Control maturity model

The maturity levels for security controls managed in Swise align to the COBIT Capability Maturity Model (CMM).

COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for IT governance and management. The COBIT Capability Maturity Model (CMM) is a tool within COBIT for assessing and improving IT processes and works very well for assessing risk controls.

As your organisation’s reliance on IT systems increases, so too does the need to ensure these systems are effectively governed and managed. The CMM framework provides a structured approach to evaluating the maturity level of your controls, and helps identify areas that need improvement.

Aligning to COBIT CMM makes it simpler to manage risk and prioritise improvement. It also aligns with many regulatory and industry standards, helping you meet compliance requirements, and enables you to benchmark against industry best practices.

Maturity Levels

There are five levels of maturity. As you create and evolve controls, it’s important to provide an accurate assessment and to give your auditor clear evidence that your controls meet the assessed maturity level.

Level 0 - Non-existent

There is a complete lack of any recognisable processes. The enterprise has not even recognised that there is an issue to be addressed.

Level 1 - Initial/Ad Hoc

There is evidence that the enterprise has recognised that the issues exist and need to be addressed. However, there are no standardised processes. Instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis.

Level 2 - Repeatable but Intuitive

Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. However, there is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals.

Level 3 - Defined Process

Procedures have been standardised, documented, and communicated through training. They are mandated to be followed; however, deviations are unlikely to be detected. The procedures themselves are not sophisticated but formalise existing practices.

Level 4 - Managed and Measurable

Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are constantly improved and provide good practice. Automation and tools are used in a limited or fragmented way.

Level 5 - Optimised

Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

© Copyright 2025 Swise Limited • All rights reserved.
