The Information Technology Governance maturity level will be measured with the help of a predefined maturity model. The information technology governance maturity model distinguishes 6 maturity levels (0, 1, 2, 3, 4 and 5), which are summarized in the table below. In order to achieve levels 3, 4 or 5, Member Organizations should first meet all criteria of the preceding maturity levels.
| Maturity Level | Definition and Criteria | Explanation |
|---|---|---|
| 0 Non-existent | - No documentation.<br>- There is no awareness of or attention to certain information technology controls. | - IT controls are not in place. There may be no awareness of the particular risk area or no current plans to implement such IT controls. |
| 1 Ad-hoc | - IT controls are not defined or are partially defined.<br>- IT controls are performed in an inconsistent way.<br>- IT controls are not fully defined. | - IT control design and execution vary by department or owner.<br>- IT control design may only partially mitigate the identified risk and execution may be inconsistent. |
| 2 Repeatable but informal | - The execution of the IT control is based on an informal and unwritten, though standardized, practice. | - Repeatable IT controls are in place. However, the control objectives and design are not formally defined or approved.<br>- There is limited consideration for a structured review or testing of a control. |
| 3 Structured and formalized | - IT controls are defined, approved and implemented in a structured and formalized way.<br>- The implementation of IT controls can be demonstrated. | - IT policies, standards and procedures are established.<br>- Compliance with IT documentation (i.e., policies, standards and procedures) is monitored, preferably using a governance, risk and compliance (GRC) tool.<br>- Key performance indicators are defined, monitored and reported to evaluate the implementation. |
| 4 Managed and measurable | - The effectiveness of the IT controls is periodically assessed and improved when necessary.<br>- These periodic measurements, evaluations and opportunities for improvement are documented. | - Effectiveness of IT controls is measured and periodically evaluated.<br>- Key risk indicators and trend reporting are used to determine the effectiveness of the IT controls.<br>- Results of measurement and evaluation are used to identify opportunities for improvement of the IT controls. |
| 5 Adaptive | - IT controls are subject to a continuous improvement plan. | - The enterprise-wide IT governance program focuses on continuous compliance, effectiveness and improvement of the IT controls.<br>- IT controls are integrated with the enterprise risk management framework and practices.<br>- Performance of IT controls is evaluated using peer and sector data. |

Table 1 - Information technology governance Maturity Model