ISF - Time To Grow - Using Maturity Models To Create and Protect Value - Report - Ed2-1
Time to Grow
Using maturity models to create and protect value
Published by
Information Security Forum Limited
Tel: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
Email: info@securityforum.org
Web: www.securityforum.org
Project team
Ralph Bennett
Victoria Melvin
Design
Ross Mackenzie
Warning
This document is confidential and is intended for the attention of and use by either organisations that are Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct.
If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on info@securityforum.org.
Any storage or use of this document by organisations which are not Members of the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.
Classification
Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.
Time to Grow: Using maturity models to create and protect value Information Security Forum
Contents
Using a maturity model for business planning 2
1. Introduction 5
Maturity: Help or hindrance? 5
The business-focussed benefits of using a maturity model 5
How to gain these benefits 5
6. Conclusion 46
Glossary 47
Appendix: Methodology 48
Using a maturity model for business planning
[Figure: the four-phase process, arranged around the organisation’s STRATEGIC GOALS. Phase A – DEFINE: A1 PREPARE (identify the organisational context; prepare the model), A2 ASSESS (conduct the assessment; compare against others), A3 DECIDE (discuss the results; agree a target maturity), A4 PLAN (identify activities to achieve maturity; produce and agree plans). Phase B – IMPLEMENT. Phase C – EVALUATE (maturity level scale 1 to 5, with Current and Target maturity marked). Phase D – ENHANCE (update plan). Outer ring: build consensus, prioritise investment, demonstrate progress.]
Key moments when using a maturity model
1. Choosing the right maturity model (pages 13 and 24)
THE MODEL MUST: focus on organisational aims; include compliance/audit requirements; be the correct type of maturity model.
Maturity insights: too much stifles agility; maturity can increase or decrease; it doesn’t increase evenly over time; big differences can signify hidden problems; units with different maturities can struggle to work together.
COSTS: there are indirect costs of maturity; sustaining maturity has a cost; investment doesn’t ensure maturity; scale affects cost.
LIMITED: set small increase in few areas. MODERATE: compare against others. HIGH: focus on value, compliance and risk.
1 Introduction
Maturity: Help or hindrance?
Does your current information security maturity help or hinder your organisational strategy? Too little maturity and you can’t provide assurance that you’re supporting and protecting the organisation; too much and you’re over-investing. A maturity model is a tool that helps to target information security investments at strategic priorities – helping rather than hindering.
Skillfully deployed, a maturity model acts as a catalyst for engagement between information security and the wider organisation. It enables the information security function, together with senior management and relevant business units, to define and agree a cohesive vision that takes a strategic perspective, above the transactional and technical. The information security function can then translate this vision into actions to include within regular business planning.
Many Members claimed they benefitted from using a maturity model, but were still concerned they were not getting the maximum value out of doing so. 91% would recommend using a maturity model but fewer than half (46%) considered themselves competent at using maturity models. Of those who have used a maturity model, only 16% described the experience as simple. This report shares best practice about maturity models and maturity, explaining how to get the most out of using a maturity model as part of regular business planning.
[Sidebar: 46% considered themselves competent at using maturity models]
This Section outlines the specific requirements identified by Members and where they are addressed in the report. It also identifies the target readership and how they can get the most from this report. Lastly, it explains how maturity models complement other ISF deliverables.
3. How to use a maturity model to focus on organisational value (Section 4, Using a maturity model for business planning): Presents a four-phase process which can be used with any maturity model. It encourages information security practitioners to support the organisation’s strategic goals.
4. How to use a maturity model to compare against peers and competitors (Section 4): Enables comparison against peers and competitors. 60% of Members told us that their senior management want to compare the organisation’s information security maturity against others. Phase A2 ASSESS outlines five options for obtaining comparison data to meet this requirement.
5. How to choose a target maturity (Section 4): Outlines three approaches to decide an appropriate target maturity for an organisation in Phase A3 DECIDE.
6. How the outputs from a maturity model can fit into the business planning cycle (Section 4): Distils Member experience of using a maturity model in a business planning cycle, allowing other Members to benefit from lessons learned in how to gain consensus, plan activities and prioritise them according to what the organisation values.
7. A maturity model aligned with the ISF’s Standard of Good Practice for Information Security (Section 5, The ISF Maturity Model): Describes the ISF Maturity Model which covers 21 disciplines of information security, based on content from the Standard and input from Members. By using the ISF Maturity Model, Members can focus their efforts on planning and implementing improvements, rather than spending considerable resources developing their own.
How this report helps
Readership
This report is written with two readerships in mind:
• The information security practitioner who uses a maturity model to support business planning, including conducting a maturity assessment. Practitioners will benefit from reading all Sections of this report. In particular, they should find it helpful to learn how to optimise the process for using a maturity model (Section 4) and to decide if the ISF Maturity Model (Section 5) meets their requirements.
• The CISO, CIO or equivalent information security leader who will decide whether a maturity model should be used in their organisation and what it would be used for. Information security leaders need to understand what a maturity model is, what it can (and cannot) be used for, and the benefits that come from using one (Section 3).
BENCHMARK / SECURITY HEALTHCHECK: The ISF’s Benchmark and Security Healthcheck are used to assess and compare the status of security controls within disciplines (e.g. incident management or security architecture). Using a maturity model offers a complementary insight into the degree their maturity is supporting or hindering these disciplines.
IRAM: The ISF’s Information Risk Assessment Methodology (IRAM) offers an organisation that takes a risk-based approach to information security a way to identify and assess those risks. A maturity model can be used to assess the maturity of disciplines used to manage information risks and how well they support the management of information risk across the organisation.
This report encourages information security leaders to look beyond managing risk and meeting compliance requirements, by considering how their function can support the organisation in creating value. Using ISF tools and research reports in conjunction with a maturity model can help meet these requirements and deliver this value.
Once an organisation has decided to increase maturity in a discipline (e.g. to increase the maturity of its information security policy), a maturity model provides the high-level steps needed to do so. The Standard, supported by ISF research reports, can then be used to develop a more detailed improvement plan.
Introduction
How would you recognise a great violinist? What would distinguish them from a beginner? Is it by the music they play? Is it their technique? Is it how much they practice? The various possible answers to this question emphasise the difficulty in consistently identifying progress. We know it when we see it, but it’s difficult to define and there isn’t a single correct answer. A maturity model is an attempt to address this problem, to codify progress.
This Section explains maturity models and their application in information security. It explains that a maturity model is a tool used to define and assess progress. It then describes the three types of maturity model, their uses and limitations, and the different ways they provide assurance. It describes how maturity models are used in information security. Lastly, it explores maturity and related costs in information security.
To identify progress towards the mature state, intermediate maturity levels are identified that represent steps of progress. Ideally, these levels of progress are discrete and easy to recognise. A maturity model usually assigns a numerical value to each level (e.g. 1 to 5) to indicate the order in which they occur.
[Figure: a maturity scale running from the Immature State (level 1) to the Mature State (level 5). For ASSET MANAGEMENT, each level is defined by its characteristics, attributes, indicators or patterns; Current and Target maturity are marked on the scale.]
This route is then used to identify current maturity (where we are) and choose a target maturity (where we want to be). Plans are then developed to move from the current maturity to the target maturity.
A maturity model should define whether each maturity level builds on and requires the previous level (a cumulative maturity scale) or whether each level can be assessed independently and does not require the lower maturity level(s).
NOTE: A maturity model involves a high degree of subjectivity. Both the contents of the model, and the assessment of maturity, are based on human judgement. The user needs to understand and remember this when making an assessment and analysing results.
3 Butkovic M. Caralli R. Advancing cybersecurity capability measurement using the CERT-RMM maturity indicator level scale. November 2013. CMU/SEI-2013-TN-028.
What is a maturity model?
A maturity model is usually sub-divided into smaller sections called domains. In some maturity models these domains are further divided into sub-domains. This approach structures the subject being assessed. For example, a maturity model for information security is likely to contain domains that will cover the disciplines that constitute information security such as asset management and vulnerability management. This provides a common structure with which to understand the subject and aid communication with others.
[Figure: Domain 1 ASSET MANAGEMENT, with Sub-domain 1 Identify Assets, Sub-domain 2 Log Assets and Sub-domain 3 Monitor Assets, each plotted against maturity levels 1 to 5.]
For each line at the lowest level in the model (whether at domain or sub-domain level) descriptions of progress at each maturity level are defined, as in this
[Figure: ASSET MANAGEMENT, maturity levels 1 to 5.]
NOTE: There is a practical difference between the components of a maturity model and the disciplines that constitute a subject. In this report, a maturity model is divided up into ‘domains’. A ‘subject’, such as information security, is divided up into ‘disciplines’, such as compliance, risk management, incident response. A maturity model may cover a whole subject (such as information security) or it may cover only one discipline (such as risk management). Full definitions can be found in the Glossary.
So, in addition to a common view of progress, a maturity model provides a common structure and common language which aids understanding and communication.
[Figure: Common view of progress, Common structure, Common language. ASSET MANAGEMENT across maturity levels 1 to 5, with rows Identify Assets, Log Assets and Monitor Assets; each cell holds the characteristics, attributes, indicators or patterns for that level.]
For each type, the following sub-sections describe what type of progress it measures, what increasing maturity gives, the benefits and drawbacks, what to look for when choosing one, and any other points to note.
RIDING A BICYCLE
Maturity level 1: Ride a child’s tricycle
Maturity level 2: Ride a child’s bicycle with stabilisers
Maturity level 3: Ride a child’s bicycle without stabilisers
Maturity level 4: Ride an adult’s bicycle
Maturity level 5: Ride a racing bicycle
Progress in this example is through the activities that represent a view of progression in learning to ride a bicycle. Each step is easy to recognise, and it is clear what the next stage of progress looks like. It is important to note that it is not necessary to achieve the mature state, level 5; not everyone rides, or wants to ride, a racing bicycle. It may be sufficient to stop progressing once able to ride an adult bicycle. Nor does one have to start at the first activity. A child may learn to ride a bicycle, without having had a tricycle or stabilisers.
An information security example (from the Building Security In Maturity Model6 (BSIMM)) is provided below. It shows the progression of ‘Standards and Requirements’ when developing software. (Please note: there are only three maturity levels in BSIMM).
STANDARDS AND REQUIREMENTS
Maturity level 1: Provide easily accessible security standards and requirements
Maturity level 2: Communicate formally-approved standards internally and to vendors
Maturity level 3: Require risk management decisions for open source use
Increasing maturity gives: Increasing assurance that the organisation is conducting the same activities as others and in the same sequence.
Benefits: Activity maturity models are seen as ‘practical’ as they describe real-world activities, so it is easy to assess current maturity, and to identify the steps to increase maturity. As an activity model provides access to a community view of how to progress in a discipline, they provide a shortcut to identify the most common practices, giving users access to years of experience in a discipline.
Drawbacks: There is no overall scale for the maturity model, so there is no way to justifiably compare maturity levels between different domains being assessed. Whilst there will usually be a numerical scale, there is no basis to say, for example, that a ‘3’ represents the same amount of progress in two different domains. Nor do activity maturity models give insight into competence. In the bicycle example above, there is no assessment of how competent the rider is at riding an adult bicycle. Also, the activities that represent progress will change over time and the model will need to be updated regularly to represent these changes. In the bicycle example, a few years ago, the ‘adult’s bicycle’ may have been a ‘mountain bike’. The BSIMM maturity model has been refreshed every year to reflect changes in software development6. In a fast-changing subject like information security, an activity maturity model could quickly become dated unless updated regularly.
4 Caralli R. Discerning the Intent of Maturity Models from Characterizations of Security Posture. January 2012. CMU/SEI-2012-58924.
5 ‘Activity’ maturity models are sometimes referred to as ‘progression’ maturity models. This report uses the term ‘activity’ maturity model.
6 http://www.bsimm.com/
What to look for: Before using an activity maturity model, it is important to understand who developed the list of activities. Consider whether everyone, or almost everyone, progresses in the way described in the maturity model. In the bicycle example above, does everyone learn to ride a bicycle in the same way, or are there other ‘equally beneficial’7 ways to progress when riding a bicycle?
NOTE: An organisation is unlikely to become a world leader if it is only looking at what other organisations tend to do.
These generic process descriptions are then applied to each domain or sub-domain (depending on the model). A simple example of how the process of performing backups matures is given below: an increasing maturity gives an indication of increasing capability in performing backups. This type of maturity model is only relevant where business processes exist so the example below reflects this.
BACKUPS
Maturity level 1: Backups are performed randomly
Maturity level 2: Backups are planned
Maturity level 3: Backups are managed
Maturity level 4: Backups are measured and controlled
Maturity level 5: Backups are continually improved
Increasing maturity gives: Increasing assurance that activities will be consistent, effective and resilient.
Benefits: As processes tend to mature in consistent ways in different subjects, the prime benefit of capability models is that the same scale, with minor adjustments, can be applied to a process in any subject or discipline. This type of model therefore facilitates comparison between different subjects or disciplines. Also, processes tend to be outcome-focussed, rather than method-focussed. In a fast-changing subject like information security, the desired outcomes of processes will stay more constant than the methods used to achieve them.8 Capability models therefore require less updating than activity models.
Drawbacks: The generic descriptions of process maturity often require adjustment to make sense for a particular subject. The more detailed the maturity model, the more adjustments need to be made for use in different subjects. As the process descriptions are generic, it is difficult to identify current maturity accurately and difficult to identify steps to increase maturity, as neither are described in specific practical terms. Lastly, there will sometimes be conflicts between how an activity matures theoretically (following process maturity) and how it tends to mature in the real world. In a capability model, the theoretical scale always takes precedence for the sake of consistency and in these cases, the maturity model will contradict what really happens.
What to look for: The purpose of a capability maturity model is to plot progress in capability, so it is important to check the maturity scale and ensure that the organisation agrees that higher maturity will actually translate into being more capable.
NOTE: It is important to understand that having more mature processes is not appropriate for all circumstances and therefore not always beneficial. More details can be found on page 14 and in Section 4, Phase A3 DECIDE on page 31.
7 Teo, T. S. H. and King, W. R. Integration between Business Planning and Information Systems Planning: An Evolutionary-Contingency Perspective. Journal of Management Information Systems, 14 (1), pp. 185-214. 1997.
8 BSI. Cyber Security Risks, Governance and Management. PAS 555. 2013.
WORKFORCE MANAGEMENT: Assign Cybersecurity Responsibilities
Maturity level 1: Cybersecurity responsibilities for the function are identified; cybersecurity responsibilities are assigned to specific people.
Maturity level 2: Cybersecurity responsibilities are assigned to specific roles, incl. external service providers; cybersecurity responsibilities are documented.
Maturity level 3: Cybersecurity responsibilities and job requirements are reviewed and updated as appropriate; cybersecurity responsibilities are included in job performance evaluation criteria; assigned cybersecurity responsibilities are managed to ensure adequacy and redundancy of coverage.
Increasing maturity gives: Increasing assurance that the organisation is conducting the same activities as others, and that the organisation is becoming more capable at those activities.
Benefits: Hybrid models assess two aspects at once: ‘are we doing the same activities as others?’ and ‘how capable are we at those activities?’
Drawbacks: Hybrid models are new and therefore rare; they have only been developed in a small number of critical infrastructure industries10. Hybrid models combine descriptions of activities, and how they mature, for each discipline. In order to combine these two concepts (progress in activities and capabilities) both the description of activities and the descriptions of how they mature are high-level. As a result, a hybrid maturity model will only provide the high-level steps needed to increase maturity.
Because they contain descriptions of activities, hybrid models also need to be updated more regularly than capability models. Lastly, as with capability models, there will sometimes be conflicts between how an activity matures theoretically (following process maturity) and how it tends to mature in the real world, so it is important to determine which will be given precedence during the development of the model.
What to look for: Both activities and capabilities need to be considered. It is important to understand who developed the list of activities and the way that progress in capability is measured in the model.
NOTE: The ISF Maturity Model is a hybrid model which draws on content from the Standard. Organisations whose information security activities are aligned with the Standard are likely to benefit from using the ISF Maturity Model.
• An activity maturity model provides assurance in activities. As maturity increases, there is increasing assurance that the organisation is doing the same activities as others, and in the same order.
• A capability maturity model provides assurance in capabilities, usually by assessing processes. As processes mature there is increased assurance that the activities will be consistent, effective and resilient. They don’t provide absolute assurance; but they give increased confidence that processes are supporting the activities to be consistent, effective and resilient.
• A hybrid maturity model provides assurance in both activities and capabilities. As maturity increases, there is increasing confidence that the organisation is doing the same high-level activities as others, and that the processes are supporting those activities to be increasingly consistent, effective and resilient.
9 http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2-program/electricity-subsector-cybersecurity.
10 http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program.
If Members are choosing a maturity model for the first time, or are considering changing from their current one, a list of information security maturity models is available on ISF Live.
Selecting a maturity model is complex. However, in simple terms, the selection can be facilitated by considering which of the three statements below best represents what the organisation wants to achieve.
I want to compare our capability across several different disciplines of information security: Use a capability model
All three types of maturity model can be used to compare maturity internally or externally against other organisations (as long as those being compared against have used the same model).
NOTE: Several Members reported that they had developed their own hybrid models that were specific to their organisation. To reduce the overhead for each Member to undertake this type of development, this report and the associated accelerator tool present the ISF Maturity Model (Section 5), which is a hybrid model.
11 Such as http://resources.sei.cmu.edu/asset_files/Podcast/2013_016_100_58913.pdf
12 http://bsimm.com/
13 http://whatis.cmmiinstitute.com/
14 http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2-program/electricity-subsector-cybersecurity
15 http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program
The most popular information security maturity models amongst Members are described in brief below along with Member views of them. It is interesting to note that almost all of the information security models that Members have used (including all those listed below) are capability maturity models.
CMM/CMMI16: Capability Maturity Model (CMM) and CMMI are capability models which were originally designed for software development, but have since been adapted for use in other subjects. Those Members who have tried to use CMMI have found it very difficult, particularly when trying to adapt it for use in information security. This is due to the detailed processes and documentation that support the model. Many have used the high-level CMMI capability maturity levels, but still needed to provide an information security structure to assess against, the most frequent choice being ISO/IEC 27001/2.
Control Objectives for Information and related Technology (COBIT)17: The most common versions that Members have used are the capability models in COBIT 4.1 and COBIT 5. Members who have used COBIT 4.1 were generally positive. However, those who have attempted to use COBIT 5 were much less positive, finding it overly complex. Because COBIT is IT-focussed, rather than focussed on information security, some Members considered its approach too technical. Members were also concerned about the considerable time required to complete a full assessment.
The Forrester Information Security Maturity Model18: This capability maturity model covers information security. Members liked the high-level nature of this maturity model and thought it contained some useful aspects. They were frustrated however that the structure and descriptions of maturity do not align with any standards.
CERT-Resilience Management Model (CERT-RMM)19: Only a small number of Members had used this capability model. While generally positive, they were concerned by the significant amount of work required to conduct an assessment.
Proprietary/Consultant developed: Several Members have conducted assessments using a proprietary maturity model, usually capability models used as part of a consulting engagement. Members viewed these models as most useful when they contained industry best practice or if they aligned with existing information security standards (ideally both). Members were less positive when a model only aligned with the consultants’ approach to information security, which they considered to be of little benefit.
Overall, Members liked some aspects of each of the above maturity models but none seemed to meet the required level of detail or focus on information security. Additionally, many Members wanted (but didn’t have) a maturity model which aligns with the Standard. The ISF Maturity Model, described in Section 5, is designed to meet these requirements.
NOTE: The examples given on previous pages (ES-C2M2 and BSIMM) did not feature in the list of most popular maturity models with Members so are not included here.
It is easy to jump to the wrong conclusion about maturity, assuming more is always positive. For each proposed increase in maturity, a cost/benefit analysis should be undertaken to answer the questions: is there a benefit by increasing maturity to that point, and what is the cost of doing so? The insights come in two groups, those about maturity and those about the associated costs.
NOTE: A common reason given for setting a high maturity target (in a capability maturity model) is to achieve efficiency savings gained from mature processes, in particular those subject to continuous improvement.20 The ISF has not identified any independent research which demonstrates that efficiency savings outweigh the costs of achieving and maintaining high maturity levels in information security. Rather, the benefits gained by achieving high maturity are often ‘overshadowed by cost’.21 However, this only refers to high maturity (levels 4 to 5) and ‘very few organisations are over-achieving when it comes to maturity’.22
Maturity insights
Maturity can decrease as well as increase: If an organisation considers itself to be too mature in a discipline, usually due to changing organisational priorities, maturity can be reduced over time. This is best achieved by taking active steps such as removing process, retiring documentation, re-assigning staff or reducing oversight. If an organisation decides it is too mature in a discipline following an assessment, this represents an over-investment. A reduction in maturity to an appropriate level would result in a cost saving. Advice: When deciding a target maturity, consider whether the target could be below your current maturity.
Maturity does not increase evenly over time: There is a pattern to how maturity increases over time.24 Achieving higher maturity levels typically takes longer than achieving lower maturity levels. The exact pattern of how maturity increases will depend on the maturity scale used. Advice: Don’t aim too high with a target maturity, and don’t over-promise on what you will deliver.
A significant difference in maturity between disciplines can signify hidden problems: Many information security disciplines are interdependent (e.g. vulnerability management and asset management). Whilst these disciplines are assessed separately in a maturity model, there are likely to be significant interdependencies between them. Members should be wary of a large disparity in maturity scores for disciplines that are interdependent as it may indicate a problem: e.g. if vulnerability management is mature, but asset management is immature, the organisation will only be managing vulnerabilities on the assets it knows about; there may be other assets of which it has no visibility. Note: this is why the ISF Maturity Model identifies which disciplines are interdependent. Advice: When deciding a target maturity, include dependencies in your thinking.
Business units with different maturities can struggle to work together: One Member warned that there can also be problems if different business units with significantly different maturity levels have to work together as they may have incompatible working practices. “If areas have widely different maturity, they just don’t understand each other.” Advice: When planning how to achieve target maturities, consider business unit interactions in the plans. Don’t forget the human element!
Cost insights
There is an indirect cost of increasing maturity
In addition to the direct cost of achieving a higher maturity, there is also an indirect cost to the remainder of the organisation of implementing new or enhanced security requirements. This indirect cost has been estimated between 2% and 25% of IT spend.25
Implication: Identify the costs that will be incurred by other parts of the business. Ensure these are included in the cost/benefit analysis.
Scale affects cost
The cost of increasing maturity will depend on the proposed activities and the complexity of implementing them in the organisation. In a small organisation, documenting a process that is already performed could take a few hours. In a global organisation with many business units it could take many months to achieve consistency in a single activity.
Implication: Considerations of scale need to be included when setting target maturity.
Increasing investment does not automatically lead to increased maturity
There are examples of organisations that spend large amounts of money on information security, but this does not translate into increased maturity.26 For example, investments made on technical equipment may not translate into more capability in using it.
Implication: Don't assume that increased investment in an area leads to maturity. If your aim is to increase maturity, make sure investments are focussed on achieving it.
• Assess the maturity of compliance practices. An information security maturity model will usually support a maturity assessment of compliance practices. This is the simplest approach and makes best use of the maturity model.
• Plot every compliance requirement in each discipline. This may be possible (although time consuming) in a detailed maturity model, but most maturity models do not contain sufficient detail to allow users to identify the exact maturity level required to meet a specific compliance requirement. Many Members suggested that compliance should be directly assessed against the relevant requirements, rather than via the extra intermediate step of the maturity model. One compromise is to highlight the disciplines in which there is a compliance requirement. This informs those making any decisions that there is a compliance requirement to be taken into account but doesn't overload the model with unnecessary information.
• Use a maturity model aligned with compliance activities. Several Members suggested that the choice of maturity model must support specific regulatory/audit/compliance requirements relevant to the organisation. For example, if an organisation has a regulatory requirement to demonstrate compliance with a particular standard (e.g. ISO/IEC 27001/2 or NIST Cybersecurity Framework) they should choose a maturity model that is based on that standard.
Using a maturity model for business planning
[Figure: the four-phase process for using a maturity model in business planning. Stage A – DEFINE consists of A1 PREPARE (identify the organisational context; prepare the model), A2 ASSESS (conduct the assessment; compare against others), A3 DECIDE (discuss the results; agree a target maturity) and A4 PLAN (identify activities to achieve maturity; produce and agree plans), moving the organisation from its current to its target maturity level on a 1-5 scale. Stages B – IMPLEMENT, C – EVALUATE (update plan) and D – ENHANCE follow, feeding back into Stage A. Strategic goals drive the cycle, which builds consensus, prioritises investment and demonstrates progress.]
Introduction
This Section explains how to use an information security maturity model in a regular business planning cycle to focus on organisational value. ISF research confirmed that how to use a maturity model and deciding target maturity levels for disciplines is just as important as deciding which maturity model to use.
Our research identified that there are four phases common to using a maturity model, each of which is explained in detail in this Section. The four-phase process works with any maturity model, including the ISF Maturity Model in Section 5.
This four-phase process brings together Member experience from their use of maturity models, allowing Members to learn from others. It is deliberately not prescriptive because detailed approaches can be found elsewhere28. The four-phase process (particularly A1 PREPARE and A2 ASSESS) will support the requirements for conformity with ISO/IEC 15504:2004, the accepted standard for conducting process maturity assessments. If Members need to demonstrate conformity with ISO/IEC 15504, for example due to organisational policy or a compliance requirement, full details can be found in the ISO/IEC standard.29
Stage C – Evaluate: The information security function uses the maturity model to assess progress against plans.
Stage D – Enhance: The planned improvements from the previous Stage are implemented.
NOTE: As a maturity model is a business planning tool, most of this Section of the report concentrates on Stage A – Define where the maturity model is used for planning. A maturity model can also be used to check progress, so Stage C – Evaluate is also covered in some detail. Consequently Stages B – Implement and D – Enhance, in which plans are implemented, are covered in less detail.
28 For example: ISO/IEC 15504 (2004) or Standard CMMI Appraisal Method for Process Improvement (SCAMPI) A, Version 1.3: Method Definition Document. March 2011. CMU/SEI-2011-HB-001.
29 ISO/IEC 15504-1, 15504-2 (2003), 15504-3 (2004). Available from www.iso.org. This is a set of requirements for conducting maturity assessments.
Step: e.g. 1. Identify the organisational context; 2. Prepare the model
After each step is explained in detail, covering the required tasks, the phase concludes with a short summary of what has been accomplished and introduces the next phase.
NOTE: It is unlikely that an individual ISF Member would need to carry out every task of every step of the process (although it can be used in that way). Rather, the process is designed to be modular: it can be used in part, or used as a reference where necessary to augment existing efforts. Similarly, while a Member may wish to follow the Phases in the order they are presented, some of the steps and tasks within each Phase are likely to be conducted concurrently.
Roles and descriptions
Sponsor: The individual who decides a maturity model will be deployed. This individual is likely to be a member of the senior management team who represents information security in the organisation. This individual is also responsible for the resourcing and budget sign-off for using a maturity model.
Lead: The individual responsible for the use of the maturity model and who plans, co-ordinates and promotes its use across the organisation. In small organisations this may be the Sponsor. In larger organisations, it is likely to be an individual who reports to the Sponsor.
Assessor(s): The individual (or team) who conducts maturity assessments, gathers information, and interprets the results to assess maturity. Thought should be given to the skills and experience the Assessor(s) will require, which are likely to include an understanding of information security, business acumen, communication and analysis skills, and an understanding of the maturity model being used.
Stakeholder(s): An individual or group of individuals who can affect or be affected by the use of the maturity model.30
Assessed: The individual or business unit from which information is being collected. This information forms the basis of the maturity assessment.
The role titles in the table above are used throughout the remainder of this report.
STAGE A – DEFINE
This Stage produces the plans that will be implemented in the second Stage (Stage B – Implement). The four-phase process explains how to use a maturity model to do this. This Stage is where the benefits identified in Section 1 can be gained. The maturity model is used to build consensus on how the information security function can support the organisation achieve its goals. The function can then use this consensus to prioritise investments on strategic goals and demonstrate progress towards these agreed goals.
Phase A1 PREPARE
This Phase describes the preparation required and the issues to address before using a maturity model. It looks at aligning the use of a maturity model with the organisational context and preparing the maturity model for the assessment. It assumes that the Lead has the required authority to proceed with a maturity assessment. If this is not the case, the Lead should use information from Sections 1-3 to gain the necessary buy-in.
STEP 1
IDENTIFY THE ORGANISATIONAL CONTEXT
Tasks
1.1 Understand strategic goals
1.2 Scope the assessment
1.3 Identify stakeholders
1.4 Sell the idea and engage stakeholders
STEP 2
PREPARE THE MODEL
Tasks
2.1 Select the model
2.2 Adapt the model
One Member cautioned against rushing the preparatory phases and going straight into the maturity assessment. They designed and distributed a maturity assessment without first identifying the key areas that were important to the business. Following low participation from the business, the assessment was cancelled and had to be re-planned in a more focussed way.
Task 1.1 UNDERSTAND STRATEGIC GOALS
How organisations document and share their strategic goals, what they value and what they are trying to achieve, will 'vary enormously and they will have different ways of articulating what is important to them'.31 These goals may be recorded in an organisational strategy, and may also be reflected in an information security strategy.32 Regardless of the format, every outcome of using the model needs to support the organisation's strategic goals. The Lead should ensure that they personally, as well as those involved in the assessment, are confident they fully understand the strategic goals. The Lead can then investigate how the organisation intends to achieve those goals. This offers an excellent opportunity to engage with the wider organisation to identify new opportunities for the information security function to enable or support these activities.
Task 1.2 SCOPE THE ASSESSMENT
The Lead should scope the maturity assessment so it assesses the disciplines related to the organisation's strategic goals identified in Task 1.1. In addition to the disciplines to be included in the assessment, the scope should also define which business units will be assessed. This will influence the choice of maturity model later in Task 2.1.
TIP
The Lead should strike a balance between the breadth of disciplines covered and the depth of assessment desired. Whilst recognising this balance will depend on individual circumstances, a number of ISF Members suggested keeping the scope as narrow as possible, as too wide a scope can create a barrier to stakeholder involvement.
Too wide: "If you turn this (the assessment) into an industry, people won't do it."
Too narrow: "Being too selective can lead to difficulties later. When you revisit the assessment, you can't provide measurement or a reference against all areas in response to questions from the board or auditors."
The scope should also define whether single or multiple assessments will be conducted. A single assessment involves each discipline being assessed once in the organisation. A multiple assessment is where each discipline is assessed separately within each in-scope business unit.
NOTE: In a single organisation, there may be a combination of single and multiple assessments: single assessments for disciplines that are centralised, and multiple assessments for disciplines that are managed separately by business units.
TIP
WHY DOES THE GOVERNANCE STRUCTURE MATTER?
An organisation's choice between single and multiple assessments will depend on how the organisation governs its processes. For example, it is impractical to separately assess the maturity of asset management in ten business units, if it is handled centrally. In this case a single assessment would be appropriate to avoid wasted resources and duplicated effort. It is likewise impractical to assess the maturity of asset management centrally if responsibility and decisions are made separately by individual business units, so in this case multiple assessments would be appropriate.
Many of the choices made during the scoping, and the budget that is available for using a model,
will affect the choices made in Phase A2 ASSESS, Step 1 for how the assessment is conducted.
Make sure these choices are considered before the scope is finalised.
Once the scope is produced it should be documented, validated and signed off by the Sponsor. This is
required to secure the buy-in, credibility and authority to conduct a successful maturity assessment.
31 ISF. Engaging with the Board: Balancing cyber risk and reward. April 2013.
32 ISF. Information Security Strategy: Transitioning from alignment to integration. May 2014.
Task 1.3 IDENTIFY STAKEHOLDERS
A maturity assessment typically involves a wide range of stakeholders across the organisation, each of whom are expected to contribute in varying ways. To ensure they all play their part and that all relevant information is included in the assessment, a stakeholder mapping exercise is helpful. A simple 'RACI' stakeholder assessment can be used to identify everyone who should be involved in the maturity assessment and whether they are:
• Responsible: Who is carrying out the assessment? Who will they report to?
• Accountable: Who will make decisions based on the outcome of the assessment? Who holds ultimate responsibility for the assessment? Who holds decision-making and sign-off power?
• Consulted: Who are the experts? Which representatives from in-scope business units will be asked for input?
• Informed: Who else could be interested or be affected by the results of the assessment and therefore should be kept informed of the progress and results of the assessment?
The Lead should work with the Sponsor to ensure that all relevant stakeholders have been identified so that each can be engaged appropriately.
Task 1.4 SELL THE IDEA AND ENGAGE STAKEHOLDERS
NOTE: It might be necessary to educate the Sponsor about the maturity model being used as they may have to advocate or defend its use to senior stakeholders. Gaining this senior buy-in facilitates the assessment by giving it organisational credibility.
"Make sure it's about something the organisation wants. Get senior management buy-in."
The Lead should now sell the use of a maturity model to stakeholders. The sales pitch should focus on the purpose of the assessment, their involvement in it and the organisational benefits of participation. The Lead should frame this conversation in terms that resonate with the organisation's language and culture and, in particular, with stakeholders' personal and organisational motivations. If all in-scope business units are willing to invest sufficient time in the assessment, the information gathered is likely to be of a much higher quality.
To more effectively engage with stakeholders, the Lead and the Assessor should understand that people's motivations in how they interact and respond to an assessment are complex. Respondents can sometimes aim too high or too low. The Lead and Assessor need to consider whether particular areas or people might respond in this way and try to introduce accuracy to the results based on these findings.
TOO HIGH: They want improvement focus to go elsewhere, or they are immature and don't understand what's being asked.
TOO LOW: They want to demonstrate improvement next time, or they want extra help or funding for their area.
WARNING
This report does not provide any specific guidance on stakeholder engagement other than to encourage Members to engage fully with interested parts of the business. The stakeholder mapping exercise suggested in Task 1.3: Identify stakeholders and the ISF report Engaging with the Board: Balancing cyber risk and reward can help address these issues.
Task 2.1 SELECT THE MODEL
The Lead will need to select a maturity model that meets the needs articulated in the scope. If the Lead has not hired a consultant to conduct the assessment, they must choose between using an existing maturity model and developing a new one. When making this decision, the Lead should consider the potential costs of using an existing model (e.g. initial cost of model, training to use it, skills to analyse results) and of developing a new one (e.g. time and people resource).
Both the type of maturity model (for more details see Section 3) and the disciplines it covers (for example, is it discipline-specific or a general information security maturity model?) should be considered. To help choose a maturity model, a list of existing models, including the ISF Maturity Model, is available to Members on ISF Live.
NOTE: The ISF Maturity Model is aligned with the Standard and is available on ISF Live. Members can use the high-level ISF Maturity Model as is, or as the basis for developing their own maturity model.
Don't forget to take any compliance requirements into account when choosing the maturity model. See 'Information security maturity models and compliance' (page 16) for more details.
Task 2.2 ADAPT THE MODEL
It is likely that the Lead will need to adapt the maturity model to the specific circumstances in which it will be used. For instance, there may be no requirement to use every domain of a maturity model so the Lead will need to select the domains and sub-domains to cover only those disciplines in the scope.
It may also be necessary to adapt the descriptions of maturity and activities in the model to fit the organisation's language or terminology. The Lead should change any terms in the maturity model if it helps the Assessed understand what is being asked. If the Lead doesn't easily understand what is being asked, it is unlikely others will.
One Member suggested a trial of the assessment questions before conducting a full assessment, particularly if conducting multiple assessments. This way the Lead can get an early indication of whether others are likely to understand the intention of the questions, whether the length of the assessment is acceptable, and to identify any other changes that could facilitate the process.
Summary
At this point in the process, the Lead has laid the groundwork for a successful maturity assessment. This includes an understanding of the organisational context both from a strategic and cultural perspective. The Lead now has a documented and signed off scope document that outlines which business units and disciplines will be assessed. The Lead, and potentially the Sponsor, are engaging stakeholders. Lastly, the model has been selected and adapted for use.
The next Phase, A2 ASSESS, takes the direction from Phase A1 PREPARE to build and conduct a maturity assessment.
Phase A2 ASSESS
This Phase covers conducting the maturity assessment and, if required, how to obtain results for other organisations to enable comparison. Step 1 outlines the four factors that need to be considered before executing the assessment. These choices reflect the organisation's circumstances, including whether the scope calls for a single or multiple assessments. For those who want or need to compare against other organisations, Step 2 explains five options for obtaining comparison data.
STEP 1
CONDUCT THE ASSESSMENT
Tasks
1.1 Tailor the assessment
1.2 Execute the assessment
STEP 2
COMPARE AGAINST OTHERS
Task 1.1 TAILOR THE ASSESSMENT
The ISF identified four factors that should be considered when tailoring an assessment. The Lead's decisions will be informed by how much assurance stakeholders need in the results and the practical constraints for the assessment(s). The table below shows these four factors, and the considerations that will affect the decisions.
The Lead must choose at least one option from each column. The decision made in each column should take into account the scope and the intended outcomes, which will dictate the level of confidence required in the results' accuracy. It will also reflect the practicalities of how much time and money is available for the assessment. The Lead can use more than one option from each column, dependent on circumstances (for example, if some business units need more support to gain an accurate assessment). Within each factor the options are ordered by assurance: the increasing assurance in the results comes at an increased cost.
INDEPENDENCE
The Lead needs to choose how independent the Assessor will be from the Assessed.
"Self-assessment doesn't work. They lie – probably not deliberately."
NOTE: If a maturity model is being used to gain accreditation (e.g. as part of a tender for business) it may require a qualified Assessor to conduct the assessment. An organisation wishing to gain this type of accreditation should ensure the Assessor has any necessary qualifications, as dictated by the accrediting organisation. For example, certain types of CMMI accreditation stipulate that the maturity assessment is conducted by a qualified Assessor.
Produce a list of questions to ensure consistent assessment of different respondents and business units. The questions don't need to be followed verbatim, but should be used to ensure all relevant areas are covered with all the Assessed.
INTERACTION
The Lead needs to decide how much interaction there will be between the Assessor and the Assessed.
"Be smart in how you talk to people – in a conversation people will give you 90% of what you need and not even realise."
Interview: The Assessor holds an interview with the Assessed. It may involve follow up interviews after an assessment is made to validate findings (see 'VALIDATION').
  Advantages: Offers the ability for in-person, in-depth discussion which generally yields strong results. Provides an opportunity to clarify any areas of uncertainty.
  Disadvantages: Incurs a cost associated with holding interviews as they are resource intensive.
One Member suggested holding a one-hour interview with the Assessed. They were able to gather all the necessary information in a short period which they could then validate in another short interview later. They believed this to be an efficient method of gathering the necessary information.
EVIDENCE
The Lead needs to decide how much evidence should be used to support the maturity assessment. Evidence will usually take the form of documentation that an activity is planned or has been performed (to a given standard).
Targeted evidence: The Assessor asks for opinion and requests evidence in some circumstances. Alternatively, the Assessor could ask for a certain level/number/pieces/quota of evidence per discipline.
  Advantages: Evidence requests can be targeted at business units or specific domains that need more support to achieve an accurate assessment.
  Disadvantages: May be difficult to strike a balance between accuracy and the associated administrative burden. Assessors need experience to know what evidence to request and then to understand and verify that evidence.
All evidence: The Assessor requires evidence for each assertion made.
  Advantages: There is a high degree of assurance in the results, as every assertion has been evidenced.
  Disadvantages: The administrative burden is dramatically increased both for the Assessed (to find the evidence) and for the Assessor (to analyse and verify the evidence).
Several Members stated that the Assessors merely suggesting that evidence may be requested was often enough to encourage the Assessed to consider their answers more carefully. This increased the accuracy of the results for little overhead.
VALIDATION
The Lead needs to decide the extent to which the maturity score will be validated with the Assessed, after it has been decided.
Active: The Assessor actively asks the Assessed whether they agree with the assessment and why.
  Advantages: Provides assurance that every result has been verified and that error checking exists.
  Disadvantages: Requires the Assessed to have an in-depth understanding of the assessment criteria for feedback to be meaningful. This approach is resource intensive.
Task 1.2 EXECUTE THE ASSESSMENT
The maturity model and the assessment are now ready to deploy. It is now time to put all the planning into practice and assess the current maturity.
Several ISF Members recommended asking the Assessed for a preliminary indication of maturity at the start of a formal assessment. They saw educational benefit in this activity, as it identifies the gap between where the Assessed think they are, and where they actually are following the assessment. This task also provides the Assessed an opportunity to voice their opinions and engage early on with the process, whilst giving the Assessor an opportunity to emphasise that the maturity score will be an output from a formal assessment.
NOTE: This is the only time that the Assessor directly asks the Assessed about maturity. Regardless of the model selected in Phase A1 PREPARE, once the formal assessment begins, the Assessor will restrict themselves to questions about activities and capabilities. The answers to these questions are then used to determine a maturity score. This is deliberate. It moves the assessment away from opinion towards a more structured, evidence-based assessment of maturity.
NOTE: Members who rated themselves at a high maturity level considered the desire to benchmark a sign of relative immaturity. They stated that as there are so many factors that vary between organisations (size, operating locations, culture, industry, regulations, specific threats, etc.) that comparisons are not only of little use but also potentially misleading. Many believed a mature organisation should focus on its own maturity requirements rather than comparing against others. See Phase A3 DECIDE, Step 2 (page 34) for the details of how organisations have done this.
(The options below are listed from highest to lowest accuracy and assurance.)
Trade body/ISF: An independent body arranges for several organisations to conduct a maturity assessment. They could, if necessary, collate and anonymise the results, before sharing amongst those who participated. The results are obviously of most use if all the organisations use the same maturity model and domains, making direct comparison possible.
  Member experience: Several ISF Members in the same country and sector agreed for their trade body to co-ordinate using the Security Healthcheck. This gave a consistent approach for comparison between organisations. (This example demonstrates this type of co-operation is possible, even though the Security Healthcheck is not a maturity model.)
Third party data: The organisation pays for access to a third party set of data. This is usually performed using consultants who already have a collection of maturity results for the maturity model they use (often their own proprietary maturity model). An alternative is paying to access a benchmarking site such as the IREC maturity benchmarking website.33
  Member experience: Many ISF Member organisations say they have paid for access to a third party collection of maturity assessment data, with some even selecting consultants based on the quality and size of their data set. As long as there was sufficient data available (e.g. tens of sets of results) and there were several similar organisations (in terms of geography/industry/size), Members believed the results were likely to be accurate, or at least consistent (as all assessments were conducted by the same third party organisation).
Ask: Organisations ask their competitors or partners, either directly or via a third party (usually consultants), for their maturity scores.
  Member experience: Several Members have done this, but while this has sometimes produced results, many believed that these results could not be trusted as it was feasible that they had been deliberately rated too highly, and there was no assurance of accuracy.
Guess: This will be based on previous knowledge or experience (e.g. former employees), using the professional expertise of those involved. Even so, there are obvious dangers associated with this approach. The organisation will need to decide whether the benefit gained (having data to compare against) is worth the significant risks associated with it (making the wrong decisions based on potentially inaccurate data). Most importantly, it is essential to be open and honest with decision makers about the source of information.
  Member experience: One ISF Member reported a cautionary tale. An organisation's maturity results were being compared to the (much higher) maturity results of a competitor. The disparity in maturity was given as justification for investment. When challenged about the source of the competitor's maturity results (by someone who knew it to be incorrect), the presenter was forced to admit, in front of the board, that they had guessed.
Summary
Upon completion of Phase A2 ASSESS, the Lead and the assessment team should have gathered the necessary information. The next Phase, A3 DECIDE, involves analysing and presenting the results to relevant decision makers and deciding the target maturity level for the organisation to meet its strategic goals.
Phase A3 DECIDE
This Phase explains how to present the results from Phase A2 ASSESS to decision-makers and how to choose a target maturity.
Many ISF Members reported real benefit in discussing and deciding target maturity as it forces those involved to think carefully about what they are trying to achieve and why, keeping organisational value front of mind.
This Phase refers to setting a 'target maturity' but in reality this will almost always be setting 'target maturities' as a target will usually be set in each of the domains of the maturity model, rather than setting a single target for the whole model. These targets may also vary between business units. Before the discussion which sets the target maturity, the Lead and Sponsor should decide the level at which the target maturities should be set i.e. domain or sub-domain level.
STEP 1 DISCUSS THE RESULTS
Tasks: 1.1 Group the results; 1.2 Prepare and present results
STEP 2 AGREE A TARGET MATURITY
Tasks: 2.1 Identify ideal maturity; 2.2 Set a target maturity
The person presenting the results may be the Lead (presenting to the Sponsor) or the Sponsor (presenting to senior stakeholders), or both. Whoever the audience is, the results must be presented in a format, and at a level of detail, that is relevant to them.
NOTE: The first task in Phase A1 PREPARE was to understand the organisation’s strategic goals. This is where the Lead can highlight the link between those strategic goals and how information security is helping those responsible for achieving them. The ISF’s Engaging with the Board: Balancing cyber risk and reward report also highlights the need to speak the language of those you are presenting to.
Task 1.1 GROUP THE RESULTS
The maturity assessment results for different domains should be summarised and grouped in a way that is relevant to the audience and simple for them to understand, with supporting detail available if required. Members suggested that the groupings may change dependent on the audience. Three possible ways to group the disciplines are according to:
• why the activity is carried out: this could be a general grouping (for example, “these activities keep our customers safe”) or it could be a specific grouping (“these activities will enable us to meet strategic objective X”). Several Members said this approach has the biggest impact with senior management as it is speaking the language of the business, not of information security.
• organisational structure: the disciplines being assessed can be grouped to reflect the organisational structure.
• similar disciplines: groups the domains which cover similar disciplines, even where these disciplines cross organisational boundaries (e.g. strategy and governance).
Task 1.2 PREPARE AND PRESENT RESULTS
ISF Members emphasised that senior audiences often wanted to see the main results of the maturity assessments displayed graphically. Some examples are shown below:
The Lead should investigate how the organisation (and in particular, senior management) prefers to have information presented.
ISF Members suggested that those presenting should prepare for common or challenging questions. Some common questions, and how this report can help answer them:
Q. How do we compare against others? See Phase A2 ASSESS, Step 2
Q. I thought we were good, why aren’t we ‘5’ in everything? See Section 3
Q. What do you think we should do? See next Phase A3 DECIDE, Step 2
Q. How much will it cost to increase maturity? See Section 3
Q. What is maturity? What does it mean? What are we measuring? See Section 3
Choosing an appropriate target maturity for an organisation was often identified by Members as the most important aspect of using a maturity model.
NOTE: Several Members reported that the discussion between information security and business decision-makers in the organisation about target maturity was the most informative and productive aspect of using a maturity model.
When identifying a target maturity, many Members were wary of easy answers (e.g. “you must be a 4”). Rather, they favoured a more flexible and pragmatic approach based on informed discussions (in which all participants understand maturity) and consensus building (between the information security function, senior management and other decision-makers).
“If it’s proportionate and appropriate, so what if we’re a 3 and not a 5?”
[Figure: a domain (ASSET MANAGEMENT in the example) plotted against maturity levels 1 to 5, each level described by its characteristics, attributes, indicators or patterns, with the points below marked on the scale.]
Current maturity: This is the result of the maturity assessment conducted in Phase A2 ASSESS.
Minimum maturity: This is the lowest possible maturity the organisation will tolerate. This sets the lower boundary for the target maturity. This minimum could be lower or higher than current maturity, but should be based on a specific requirement (for example, a compliance requirement that a process is documented and implemented).
Ideal maturity: This is the maturity level that the organisation would wish to achieve if there were no resource constraints. This point marks the upper boundary for the target maturity.
Target maturity: This is the maturity level that is agreed between relevant stakeholders and is the target to be achieved. The target maturity can be moved up and down the scale, between the lower (minimum maturity) and upper (ideal maturity) bound, to aid the discussion before being agreed and fixed. For example, “what would the consequences and costs be if our target maturity in incident management were ‘2’ rather than ‘3’?”
Other points to plot: There are many other possible points which can be used to support the discussion. These can include: interim targets (for different time scales), the maturity of others (if this is required and the information is available), what the organisation is able to achieve internally (without the need for external support), or whether there are dependencies on other disciplines.
More details on how to decide the ideal maturity and target maturity are in Task 2.1 and Task 2.2 of this Step.
Task 2.1 IDENTIFY IDEAL MATURITY
An ideal maturity is the optimum maturity level that the organisation would choose to support its objectives if there were no practical constraints (constraints are taken into account in the next task). The ideal maturity will not necessarily be the top of the maturity scale and will depend on the organisation’s requirements. All parties involved in deciding the ideal maturity need to understand the maturity scale and the effects of increases or decreases in maturity in each domain. (More details about this can be found in Section 3.)
NOTE: This ideal maturity should still be based on creating or protecting value for the organisation, not solely on information security requirements.
ISF research revealed three options for choosing an ideal maturity. The approach an organisation takes will depend upon its level of experience in information security. Does the organisation consider itself to be starting out in information security (limited experience), competent and improving at information security (moderate experience) or world leading (highly experienced)? The different approaches are presented below with the associated level of experience.
The Lead should consider the following three options to identify an ideal maturity and decide which is most appropriate for their organisation. The organisation’s maturity scores may give a strong indication of which option is appropriate. For example, if all maturity scores are very low, it is likely Option 1 will be appropriate.
Option 3 (Highly experienced): CHOOSE AN IDEAL MATURITY THAT SUPPORTS CREATING AND PROTECTING VALUE, MEETS COMPLIANCE REQUIREMENTS AND MANAGES INFORMATION SECURITY RISKS34
Many information security professionals focus on compliance and some on risk management, but lose sight of the primary objective of the organisation, and their role in supporting it, which is to create and protect value. A recent report warned that ‘senior executives are becoming concerned about the negative business impact of information security. In particular, the delay in exploiting value from new technologies such as cloud and mobile computing’.35 ‘The real cost of cyber… stems from delayed or lost technological innovation’.36
Option 3 (Highly experienced) continued: The Member organisations that considered themselves highly experienced believed they were able to identify an ideal maturity that was specific and appropriate to their organisation, its situation and strategic goals. They were not interested in comparison against others, believing this to distract from a thorough assessment of their own requirements. Through engagement with the organisation, they believed they were able to identify a level of maturity that would support the organisation to achieve its strategic aims, balanced against the cost of achieving it.
“Our great discovery was to target maturity at value.”
NOTE: Whilst many Members agreed this approach (Option 3) is likely to produce the most appropriate ideal maturity for each organisation, there was concern that few organisations were currently experienced enough to support this kind of decision making. However, all agreed that this type of decision making should be the aspiration and that Members should work towards this approach.
Task 2.2 SET A TARGET MATURITY
The target maturity (i.e. the maturity that the organisation commits to achieving) will be the combination of the ideal maturity tempered by practical constraints. Target maturity is best defined through discussion between information security and decision makers in the rest of the organisation. The agreed target should come from a discussion about what the organisation needs and what information security can realistically achieve given the available time and resources.
The points below outline the main practical constraints to consider:
Budget: There will be a cost associated with every activity that increases a maturity score. For example, increasing maturity in asset management could incur costs relating to managing the process around documentation of assets. If outside parties (e.g. consultants) are used, there can be a considerable initial and ongoing cost to increasing maturity. (See Section 3 for more details on the costs associated with maturity.)
Skills / Experience: Many information security disciplines require specialist skills and experience. The organisation will need to consider whether it has the requisite skills and/or experience or whether it will need to recruit, develop or purchase these skills from outside the organisation. It is also important to remember that each option could have a considerable cost attached. Therefore, resourcing and budget should not be considered in isolation.
Time: Target maturities are typically not achieved quickly. The organisation will need to plan for the long term (usually three to five years) but with interim checkpoints to assess progress and re-assess targets, and consequently different target maturities for different time frames (e.g. the target is ‘1’ in six months, and ‘3’ in two years). The information security function will also need to consider that projects which require time from other functions of the business may pose a constraint.
“If it’s from my team, it’s ok. If it’s money, it’s usually ok. When I need resources from another part of the organisation, that’s when it’s difficult.”
Interdependency: Many information security disciplines are interdependent (as discussed in Section 3, page 15). It is important to recognise these interdependencies and understand how raising maturity in one discipline may affect another. For example, it would be of limited benefit increasing the maturity in network monitoring (identifying suspicious activity on the network) if incident management (dealing with incidents of suspicious activity) remained immature.
Summary
The outcome of Phase A3 DECIDE should be an agreed target maturity, or set of target maturities for in-scope disciplines. These decisions should be based on informed discussion about where the organisation wants its information security maturity to be to enable strategic goals. Ideally, the targets will be agreed between information security and the business, but in cases where agreement is not possible, a target must still be defined. Who makes the final decision will depend on the organisation’s structure but will usually be the Sponsor. The next Phase involves developing plans to achieve the target maturity.
Phase A4 Plan
This Phase describes how to produce plans to achieve the target maturity or target maturities. It does not include general project management advice, instead focussing on aspects specific to using a maturity model: consequently, the Steps in this Phase do not include detail at the task level.
[Figure: Stage A – Define. A1 PREPARE: identify the organisational context; prepare the model. A2 ASSESS: conduct the assessment; compare against others. A3 DECIDE: discuss the results; agree a target maturity. A4 PLAN: identify activities to achieve maturity; produce and agree plans. Current and target maturity are plotted on the 1 to 5 maturity level scale towards a mature state.]
NOTE: While many organisations will have an established project process which can be initiated at this point, the Steps below should be considered to support or complement such an approach.
NOTE: As mentioned in Phase A3 DECIDE, in most cases several target maturities will have been set. Furthermore, if the target maturities were set at a high level then the Lead will need to produce target maturities for each of the lower-level components (e.g. if target maturities were agreed at the discipline level, the Lead will need to ensure that a target maturity is set for the sub-disciplines that make up each discipline).
STEP 1 IDENTIFY ACTIVITIES TO ACHIEVE MATURITY
STEP 2 PRODUCE AND AGREE PLANS
NOTE: If the maturity scale is cumulative, each maturity level builds upon what has been achieved in the previous levels. Attention should be given to how existing characteristics are maintained whilst achieving the new characteristics.
The Lead then needs to identify all of the activities that need to be undertaken to achieve these intermediate characteristics. For example, if one of the characteristics from a model is ‘staff have sufficient skills and experience’, the Lead will need to identify the activities needed to achieve that characteristic, such as identifying what those skills and experience are, and then plan how the organisation will ensure it has suitable staff.
This list of intermediate activities will inform the Lead’s planning and budgeting for how to achieve target maturity levels.
TIP: Get information security considerations locked into existing projects in different parts of the organisation wherever possible. Make sure you seek out these opportunities as part of the project planning process.
[Figure: Eisenhower Method matrix (important / urgent quadrants), not reproduced. Caption: One Member recommended using the Eisenhower Method for]
The list of activities derived from the maturity model will likely be high-level and often focussed on an outcome (rather than defining how to achieve the outcome). For each activity, the Lead will need to investigate how the organisation can achieve the outcome.
For example, one of the activities derived from a maturity model might be to ‘document the process’ but consultation may be required to identify what should be included in the documented process. This consultation should include all stakeholders and other relevant inputs such as applicable internal policies. The specific details on what to include in the documented process can be identified through discussions with subject matter experts, experienced staff, other ISF Members and from relevant sections in the Standard.
The prioritised list of activities should then be recorded in formal plans which outline all the basic project information including who is responsible, timeframes, agreed metrics and allocated budget.
NOTE: The Lead may have to take an iterative approach to determine which plans to implement depending on available resources and budget and to what degree the activities enable the organisation’s strategy.
Finally, and before implementation can begin, the plans and associated budgets should be signed off at an appropriate level. The Sponsor may sign off the plans or they may be responsible for obtaining sign-off from other business units.
Summary
This Phase has created prioritised plans which will now be implemented in the remaining business planning stages.
The following sub-sections briefly describe each of the remaining three Stages of the business planning cycle.
NOTE: The Lead should ensure that the information security function continues to work within the organisation’s established business planning and governance structures in order to be effective and to maintain high-level commitment to agreed plans.
[Figure: the business planning cycle. Stage A – Define (A1 PREPARE, A2 ASSESS, A3 DECIDE, A4 PLAN), Stage B – Implement, Stage C – Evaluate, Stage D – Enhance; current and target maturity shown on the 1 to 5 maturity level scale.]
STAGE B – IMPLEMENT
This Stage focuses on implementing the business plans that resulted from the four-phase process in Stage A – Define. To a certain extent, the Lead’s role in implementation will depend on whether the plans involve a standalone information security project or form part of another business unit’s project (or both). In the event that it is an individual information security project, the Lead is more likely to be involved in its implementation, including monitoring resources (people, time and budget), maintaining engagement with stakeholders, ensuring the project meets agreed milestones and managing associated risks to completion.
If the information security plans form a component of another business unit’s project, the Lead’s role is more likely to be advisory in nature, offering guidance, knowledge, skills or resources and monitoring associated risks. Regardless of the level of involvement in implementation, the Lead should endeavour to engage fully with those implementing the plans and maintain visibility and accountability of progress.
STAGE C – EVALUATE
Because the use of a maturity model is often part of an iterative process, the Lead should plan to regularly re-assess targets, the progress towards target maturity and the effectiveness of implementation. This gives an opportunity both to check and demonstrate progress and value to stakeholders. Three key steps for the evaluation are:
[Figure: Stage C – Evaluate; current and target maturity on the maturity level scale; each of the three steps concludes with ‘Update plan’.]
TIP: The Lead should take this opportunity to re-visit and deepen engagement
standalone projects, the role of the information security function may be limited to evaluating progress of the information security aspects. Even in these instances, the Lead should engage with relevant stakeholders to ensure they have visibility of the results.
plans to achieve them. If the strategic goals remain the same, the plans will still likely require updating, reflecting lessons learned when the plans meet reality.
The ISF report Information Security Strategy: Transitioning from alignment to integration suggests that business plans ‘should adapt to accommodate changing requirements, whether they are coming from the business, changes in the threat landscape or from other internal or external factors. Being constantly engaged with stakeholders means the CISO can anticipate changes in the environment and adjust plans accordingly.’ A maturity model supports this type of engagement, enabling information security to remain supportive of organisational needs as circumstances change.
STAGE D – ENHANCE
This Stage focuses on implementing the updated plans from Stage C – Evaluate. Just as in Stage B – Implement, the detail of these plans will depend on the decisions made in the preceding Stages. As the updated plans are implemented, the business planning cycle returns to the first Stage where the maturity model can be used to support the next round of engagement and planning.
The ISF Maturity Model
Introduction
This Section describes the ISF Maturity Model, a hybrid maturity model which allows Members to assess their maturity across 21 disciplines of information security drawn from the Standard. The ISF Maturity Model can be found in the ISF Maturity Model Accelerator Tool on ISF Live.
NOTE: While the ISF Maturity Model should fit seamlessly into existing activities for Members who have based their information security policies and procedures on the Standard, it is also adaptable for use by Members using other standards.
This Section describes the components of the model, including the maturity scale, the disciplines it covers, and how to use it to conduct a maturity assessment.
The ISF Maturity Model should be used as part of the business planning cycle described in the previous Section, which focuses resources on organisational value (shown as Stage A – Define in the diagram). As described in Section 4, the four phases of the process which sits in the Define Stage are:
A2 ASSESS – current maturity and, if necessary, determine the maturity of others
[Figure: the business planning cycle. Stage A – Define (A1 PREPARE, A2 ASSESS, A3 DECIDE, A4 PLAN), Stage B – Implement, Stage C – Evaluate, Stage D – Enhance; current and target maturity shown on the 1 to 5 maturity level scale.]
The ISF Maturity Model can also be used in Stage C – Evaluate to check progress and update plans.
For each domain, there is an objective statement which explains the purpose of the discipline covered (i.e. what does the organisation gain or achieve by doing that discipline). Where possible, the objective statements are the same as in the Standard.
EXAMPLE: For the domain that covers the discipline of Security Strategy, the objective statement is ‘To ensure the organisation’s approach to information security contributes to the organisation’s success’.
Each domain lists between one and four goals (i.e. what organisations are trying to achieve in that discipline).
EXAMPLE: For Security Strategy there are two goals: ‘Develop an Information Security Strategy’ and ‘Demonstrate stakeholder value’.
For each goal, a small number of specific activities to achieve that goal are listed. The number of specific activities listed varies depending on the goal.
EXAMPLE: Within Security Strategy, for the goal ‘Develop an Information Security Strategy’, there is one specific activity, ‘An Information Security Strategy is produced’.
The maturity scale assesses the maturity of the processes which support these specific activities.
[Figure: screenshot of the ISF Maturity Model Accelerator Tool for one domain, showing MATURITY = 0.75 and a details box. Goals shown: 16.1 Log security events (security event logs exist, are normalised and analysed); 16.2 Monitor the system and network (systems and networks are monitored); 16.3 Detect intrusions (intrusion detection mechanisms are applied on critical systems and networks); 16.4 Detect information leakage (information leakage protection mechanisms are applied on systems and networks). Each goal is assessed against the five levels 1 Performed, 2 Planned, 3 Managed, 4 Measured and 5 Tailored, using the same level requirements as the maturity scale table below. Related disciplines: Threat Intelligence, Human Resources Security, Incident Response, Crisis Management, Asset Management. Related ISF deliverables: Security Event Logging – Full Report; Information Security Incident Management – Full Report.]
NOTE: While it has some superficial similarities to the CMMI maturity scale, significant alterations have been made to make it applicable to the subject of information security. As a result, maturity assessment scores from the ISF Maturity Model should not be directly compared against CMMI results.
The maturity scale in the ISF Maturity Model is cumulative; that is, each level of maturity builds on the previous, lower level. When maturity is assessed, it builds from maturity level 0. The maturity assessment will indicate the highest maturity level for which all the requirements are met and all the preceding requirements are met. In practice this means all requirements for each preceding maturity level must be achieved and sustained before a higher level can be reached.
The ISF Maturity Model uses increments to demonstrate progress between maturity levels. Increments of 0.5 are used to indicate that a maturity level is ‘PARTIALLY MET’. For example, if the requirements for maturity level 1 and level 2 are ‘MET’, and the requirements for level 3 are ‘PARTIALLY MET’, the maturity score is 2.5.
As another example, if the requirements for level 1 are ‘MET’, and the requirements for level 2 are ‘PARTIALLY MET’, the maturity score will be 1.5. Even if the requirements for level 3 are ‘MET’, the maturity assessment will still be 1.5 as level 2 has not been ‘MET’.
NOTE: Do not assume that the same maturity score from different business units means that those business units are performing identical activities. For example, two business units could each have a score of 2.5, but they may not have completed the same requirements to give them the 0.5 increment. The two business units will have comparable results up to 2 (as they will both have completed all the requirements to achieve level 2), but they may have completed different activities to gain the 0.5 increment.
37 Butkovic M., Caralli R. Advancing cybersecurity capability measurement using the CERT-RMM maturity indicator level scale. November 2013. CMU/SEI-2013-TN-028.
Level 1, Performed (the activity is performed):
The specific activity for each goal is performed.
Level 3, Managed (the activity is performed, planned, and has sufficient organisational resources to support and manage it):
The activity is governed within the organisation’s governance structure, including policy and staff being responsible and accountable for the activity.
Necessary resources, including sufficiently skilled and experienced staff, and funding are available to perform and manage the activity.
Risks relating to the activity are identified and managed.
Level 4, Measured (the activity is performed, planned, managed, and is monitored):
Measurable targets for the activity have been identified, agreed and set.
Metrics for the activity have been identified, are used and regularly analysed, and results are reported to all relevant stakeholders.
Some improvements to the activity are made in response to results.
Level 5, Tailored (the activity is performed, planned, managed, measured, and subject to continuous improvement and is tailored to specific areas):
The activity is integrated (is supported by and provides support to) with other information security and business activities.
Regular cycles of improvement are applied to the activity; lessons learned and improvements are documented and shared across the organisation.
Business units adapt the standardised activity to meet their specific needs.
As can be seen from the maturity level descriptions opposite, the ISF Maturity Model, as a hybrid maturity model, aids
understanding in two ways.
1. The change from maturity level 0 to level 1 shows that the specific activity to achieve the goal is being performed.
Thus, achieving maturity level 1 gives assurance that the generally accepted activity is being performed.
2. The change from maturity level 1 to level 5 shows how mature the processes that support the specific activity are.
Achieving each higher level indicates that the processes that support the activity are increasingly mature, giving increased
assurance that the activity will be effective, consistent and resilient (i.e. it will have the desired outcome).
The disciplines covered by the ISF Maturity Model are listed below along with their suggested groupings. These groupings
are intended to help the Lead identify interdependent disciplines and communicate the results of an assessment in a logical
way to senior audiences (for more information see Phase A3 DECIDE).
STRATEGIC
1. Security Strategy
2. Security Governance
3. Information Risk Management
4. Compliance
5. Security Audit
6. Information Security Policy
Ten disciplines have been marked as ‘essential’ (in bold above) to help users prioritise when it comes to planning activities.
These were chosen by Members who considered them to be the fundamental disciplines of information security.
NOTE: Whilst Members tended to agree that information security governance and security awareness are essential,
views diverged on whether the next most essential aspects were technical (e.g. identity and access management) or
crisis-related (e.g. incident management). Consequently, Members should review the essential disciplines above to
select those which reflect their organisational circumstances and priorities.
The tool is divided into introductory information, results pages and the domains. The introductory information explains
the structure of the maturity model and how to use it to conduct a maturity assessment (repeating much of the
information below).
Each domain (an example is shown below) is divided into three main areas: the assessment box, the detail box, and other
information.
[Example domain sheet from the tool (discipline 16, specific activities 16.1 to 16.4), annotated with three callouts.]

Assessment box: contains the cells that affect the maturity assessment for that discipline.

Detail box: gives a more detailed description of the requirements at each maturity level for each specific activity.

Other information: at the top of the sheet, this includes the discipline covered and the purpose statement. At the bottom of the sheet, this includes details of related disciplines, related ISF deliverables, and other notes for the Assessor.

Contents of the example sheet:

Goals: Specific activities
• Security event logs exist, are normalised and analysed: 16.1 Log security events
• Systems and networks are monitored: 16.2 Monitor the system and network
• Intrusion detection mechanisms are applied on critical systems and networks: 16.3 Detect intrusions
• Information leakage protection mechanisms are applied on systems and networks: 16.4 Detect information leakage
MATURITY = 0.75

DETAILS (the same requirement text is shown for each of the four specific activities)
2 Planned: The activities have been documented, with necessary approval, and these plans / procedures are followed. Stakeholders have been identified, know of their role, and contribute to the documented process. All relevant requirements and inputs have been identified and included in the documented process.
3 Managed: The activities are governed within the organisation’s governance structure, including policy and staff being responsible and accountable for the activities. Necessary resources, including sufficiently skilled and experienced staff, and funding are available to perform and manage the activities. Risks relating to the activities are identified and managed.
4 Measured: Measurable targets for the activities have been identified, agreed and set. Metrics for the activities have been identified, are used and regularly analysed, and results are reported to all relevant stakeholders. Some improvements to the activities are made in response to results.
5 Tailored: The activities are integrated (are supported and provide support) with other information security and business activities. Regular cycles of improvement are applied to the activities; lessons learned and improvements are documented and shared across the organisation. Business units adapt the standardised activities to meet their specific needs.

Related disciplines: Threat Intelligence, Human Resources Security, Incident Response, Crisis Management, Asset Management
Related areas in ISF Standard of Good Practice: CF10.4: Security Event Logging, CF10.5: System / Network Monitoring, CF10.6: Intrusion Detection, CF8.7: Information Leakage Protection
Related ISF deliverables: Security Event Logging - Full Report; Information Security Incident Management - Full Report
Notes:
The maturity assessment is carried out at the level of specific activities, so the Assessor needs to work at that level. The
maturity results are then aggregated upwards to give a maturity assessment for the discipline. The maturity score starts
at maturity level 0 (even though this is not shown in the assessment box) and increases based on the selections made.
For each specific activity, the Assessor assesses whether the requirements at that maturity level are ‘MET’, ‘PARTIALLY
MET’ or ‘NOT MET’.
MET: If the specific activity meets all (or nearly all, more than 85%) of the requirements set for that maturity level, select ‘MET’.
PARTIALLY MET: If the specific activity meets some (but not all, between 15% and 85%) of the requirements set for that maturity level, select ‘PARTIALLY MET’.38
NOT MET: If none of the requirements (or almost none, less than 15%) for that maturity level are met, select ‘NOT MET’.
NOTE: The percentages provided above come from the ISO/IEC standard and are intended only as a guideline.
The overall maturity score requires the maturity level for every specific activity to be ‘MET’ before a higher maturity level
can be achieved. If all the requirements for a particular maturity level are ‘MET’ for every specific activity, the maturity
level is ‘MET’ for that discipline.
ASSESSMENT BOX
Maturity level descriptions:
1 Performed: The activity is performed
2 Planned: The activity is performed, and supported by planning (which includes engagement of stakeholders and relevant standards and guidelines)
3 Managed: The activity is performed, planned, and has sufficient organisational resources to support and manage it
4 Measured: The activity is performed, planned, managed, and is monitored
5 Tailored: The activity is performed, planned, managed, measured, and subject to continuous improvement and is tailored to specific areas

Goals: Specific activities | Level 1 | Level 2 | Level 3 | Level 4 | Level 5
1.1 Direct information security with a strategy: An information security strategy is produced | MET | PARTIALLY MET | NOT MET | SELECT… | SELECT…
1.2 Provide stakeholder value: Stakeholder value is demonstrated | MET | MET | NOT MET | SELECT… | SELECT…
Level 1 status: LEVEL COMPLETE MOVE TO NEXT LEVEL ->
MATURITY = 1.75
In the example above, the maturity score is 1.75. All the requirements for maturity level 1 for both specific activities have
been ‘MET’. As a result, the cell underneath displays ‘LEVEL COMPLETE MOVE TO NEXT LEVEL’. At level 2, the Assessor has
assessed that the requirements for level 2 are ‘MET’ for one specific activity (the bottom one) and ‘PARTIALLY MET’ for the
other (the top one). The additional 0.75 increment is an average of the scores for maturity level 2 (MET = 1, PARTIALLY MET
= 0.5, average of these two is 0.75). The Assessor has not completed level 3 or above because level 2 has not been ‘MET’
for every specific activity.
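The scoring rules set out above (the MET / PARTIALLY MET / NOT MET percentage guideline, and the level-by-level averaging that produces the 1.75 result), worked through as an added Python example; this is not the ISF tool’s own code, and the function names and the treatment of a share of requirements exactly at 15% or 85% are assumptions.

```python
# Added example, not the ISF's own tool: the scoring rules this page describes
# for the ISF Maturity Model. Function names and the treatment of a share of
# requirements exactly at 15% or 85% are assumptions.

MET, PARTIALLY_MET, NOT_MET = "MET", "PARTIALLY MET", "NOT MET"
LEVELS = ("Performed", "Planned", "Managed", "Measured", "Tailored")
CREDIT = {MET: 1.0, PARTIALLY_MET: 0.5, NOT_MET: 0.0}


def rate(met_fraction: float) -> str:
    """Turn the share of a level's requirements that are met into a rating.

    Page guideline: more than 85% -> MET, 15% to 85% -> PARTIALLY MET,
    less than 15% -> NOT MET. Exactly 15% or 85% is not defined on the
    page; both are treated as PARTIALLY MET here (assumption).
    """
    if not 0.0 <= met_fraction <= 1.0:
        raise ValueError("met_fraction must lie between 0.0 and 1.0")
    if met_fraction > 0.85:
        return MET
    if met_fraction >= 0.15:
        return PARTIALLY_MET
    return NOT_MET


def _credits(activities: dict, level: int) -> list:
    """Credit (1, 0.5 or 0) of every specific activity at a 0-based level.
    A level the Assessor has not selected yet counts as NOT MET (assumption)."""
    out = []
    for ratings in activities.values():
        rating = ratings[level] if level < len(ratings) else NOT_MET
        if rating not in CREDIT:
            raise ValueError(f"unknown rating {rating!r}")
        out.append(CREDIT[rating])
    return out


def first_incomplete_level(activities: dict):
    """1-based number of the first level not MET by every activity, or None."""
    for level in range(len(LEVELS)):
        if any(c < 1.0 for c in _credits(activities, level)):
            return level + 1
    return None


def discipline_score(activities: dict) -> float:
    """Maturity score for a discipline from its specific activities' ratings.

    `activities` maps each specific activity to its ratings for levels 1..5.
    A level counts fully (+1) only when every activity is MET; the first
    incomplete level adds the average of its credits and scoring stops, so a
    MET at a higher level never counts (the page's 1.5 example).
    """
    if not activities:
        raise ValueError("a discipline needs at least one specific activity")
    score = 0.0                 # every discipline starts at maturity level 0
    for level in range(len(LEVELS)):
        credits = _credits(activities, level)
        if all(c == 1.0 for c in credits):
            score += 1.0        # "LEVEL COMPLETE MOVE TO NEXT LEVEL"
            continue
        score += sum(credits) / len(credits)   # 0.75 in the page's example
        break
    return score


if __name__ == "__main__":
    # The page's Security Strategy example: 1.75, with level 3 not counted.
    strategy = {"1.1 Direct information security with a strategy": [MET, PARTIALLY_MET, NOT_MET],
                "1.2 Provide stakeholder value": [MET, MET, NOT_MET]}
    print(discipline_score(strategy), first_incomplete_level(strategy))
```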
38 ISO/IEC 15504-2:2003 defines the need for four ratings, rather than three. Members warned that this often creates confusion amongst respondees who were unable to differentiate between the
middle two options. As a result, this model only has three options.
6 Conclusion
Using a maturity model is not an end in itself; rather it is a business planning tool that helps organisations target maturity
in the areas that create or protect value. Using a maturity model helps information security build consensus, prioritise
investment and demonstrate progress. To get the balance of maturity correct, an understanding is needed of both the
effects of maturity and the costs of achieving it.
Using a maturity model also acts as a catalyst for engagement with the wider business through the process of deciding
where to target maturity and agreeing the appropriate maturity level. It provides a framework and common language
for discussion and debate on how information security can enable the organisation to achieve its goals. A key aim for
the information security function and its leader should be to engage with the organisation to agree a target maturity
that will support organisational goals, meet compliance requirements and manage information risk. This report provides
the necessary detail on the benefits and limitations of using a maturity model, and how to use one to focus time and
investment on value.
This report also provides an ISF Maturity Model, aligned with the Standard, which can be adapted to suit the needs of
individual Members. The ISF encourages Members to use it and share feedback and suggestions for improvement with
other Members and the ISF Global Team on ISF Live.
Glossary
Assessed: The individual or business unit from which information is being collected during the maturity assessment.
Assessment: See maturity assessment.
Assessor(s): The individual (or team) who conducts maturity assessments, gathers information (either remotely or in person), and makes the assessment of maturity.
Business unit: The sub-divisions of the organisation.
Discipline: An area of activity within a subject. In the subject of information security, examples of disciplines are change management and asset management.
Domain: The highest-level sub-divisions of a maturity model.
Goal: The stated aim of specific activities within a discipline. A discipline may have more than one goal.
Lead: The individual responsible for the use of the maturity model and who plans, co-ordinates and promotes its use across the organisation. In small organisations this may be the Sponsor. In larger organisations, it is likely to be an individual who reports to the Sponsor.
Mature state: The most advanced state. The state or condition of being fully mature. The mature state may change over time.
Maturity: A measurement of progress between an immature state and a mature state. For example: ‘what is your maturity in vulnerability management’ means ‘how much progress have you made in vulnerability management from the immature state to the mature state?’. This is the meaning used with maturity models generally and in this report.
NOTE: This can be confusing because the common usage and dictionary definition of ‘maturity’ means ‘the mature state’ which is described above.
Appendix: Methodology
• ISF Member development workshops held in London (x2), Oslo, Helsinki, Toronto, New York and Amsterdam
• Discussions and interviews with ISF Members worldwide
• Information submitted by ISF Members via ISF Live
• Input from subject matter experts
• Books, news articles, conference presentations, blogs and online research
• Thought leadership provided by the ISF Global Team.
Acknowledgements
The ISF would like to thank all ISF Members and external experts who contributed to this report by being interviewed,
emailing ideas and posting comments on ISF Live.
We would specifically like to thank those Members who contributed to the data gathering and validation phases by
participating in workshops and those who commented on pre-publication drafts.
ISF MEMBERS (COMPANY)
Rob Bickmore (Jaguar Land Rover)
Paul Atmore (John Lewis Partnership)
David Futter (JP Morgan Chase & Co)
Henrik Smit (KPMG)
Pieter van Houten (KPMG)
Rob Meijer (KPN)
Adrian Seccombe (Leading Edge Forum)
Gary Emberson (LV)
Matthew Bottomley (Lloyds Banking Group)
Gareth Carrigan (Lloyds Banking Group)
Dave Leather (Lloyds Banking Group)
David Sewell (Lloyds Banking Group)
Andrew Wortley (Lloyds Banking Group)
Dirk Loomans (Loomans & Matz)
Mette Fjellsa Paulsen (Ministry of Foreign Affairs (Norway))
Ian Benfell (Morgan Sindall)
Raymond Causton (NETS)
Bjorn-Arild Kydland (NETS)
Darren Hepburn (Network Rail)
Kirsty Benn-Harris (NIHR)
Jarkko Rautula (Microsoft Mobile)
Terry Stern (Microsoft Mobile)
Niels Andersen (Nordea Bank)
Pierre Schwartz (Nordea Bank)
Kay Behnke (NXP Semiconductors)
John Pendleton (Old Mutual)
Colin Alexander (Phoenix Life Holdings)
Michelle Duff (Procter & Gamble)
Hubert Kirchgaessner (Procter & Gamble)
Carole Embling (Prudential)
Kevin Flood (Prudential)
Craig McGann (Prudential)
James Thomas (Prudential)
John Crompton (PwC)
George Draper (PwC)
Ravin Gautam (PwC)
Hannah Gore (PwC)
Roar Gulbrandsen (PwC)
Kristen Hayduk (PwC)
Jorge Melendez (PwC)
Muhammad Mian (PwC)
Paul Midian (PwC)
Opeyemi Ore (PwC)
Ian Todd (PwC)
Grega Vrhovec (PwC)
Grant Waterfall (PwC)
Adrie Janssen Steenberg (Rabobank Nederland)
Rob Moniuk (Royal Bank of Canada)
Amalia Steiu (Royal Bank of Canada)
David Aubrey-Jones (RBS)
Samantha Beesley (RBS)
James Chambers (RBS)
Jill Trebilcock (RBS)
John Fonteijn (Royal Ahold)
Bilal Khurshid (Royal Mail Group)
Mikhail Tolchelnikov (SABMiller)
Henri Eklund (Samlink)
Markku Lindberg (Samlink)
Jari Pirhonen (Samlink)
Martin Eichhoff (Sanlam Capital Markets)
Jeroen de Boer (Shell International)
Erik Pols (Shell International)
Nikola Holyer (Skandia UK)
James Thornton (Smiths Group)
Tomi Martinen (SOK)
Renate Thoreid (SpareBank 1DA)
Michael Constable (SSE Services)
Olutosin Fabode (SSE Services)
Agnivesh Sathasivam (SSE Services)
Tim Shum (SSE Services)
Olutoson Fabode (SSE Services)
Emmerentia du Plooy (Standard Bank)
Beverley Allen (Steria)
Alistair Young (Steria)
Agneta Martinelle (Swedbank)
Matthew Billowes (Symantec)
James Hanlon (Symantec)
Lisa Burns-Peake (Tesco Stores)
Nadia Boreux (Tesco Stores)
Robert Dunn (Tesco Bank)
Wyn Moseley (Thames Water)
Erkki Helio (Tieto)
Veijo Pirhonen (Tieto)
Mark Ellis (TNSI)
Andy Cassin (Towers Watson)
Marios Nicolaou (TUI Travel)
Ellie Gentle (Unilever)
Neil Loader (Unilever)
Alan Willcox (Vanguard)
Martin Beumer (Vattenfall)
John Rudolph (Verizon)
Petri Puhakaihen (Vero)
Darren Desmond (Virgin Media)
Phillip Gregory (Virgin Money)
James Redhead (Virgin Money)
Patrick Hendrick (Vodafone)
Johnson Tamakloe (Vodafone)
Satu Simonen (Wärtsilä)
Karen Gadd (Worldpay)
As always, because ISF Members are providing information that may be about their own organisation, their contributions
are anonymous. Please accept our apologies for any omissions from the list.
The views, opinions and comments in this report are not necessarily those of contributors or of ISF Member organisations.
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading
organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber,
information security and risk management and developing best practice methodologies, processes and solutions
that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within
their organisations and developed through an extensive research and work program. The ISF provides a confidential
forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions.
And by working together, Members avoid the major expenditure required to reach the same goals on their own.
Reference: ISF 14 09 01 Copyright © 2014 Information Security Forum Limited. All rights reserved.