
What is a CSMA, and how can you benefit?

Similar to a gap analysis, a CSMA is an assessment of an organisation’s security posture against a desired framework or standard. Unlike a gap analysis, it is a process that is undertaken over a period of time to improve the maturity of an organisation.

It determines whether controls are present, but the result is not binary (a control is not simply present or absent). Instead, each control is scored on how mature its implementation is. This allows controls to be implemented efficiently where they most reduce the organisation’s exposure to information security risk.

It supports continuous improvement of an organisation’s security posture: an initial baseline is established and then measured again at pre-defined intervals, or once activities have been undertaken to improve the organisation’s posture further.

We can perform maturity assessments through the mapping of the Secure Controls Framework to several frameworks and standards, including the NIST CSF, NIST 800-53, ISO/IEC 27001, GDPR (UK), CIS Critical Security Controls (CIS Top 18), Cloud Security Alliance Cloud Controls Matrix, and more.

How does our CSMA service work?

If organisations don’t have a specific framework or standard in mind, we will assist in determining the scope and standard against which the maturity assessment shall be mapped and performed.

We will then perform a review of the organisation’s information security posture. This review shall be undertaken against the organisation’s people, processes, and technology.

During the assessment, we will review relevant policies, processes, and other documentation that is pertinent to the organisation’s information security programme.

A series of interviews will also be undertaken by our experienced consultants with key stakeholders who hold specific information security roles and responsibilities. Some security controls are also likely to be sampled during the process.

We are well versed in technical arenas, GRC, and communicating with senior/executive management, meaning we can present information in a format that is relevant to all stakeholders.

We are agile in our approach, as we can accommodate new and evolving standards.
