Das richtige Framework für jedes Vorhaben

SOC Maturity Framework 360 (SOC360) ist ein mehrdimensionales Bewertungsmodell für Security Operations Center. Es verbindet Governance, Personen, Prozesse, Technologie, Services und eine dedizierte Risk-Integration. Jede Fähigkeit wird entlang Reifegrad, Abdeckung und Leistungsfähigkeit bewertet – mit Bezug zu ERM, MITRE ATT&CK, Cloud, OT/ICS und Lieferkette. Nutzer erhalten eine auditfeste Ausgangsbasis, risikogewichtetes Alerting und eine priorisierte, sechsstufige Roadmap mit klaren Business-Links. CISOs belegen Risikoreduktion über belastbare KPIs (MTTD/MTTR, Detection-Effektivität, Kontrollabdeckung), fundieren Budgets, fokussieren SOAR-Automatisierung, stärken Detection Engineering und Threat Hunting und steuern kontinuierliche Verbesserung durch Purple-Teaming sowie BAS-gestützte Validierung. Das SOC Management kommunizieren Wirksamkeit verständlich, adressiert Entwicklungspotentiale gezielt und beschleunigt eine resiliente SOC-Transformation. Dieses Reifegradmodell wurde von Harald Reisinger und Marc Nimmerrichter entwickelt.

This DORA Maturity Model translates the EU’s Digital Operational Resilience Act into an actionable L1–L2–L3 capability roadmap across ICT risk, third-party risk, incident management, resilience testing, and information-sharing. Built for financial institutions and critical ICT providers, it assesses control design, operating effectiveness, and governance. Benefits: it moves programs beyond checklist compliance to measurable resilience, aligning KRIs, RTO/RPOs, and SLAs with business impact. Benchmark current posture, prioritize remediation, evidence readiness for supervisors, and prepare for TLPT under DORA. The model surfaces dependencies on critical third parties and drives continuous improvement through risk-based testing and board-level oversight.

Built on ISO/IEC 27001, this ISMS Maturity Model maps clauses 4–10 and Annex A (A.5–A.8) into three levels—Foundational, Managed, Optimized/Proactive—covering context, leadership, planning, operations, performance, and improvement. It targets security leaders in regulated and enterprise-facing organizations seeking a structured, evidence-driven path. Use it to stage initial certification, benchmark “paper compliance” against operational effectiveness, and drive continual improvement between surveillance audits. It clarifies risk treatment priorities, accelerates audit readiness, and provides defensible metrics for management review—helping SaaS, BFSI, healthcare, telecom, and manufacturing teams satisfy customer due-diligence and regulatory TOMs.

Built on the U.S. Department of Energy’s C2M2, this model structures cybersecurity capability across OT and IT for energy and other critical infrastructure operators. It mirrors official Maturity Indicator Levels (MIL1–MIL3) and decomposes domain practices into measurable controls, evidence expectations, and role ownership—ready-made for Gradum.io assessments and road-mapping. Use it to baseline current posture, quantify risk reduction, and generate defensible remediation plans. Alignment with MILs accelerates audit readiness, supports NERC CIP/NIST CSF mappings, and clarifies OT/ICS accountability. The result: prioritized investment, improved incident preparedness, tighter supplier oversight, and demonstrable progress toward resilient, regulator-trusted cyber operations.

SOC-CMM was founded in 2017 to help security operations centers (SOC) measure and increase their maturity. Since its initial conception and release, the SOC-CMM has grown to become a global de facto standard for capability maturity assessment within SOCs.

This maturity model operationalizes NIST CSF 2.0 across six Functions—Govern, Identify, Protect, Detect, Respond, Recover—mapped to Categories and Subcategories as Domains → Aspects → Questions. It yields Current and Target Profiles and a tiered capability scale (L1 Foundational, L2 Managed, L3 Optimized) aligned to risk. Benefits: clear prioritization across Functions, defensible roadmap, and budget-ready metrics. Leaders benchmark posture, justify investments, and track risk reduction with concise scoring. Engineers get prescriptive next steps; auditors see evidence trails. The pyramid distribution anchors foundational controls while enabling progressive detection, response, and recovery excellence, enterprise-wide. It standardizes risk language for boards and regulators.

