El marco de referencia adecuado para cada ambición

SOC Maturity Framework 360 (SOC360) es una evaluación multidimensional para Centros de Operaciones de Seguridad que fusiona gobernanza, personas, procesos, tecnología, servicios y un dominio dedicado a la Integración de Riesgos. Califica cada capacidad en cuanto a Madurez, Cobertura y Capacidad, mapeándolas con ERM, MITRE ATT&CK, la nube, OT/ICS y la cadena de suministro. Los profesionales obtienen una línea base lista para auditorías, un diseño de alertas basado en riesgos y una hoja de ruta priorizada de seis niveles vinculada al impacto comercial. Los CISO pueden evidenciar la reducción de riesgos con KPI defendibles (MTTD/MTTR, eficacia de detección, cobertura de controles), justificar el financiamiento del SOC, dirigir la automatización con SOAR, fortalecer la ingeniería de detección y el threat hunting, y orquestar la mejora continua a través de la validación impulsada por BAS y ejercicios de purple-team. Este modelo fue creado por Harald Reisinger y Marc Nimmerrichter.

Built on the U.S. Department of Energy’s C2M2, this model structures cybersecurity capability across OT and IT for energy and other critical infrastructure operators. It mirrors official Maturity Indicator Levels (MIL1–MIL3) and decomposes domain practices into measurable controls, evidence expectations, and role ownership—ready-made for Gradum.io assessments and road-mapping. Use it to baseline current posture, quantify risk reduction, and generate defensible remediation plans. Alignment with MILs accelerates audit readiness, supports NERC CIP/NIST CSF mappings, and clarifies OT/ICS accountability. The result: prioritized investment, improved incident preparedness, tighter supplier oversight, and demonstrable progress toward resilient, regulator-trusted cyber operations.

SOC-CMM se fundó en 2017 para ayudar a los centros de operaciones de seguridad (SOC) a medir y aumentar su madurez. Desde su concepción y lanzamiento inicial, el SOC-CMM ha crecido hasta convertirse en un estándar mundial de facto para la evaluación de la madurez de las capacidades dentro de los SOC.

El Modelo de Madurez NIS2 traduce las obligaciones legales de la UE en una hoja de ruta de capacidades práctica a través de ocho dominios y diecinueve aspectos. Utilizando una escala de tres niveles —Nivel 1 (Fundacional), Nivel 2 (Gestionado), Nivel 3 (Optimizado y Proactivo)— evalúa 125 controles que abarcan la gobernanza, las medidas técnicas del Artículo 21, la notificación de incidentes y el riesgo de la cadena de suministro. Proporciona a los CISO, DPO y líderes de OT un camino desde la preparación inicial hasta el cumplimiento demostrable y la resiliencia. Los diagnósticos equilibrados revelan brechas, priorizan la remediación y evidencian la debida diligencia ante reguladores y auditores. Los resultados impulsan los informes para la junta directiva, el aseguramiento de proveedores y la mejora continua más allá del mero cumplimiento de requisitos. La evaluación comparativa (benchmarking) entre sectores aclara el apetito de riesgo, la propiedad de los controles y los KPI.

Built for the EU Corporate Sustainability Reporting Directive, this maturity model operationalizes ESRS-aligned requirements across four pillars—Governance & Strategy, Double Materiality, ESRS Data Management & Reporting, and Value-Chain Due Diligence—through 60 rigorously scoped questions calibrated across three capability levels, covering baseline, managed, and optimized practices. It benchmarks readiness for mandatory disclosures, pinpoints control gaps, and prioritizes remediation without conflating strategic “should do” improvements with legal “must do” obligations. Specialists gain audit-ready transparency, defensible evidence trails, and a modular fit with enterprise ESG roadmaps—accelerating CSRD readiness, reducing reporting risk, and aligning board oversight with verifiable ESRS data integrity.

This maturity model operationalizes NIST CSF 2.0 across six Functions—Govern, Identify, Protect, Detect, Respond, Recover—mapped to Categories and Subcategories as Domains → Aspects → Questions. It yields Current and Target Profiles and a tiered capability scale (L1 Foundational, L2 Managed, L3 Optimized) aligned to risk. Benefits: clear prioritization across Functions, defensible roadmap, and budget-ready metrics. Leaders benchmark posture, justify investments, and track risk reduction with concise scoring. Engineers get prescriptive next steps; auditors see evidence trails. The pyramid distribution anchors foundational controls while enabling progressive detection, response, and recovery excellence, enterprise-wide. It standardizes risk language for boards and regulators.

