Professional frameworks

The right framework for every ambition

Browse our library of industry-validated maturity models. From cybersecurity to project management, find the ideal tool to measure, understand and improve your organization's performance.

What is a maturity model, and which one should you choose?

A maturity model is a structured assessment that measures an organization's capabilities against a defined framework, from an initial/ad hoc state up to optimized/leading. Gradum's library covers the most requested frameworks for cybersecurity (SOC-CMM, NIST CSF, CIS Controls), regulatory compliance (DORA, EU AI Act, ESG/CSRD) and governance. Choose the model that fits your goal (board reporting, supplier due diligence, internal benchmarking or regulatory preparation), invite your team and work through it together. You get a quantified score, an AI-prioritized improvement plan and a polished report to share.

21 models found


SOC Maturity Framework 360 (SOC360)

by Harald Reisinger and Marc Nimmerrichter

SOC Maturity Framework 360 (SOC360) is a multidimensional assessment model for Security Operations Centers. It combines governance, people, processes, technology, services and dedicated risk integration. Each capability is rated on its maturity, coverage and capacity, with references to ERM, MITRE ATT&CK, Cloud, OT/ICS and the supply chain. Users obtain an auditable baseline, risk-weighted alerts and a prioritized six-step roadmap with clear links to the business. CISOs demonstrate risk reduction through reliable KPIs (MTTD/MTTR, detection effectiveness, control coverage), justify budgets, focus effort on SOAR automation, strengthen Detection Engineering and Threat Hunting, and drive continuous improvement through Purple Teaming and BAS-assisted validation. SOC management communicates effectiveness clearly, pinpoints development potential and accelerates the transformation toward a resilient SOC. This maturity model was developed by Harald Reisinger and Marc Nimmerrichter.

Cybersecurity
6 domains
Tags: Security Operations, Cyber Resilience, Governance & Strategy, Risk Management, Audit & Assurance

C2M2 MIL-Aligned Cyber Maturity Model for Energy & Critical Infrastructure

by Gradum.io

Built on the U.S. Department of Energy’s C2M2, this model structures cybersecurity capability across OT and IT for energy and other critical infrastructure operators. It mirrors official Maturity Indicator Levels (MIL1–MIL3) and decomposes domain practices into measurable controls, evidence expectations, and role ownership—ready-made for Gradum.io assessments and road-mapping. Use it to baseline current posture, quantify risk reduction, and generate defensible remediation plans. Alignment with MILs accelerates audit readiness, supports NERC CIP/NIST CSF mappings, and clarifies OT/ICS accountability. The result: prioritized investment, improved incident preparedness, tighter supplier oversight, and demonstrable progress toward resilient, regulator-trusted cyber operations.

Cybersecurity
10 domains
Tags: Critical Infrastructure, Cyber Resilience, Risk Management, Regulatory Compliance, Information Security

SOC Capability Maturity Model (SOC-CMM)

by Rob van Os

SOC-CMM was founded in 2017 to help security operations centers (SOCs) measure and increase their maturity. Since its initial design and publication, SOC-CMM has grown into a de facto global standard for assessing capability maturity within SOCs.

Cybersecurity
5 domains
Tags: Security Operations, Cyber Resilience, Governance & Strategy, Audit & Assurance

NIS2 Capability and Resilience Maturity Model (L1–L3)

by Gradum.io

The NIS2 maturity model translates the EU's legal obligations into an actionable capability roadmap across eight domains and nineteen aspects. Using a three-level scale (Level 1: Foundational, Level 2: Managed, Level 3: Optimized and Proactive), it examines 125 controls covering governance, the technical measures of Article 21, incident reporting and supply-chain risk. It gives CISOs, DPOs and OT leaders a path from basic preparation to demonstrable compliance and resilience. Balanced diagnostics highlight gaps, prioritize remediation and prove due diligence to regulators and auditors. The results feed board reporting, supplier assurance and continuous improvement beyond mere box-ticking compliance. Cross-sector benchmarking clarifies risk appetite, control ownership and KPIs.