Das NIS2-Reifegradmodell übersetzt rechtliche EU-Vorgaben in eine umsetzbare Capability-Roadmap, die acht Domänen und neunzehn Aspekte abdeckt. Anhand einer dreistufigen Skala – Level 1 (Grundlegend), Level 2 (Verwaltet), Level 3 (Optimiert & Proaktiv) – prüft es 125 Controls in den Bereichen Governance, technische Maßnahmen gemäß Artikel 21, Meldung von Sicherheitsvorfällen und Lieferkettenrisiken. Es zeigt CISOs, DPOs und OT-Leitern den Weg von der Basisbereitschaft zu nachweisbarer Compliance und Resilienz. Die ausgewogene Diagnostik deckt Schwachstellen auf, priorisiert Behebungsmaßnahmen und belegt die Sorgfaltspflicht (Due Diligence) gegenüber Aufsichtsbehörden und Auditoren. Die Ergebnisse fördern das Reporting an den Vorstand, die Lieferantensicherheit (Vendor Assurance) und eine kontinuierliche Verbesserung, die über reine Checkbox-Compliance hinausgeht. Branchenübergreifendes Benchmarking verdeutlicht Risikoappetit, Control-Ownership und KPIs.

Built for the EU Corporate Sustainability Reporting Directive, this maturity model operationalizes ESRS-aligned requirements across four pillars—Governance & Strategy, Double Materiality, ESRS Data Management & Reporting, and Value-Chain Due Diligence—through 60 rigorously scoped questions calibrated across three capability levels, covering baseline, managed, and optimized practices. It benchmarks readiness for mandatory disclosures, pinpoints control gaps, and prioritizes remediation without conflating strategic “should do” improvements with legal “must do” obligations. Specialists gain audit-ready transparency, defensible evidence trails, and a modular fit with enterprise ESG roadmaps—accelerating CSRD readiness, reducing reporting risk, and aligning board oversight with verifiable ESRS data integrity.

Anchored to EU CSDDD articles and built atop your Unified Core ESG Model, this maturity model assesses due-diligence capability across governance, salience and impact identification, prevention/mitigation, stakeholder engagement, and monitoring/disclosure. It targets in-scope EU and non-EU groups, translating statutory obligations into operational processes, control objectives, and verifiable evidence requirements. Use it to baseline readiness, prioritize remediation, and sequence an executable roadmap; embed risk-based value-chain controls, grievance mechanisms, supplier engagement, and board oversight; and demonstrate continuous improvement to regulators, investors, and audit committees. The diamond-weighted levels surface foundational gaps while driving managed practices and advanced integration across functions.

Gradum.io’s ESG General Maturity Model unifies leading frameworks into a single, practitioner-grade baseline. Built around the E-S-G pillars and material aspects, it harmonizes GRI, SASB, and ISSB principles, with optional sector extensions. It delivers structured diagnostics, pillar scores, and peer benchmarks for organizations of any size. Use it to cut through ESG complexity, map gaps to material topics, and prioritize investments with a clear, auditable roadmap. The model accelerates readiness for evolving regulations, strengthens governance and controls, and links operational KPIs to strategic outcomes—giving sustainability, finance, and risk teams a common, data-driven playbook.

The EU AI Act is no longer a distant possibility—it is an operational reality. The Gradum.io EU AI Act Maturity Model is the definitive framework for organizations to translate complex legal obligations into clear, measurable actions. We don’t just ask if you are compliant; we assess how mature your AI governance is across 11 critical domains. From "Initial" ad-hoc processes to "Optimized" automation, our model provides the granular gap analysis you need to navigate the world’s toughest AI regulation. Don’t wait for a fine to find your blind spots. Benchmark your readiness, mitigate systemic risk, and build Trustworthy AI that scales.

A Quick Check version of the HIPAA Extensive — Covered Entities maturity model. Reuses the same 12-domain architecture, the same 0–5 HIPAA compliance-oriented maturity scale, and verbatim questions selected from the extensive model. Each domain includes three high-signal questions chosen across different aspects to cover the most foundational and most-audited HIPAA Privacy, Security, and Breach Notification Rule obligations. Ideal for first-pass readiness scans, executive briefings, consulting engagement scoping, and pre-audit health checks. Results are structurally compatible with the extensive model so a Quick Check finding in any domain naturally upgrades into a full assessment of that domain.

