Cyber Security Maturity Model
for Organizations
v1.0, 13/Jun/2017
IT/ITeS Taskforce – CISO Platform
Table of contents
1. Contributors
2. Introduction
3. Core Domains
4. Cyber Security Maturity Model
5. Cyber Security initiatives
6. Summary
7. References
Contributors
1. Manoj Kuruvanthody (Taskforce Ambassador) – Kuruvanthody@gmail.com
2. Vivek Silla – VivekSilla@gmail.com
3. Ajay Bhayani – AjayBhayani@gmail.com
4. Gomeet Pant – Gomeet.Pant@gmail.com
Introduction
o This document aims to help user organizations easily adopt a Cyber Security
Maturity Assessment Model
o The maturity model draws on well-known standards and frameworks: the NIST
Cyber Security Framework, the ISO 27001:2013 Information Security Standard
and COBIT
Core domains
For ease of adoption, critical security activities are grouped into the following 21 Core Domains:
• Cyber Security Governance
• Policy & Standards
• Risk Management
• Vendor Risk Management
• Human Resource Security
• Customer Security
• Security Architecture
• Security Engineering
• Security Testing
• Security Operations
• Security Incident Management & Forensics
• Endpoint Security
• Network Security
• Infrastructure Security
• Cloud Security
• Application Security
• Identity and Access Management
• Physical and Environmental Security
• Asset Management
• Regulatory Compliance
• Information Security Continuity
Cyber Security Maturity Model
o The Maturity Assessment model has 5 levels, from Initial to Optimized
o The user performs a self-assessment against each Core Domain's "Controls
expectations" list, which is provided in the "Assessment" sheet of the workbook
o The user may revise the controls expectations to tailor them to their
organizational requirements. Caution is needed, however, to keep the formulae
across the workbook intact while doing so
Cyber Security Maturity Model (Contd.)
o The Assessment sheet records four ratings per Core Domain:
• Self assessment
• Independent assessment
• Industry peer rating and
• Future state (target) rating
o The sheet also visualizes these ratings
o For ease of comprehension, the sheet is pre-filled with sample rating data
Cyber Security Maturity Model – Maturity Levels
01 Initial / ad-hoc
02 Repeatable
03 Defined
04 Managed & Measurable
05 Optimized
Cyber Security Maturity Model – Maturity Level definitions
Maturity Level No | Maturity Level | Description
1 | Initial / ad-hoc
a. Recognition that issues exist.
b. No standardized process.
c. Ad-hoc approaches.
2 | Repeatable
a. Similar procedures are followed by different people undertaking the same task.
b. No formal training or communication of standard procedures.
c. Responsibility is left to the individual.
d. High degree of reliance on the knowledge of individuals, therefore errors are likely.
3 | Defined process
a. Procedures are standardized, documented and communicated through training.
b. It is mandatory that the process be followed.
c. It is unlikely that deviations would be detected.
4 | Managed and measurable
a. Compliance with procedures is monitored and measured, and action is taken where processes appear not to be effective.
b. Constant improvement.
c. Automation and tools are used in a limited manner.
5 | Optimized
a. Processes have been refined to a level of best practice, based on continuous improvement and maturity modeling.
b. IT is used in an integrated way to automate workflows.
c. Tools are provided to improve quality and effectiveness.
Cyber Security Maturity Model – Visualization with sample ratings (Contd.)
[Figure: "Maturity Assessment Ratings" chart filled with sample data. One group per Core Domain (Cyber Security Governance, Policies and Standards, Risk Management, Vendor Risk Management, Human Resource Security, Customer Security, Security Architecture, Security Engineering, Security Testing, Security Operations, Incident Management and Forensics, Endpoint Security, Network Security, Infrastructure Security, Cloud Security, Application Security, Identity and Access Management, Physical and Environmental Security, Asset Management, Regulatory Compliance, Information Security Continuity) on the 1 to 5 maturity scale; series: Self rating, Independent rating, Peer rating, Target Goal.]
Cyber Security Initiatives
• Security initiatives are the actions that raise the security posture of a domain
towards its target maturity level
• The template lets the user map each initiative to its corresponding NIST
category (Identify, Protect, Detect, Respond, Recover), so the user can see how
many initiatives are earmarked against each area and prioritize the
implementation roadmap by risk and budget
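As an added example (not part of the Taskforce's workbook, and not code from this document), the following Python reproduces the two calculations the Assessment and Initiatives sheets are described as supporting: a per-domain gap analysis over the self, independent, peer and target ratings, and a count of initiatives earmarked against each NIST function. The domain names, level names and the three initiative titles are taken from this document; the rating values and the mapping of each initiative to NIST functions are constructed assumptions.

```python
"""Assessment-sheet calculations for the maturity model (added example).

Ratings use the model's 1..5 scale (1 = Initial/ad-hoc ... 5 = Optimized).
All rating values and the NIST-function mapping of each initiative below are
constructed for illustration; the document does not supply them.
"""
from collections import Counter
from dataclasses import dataclass

MATURITY_LEVELS = {
    1: "Initial / ad-hoc",
    2: "Repeatable",
    3: "Defined",
    4: "Managed & Measurable",
    5: "Optimized",
}

# NIST Cybersecurity Framework core functions
NIST_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class DomainRating:
    """The four ratings the Assessment sheet records for one core domain."""
    domain: str
    self_rating: int
    independent_rating: int
    peer_rating: int
    target: int

    def __post_init__(self):
        # Reject anything outside the five-level scale before it reaches a formula.
        for name in ("self_rating", "independent_rating", "peer_rating", "target"):
            value = getattr(self, name)
            if value not in MATURITY_LEVELS:
                raise ValueError(f"{self.domain}: {name}={value!r} is not a level 1..5")

    @property
    def gap(self) -> int:
        """Levels still to climb to the target, measured from the independent rating."""
        return max(0, self.target - self.independent_rating)

    @property
    def overstated(self) -> bool:
        """True when the self-assessment is more optimistic than the independent one."""
        return self.self_rating > self.independent_rating


@dataclass(frozen=True)
class Initiative:
    """One row of the Initiatives sheet with its NIST-function mapping."""
    number: int
    title: str
    domain: str
    nist_functions: tuple

    def __post_init__(self):
        unknown = set(self.nist_functions) - set(NIST_FUNCTIONS)
        if unknown:
            raise ValueError(f"initiative {self.number}: unknown NIST function(s) {sorted(unknown)}")


def prioritize(ratings):
    """Domains with an open gap, largest gap first; ties go to the lower independent rating."""
    return sorted((r for r in ratings if r.gap > 0),
                  key=lambda r: (-r.gap, r.independent_rating, r.domain))


def overstated_domains(ratings):
    """Domains where the self rating exceeds the independent rating (worth a second look)."""
    return [r.domain for r in ratings if r.overstated]


def initiatives_per_function(initiatives):
    """Number of initiatives earmarked against each NIST function (zeros included)."""
    counts = Counter({f: 0 for f in NIST_FUNCTIONS})
    for initiative in initiatives:
        counts.update(initiative.nist_functions)
    return dict(counts)


def uncovered_functions(initiatives):
    """NIST functions with no initiative mapped to them."""
    counts = initiatives_per_function(initiatives)
    return [f for f in NIST_FUNCTIONS if counts[f] == 0]


def domains_without_initiative(ratings, initiatives):
    """Prioritized domains that have a gap but no initiative addressing them."""
    covered = {i.domain for i in initiatives}
    return [r.domain for r in prioritize(ratings) if r.domain not in covered]


# Constructed sample data (domain names and initiative titles are from the document).
SAMPLE_RATINGS = [
    DomainRating("Cyber Security Governance", 3, 3, 3, 4),
    DomainRating("Identity and Access Management", 3, 2, 3, 4),
    DomainRating("Network Security", 4, 3, 3, 4),
    DomainRating("Information Security Continuity", 2, 2, 3, 4),
    DomainRating("Application Security", 2, 2, 3, 3),
]
SAMPLE_INITIATIVES = [
    Initiative(1, "Implement privileged IAM", "Identity and Access Management", ("Protect",)),
    Initiative(2, "Implement anti-APT solution", "Network Security", ("Protect", "Detect")),
    Initiative(3, "Institute an Information Security Continuity framework for critical components",
               "Information Security Continuity", ("Respond", "Recover")),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RATINGS):
        print(f"{r.domain:35} {MATURITY_LEVELS[r.independent_rating]:22} -> "
              f"{MATURITY_LEVELS[r.target]:22} gap={r.gap}")
    print("overstated:", overstated_domains(SAMPLE_RATINGS))
    print("initiatives per NIST function:", initiatives_per_function(SAMPLE_INITIATIVES))
    print("functions without initiatives:", uncovered_functions(SAMPLE_INITIATIVES))
    print("gaps without initiatives:", domains_without_initiative(SAMPLE_RATINGS, SAMPLE_INITIATIVES))
```

The gap is measured from the independent rating rather than the self rating on purpose: a self-assessment that runs ahead of the independent one is flagged separately by `overstated_domains`, so an optimistic self score cannot hide a domain from the roadmap. With the constructed data the Identify function has no initiative at all, and two prioritized domains have no initiative mapped to them; those are exactly the budget and risk questions the template is meant to surface.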
Cyber Security Initiatives – Sample data
No | Initiative | Core Domain | NIST Category: Identify | Protect | Detect | Respond | Recover
1 | Implement privileged IAM | Identity and Access Management | | | | |
2 | Implement anti-APT solution | Network Security | | | | |
3 | Institute an Information Security Continuity framework for critical components | Information Security Continuity | | | | |
Cyber Security initiatives help improve the security posture and reach the target maturity goals of specific domains
Summary
o This is the first version of the Cyber Security Maturity Model
o The Taskforce aims to refine the “Controls expectations” list, besides other
refinements to this maturity model, in its subsequent revisions
o Please send your suggestions and feedback to
Atul.Singh@FireCompass.com and Kuruvanthody@gmail.com
References
• NIST Cyber Security Framework
• ISO 27001:2013 Information Security Standard
• COBIT