Security Maturity Models Part 1: What is Security & Privacy Capability Maturity Model?

The threat environment in our ever-expanding cyberspace is dynamic. Organizations cannot implement security measures once and then leave them to function without changes or updates. As cyberattacks continue to evolve in complexity and sophistication, an organization’s security posture should also mature with time and experience. To maintain consistency in their efforts, organizations often look for a standard or a framework to help them with the basics.

A security maturity model supports your organization in conducting regular reviews for assessing its efforts to improve security practices. Such security models also guide an organization in what it needs to do to reach the next maturity level. Some of the most common security maturity models are PRISMA (Program Review for Information Security Assistance), SP-CMM (Security & Privacy Capability Maturity Model), Cybersecurity Capability Maturity Model (C2M2), NIST Cybersecurity Framework, etc. In the first article of our two-part series, we are focusing on SP-CMM.


LIFARS Gap Assessment Solution is designed to ascertain your comprehensive current information security, risk, and compliance status. Not only do we determine your current state along with your risk appetite and tolerance, we also provide you with an actionable roadmap to reach your target maturity level, including strategy, structure, governance, and an operations management plan.


What is SP-CMM?

SP-CMM is an acronym for Security & Privacy Capability Maturity Model. Maintained by the Secure Controls Framework Council, this framework seeks to help organizations establish and evaluate their security and privacy controls. At a high level, it has three primary objectives:

  • Provide C-level executives with a well-defined criterion for setting the expectations for an organization’s cybersecurity and privacy program;
  • Provide internal security teams with a well-defined criterion for planning and implementing security practices; and
  • Provide a baseline criterion for organizations to evaluate third-party service providers.

This maturity model takes inspiration from the Systems Security Engineering Capability Maturity Model v2.0 (SSE-CMM), which is hosted and maintained by the US Defense Technical Information Center (DTIC). It follows a nested approach in which every succeeding maturity level builds on its predecessor. It has a total of six levels, numbered 0 to 5.

CMM 0: Not performed

This maturity level corresponds to non-existent practices, i.e., the organization is not performing the relevant control or process. Where a control can reasonably be expected to exist, its non-performance can be deemed negligent behavior.

CMM 1: Performed informally

This maturity level corresponds to ad-hoc practices. The organization performs the relevant controls, but inconsistently or incompletely. It may follow best practices for a control or process area, but they are neither planned nor documented. For SMEs, CMM 1 is often observed when their IT team or vendor focuses only on break/fix work.

CMM 2: Planned and tracked

This maturity level is evident when an organization is driven by its security requirements. The organization is familiar with its obligations, whether contractual, regulatory, or statutory. It has implemented security practices that meet those requirements, and it actively plans and tracks the performance of those practices. CMM 2 focuses more on compliance than on security.
Further, performance is verified by a designated individual, and the given requirements are fulfilled. In practice, an organization achieves this maturity level when it is audit-ready, i.e., it has sufficient evidence to demonstrate control execution and documentation. The organization may not have a dedicated security team, with IT personnel assigned security as an additional responsibility; however, they are aware of their roles and responsibilities and fulfill compliance obligations without any hurdles.

CMM 3: Well-defined

At this maturity level, the organization has enterprise-wide standards with well-defined processes. A standard documentation process is in place, approved before it came into effect, and all processes are planned and managed through it. Unlike CMM 2, CMM 3 practices focus on organization-wide standards. This maturity level anchors the implementation of security practices rather than merely fulfilling compliance obligations. Organizations at this level generally have a small security team led by a competent security manager or director; larger organizations may have dedicated specialists for security operations, risk management, privacy, etc.

CMM 4: Quantitatively controlled

When organizations achieve this level of maturity, metrics drive the improvement of their security practices. The organization collects detailed information about the performance of its security practices, analyzes it, and derives useful insights. For smaller organizations, achieving this level of maturity is unrealistic. In larger organizations, a C-level executive leads the security program, and top management is informed about cybersecurity status at regular intervals.

CMM 5: Continuously improving

The highest level of maturity is analogous to having world-class security practices. Along with standard processes and metrics about process execution, processes continuously improve at this maturity level. An organization sets a clear target for process effectiveness, in line with its business goals. A continuous improvement process incorporates previous experience, ideas, technologies, and quantitative feedback. In some cases, an organization may use artificial intelligence-based tools to improve its processes and procedures. For small and medium-sized enterprises, achieving CMM 5 would be unrealistic.

Ending notes

Defending an organization’s IT assets is not a one-time battle. While attackers only need to succeed once to damage your organization’s financial stability and reputation, your security team defends IT infrastructure every day. Our experts, in their years of experience, have found that focusing on achieving security maturity leads to reduced cybersecurity expenses within around three to four years. Have you previously adopted a maturity model to improve your security practices? Tweet to us at @LIFARSLLC and let us know.


Overview to Systems Security Engineering Capability Maturity Model v2.0 (SSE-CMM)

Security & Privacy Capability Maturity Model (SP-CMM)