or via a third party (usually consultants), for their maturity scores.
  Member example: Several Members have done this, but while this has sometimes produced results, many believed that these results could not be trusted as it was feasible that they had been deliberately rated too highly, and there was no assurance of accuracy.

Option: Guess
  Description: This will be based on previous knowledge or experience (e.g. former employees), using the professional expertise of those involved. Even so, there are obvious dangers associated with this approach. The organisation will need to decide whether the benefit gained (having data to compare against) is worth the significant risks associated with it (making the wrong decisions based on potentially inaccurate data). Most importantly, it is essential to be open and honest with decision makers about the source of information.
  Member example: One ISF Member reported a cautionary tale. An organisation’s maturity results were being compared to the (much higher) maturity results of a competitor. The disparity in maturity was given as justification for investment. When challenged about the source of the competitor’s maturity results (by someone who knew it to be incorrect), the presenter was forced to admit, in front of the board, that they had guessed.

Summary
Upon completion of Phase A2 ASSESS, the Lead and the assessment team should have gathered the necessary information. The next Phase, A3 DECIDE, involves analysing and presenting the results to relevant decision makers and deciding the target maturity level for the organisation to meet its strategic goals.

33 http://irec.wordpress.com/. The benchmarking website requires membership and sign-up.

Phase A3 Decide
This Phase explains how to present the results from Phase A2 ASSESS to decision-makers and how to choose a target maturity.

Figure: the four-phase process diagram (A – DEFINE: A1 PREPARE, A2 ASSESS, A3 DECIDE, A4 PLAN), with A3 DECIDE (Discuss the results; Agree a target maturity) highlighted, and the maturity level scale 1 to 5 from Immature State (Current) to Mature State (Target).

Many ISF Members reported real benefit in discussing and deciding target maturity as it forces those involved to think carefully about what they are trying to achieve and why, keeping organisational value front of mind.

This Phase refers to setting a ‘target maturity’ but in reality this will almost always be setting ‘target maturities’, as a target will usually be set in each of the domains of the maturity model rather than a single target for the whole model. These targets may also vary between business units. Before the discussion which sets the target maturity, the Lead and Sponsor should decide the level at which the target maturities should be set, i.e. domain or sub-domain level.

THE STEPS AND RELATED ACTIVITIES FOR PHASE A3 DECIDE ARE:

STEP 1 – DISCUSS THE RESULTS
Tasks: 1.1 Group the results; 1.2 Prepare and present results

STEP 2 – AGREE A TARGET MATURITY
Tasks: 2.1 Identify ideal maturity; 2.2 Set a target maturity

STEP 1 – Discuss the results

Before deciding a target maturity, decision makers need to understand and consider the current maturity. This Step outlines how to prepare to present or report the results of Phase A2 ASSESS. Once these preparations have been made, the results will be presented, usually as a precursor to the decision about target maturity.

The person presenting the results may be the Lead (presenting to the Sponsor) or the Sponsor (presenting to senior stakeholders), or both. Whoever the audience is, the results must be presented in a format, and at a level of detail, that is relevant to them.

NOTE: The first task in Phase A1 PREPARE was to understand the organisation’s strategic goals. This is where the Lead can highlight the link between those strategic goals and how information security is helping those responsible for achieving them. The ISF’s Engaging with the Board: Balancing cyber risk and reward report also highlights the need to speak the language of those you are presenting to.

Task 1.1 GROUP THE RESULTS
The maturity assessment results for different domains should be summarised and grouped in a way that is relevant to the audience and simple for them to understand, with supporting detail available if required. Members suggested that the groupings may change dependent on the audience. Three possible ways to group the disciplines are according to:

• why the activity is carried out: this could be a general grouping (for example, “these activities keep our customers safe”) or it could be a specific grouping (“these activities will enable us to meet strategic objective X”). Several Members said this approach has the biggest impact with senior management as it is speaking the language of the business, not of information security.

• organisational structure: the disciplines being assessed can be grouped to reflect the organisational structure.

• similar disciplines: groups the domains which cover similar disciplines, even where these disciplines cross organisational boundaries (e.g. strategy and governance).

Task 1.2 PREPARE AND PRESENT RESULTS
ISF Members emphasised that senior audiences often wanted to see the main results of the maturity assessments displayed graphically. Some examples are shown below.

The Lead should investigate how the organisation (and in particular, senior management) prefers to have information presented.

MEMBER TOP TIP
One Member suggested examining the annual report or audit reports to see how they graphically represent information.

MEMBER TOP TIP
ISF Members suggested that those presenting should prepare for common or challenging questions.

Some common questions, and how this report can help answer them:
Q. How do we compare against others? – See Phase A2 ASSESS, Step 2
Q. I thought we were good, why aren’t we ‘5’ in everything? – See Section 3
Q. What do you think we should do? – See the next Phase, A3 DECIDE, Step 2
Q. How much will it cost to increase maturity? – See Section 3
Q. What is maturity? What does it mean? What are we measuring? – See Section 3

STEP 2 – Agree a target maturity

Choosing an appropriate target maturity for an organisation was often identified by Members as the most important aspect of using a maturity model.

NOTE: Several Members reported that the discussion between information security and business decision-makers in the organisation about target maturity was the most informative and productive aspect of using a maturity model.

When identifying a target maturity, many Members were wary of easy answers (e.g. “you must be a 4”). Rather, they favoured a more flexible and pragmatic approach based on informed discussions (in which all participants understand maturity) and consensus building (between the information security function, senior management and other decision-makers).

“If it’s proportionate and appropriate, so what if we’re a 3 and not a 5?”

Points to support target setting

When deciding a target maturity, a visual aid can provide a framework for the discussion. Members suggested plotting several points on each discipline, shown on the diagram below. There will be one of these visual aids prepared for each line where a target is being set (as mentioned before, this may be each discipline or sub-discipline).

Figure: a maturity level scale from 1 (Immature State) to 5 (Mature State) for one discipline (ASSET MANAGEMENT in the example), where each level is described by its characteristics, attributes, indicators or patterns. Four points are plotted along the scale: Minimum maturity, Current maturity, Target maturity and Ideal maturity.

The points to plot for each discipline are:

Current maturity: This is the result of the maturity assessment conducted in Phase A2 ASSESS.

Minimum maturity: This is the lowest possible maturity the organisation will tolerate. This sets the lower boundary for the target maturity. This minimum could be lower or higher than current maturity, but should be based on a specific requirement (for example, a compliance requirement that a process is documented and implemented).

Ideal maturity: This is the maturity level that the organisation would wish to achieve if there were no resource constraints. This point marks the upper boundary for the target maturity.

Target maturity: This is the maturity level that is agreed between relevant stakeholders and is the target to be achieved. The target maturity can be moved up and down the scale, between the lower (minimum maturity) and upper (ideal maturity) bound, to aid the discussion before being agreed and fixed. For example, “what would the consequences and costs be if our target maturity in incident management were ‘2’ rather than ‘3’?”

Other points to plot: There are many other possible points which can be used to support the discussion. These can include: interim targets (for different time scales), the maturity of others (if this is required and the information is available), what the organisation is able to achieve internally (without the need for external support), or whether there are dependencies on other disciplines.

More details on how to decide the ideal maturity and target maturity are in Task 2.1 and Task 2.2 of this Step.


Task 2.1 IDENTIFY IDEAL MATURITY

An ideal maturity is the optimum maturity level that the organisation would choose to support its objectives if there were
no practical constraints (constraints are taken into account in the next task). The ideal maturity will not necessarily be
the top of the maturity scale and will depend on the organisation’s requirements. All parties involved in deciding the ideal
maturity need to understand the maturity scale and the effects of increases or decreases in maturity in each domain. (More
details about this can be found in Section 3.)

NOTE: This ideal maturity should still be based on creating or protecting value for the organisation, not solely on
information security requirements.

ISF research revealed three options for choosing an ideal maturity. The approach an organisation takes will depend upon its
level of experience in information security. Does the organisation consider itself to be starting out in information security
(limited experience), competent and improving at information security (moderate experience) or world leading (highly
experienced)? The different approaches are presented below with the associated level of experience.

The Lead should consider the following three options to identify an ideal maturity and decide which is most appropriate
for their organisation. The organisation’s maturity scores may give a strong indication of which option is appropriate.
For example, if all maturity scores are very low, it is likely Option 1 will be appropriate.

Option 1 (Limited experience): CONCENTRATE ON INCREASING THE MATURITY BY A SET AMOUNT IN A NUMBER OF ESSENTIAL DISCIPLINES

Those organisations which considered themselves to have limited experience wanted to improve but were often resource
constrained and did not want to overstretch themselves. Such organisations tended to choose between three and five
disciplines (which they agreed with the organisation were the most important) and aimed to increase maturity in each by
a set amount.

“We gave less mature teams a default (target maturity) to move them forward.”

Option 2 (Moderate experience): COMPARE ORGANISATIONAL MATURITY AGAINST OTHERS AND USE THIS AS THE BASIS FOR DECIDING
THE IDEAL MATURITY

Several Members reported that their organisations aim to be as mature as their competitors, but ideally to achieve this
with fewer resources. Some organisations may also aim to be ‘world leading’ in one or two disciplines of strategic importance.
For example, an organisation with a large online presence may wish to be world leading at vulnerability management and
encryption (to protect customer data) but at a similar level of maturity to their competitors in other disciplines.

“Just as good as everyone else… but cheaper.”

TIP: If a Member considers their organisation to have moderate experience, but doesn’t want to compare against others,
the ISF would encourage them to work towards Option 3.

Option 3 (Highly experienced): CHOOSE AN IDEAL MATURITY THAT SUPPORTS CREATING AND PROTECTING VALUE, MEETS COMPLIANCE
REQUIREMENTS AND MANAGES INFORMATION SECURITY RISKS [34]

Many information security professionals focus on compliance and some on risk management, but lose sight of the primary
objective of the organisation, and their role in supporting it, which is to create and protect value. A recent report
warned that ‘senior executives are becoming concerned about the negative business impact of information security. In
particular, the delay in exploiting value from new technologies such as cloud and mobile computing’. [35] ‘The real cost
of cyber… stems from delayed or lost technological innovation’. [36]

34 Leading Edge Foundation. 2013.
35 WEF/McKinsey. Risk and Responsibility in a Hyperconnected World. January 2013.
36 McKinsey. The rising strategic risks of cyberattacks. May 2014.


Option 3 (Highly experienced) continued:

The Member organisations that considered themselves highly experienced believed they were able to identify an ideal
maturity that was specific and appropriate to their organisation, its situation and strategic goals. They were not
interested in comparison against others, believing this to distract from a thorough assessment of their own requirements.
Through engagement with the organisation, they believed they were able to identify a level of maturity that would support
the organisation to achieve its strategic aims balanced against the cost of achieving it.

“Our great discovery was to target maturity at value.”

NOTE: Whilst many Members agreed this approach (Option 3) is likely to produce the most appropriate ideal maturity for
each organisation, there was concern that few organisations were currently experienced enough to support this kind of
decision making. However, all agreed that this type of decision making should be the aspiration and that Members should
work towards this approach.

Task 2.2 SET A TARGET MATURITY

The target maturity (i.e. the maturity that the organisation commits to achieving) will be the combination of the ideal
maturity tempered by practical constraints. Target maturity is best defined through discussion between information
security and decision makers in the rest of the organisation. The agreed target should come from a discussion about what
the organisation needs and what information security can realistically achieve given the available time and resources.

The points below outline the main practical constraints to consider:

Budget: There will be a cost associated with every activity that increases a maturity score. For example, increasing
maturity in asset management could incur costs relating to managing the process around documentation of assets. If outside
parties (e.g. consultants) are used, there can be a considerable initial and ongoing cost to increasing maturity. (See
Section 3 for more details on the costs associated with maturity.)

Skills / Experience: Many information security disciplines require specialist skills and experience. The organisation will
need to consider whether it has the requisite skills and/or experience or whether it will need to recruit, develop or
purchase these skills from outside the organisation. It is also important to remember that each option could have a
considerable cost attached. Therefore, resourcing and budget should not be considered in isolation.

Time: Target maturities are typically not achieved quickly. The organisation will need to plan for the long term (usually
three to five years) but with interim checkpoints to assess progress and re-assess targets, and consequently different
target maturities for different time frames (e.g. the target is ‘1’ in six months, and ‘3’ in two years). The information
security function will also need to consider that projects which require time from other functions of the business may
pose a constraint.

“If it’s from my team, it’s ok. If it’s money, it’s usually ok. When I need resources from another part of the
organisation, that’s when it’s difficult.”

Interdependency: Many information security disciplines are interdependent (as discussed in Section 3, page 15). It is
important to recognise these interdependencies and understand how raising maturity in one discipline may affect another.
For example, it would be of limited benefit increasing the maturity in network monitoring (identifying suspicious activity
on the network) if incident management (dealing with incidents of suspicious activity) remained immature.

Summary
The outcome of Phase A3 DECIDE should be an agreed target maturity, or set of target maturities for in-scope disciplines.
These decisions should be based on informed discussion about where the organisation wants its information security maturity
to be to enable strategic goals. Ideally, the targets will be agreed between information security and the business, but in
cases where agreement is not possible, a target must still be defined. Who makes the final decision will depend on the
organisation’s structure but will usually be the Sponsor. The next Phase involves developing plans to achieve the target maturity.


Phase A4 Plan

This Phase describes how to produce plans to achieve the target maturity or target maturities. It does not include general
project management advice, instead focussing on aspects specific to using a maturity model: consequently, the Steps in this
Phase do not include detail at the task level.

[Diagram: Stage A – DEFINE. A1 PREPARE (Identify the organisational context; Prepare the model), A2 ASSESS (Conduct the
assessment; Compare against others), A3 DECIDE (Discuss the results; Agree a target maturity), A4 PLAN (Identify activities
to achieve maturity; Produce and agree plans), shown against a maturity level scale from Immature State (1) to Mature
State (5) with Current and Target plotted.]

NOTE: While many organisations will have an established project process which can be initiated at this point, the Steps
below should be considered to support or complement such an approach.

NOTE: As mentioned in Phase A3 DECIDE, in most cases several target maturities will have been set. Furthermore, if the
target maturities were set at a high level then the Lead will need to produce target maturities for each of the lower-level
components (e.g. if target maturities were agreed at the discipline level, the Lead will need to ensure that a target
maturity is set for the sub-disciplines that make up each discipline).

THE STEPS AND RELATED ACTIVITIES FOR PHASE A4 PLAN ARE:

STEP 1
IDENTIFY ACTIVITIES TO ACHIEVE MATURITY

STEP 2
PRODUCE AND AGREE PLANS

STEP 1 – Identify activities to achieve maturity


The details of the ‘characteristics, attributes or indicators’ (characteristics) in the maturity model provide the basis for
the Lead to begin to identify what needs to happen to move from a current maturity to the target maturity (gap analysis).
For example, if the current maturity in a particular domain is ‘1’ and the target maturity is ‘3’, the intermediate
characteristics will be those listed at maturity level ‘2’ and ‘3’. This gives a list of intermediate characteristics which
must now be achieved.

NOTE: If the maturity scale is cumulative, each maturity level builds upon what has been achieved in the previous levels.
Attention should be given to how existing characteristics are maintained whilst achieving the new characteristics.

Whichever option was used to determine a target maturity, decision makers still need to understand whether or how it is
beneficial to achieve each characteristic. Thus, two questions should be asked for each characteristic:

• Does the organisation benefit from achieving this characteristic: that is, does it help to achieve the organisation’s goals?

• Is another characteristic dependent upon this characteristic?

If the answer is ‘yes’ to either of these questions, the characteristic should be included in the list of those to be
achieved. If the answer is ‘no’, it should be considered for deletion from the list.

[Diagram: ASSET MANAGEMENT, specific activity ‘Identify Assets’, with characteristics, attributes, indicators or patterns at
each maturity level 1 to 5. Maturity level 2 (the process for identifying assets is documented; relevant stakeholders for
identifying assets have been identified) + Maturity level 3 (identifying assets is managed within governance structures;
staff are responsible and accountable for its performance) = list of characteristics to be achieved.]


The Lead then needs to identify all of the activities that need to be undertaken to achieve these intermediate characteristics.
For example, if one of the characteristics from a model is ‘staff have sufficient skills and experience’, the Lead will need to
identify the activities needed to achieve that characteristic, such as identifying what those skills and experience are, and
then plan how the organisation will ensure it has suitable staff.

This list of intermediate activities will inform the Lead’s planning and budgeting for how to achieve target maturity levels.

MEMBER TOP TIP

Get information security considerations locked into existing projects in different parts of the organisation wherever
possible. Make sure you seek out these opportunities as part of the project planning process.

“Run security in another project, not just for security’s sake.”

“Look for other initiatives you can tie into for the planning phase.”

STEP 2 – Produce and agree plans


The previous Step produces a list of high-level activities that need to be undertaken to reach the target maturity (or
maturities). Once all these activities have been identified, they need to be prioritised. The priority allocated to each
activity should reflect the organisational goals discussed in the previous Phases. Organisations are likely to have a
standard method to decide how to prioritise the identified activities. In general, these methods focus on a combination of
how important the activity is, how urgent it is, and the resources required to achieve it.

MEMBER TOP TIP

One Member recommended using the Eisenhower Method for prioritising the activities.

This involves plotting all activities against two axes: ‘Urgent/Non-Urgent’ and ‘Important/Not important’. The activities
within each segment are completed in the sequence indicated on the diagram.

[Diagram: Eisenhower matrix with columns URGENT and NON URGENT and rows IMPORTANT and NOT IMPORTANT. 1: Important and
urgent; 2: Important but not urgent; 3: Not important but urgent; 4: Not important and not urgent.]

Other basic methods for prioritisation can be found in general project management material.

The list of activities derived from the maturity model will likely be high-level and often focussed on an outcome (rather
than defining how to achieve the outcome). For each activity, the Lead will need to investigate how the organisation can
achieve the outcome.

For example, one of the activities derived from a maturity model might be to ‘document the process’ but consultation may
be required to identify what should be included in the documented process. This consultation should include all stakeholders
and other relevant inputs such as applicable internal policies. The specific details on what to include in the documented
process can be identified through discussions with subject matter experts, experienced staff, other ISF Members and from
relevant sections in the Standard.

The prioritised list of activities should then be recorded in formal plans which outline all the basic project information
including who is responsible, timeframes, agreed metrics and allocated budget.

NOTE: The Lead may have to take an iterative approach to determine which plans to implement depending on available
resources and budget and to what degree the activities enable the organisation’s strategy.

Finally, and before implementation can begin, the plans and associated budgets should be signed off at an appropriate
level. The Sponsor may sign off the plans or they may be responsible for obtaining sign-off from other business units.

Summary
This Phase has created prioritised plans which will now be implemented in the remaining business planning stages.


THE REMAINING STAGES OF THE BUSINESS PLANNING CYCLE (B-D)


While using a maturity model is often part of an ongoing, iterative business planning and improvement process, it also
offers a method to track progress and ensure that plans remain aligned with organisational goals. As described on page 18,
the four-phase process in Stage A – Define should integrate fully into the first Stage of a regular business planning cycle.

The following sub-sections briefly describe each of the remaining three Stages of the business planning cycle.

NOTE: The Lead should ensure that the information security function continues to work within the organisation’s
established business planning and governance structures in order to be effective and to maintain high-level
commitment to agreed plans.

[Diagram: the business planning cycle. Stage A – DEFINE (A1 PREPARE, A2 ASSESS, A3 DECIDE, A4 PLAN), with Current and
Target plotted on a maturity level scale 1 to 5, followed by Stages B – IMPLEMENT, C – EVALUATE and D – ENHANCE.]

STAGE B – IMPLEMENT

This Stage focuses on implementing the business plans that resulted from the four-phase process in Stage A – Define. To a
certain extent, the Lead’s role in implementation will depend on whether the plans involve a standalone information
security project or form part of another business unit’s project (or both). In the event that it is an individual
information security project, the Lead is more likely to be involved in its implementation, including monitoring resources
(people, time and budget), maintaining engagement with stakeholders, ensuring the project meets agreed milestones and
managing associated risks to completion.

If the information security plans form a component of another business unit’s project, the Lead’s role is more likely to be
advisory in nature, offering guidance, knowledge, skills or resources and monitoring associated risks. Regardless of the
level of involvement in implementation, the Lead should endeavour to engage fully with those implementing the plans
and maintain visibility and accountability of progress.


STAGE C – EVALUATE
Because the use of a maturity model is often part of an iterative process, the Lead should plan to regularly re-assess
targets, the progress towards target maturity and the effectiveness of implementation. This gives an opportunity both to
check and demonstrate progress and value to stakeholders. Three key steps for the evaluation are:

STEP 1 – Verify strategic goals

The evaluation phase allows the Lead to scrutinise the underlying assumptions for each plan on a regular basis. This is
important because the organisational goals could have changed if the organisation has taken a new strategic direction.
If the goals have changed, plans will need to be renewed.

[Diagram: Stage C – EVALUATE, showing Current and Target on the maturity level scale and the action ‘Update plan’.]

TIP: The Lead should take this opportunity to re-visit and deepen engagement with the organisation, both to demonstrate
progress to date and to agree how information security will help support the new goals.

STEP 2 – Check progress

The project plans created in Phase A4 PLAN are likely to have included agreed key performance indicators and key risk
indicator measurement criteria. If this is the case, then progress should also be assessed against these measurements.
The Lead may either want to check progress against agreed plans or carry out a new maturity assessment to check whether
maturity is progressing as expected.

If the information security initiatives tie into other business units’ plans rather than standalone projects, the role of
the information security function may be limited to evaluating progress of the information security aspects. Even in
these instances, the Lead should engage with relevant stakeholders to ensure they have visibility of the results.

STEP 3 – Update plans

In light of the results of the previous Steps, the Lead may need to update existing plans. If strategic goals have changed,
another round of engagement with the organisation (using the four-phase process) will be required to agree new target
maturities and plans to achieve them. If the strategic goals remain the same, the plans will still likely require updating,
reflecting lessons learned when the plans meet reality.

The ISF report Information Security Strategy: Transitioning from alignment to integration suggests that business plans
‘should adapt to accommodate changing requirements, whether they are coming from the business, changes in the threat
landscape or from other internal or external factors. Being constantly engaged with stakeholders means the CISO can
anticipate changes in the environment and adjust plans accordingly.’ A maturity model supports this type of engagement,
enabling information security to remain supportive of organisational needs as circumstances change.

STAGE D – ENHANCE

This Stage focuses on implementing the updated plans from Stage C – Evaluate. Just as in Stage B – Implement, the detail
of these plans will depend on the decisions made in the preceding Stages.

As the updated plans are implemented, the business planning cycle returns to the first Stage where the maturity model can
be used to support the next round of engagement and planning.


5 The ISF Maturity Model

Introduction
This Section describes the ISF Maturity Model, a hybrid maturity model which allows Members to assess their maturity
across 21 disciplines of information security drawn from the Standard. The ISF Maturity Model can be found in the ISF
Maturity Model Accelerator Tool on ISF Live.

NOTE: While the ISF Maturity Model should fit seamlessly into existing activities for Members who have based their
information security policies and procedures on the Standard, it is also adaptable for use by Members using other standards.

This Section describes the components of the model, including the maturity scale, the disciplines it covers, and how to
use it to conduct a maturity assessment.

The context for using the ISF Maturity Model

The ISF Maturity Model should be used as part of the business planning cycle described in the previous Section, which
focuses resources on organisational value (shown as Stage A – Define in the diagram). As described in Section 4, the four
phases of the process which sits in the Define Stage are:

A1 PREPARE – the maturity model and the organisation

A2 ASSESS – current maturity and, if necessary, determine the maturity of others

A3 DECIDE – on an appropriate target maturity for the organisation

A4 PLAN – how to achieve target maturity

[Diagram: the business planning cycle. Stage A – DEFINE (A1 PREPARE, A2 ASSESS, A3 DECIDE, A4 PLAN), with Current and
Target plotted on a maturity level scale 1 to 5, followed by Stages B – IMPLEMENT, C – EVALUATE and D – ENHANCE.]

Carrying out a maturity assessment (in Phase A2 ASSESS above) is only one of the four phases. To gain the most value
from using the ISF Maturity Model all phases, and how they fit together, should be considered before starting.

The ISF Maturity Model can also be used in Stage C – Evaluate to check progress and update plans.

The structure of the ISF Maturity Model


The ISF Maturity Model is sub-divided into domains. Each domain covers a discipline of information security (examples
of disciplines include asset management and vulnerability management).

For each domain, there is an objective statement which explains the purpose of the discipline covered (i.e. what does the
organisation gain or achieve by doing that discipline). Where possible, the objective statements are the same as in the Standard.

EXAMPLE: For the domain that covers the discipline of Security Strategy, the objective statement is ‘To ensure the
organisation’s approach to information security contributes to the organisation’s success’.

Each domain lists between one and four goals (i.e. what organisations are trying to achieve in that discipline).

EXAMPLE: For Security Strategy there are two goals: ‘Develop an Information Security Strategy’ and ‘Demonstrate
stakeholder value’.

For each goal, a small number of specific activities to achieve that goal are listed. The number of specific activities listed
varies depending on the goal.

EXAMPLE: Within Security Strategy, for the goal ‘Develop an Information Security Strategy’, there is one specific
activity, ‘An Information Security Strategy is produced’.

The maturity scale assesses the maturity of the processes which support these specific activities.


The maturity scale


Maturity is assessed using the maturity scale developed by the ISF, drawing widely on accepted good practice including the
CERT-RMM Maturity Indicator Level (MIL) scale [37]. The maturity scale combines the specific activities from the Standard
with the established concept of process maturity. It is therefore a ‘hybrid’ model (more details can be found in Section 3).

EXAMPLE ISF MATURITY MODEL:

Discipline: 16. Security Event Management
Objective: To identify unauthorised activity on information systems.

Maturity scale (the column headings of the Assessment Box):
1 Performed – The activity is performed
2 Planned – The activity is performed, and supported by planning (which includes engagement of stakeholders and relevant
  standards and guidelines)
3 Managed – The activity is performed, planned, and has sufficient organisational resources to support and manage it
4 Measured – The activity is performed, planned, managed, and is monitored
5 Tailored – The activity is performed, planned, managed, measured, and subject to continuous improvement and is tailored
  to specific areas

Assessment Box (Goals: Specific Activities, with the assessed status at each maturity level 1 to 5):
16.1 Log security events – Security event logs exist, are normalised and analysed.
     Level 1: MET; Levels 2 to 5: SELECT…
16.2 Monitor the system and network – Systems and networks are monitored.
     Level 1: PARTIALLY MET; Levels 2 to 5: SELECT…
16.3 Detect intrusions – Intrusion detection mechanisms are applied to critical systems and networks.
     Level 1: PARTIALLY MET; Levels 2 to 5: SELECT…
16.4 Detect information leakage – Information leakage protection mechanisms are applied on systems and networks.
     Level 1: MET; Levels 2 to 5: SELECT…

MATURITY = 0.75

Details Box (the characteristics required at each maturity level; in this example they are the same for each of the four
specific activities 16.1 to 16.4):

Level 1 Performed: the specific activity itself is performed (see the scale heading above).

Level 2 Planned:
• The activities have been documented, with necessary approval, and these plans / procedures are followed.
• Stakeholders have been identified, know of their role, and contribute to the documented process.
• All relevant requirements and inputs have been identified and included in the documented process.

Level 3 Managed:
• The activities are governed within the organisation’s governance structure, including policy and staff being responsible
  and accountable for the activities.
• Necessary resources, including sufficiently skilled and experienced staff, and funding are available to perform and manage
  the activities.
• Risks relating to the activities are identified and managed.

Level 4 Measured:
• Measurable targets for the activities have been identified, agreed and set.
• Metrics for the activities have been identified, are used and regularly analysed, and results are reported to all relevant
  stakeholders.
• Some improvements to the activities are made in response to results.

Level 5 Tailored:
• The activities are integrated (are supported and provide support) with other information security and business activities.
• Regular cycles of improvement are applied to the activities; lessons learned and improvements are documented and shared
  across the organisation.
• Business units adapt the standardised activities to meet their specific needs.

Related disciplines: Threat Intelligence, Human Resources Security, Incident Response, Crisis Management, Asset Management

Other related areas in the ISF Standard of Good Practice for Information Security: CF10.4: Security Event Logging,
CF10.5: System / Network Monitoring, CF10.6: Intrusion Detection, CF8.7: Information Leakage Protection

Related ISF deliverables: Security Event Logging – Full Report; Information Security Incident Management – Full Report

Notes:

NOTE: While it has some superficial similarities to the CMMI maturity scale, significant alterations have been made to make it applicable to the subject of information security. As a result, maturity assessment scores from the ISF Maturity Model should not be directly compared against CMMI results.37

The maturity scale in the ISF Maturity Model is cumulative; that is, each level of maturity builds on the previous, lower level. When maturity is assessed, it builds from maturity level 0. The maturity assessment indicates the highest maturity level for which all of that level's requirements and all of the requirements of the preceding levels are met. In practice this means all requirements for each preceding maturity level must be achieved and sustained before a higher level can be reached.

The ISF Maturity Model uses increments to demonstrate progress between maturity levels. Increments of 0.5 are used to indicate that a maturity level is 'PARTIALLY MET'. For example, if the requirements for maturity level 1 and level 2 are 'MET', and the requirements for level 3 are 'PARTIALLY MET', the maturity score is 2.5.

As another example, if the requirements for level 1 are 'MET', and the requirements for level 2 are 'PARTIALLY MET', the maturity score will be 1.5. Even if the requirements for level 3 are 'MET', the maturity assessment will still be 1.5, because level 2 has not been 'MET'.

NOTE: Do not assume that the same maturity score from different business units means that those business units are performing identical activities. For example, two business units could each have a score of 2.5, but they may not have completed the same requirements to earn the 0.5 increment. The two business units will have comparable results up to 2 (as they will both have completed all the requirements to achieve level 2), but they may have completed different activities to gain the 0.5 increment.

37 Butkovic M., Caralli R. Advancing cybersecurity capability measurement using the CERT-RMM maturity indicator level scale. November 2013. CMU/SEI-2013-TN-028.

Information Security Forum Time to Grow: Using maturity models to create and protect value 41
The ISF Maturity Model

The maturity levels


The generic descriptions below show how each maturity level refers to the specific activities (mentioned earlier) and how the requirements (the generic practices that must be performed) demonstrate the increasing levels of process maturity. The requirements are generic practices that apply to all disciplines in the same way and are used to identify different levels of maturity. For example, one of the requirements is 'the activities have been documented in plans/procedures, with necessary approval, and these plans/procedures are followed'. This requirement is one of three requirements to meet maturity level 2, irrespective of the discipline.

Maturity level / Name / Brief description / Requirements for maturity level

0 Incomplete
  The activity is not performed.
  (No requirements.)

1 Performed
  The activity is performed.
  • The specific activity for each goal is performed.

2 Planned
  The activity is performed, and supported by planning (which includes engagement of stakeholders and relevant standards and guidelines).
  • The activity has been documented in plans/procedures, with necessary approval, and these are followed.
  • Stakeholders have been identified, know of their role, and contribute to the documented process.
  • All relevant requirements and inputs have been identified and included in the documented process.

3 Managed
  The activity is performed, planned, and has sufficient organisational resources to support and manage it.
  • The activity is governed within the organisation's governance structure, including policy and staff being responsible and accountable for the activity.
  • Necessary resources, including sufficiently skilled and experienced staff, and funding are available to perform and manage the activity.
  • Risks relating to the activity are identified and managed.

4 Measured
  The activity is performed, planned, managed, and is monitored.
  • Measurable targets for the activity have been identified, agreed and set.
  • Metrics for the activity have been identified, are used and regularly analysed, and results are reported to all relevant stakeholders.
  • Some improvements to the activity are made in response to results.

5 Tailored
  The activity is performed, planned, managed, measured, and subject to continuous improvement and is tailored to specific areas.
  • The activity is integrated (is supported by and provides support to) with other information security and business activities.
  • Regular cycles of improvement are applied to the activity; lessons learned and improvements are documented and shared across the organisation.
  • Business units adapt the standardised activity to meet their specific needs.


As can be seen from the maturity level descriptions above, the ISF Maturity Model, as a hybrid maturity model, aids understanding in two ways.

1. The change from maturity level 0 to level 1 shows that the specific activity to achieve the goal is being performed. Thus, achieving maturity level 1 gives assurance that the generally accepted activity is being performed.
2. The change from maturity level 1 to level 5 shows how mature the processes that support the specific activity are. Achieving each higher level indicates that the processes that support the activity are increasingly mature, giving increased assurance that the activity will be effective, consistent and resilient (i.e. it will have the desired outcome).

The disciplines covered


The ISF Maturity Model has 21 domains, each covering one information security discipline with content drawn from the Standard. These were selected by ISF Members in ISF workshops and analysed for consistency and balance by the ISF.

The disciplines covered by the ISF Maturity Model are listed below along with their suggested groupings. These groupings are intended to help the Lead identify interdependent disciplines and communicate results of an assessment in a logical way to senior audiences (for more information see Phase A3 DECIDE).

DISCIPLINE / SUGGESTED GROUPING

STRATEGIC
  1. Security Strategy
  2. Security Governance
  3. Information Risk Management
  4. Compliance
  5. Security Audit
  6. Information Security Policy

TECHNICAL
  7. Identity & Access Management
  8. Vulnerability Management
  9. System Development Management
  10. Asset Management
  11. Change Management
  12. Security Architecture

CONNECTIONS
  13. Digital Connections (Customer Access)
  14. External Supplier Management

CRISIS
  15. Threat Intelligence
  16. Security Event Management
  17. Incident Management
  18. Crisis Management
  19. Business Continuity

PEOPLE
  20. Security Behaviour & Awareness
  21. Human Resources Security

Ten of these disciplines are marked as 'essential' in the ISF Maturity Model to help users prioritise when it comes to planning activities. These were chosen by Members who considered them to be the fundamental disciplines of information security.

NOTE: Whilst Members tended to agree that information security governance and security awareness are essential, views diverged on whether the next most essential aspects were technical (e.g. identity and access management) or crisis-related (e.g. incident management). Consequently, Members should review the essential disciplines and select those which reflect their organisational circumstances and priorities.


Using the ISF Maturity Model


Section 4 describes the key factors to consider and choices to make concerning how to conduct a maturity assessment. This sub-section augments that information by describing the issues that are specific to using the ISF Maturity Model to conduct a maturity assessment.

The ISF Maturity Model Accelerator Tool

The ISF Maturity Model is contained in a spreadsheet accelerator tool which is available on ISF Live and contains the relevant information for each discipline. This tool calculates maturity scores automatically and can be adapted easily by each Member to meet their specific requirements.

The tool is divided into introductory information, results pages and the domains. The introductory information explains the structure of the maturity model and how to use it to conduct a maturity assessment (repeating much of the information below).

Each domain (an example is shown below) is divided into three main areas: the assessment box, the detail box, and other information.

ISF MATURITY MODEL (example domain sheet)

Discipline: 16. Security Event Management
Objective: To identify unauthorised activity on information systems.

ASSESSMENT BOX

Maturity level
  1 Performed: The activity is performed
  2 Planned: The activity is performed, and supported by planning (which includes engagement of stakeholders and relevant standards and guidelines)
  3 Managed: The activity is performed, planned, and has sufficient organisational resources to support and manage it
  4 Measured: The activity is performed, planned, managed, and is monitored
  5 Tailored: The activity is performed, planned, managed, measured, and subject to continuous improvement and is tailored to specific areas

Goals: Specific activities (rating at level 1 / 2 / 3 / 4 / 5)
  16.1 Log security events: Security event logs exist, are normalised and analysed.
       MET / SELECT… / SELECT… / SELECT… / SELECT…
  16.2 Monitor the system and network: Systems and networks are monitored.
       PARTIALLY MET / SELECT… / SELECT… / SELECT… / SELECT…
  16.3 Detect intrusions: Intrusion detection mechanisms are applied to critical systems and networks.
       PARTIALLY MET / SELECT… / SELECT… / SELECT… / SELECT…
  16.4 Detect information leakage: Information leakage protection mechanisms are applied on systems and networks.
       MET / SELECT… / SELECT… / SELECT… / SELECT…

MATURITY = 0.75

DETAILS

Goal (level 1 Performed):
  16.1 Log security events: Security event logs exist, are normalised and analysed.
  16.2 Monitor the system and network: Systems and networks are monitored.
  16.3 Detect intrusions: Intrusion detection mechanisms are applied on critical systems and networks.
  16.4 Detect information leakage: Information leakage protection mechanisms are applied on systems and networks.

Requirements at levels 2 to 5 (the same three requirements for every goal in the discipline):
  2 Planned: The activities have been documented, with necessary approval, and these plans / procedures are followed. Stakeholders have been identified, know of their role, and contribute to the documented process. All relevant requirements and inputs have been identified and included in the documented process.
  3 Managed: The activities are governed within the organisation's governance structure, including policy and staff being responsible and accountable for the activities. Necessary resources, including sufficiently skilled and experienced staff, and funding are available to perform and manage the activities. Risks relating to the activities are identified and managed.
  4 Measured: Measurable targets for the activities have been identified, agreed and set. Metrics for the activities have been identified, are used and regularly analysed, and results are reported to all relevant stakeholders. Some improvements to the activities are made in response to results.
  5 Tailored: The activities are integrated (are supported and provide support) with other information security and business activities. Regular cycles of improvement are applied to the activities; lessons learned and improvements are documented and shared across the organisation. Business units adapt the standardised activities to meet their specific needs.

Related disciplines: Threat Intelligence, Human Resources Security, Incident Response, Crisis Management, Asset Management
Related areas in the ISF Standard of Good Practice: CF10.4: Security Event Logging, CF10.5: System / Network Monitoring, CF10.6: Intrusion Detection, CF8.7: Information Leakage Protection
Related ISF deliverables: Security Event Logging - Full Report; Information Security Incident Management - Full Report
Notes:

Assessment box: The assessment box contains the cells that affect the maturity assessment for that discipline. It gives a summary of maturity at each level. There is one line for each specific activity; some goals have more than one specific activity associated with their attainment.

Detail box: The detail box gives a more detailed description of the requirements at each maturity level for each specific activity.

Other information: At the top of the sheet, this includes the discipline covered and the purpose statement. At the bottom of the sheet, this includes details of related disciplines, related areas in the Standard, related ISF deliverables, and other notes for the Assessor.

Conducting a maturity assessment


This sub-section describes how to use the ISF Maturity Model for each domain. Organisations should only use the domains that cover disciplines that are relevant and important to them (see Section 4 for more details on how to choose the relevant disciplines).

The maturity assessment is carried out at the level of specific activities, so the Assessor needs to work at that level. The maturity results are then aggregated upwards to give a maturity assessment for the discipline. The maturity score starts at maturity level 0 (even though this is not shown in the assessment box) and increases based on the selections made.

For each specific activity, the Assessor assesses whether the requirements at that maturity level are 'MET', 'PARTIALLY MET' or 'NOT MET'.


MET: If the specific activity meets all (or nearly all, more than 85%) of the requirements set for that maturity level, select 'MET'.

PARTIALLY MET: If the specific activity meets some (but not all, between 15% and 85%) of the requirements set for that maturity level, select 'PARTIALLY MET'.38

NOT MET: If none of the requirements (or almost none, less than 15%) for that maturity level are met, select 'NOT MET'.

NOTE: The percentages provided above come from the ISO/IEC 15504 standard (see footnote 38) and are intended only as a guideline. Level 1 has a single requirement, so the percentages do not decide it; there the Assessor judges whether the specific activity is fully, partly or not performed (the Security Event Management example above records 'PARTIALLY MET' at level 1 for two of its activities).

The overall maturity score requires the maturity level for every specific activity to be 'MET' before a higher maturity level can be achieved. If all the requirements for a particular maturity level are 'MET' for every specific activity, the maturity level is 'MET' for that discipline.

ASSESSMENT BOX (example: discipline 1, Security Strategy)

Maturity level: 1 Performed / 2 Planned / 3 Managed / 4 Measured / 5 Tailored
  (The activity is performed / The activity is performed, and supported by planning (which includes engagement of stakeholders and relevant standards and guidelines) / The activity is performed, planned, and has sufficient organisational resources to support and manage it / The activity is performed, planned, managed, and is monitored / The activity is performed, planned, managed, measured, and subject to continuous improvement and is tailored to specific areas)

Goals: Specific activities (rating at level 1 / 2 / 3 / 4 / 5)
  1.1 Direct information security with a strategy: An information security strategy is produced
      MET / PARTIALLY MET / NOT MET / SELECT… / SELECT…
  1.2 Provide stakeholder value: Stakeholder value is demonstrated
      MET / MET / NOT MET / SELECT… / SELECT…
  Level 1: LEVEL COMPLETE MOVE TO NEXT LEVEL ->

MATURITY = 1.75

In the example above, the maturity score is 1.75. All the requirements for maturity level 1 for both specific activities have been 'MET'. As a result, the cell underneath displays 'LEVEL COMPLETE MOVE TO NEXT LEVEL'. At level 2, the Assessor has assessed that the requirements for level 2 are 'MET' for one specific activity (the bottom one) and 'PARTIALLY MET' for the other (the top one). The additional 0.75 increment is an average of the scores for maturity level 2 (MET = 1, PARTIALLY MET = 0.5; the average of these two is 0.75). The Assessor has not completed level 3 or above because level 2 has not been 'MET' for every specific activity.

In general, therefore, the score for a discipline is the number of levels that are 'MET' for every specific activity, plus the average of the ratings (MET = 1, PARTIALLY MET = 0.5, NOT MET = 0) at the first level that is not 'MET' for every activity. The Security Event Management example earlier scores 0.75 by the same rule: no level is complete, and the level 1 ratings MET, PARTIALLY MET, PARTIALLY MET and MET average to 0.75.
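The scoring rules described above (the cumulative scale and 0.5 increments, the MET / PARTIALLY MET / NOT MET thresholds, and the per-level averaging across specific activities) are small enough to state as code. The block below is an added example and not the ISF Accelerator Tool's own logic, which is only available to Members on ISF Live; it implements the rules as the text describes them, and its sample inputs are constructed to reproduce the two scores quoted on the page (1.75 for the Security Strategy box, 0.75 for the Security Event Management sheet). It also handles the case the text warns about, where a level above the first incomplete one has been rated 'MET' but must be ignored.

```python
"""Scoring rules of the ISF Maturity Model as described in this section.

Added example: this is not the ISF Accelerator Tool's own code. The rules are
taken from the text: ratings of MET / PARTIALLY MET / NOT MET per specific
activity and level, a cumulative scale in which a level counts only when it
is MET for every specific activity, and an increment for the first
incomplete level equal to the average of that level's ratings.
"""
from statistics import mean

LEVELS = ("Performed", "Planned", "Managed", "Measured", "Tailored")  # levels 1 to 5
RATING_VALUE = {"MET": 1.0, "PARTIALLY MET": 0.5, "NOT MET": 0.0}


def rate(requirements_met: int, requirements_total: int) -> str:
    """Turn 'how many of this level's requirements hold' into a rating.

    Uses the guideline thresholds quoted in the text: more than 85% is MET,
    less than 15% is NOT MET, anything in between is PARTIALLY MET. Level 1
    has a single requirement, so this helper can only return MET or NOT MET
    for it; a partial level 1 rating is the Assessor's judgement.
    """
    if requirements_total <= 0 or not 0 <= requirements_met <= requirements_total:
        raise ValueError("requirements_met must lie between 0 and requirements_total")
    fraction = requirements_met / requirements_total
    if fraction > 0.85:
        return "MET"
    if fraction >= 0.15:
        return "PARTIALLY MET"
    return "NOT MET"


def _level_values(ratings: dict[str, list[str]], level_index: int) -> list[float]:
    """Numeric value of each activity's rating at one level.

    Cells the Assessor has not filled in (the tool's 'SELECT...' placeholder)
    are treated as NOT MET.
    """
    values = []
    for activity, activity_ratings in ratings.items():
        if level_index >= len(activity_ratings):
            values.append(0.0)
            continue
        rating = activity_ratings[level_index]
        if rating not in RATING_VALUE:
            raise ValueError(f"{activity}: unknown rating {rating!r}")
        values.append(RATING_VALUE[rating])
    return values


def discipline_score(ratings: dict[str, list[str]]) -> float:
    """Aggregate per-activity ratings into the discipline's maturity score.

    `ratings` maps each specific activity to its ratings for levels 1, 2, ...
    in order. The score is the number of levels MET for every activity plus
    the mean rating at the first level that is not fully MET. Ratings entered
    for higher levels are ignored until that level is complete, which is what
    makes the scale cumulative (level 3 MET with level 2 PARTIALLY MET still
    scores 1.5, as the text explains).
    """
    if not ratings:
        raise ValueError("a discipline needs at least one specific activity")
    complete = 0
    for level_index in range(len(LEVELS)):
        values = _level_values(ratings, level_index)
        if all(v == 1.0 for v in values):
            complete += 1  # the tool's 'LEVEL COMPLETE MOVE TO NEXT LEVEL ->'
            continue
        return complete + mean(values)
    return float(complete)  # every level MET for every activity


def comparable_level(score: float) -> int:
    """The part of a score that two business units are guaranteed to share.

    Two units scoring 2.5 both completed every level 1 and level 2
    requirement, but may have met different level 3 requirements for their
    0.5 increment, so only the whole-number part is comparable across units.
    """
    return int(score)


# Constructed input: the Security Strategy assessment box shown on the page.
SECURITY_STRATEGY = {
    "1.1 Direct information security with a strategy": ["MET", "PARTIALLY MET", "NOT MET"],
    "1.2 Provide stakeholder value": ["MET", "MET", "NOT MET"],
}

# Constructed input: the Security Event Management example domain on the page.
SECURITY_EVENT_MANAGEMENT = {
    "16.1 Log security events": ["MET"],
    "16.2 Monitor the system and network": ["PARTIALLY MET"],
    "16.3 Detect intrusions": ["PARTIALLY MET"],
    "16.4 Detect information leakage": ["MET"],
}

if __name__ == "__main__":
    for name, ratings in (("Security Strategy", SECURITY_STRATEGY),
                          ("Security Event Management", SECURITY_EVENT_MANAGEMENT)):
        print(f"{name}: maturity = {discipline_score(ratings):.2f}")
```

Running the block prints 1.75 for Security Strategy and 0.75 for Security Event Management. Because unfilled cells count as NOT MET, a discipline whose higher levels have simply not been assessed yet scores exactly as the tool shows; and because the loop returns at the first incomplete level, a 'MET' entered at level 3 while level 2 is still partial has no effect on the score.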

Presenting the results


The results for all the domains are recorded in the results table in a separate sheet. The table also has space to input an ideal maturity and an agreed target maturity (as described in Section 4). The results of all domains are plotted in graphs found in tabs towards the front of the ISF Maturity Model Accelerator Tool. The results are also plotted in suggested groups. All of these groups and graphs can be altered by Members to meet their specific requirements.

What to do after a maturity assessment

After an organisation has conducted a maturity assessment following Phases 1 and 2 of the ISF's four-phase process (Section 4) it then needs to DECIDE a target maturity and PLAN how to achieve it. More details of how to decide an appropriate target maturity (Phase A3) and how to achieve it (Phase A4) can be found in Section 4.

38 ISO/IEC 15504-2:2003 defines four ratings (not, partially, largely and fully achieved) rather than three. Members warned that this often creates confusion amongst respondees who were unable to differentiate between the middle two options. As a result, this model only has three options.


6 Conclusion

Using a maturity model is not an end in itself; rather it is a business planning tool that helps organisations target maturity in the areas that create or protect value. Using a maturity model helps information security build consensus, prioritise investment and demonstrate progress. To get the balance of maturity correct, an understanding is needed of both the effects of maturity and the costs of achieving it.

Using a maturity model also acts as a catalyst for engagement with the wider business through the process of deciding where to target maturity and agreeing the appropriate maturity level. It provides a framework and common language for discussion and debate on how information security can enable the organisation to achieve its goals. A key aim for the information security function and its leader should be to engage with the organisation to agree a target maturity that will support organisational goals, meet compliance requirements and manage information risk. This report provides the necessary detail on the benefits and limitations of using a maturity model, and how to use one to focus time and investment on value.

This report also provides an ISF Maturity Model, aligned with the Standard, which can be adapted to suit the needs of individual Members. The ISF encourages Members to use it and share feedback and suggestions for improvement with other Members and the ISF Global Team on ISF Live.

Glossary

Assessed: The individual or business unit from which information is being collected during the maturity assessment.
Assessment: See maturity assessment.
Assessor(s): The individual (or team) who conducts maturity assessments, gathers information (either remotely or in person), and makes the assessment of maturity.
Business unit: The sub-divisions of the organisation.
Discipline: An area of activity within a subject. In the subject of information security, examples of disciplines are change management and asset management.
Domain: The highest-level sub-divisions of a maturity model.
Goal: The stated aim of specific activities within a discipline. A discipline may have more than one goal.
Lead: The individual responsible for the use of the maturity model and who plans, co-ordinates and promotes its use across the organisation. In small organisations this may be the Sponsor. In larger organisations, it is likely to be an individual who reports to the Sponsor.
Mature state: The most advanced state. The state or condition of being fully mature. The mature state may change over time.
Maturity: A measurement of progress between an immature state and a mature state. For example: 'what is your maturity in vulnerability management' means 'how much progress have you made in vulnerability management from the immature state to the mature state?'. This is the meaning used with maturity models generally and in this report.

NOTE: This can be confusing because the common usage and dictionary definition of 'maturity' means 'the mature state' which is described above.

Maturity assessment: An evaluation of maturity, usually performed using a maturity model.
Maturity model: A tool used to define and assess maturity in a subject or discipline.
Organisation: The entire organisation.
Phase: The four sub-divisions of the process for using a maturity model. The four phases are: PREPARE, ASSESS, DECIDE, PLAN. All four phases sit within the 'Define' Stage of the business planning cycle.
Process: A set of interrelated or interacting activities which transforms inputs into outputs.
Specific activities: In the ISF Maturity Model these are the activities that are performed to achieve a goal.
Sponsor: The individual who decides a maturity model will be deployed. This individual is likely to be a member of the senior management team who represents information security in the organisation. This individual is also responsible for the resourcing and budget sign-off for using a maturity model.
Stage: The highest level sub-divisions of the business planning cycle as described in the Standard. The four Stages are: DEFINE, IMPLEMENT, EVALUATE, ENHANCE.
Stakeholder(s): An individual or group of individuals who can affect or be affected by the use of the maturity model.
Step: The sub-divisions of the phases in the four-phase process.
Sub-discipline: The sub-divisions of a discipline. Many maturity models divide the disciplines up further into sub-disciplines.
Sub-domain: The sub-divisions of a domain within a maturity model.
Subject: A high level area of activity. A subject is made up of different disciplines. In this report, the subject is 'information security'.

Appendix: Methodology

This report is based on:

• ISF Member development workshops held in London (x2), Oslo, Helsinki, Toronto, New York and Amsterdam
• Discussions and interviews with ISF Members worldwide
• Information submitted by ISF Members via ISF Live
• Input from subject matter experts
• Books, news articles, conference presentations, blogs and online research
• Thought leadership provided by the ISF Global Team.

Acknowledgements
The ISF would like to thank all ISF Members and external experts who contributed to this report by being interviewed, emailing ideas and posting comments on ISF Live.

We would specifically like to thank those Members who contributed to the data gathering and validation phases by participating in workshops and those who commented on pre-publication drafts.

ISF MEMBERS (COMPANY)

John Velissarios (Accenture)
Lies Alderlieste-de Wit (Aegon)
Florence Ballard (Airbus)
Sandeep Kumar (Alvarez & Marsal)
Jaap Halfweeg (AP Moller Maersk)
Terje Andre Olson (Arbeids-og velferdsetaten)
Robert Dixon (Barclays)
Theresa Castillo-Lalonde (Bell Canada)
Iouri Petoukhov (Bell Canada)
Abel Ferreira (BP)
Ross Wells (BP)
Richard Baker (BT)
Craig Peach (Capgemini)
Sam Smith (Capgemini)
Alex Stezycki (Capgemini)
Pippa Sullivan (Capgemini)
Ed Bronner (CGI)
Rob Janssens (CGI)
Mike Brown (CIBC)
David Charing (CIBC)
Ross Zekic (CIBC)
Richard Berger (CIGNA)
Kim Aarenstrup (Deloitte)
Georg Wambach (Deutsche Telekom)
Lillian Røstad (DiFi)
Arun Jose (Direct Line Group)
Ed Parkins (Direct Line Group)
William Perry (Direct Line Group)
Ed Parkins (DirectLine)
Gaurav Kumar (eHealth Ontario)
Prakash Wadhwa (eHealth Ontario)
John Davies (Euroclear)
Rune Røkke (Evry Nordic Operations)
Mark Brown (EY)
Antonio Martiradonna (EY)
Jatin Sehgal (EY)
Willem Scheeres (EY)
Topias Salminen (Finnair)
Peter Merker (Firmenich)
Frank Steffero (Firmenich)
Juha Harkonen (Fortum)
Jarmo Huhta (Fortum)
James Gosnold (Fujitsu Services)
John Swanson (Fujitsu Services)
Matthew Vale (Fujitsu Services)
David Williams (Giesecke & Devrient)
Chris Baker (GlaxoSmithKline)
Steve Williamson (GlaxoSmithKline)
Richard Wright (GlaxoSmithKline)
Bhrugvish Gore (Goldman Sachs)
Jeff Warren (Government of Victoria)
Zaki Abbas (Great-West Life Assurance)
Anna-Stina Berg (Svenska Handelsbanken)
Nigel Burnford (Hewlett Packard)
Frank Stoermer (Hewlett Packard)
Simon Blades (HSBC)
Tom Mellor (IBM Global Services)
Stephan Rook (IBM Global Services)
Stefaan Van Daele (IBM Global Services)
Werner Gutau (Infineon Technologies)
Ton Diemont (ING Group)
Jaewon Lee (ING Group)
Claire Vishik (Intel)
Kimmo Helaskoski (Itella)
Rob Bickmore (Jaguar Land Rover)
Paul Atmore (John Lewis Partnership)
David Futter (JP Morgan Chase & Co)
Henrik Smit (KPMG)
Pieter van Houten (KPMG)
Rob Meijer (KPN)
Adrian Seccombe (Leading Edge Forum)
Gary Emberson (LV)
Matthew Bottomley (Lloyds Banking Group)
Gareth Carrigan (Lloyds Banking Group)
Dave Leather (Lloyds Banking Group)
David Sewell (Lloyds Banking Group)
Andrew Wortley (Lloyds Banking Group)
Dirk Loomans (Loomans & Matz)
Mette Fjellsa Paulsen (Ministry of Foreign Affairs (Norway))
Ian Benfell (Morgan Sindall)
Raymond Causton (NETS)
Bjorn-Arild Kydland (NETS)
Darren Hepburn (Network Rail)
Kirsty Benn-Harris (NIHR)
Jarkko Rautula (Microsoft Mobile)
Terry Stern (Microsoft Mobile)
Niels Andersen (Nordea Bank)
Pierre Schwartz (Nordea Bank)
Kay Behnke (NXP Semiconductors)
John Pendleton (Old Mutual)
Colin Alexander (Phoenix Life Holdings)
Michelle Duff (Procter & Gamble)
Hubert Kirchgaessner (Procter & Gamble)
Carole Embling (Prudential)
Kevin Flood (Prudential)
Craig McGann (Prudential)
James Thomas (Prudential)
John Crompton (PwC)
George Draper (PwC)
Ravin Gautam (PwC)
Hannah Gore (PwC)
Roar Gulbrandsen (PwC)
Kristen Hayduk (PwC)
Jorge Melendez (PwC)
Muhammad Mian (PwC)
Paul Midian (PwC)
Opeyemi Ore (PwC)
Ian Todd (PwC)
Grega Vrhovec (PwC)
Grant Waterfall (PwC)
Adrie Janssen Steenberg (Rabobank Nederland)
Rob Moniuk (Royal Bank of Canada)
Amalia Steiu (Royal Bank of Canada)
David Aubrey-Jones (RBS)
Samantha Beesley (RBS)
James Chambers (RBS)
Jill Trebilcock (RBS)
John Fonteijn (Royal Ahold)
Bilal Khurshid (Royal Mail Group)
Mikhail Tolchelnikov (SABMiller)
Henri Eklund (Samlink)
Markku Lindberg (Samlink)
Jari Pirhonen (Samlink)
Martin Eichhoff (Sanlam Capital Markets)
Jeroen de Boer (Shell International)
Erik Pols (Shell International)
Nikola Holyer (Skandia UK)
James Thornton (Smiths Group)
Tomi Martinen (SOK)
Renate Thoreid (SpareBank 1DA)
Michael Constable (SSE Services)
Olutosin Fabode (SSE Services)
Agnivesh Sathasivam (SSE Services)
Tim Shum (SSE Services)
Olutoson Fabode (SSE Services)
Emmerentia du Plooy (Standard Bank)
Beverley Allen (Steria)
Alistair Young (Steria)
Agneta Martinelle (Swedbank)
Matthew Billowes (Symantec)
James Hanlon (Symantec)
Lisa Burns-Peake (Tesco Stores)
Nadia Boreux (Tesco Stores)
Robert Dunn (Tesco Bank)
Wyn Moseley (Thames Water)
Erkki Helio (Tieto)
Veijo Pirhonen (Tieto)
Mark Ellis (TNSI)
Andy Cassin (Towers Watson)
Marios Nicolaou (TUI Travel)
Ellie Gentle (Unilever)
Neil Loader (Unilever)
Alan Willcox (Vanguard)
Martin Beumer (Vattenfall)
John Rudolph (Verizon)
Petri Puhakaihen (Vero)
Darren Desmond (Virgin Media)
Phillip Gregory (Virgin Money)
James Redhead (Virgin Money)
Patrick Hendrick (Vodafone)
Johnson Tamakloe (Vodafone)
Satu Simonen (Wärtsilä)
Karen Gadd (Worldpay)

As always, because ISF Members are providing information that may be about their own organisation, their contributions are anonymous. Please accept our apologies for any omissions from the list.

The views, opinions and comments in this report are not necessarily those of contributors or of ISF Member organisations.

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

For further information contact:

Information Security Forum

Tel: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
Email: info@securityforum.org
Web: www.securityforum.org

Reference: ISF 14 09 01 Copyright © 2014 Information Security Forum Limited. All rights reserved.