The cyber security maturity level will be measured with the help of a predefined cyber security maturity model. The cyber security maturity model distinguishes 6 maturity levels (0, 1, 2, 3, 4 and 5), which are summarized in the table below. In order to achieve levels 3, 4 or 5, a Member Organization must first meet all criteria of the preceding maturity levels.
| Maturity Level | Definition and Criteria | Explanation |
| --- | --- | --- |
| 0 Non-existent | No documentation. There is no awareness of or attention to a certain cyber security control. | Cyber security controls are not in place. There may be no awareness of the particular risk area or no current plans to implement such cyber security controls. |
| 1 Ad-hoc | Cyber security controls are not defined or only partially defined. Cyber security controls are performed in an inconsistent way. Cyber security controls are not fully defined. | Cyber security control design and execution vary by department or owner. Cyber security control design may only partially mitigate the identified risk, and execution may be inconsistent. |
| 2 Repeatable but informal | The execution of the cyber security control is based on an informal and unwritten, though standardized, practice. | Repeatable cyber security controls are in place. However, the control objectives and design are not formally defined or approved. There is limited consideration for a structured review or testing of a control. |
| 3 Structured and formalized | Cyber security controls are defined, approved and implemented in a structured and formalized way. The implementation of cyber security controls can be demonstrated. | Cyber security policies, standards and procedures are established. Compliance with cyber security documentation (i.e., policies, standards and procedures) is monitored, preferably using a governance, risk and compliance (GRC) tool. Key performance indicators are defined, monitored and reported to evaluate the implementation. |
| 4 Managed and measurable | The effectiveness of the cyber security controls is periodically assessed and improved when necessary. This periodic measurement, the evaluations and the opportunities for improvement are documented. | The effectiveness of cyber security controls is measured and periodically evaluated. Key risk indicators and trend reporting are used to determine the effectiveness of the cyber security controls. Results of measurement and evaluation are used to identify opportunities for improvement of the cyber security controls. |
| 5 Adaptive | Cyber security controls are subject to a continuous improvement plan. | The enterprise-wide cyber security program focuses on continuous compliance, effectiveness and improvement of the cyber security controls. Cyber security controls are integrated with the enterprise risk management framework and practices. The performance of cyber security controls is evaluated using peer and sector data. |
Table 1 - Cyber Security Maturity Model
The objective of the Framework is to create an effective approach for addressing cyber security and managing cyber security risks within the Financial Sector. To achieve an appropriate cyber security maturity level, the Member Organizations should at least operate at maturity level 3 or higher as explained below.