A Quick Check version of the HIPAA Extensive — Business Associates maturity model. Reuses the same 12-domain architecture, the same 0–5 HIPAA compliance-oriented maturity scale, and verbatim questions selected from the extensive model. Each domain includes three high-signal questions chosen across different aspects to cover the most foundational BAA-driven Privacy obligations, directly applicable Security Rule safeguards, Breach notification to Covered Entities, and Subcontractor oversight duties. Ideal for first-pass readiness scans, customer-audit preparation, and consulting engagement scoping. Results are structurally compatible with the extensive model so a Quick Check finding in any domain naturally upgrades into a full assessment of that domain.

Built on CIS Controls v8, this maturity model operationalizes the three Implementation Groups (IG1–IG3) into measurable safeguards, control owners, evidence expectations, and remediation workflows. It targets organizations of any size and sector seeking prescriptive, prioritized cyber hygiene aligned with NIST CSF and common assurance frameworks. Benefits: risk-based scoring by IG, automated posture snapshots, and roadmaps that reduce MTTR and audit friction. Users gain defensible coverage mapping to ISO/IEC 27001 and SOC 2, heat-maps of control gaps, and role-specific actions—from asset inventory and secure configuration to vulnerability management, logging, and incident response, plus threat-informed prioritization, board-ready metrics, and continuous improvement cycles.

Built on OWASP ASVS 5, this unified model maps the 17 chapters to Domains→Aspects→Questions and inherits L1–L3 as capability outcomes. Controls are assessed on a 1–5 maturity scale that embeds coverage; “3—Defined” is the compliance threshold used to compute achieved level. Use it to move beyond checklist audits: quantify control strength, surface material gaps by level, and auto-generate a risk-prioritized remediation roadmap to your chosen target (L1/L2/L3). Benchmark per domain, track deltas over time, and present defensible, evidence-based assurance to customers, auditors, and boards—accelerating sales while hardening production.

Built from the GDPR’s 99 articles, this model translates legal obligations into a practical Domains→Aspects framework with three capability levels: Foundational, Managed, and Optimized. It scopes policies, processes, controls and evidence across the data lifecycle, targeting DPOs, CISOs, product owners and privacy engineers. It provides a defensible baseline, a measurable roadmap, and audit-ready artefacts. Organizations reduce enforcement risk, accelerate DPIAs, embed privacy by design/default, and align security and data governance. The model supports vendor assurance, Board reporting, and continuous improvement—turning compliance into trust, resilience, and demonstrable business value. GDPR imposes principle-based, risk-oriented obligations: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability. Regulators expect evidence—ROPA, DPIAs, TOMs, DSR handling, breach response, vendor due diligence, and lawful transfer mechanisms.

Built for the Defense Industrial Base, this maturity model maps the 14 NIST SP 800-171 control families to Gradum Domains, binds all 110 requirements to Aspects and Questions, and stages capability across Foundational, Managed, and Optimized levels—explicitly targeting CMMC Level 2 readiness and sustained conformance. Use it to triage gaps, prioritize remediation, and operationalize policy-to-control traceability. The diamond distribution concentrates effort where auditors look, accelerates evidence collection, and hardens audit defensibility. Specialists gain repeatable workflows, supplier comparability, and DFARS-aligned reporting; executives get risk visibility, measurable maturity deltas, and a governed path to contract eligibility.

A multi-dimensional maturity assessment of NIST Special Publication 800-53 Revision 5. Each control is assessed across six dimensions — Policy & Governance, Process & Procedure, Technology & Automation, People & Competency, Measurement & Monitoring, and Assurance & Improvement — with a five-point scale anchored on the NIST 800-53A assessment objective at score 3 (Defined / Compliant) and leading-practice anchors at scores 4 and 5. Designed for enterprises and consulting partners running deep, defensible maturity engagements where control sophistication matters as much as control presence. Scope v1 = NIST SP 800-53B Moderate baseline (base controls and enhancements) plus the full Program Management (PM) and PII Processing and Transparency (PT) families, which apply program-wide regardless of impact baseline. High baseline content is reserved for v2.

The Gradum.io Cyber Security Health Check Model is the antidote to "Security Theater." In an era where organizations pass audits yet still get breached, this model digs deeper than standard compliance checklists. Covering 10 critical domains—from Board Governance and AI Security to Ransomware Resilience and Supply Chain Risk—it provides an unvarnished assessment of your true defensive posture. Designed for CISOs who need to speak the language of business, it transforms technical jargon into financial risk intelligence. Stop guessing if you are secure. Measure what matters, justify your budget, and build a defense that survives the worst day.