Cybersecurity
10 domains
Tags: Regulatory Compliance, Cyber Resilience, Critical Infrastructure, Governance & Strategy, Security Operations

ESG EU CSRD Readiness Navigator: ESRS-Aligned Regulatory Maturity Model

by Gradum.io

Built for the EU Corporate Sustainability Reporting Directive, this maturity model operationalizes ESRS-aligned requirements across four pillars—Governance & Strategy, Double Materiality, ESRS Data Management & Reporting, and Value-Chain Due Diligence—through 60 rigorously scoped questions calibrated across three capability levels, covering baseline, managed, and optimized practices. It benchmarks readiness for mandatory disclosures, pinpoints control gaps, and prioritizes remediation without conflating strategic “should do” improvements with legal “must do” obligations. Specialists gain audit-ready transparency, defensible evidence trails, and a modular fit with enterprise ESG roadmaps—accelerating CSRD readiness, reducing reporting risk, and aligning board oversight with verifiable ESRS data integrity.

ESG
4 domains
Tags: ESG & Sustainability, Regulatory Compliance, Governance & Strategy, Third-Party & Supply Chain, Audit & Assurance

NIST CSF 2.0 Capability Maturity Model: Risk-Based Roadmap & Benchmark

by Gradum.io

This maturity model operationalizes NIST CSF 2.0 across six Functions—Govern, Identify, Protect, Detect, Respond, Recover—mapped to Categories and Subcategories as Domains → Aspects → Questions. It yields Current and Target Profiles and a tiered capability scale (L1 Foundational, L2 Managed, L3 Optimized) aligned to risk. Benefits: clear prioritization across Functions, defensible roadmap, and budget-ready metrics. Leaders benchmark posture, justify investments, and track risk reduction with concise scoring. Engineers get prescriptive next steps; auditors see evidence trails. The pyramid distribution anchors foundational controls while enabling progressive detection, response, and recovery excellence, enterprise-wide. It standardizes risk language for boards and regulators.

Cybersecurity
6 domains
Tags: Information Security, Governance & Strategy, Cyber Resilience, Risk Management, Audit & Assurance

EU ESG CSDDD Due Diligence Maturity Model: From Policy to Proof

by Gradum.io

Anchored to EU CSDDD articles and built atop your Unified Core ESG Model, this maturity model assesses due-diligence capability across governance, salience and impact identification, prevention/mitigation, stakeholder engagement, and monitoring/disclosure. It targets in-scope EU and non-EU groups, translating statutory obligations into operational processes, control objectives, and verifiable evidence requirements. Use it to baseline readiness, prioritize remediation, and sequence an executable roadmap; embed risk-based value-chain controls, grievance mechanisms, supplier engagement, and board oversight; and demonstrate continuous improvement to regulators, investors, and audit committees. The diamond-weighted levels surface foundational gaps while driving managed practices and advanced integration across functions.

ESG
5 domains
Tags: ESG & Sustainability, Third-Party & Supply Chain, Regulatory Compliance, Governance & Strategy, Risk Management

DORA Resilience Navigator — Level 1–3 Capability Maturity Model

by Gradum.io

This DORA Maturity Model translates the EU’s Digital Operational Resilience Act into an actionable L1–L2–L3 capability roadmap across ICT risk, third-party risk, incident management, resilience testing, and information-sharing. Built for financial institutions and critical ICT providers, it assesses control design, operating effectiveness, and governance. Benefits: it moves programs beyond checklist compliance to measurable resilience, aligning KRIs, RTO/RPOs, and SLAs with business impact. Benchmark current posture, prioritize remediation, evidence readiness for supervisors, and prepare for TLPT under DORA. The model surfaces dependencies on critical third parties and drives continuous improvement through risk-based testing and board-level oversight.