Anchored to EU CSDDD articles and built atop your Unified Core ESG Model, this maturity model assesses due-diligence capability across governance, salience and impact identification, prevention/mitigation, stakeholder engagement, and monitoring/disclosure. It targets in-scope EU and non-EU groups, translating statutory obligations into operational processes, control objectives, and verifiable evidence requirements. Use it to baseline readiness, prioritize remediation, and sequence an executable roadmap; embed risk-based value-chain controls, grievance mechanisms, supplier engagement, and board oversight; and demonstrate continuous improvement to regulators, investors, and audit committees. The diamond-weighted levels surface foundational gaps while driving managed practices and advanced integration across functions.

This DORA Maturity Model translates the EU’s Digital Operational Resilience Act into an actionable L1–L2–L3 capability roadmap across ICT risk, third-party risk, incident management, resilience testing, and information-sharing. Built for financial institutions and critical ICT providers, it assesses control design, operating effectiveness, and governance. Benefits: it moves programs beyond checklist compliance to measurable resilience, aligning KRIs, RTO/RPOs, and SLAs with business impact. Benchmark current posture, prioritize remediation, evidence readiness for supervisors, and prepare for TLPT under DORA. The model surfaces dependencies on critical third parties and drives continuous improvement through risk-based testing and board-level oversight.

Built from the GDPR’s 99 articles, this model translates legal obligations into a practical Domains→Aspects framework with three capability levels: Foundational, Managed, and Optimized. It scopes policies, processes, controls and evidence across the data lifecycle, targeting DPOs, CISOs, product owners and privacy engineers. It provides a defensible baseline, a measurable roadmap, and audit-ready artefacts. Organizations reduce enforcement risk, accelerate DPIAs, embed privacy by design/default, and align security and data governance. The model supports vendor assurance, Board reporting, and continuous improvement—turning compliance into trust, resilience, and demonstrable business value. GDPR imposes principle-based, risk-oriented obligations: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability. Regulators expect evidence—ROPA, DPIAs, TOMs, DSR handling, breach response, vendor due diligence, and lawful transfer mechanisms.

Gradum.io’s ESG General Maturity Model unifies leading frameworks into a single, practitioner-grade baseline. Built around the E-S-G pillars and material aspects, it harmonizes GRI, SASB, and ISSB principles, with optional sector extensions. It delivers structured diagnostics, pillar scores, and peer benchmarks for organizations of any size. Use it to cut through ESG complexity, map gaps to material topics, and prioritize investments with a clear, auditable roadmap. The model accelerates readiness for evolving regulations, strengthens governance and controls, and links operational KPIs to strategic outcomes—giving sustainability, finance, and risk teams a common, data-driven playbook.

The EU AI Act is no longer a distant possibility—it is an operational reality. The Gradum.io EU AI Act Maturity Model is the definitive framework for organizations to translate complex legal obligations into clear, measurable actions. We don’t just ask if you are compliant; we assess how mature your AI governance is across 11 critical domains. From "Initial" ad-hoc processes to "Optimized" automation, our model provides the granular gap analysis you need to navigate the world’s toughest AI regulation. Don’t wait for a fine to find your blind spots. Benchmark your readiness, mitigate systemic risk, and build Trustworthy AI that scales.

A Quick Check version of the HIPAA Extensive — Covered Entities maturity model. Reuses the same 12-domain architecture, the same 0–5 HIPAA compliance-oriented maturity scale, and verbatim questions selected from the extensive model. Each domain includes three high-signal questions chosen across different aspects to cover the most foundational and most-audited HIPAA Privacy, Security, and Breach Notification Rule obligations. Ideal for first-pass readiness scans, executive briefings, consulting engagement scoping, and pre-audit health checks. Results are structurally compatible with the extensive model so a Quick Check finding in any domain naturally upgrades into a full assessment of that domain.

Built on ISO/IEC 27001, this ISMS Maturity Model maps clauses 4–10 and Annex A (A.5–A.8) into three levels—Foundational, Managed, Optimized/Proactive—covering context, leadership, planning, operations, performance, and improvement. It targets security leaders in regulated and enterprise-facing organizations seeking a structured, evidence-driven path. Use it to stage initial certification, benchmark “paper compliance” against operational effectiveness, and drive continual improvement between surveillance audits. It clarifies risk treatment priorities, accelerates audit readiness, and provides defensible metrics for management review—helping SaaS, BFSI, healthcare, telecom, and manufacturing teams satisfy customer due-diligence and regulatory TOMs.

A quick-check maturity assessment of NIST SP 800-171 Rev 2 implementation for the US Defense Industrial Base, aligned with CMMC 2.0 Levels 1, 2, and 3. Covers all 14 NIST 800-171 control families plus a Gradum-native Program Governance & Strategy overlay capturing the program-level practices universally expected by C3PAO assessors (scoping, accountability, vendor governance, evidence strategy). CMMC L1 applicability tagged per the official 17-NIST-control L1 list (CMMC Level 1 Self-Assessment Guide v2.13, DoD CIO, September 2024). Designed for rapid self-assessment, partner-led DIB readiness engagements, and gap discovery prior to formal CMMC assessment.

A Quick Check version of the HIPAA Extensive — Business Associates maturity model. Reuses the same 12-domain architecture, the same 0–5 HIPAA compliance-oriented maturity scale, and verbatim questions selected from the extensive model. Each domain includes three high-signal questions chosen across different aspects to cover the most foundational BAA-driven Privacy obligations, directly applicable Security Rule safeguards, Breach notification to Covered Entities, and Subcontractor oversight duties. Ideal for first-pass readiness scans, customer-audit preparation, and consulting engagement scoping. Results are structurally compatible with the extensive model so a Quick Check finding in any domain naturally upgrades into a full assessment of that domain.

An extensive HIPAA maturity assessment model for Covered Entities aligned to the currently in-force HIPAA Privacy, Security, and Breach Notification Rules. The model uses a unified 12-domain architecture with applicability filtering for healthcare providers, health plans, healthcare clearinghouses, and hybrid entities. It is designed for cross-functional assessment by privacy, security, compliance, legal, HR, IT, facilities, and resilience stakeholders.

Built on CIS Controls v8, this maturity model operationalizes the three Implementation Groups (IG1–IG3) into measurable safeguards, control owners, evidence expectations, and remediation workflows. It targets organizations of any size and sector seeking prescriptive, prioritized cyber hygiene aligned with NIST CSF and common assurance frameworks. Benefits: risk-based scoring by IG, automated posture snapshots, and roadmaps that reduce MTTR and audit friction. Users gain defensible coverage mapping to ISO/IEC 27001 and SOC 2, heat-maps of control gaps, and role-specific actions—from asset inventory and secure configuration to vulnerability management, logging, and incident response, plus threat-informed prioritization, board-ready metrics, and continuous improvement cycles.

An extensive HIPAA maturity assessment model for Business Associates aligned to the currently in-force HIPAA Privacy, Security, and Breach Notification Rules. The model assesses BAA compliance, directly applicable Security Rule safeguards, Breach notification to Covered Entities, Subcontractor oversight, Workforce controls, physical safeguards, and contingency resilience. Proposed 2026 Security Rule concepts are treated only as readiness context, not as primary regulatory alignment.

Built on OWASP ASVS 5, this unified model maps the 17 chapters to Domains→Aspects→Questions and inherits L1–L3 as capability outcomes. Controls are assessed on a 1–5 maturity scale that embeds coverage; “3—Defined” is the compliance threshold used to compute achieved level. Use it to move beyond checklist audits: quantify control strength, surface material gaps by level, and auto-generate a risk-prioritized remediation roadmap to your chosen target (L1/L2/L3). Benchmark per domain, track deltas over time, and present defensible, evidence-based assurance to customers, auditors, and boards—accelerating sales while hardening production.

A multi-dimensional maturity assessment of NIST Special Publication 800-53 Revision 5. Each control is assessed across six dimensions — Policy & Governance, Process & Procedure, Technology & Automation, People & Competency, Measurement & Monitoring, and Assurance & Improvement — with a five-point scale anchored on the NIST 800-53A assessment objective at score 3 (Defined / Compliant) and leading-practice anchors at scores 4 and 5. Designed for enterprises and consulting partners running deep, defensible maturity engagements where control sophistication matters as much as control presence. Scope v1 = NIST SP 800-53B Moderate baseline (base controls and enhancements) plus the full Program Management (PM) and PII Processing and Transparency (PT) families, which apply program-wide regardless of impact baseline. High baseline content is reserved for v2.

The Gradum.io Cyber Security Health Check Model is the antidote to "Security Theater." In an era where organizations pass audits yet still get breached, this model digs deeper than standard compliance checklists. Covering 10 critical domains—from Board Governance and AI Security to Ransomware Resilience and Supply Chain Risk—it provides an unvarnished assessment of your true defensive posture. Designed for CISOs who need to speak the language of business, it transforms technical jargon into financial risk intelligence. Stop guessing if you are secure. Measure what matters, justify your budget, and build a defense that survives the worst day.