Cyber Resilience
5 domains
Tags: Operational Resilience, Regulatory Compliance, Risk Management, Third-Party & Supply Chain, Security Operations

GDPR Capability Maturity Model: From Baseline Compliance to Proactive Trust

by Gradum.io

Built from the GDPR’s 99 articles, this model translates legal obligations into a practical Domains→Aspects framework with three capability levels: Foundational, Managed, and Optimized. It scopes policies, processes, controls and evidence across the data lifecycle, targeting DPOs, CISOs, product owners and privacy engineers. It provides a defensible baseline, a measurable roadmap, and audit-ready artefacts. Organizations reduce enforcement risk, accelerate DPIAs, embed privacy by design/default, and align security and data governance. The model supports vendor assurance, Board reporting, and continuous improvement—turning compliance into trust, resilience, and demonstrable business value. GDPR imposes principle-based, risk-oriented obligations: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability. Regulators expect evidence—ROPA, DPIAs, TOMs, DSR handling, breach response, vendor due diligence, and lawful transfer mechanisms.

Data Protection
6 domains
Tags: Privacy & Data Protection, Regulatory Compliance, Governance & Strategy, Risk Management, Audit & Assurance

ESG General Maturity Model — Harmonized Baseline, Peer Benchmarking, Actionable Roadmap

by Gradum.io

Gradum.io’s ESG General Maturity Model unifies leading frameworks into a single, practitioner-grade baseline. Built around the E-S-G pillars and material aspects, it harmonizes GRI, SASB, and ISSB principles, with optional sector extensions. It delivers structured diagnostics, pillar scores, and peer benchmarks for organizations of any size. Use it to cut through ESG complexity, map gaps to material topics, and prioritize investments with a clear, auditable roadmap. The model accelerates readiness for evolving regulations, strengthens governance and controls, and links operational KPIs to strategic outcomes—giving sustainability, finance, and risk teams a common, data-driven playbook.

ESG
5 domains
Tags: ESG & Sustainability, Governance & Strategy, Risk Management, Audit & Assurance

EU AI Act Maturity Model: A Strategic Roadmap to Trustworthy AI

by Gradum.io

The EU AI Act is no longer a distant possibility—it is an operational reality. The Gradum.io EU AI Act Maturity Model is the definitive framework for organizations to translate complex legal obligations into clear, measurable actions. We don’t just ask if you are compliant; we assess how mature your AI governance is across 11 critical domains. From "Initial" ad-hoc processes to "Optimized" automation, our model provides the granular gap analysis you need to navigate the world’s toughest AI regulation. Don’t wait for a fine to find your blind spots. Benchmark your readiness, mitigate systemic risk, and build Trustworthy AI that scales.

AI
11 domains
Tags: Emerging Tech & AI, Regulatory Compliance, Governance & Strategy, Risk Management, Audit & Assurance

HIPAA Quick Check — Covered Entities

by Gradum.io

A Quick Check version of the HIPAA Extensive — Covered Entities maturity model. Reuses the same 12-domain architecture, the same 0–5 HIPAA compliance-oriented maturity scale, and verbatim questions selected from the extensive model. Each domain includes three high-signal questions chosen across different aspects to cover the most foundational and most-audited HIPAA Privacy, Security, and Breach Notification Rule obligations. Ideal for first-pass readiness scans, executive briefings, consulting engagement scoping, and pre-audit health checks. Results are structurally compatible with the extensive model so a Quick Check finding in any domain naturally upgrades into a full assessment of that domain.

Healthcare
12 domains
Tags: HIPAA, Covered Entities, Healthcare Compliance, Privacy Rule, Security Rule, Breach Notification Rule, HITECH, 45 CFR Part 160, 45 CFR Part 164, OCR Audit Protocol, NIST SP 800-66 Rev. 2, PHI, ePHI, Healthcare Privacy, Healthcare Cybersecurity, Quick Check, Maturity Snapshot

ISO/IEC 27001 ISMS Maturity Model: From Compliance to Operational Excellence

by Gradum.io

Built on ISO/IEC 27001, this ISMS Maturity Model maps clauses 4–10 and Annex A (A.5–A.8) into three levels—Foundational, Managed, Optimized/Proactive—covering context, leadership, planning, operations, performance, and improvement. It targets security leaders in regulated and enterprise-facing organizations seeking a structured, evidence-driven path. Use it to stage initial certification, benchmark “paper compliance” against operational effectiveness, and drive continual improvement between surveillance audits. It clarifies risk treatment priorities, accelerates audit readiness, and provides defensible metrics for management review—helping SaaS, BFSI, healthcare, telecom, and manufacturing teams satisfy customer due-diligence and regulatory TOMs.

Security Compliance
11 domains
Tags: Information Security, Governance & Strategy, Audit & Assurance, Risk Management, Security Operations

NIST SP 800-171 / CMMC 2.0 Quick Check (US DIB)

by Gradum.io

A quick-check maturity assessment of NIST SP 800-171 Rev 2 implementation for the US Defense Industrial Base, aligned with CMMC 2.0 Levels 1, 2, and 3. Covers all 14 NIST 800-171 control families plus a Gradum-native Program Governance & Strategy overlay capturing the program-level practices universally expected by C3PAO assessors (scoping, accountability, vendor governance, evidence strategy). CMMC L1 applicability tagged per the official 17-NIST-control L1 list (CMMC Level 1 Self-Assessment Guide v2.13, DoD CIO, September 2024). Designed for rapid self-assessment, partner-led DIB readiness engagements, and gap discovery prior to formal CMMC assessment.

Cybersecurity
15 domains
Tags: NIST, NIST SP 800-171, CMMC, CMMC 2.0, DFARS, CUI, FCI, DIB, Defense, Quick Check

HIPAA Quick Check — Business Associates

by Gradum.io

A Quick Check version of the HIPAA Extensive — Business Associates maturity model. Reuses the same 12-domain architecture, the same 0–5 HIPAA compliance-oriented maturity scale, and verbatim questions selected from the extensive model. Each domain includes three high-signal questions chosen across different aspects to cover the most foundational BAA-driven Privacy obligations, directly applicable Security Rule safeguards, Breach notification to Covered Entities, and Subcontractor oversight duties. Ideal for first-pass readiness scans, customer-audit preparation, and consulting engagement scoping. Results are structurally compatible with the extensive model so a Quick Check finding in any domain naturally upgrades into a full assessment of that domain.

Healthcare
12 domains
Tags: HIPAA, Business Associates, BAA, Subcontractor Management, Healthcare Compliance, Privacy Rule, Security Rule, Breach Notification Rule, HITECH, 45 CFR Part 160, 45 CFR Part 164, OCR Audit Protocol, NIST SP 800-66 Rev. 2, PHI, ePHI, Healthcare Privacy, Healthcare Cybersecurity, HITRUST, Quick Check, Maturity Snapshot

HIPAA Extensive — Covered Entities

An extensive HIPAA maturity assessment model for Covered Entities aligned to the currently in-force HIPAA Privacy, Security, and Breach Notification Rules. The model uses a unified 12-domain architecture with applicability filtering for healthcare providers, health plans, healthcare clearinghouses, and hybrid entities. It is designed for cross-functional assessment by privacy, security, compliance, legal, HR, IT, facilities, and resilience stakeholders.

Healthcare
12 domains
Tags: HIPAA, Covered Entities, Healthcare Compliance, Privacy Rule, Security Rule, Breach Notification Rule, HITECH, 45 CFR Part 160, 45 CFR Part 164, OCR Audit Protocol, NIST SP 800-66 Rev. 2, PHI, ePHI, Healthcare Privacy, Healthcare Cybersecurity

CIS Controls v8 Maturity Navigator (IG1–IG3 Operational Assessment)

by Gradum.io

Built on CIS Controls v8, this maturity model operationalizes the three Implementation Groups (IG1–IG3) into measurable safeguards, control owners, evidence expectations, and remediation workflows. It targets organizations of any size and sector seeking prescriptive, prioritized cyber hygiene aligned with NIST CSF and common assurance frameworks. Benefits: risk-based scoring by IG, automated posture snapshots, and roadmaps that reduce MTTR and audit friction. Users gain defensible coverage mapping to ISO/IEC 27001 and SOC 2, heat-maps of control gaps, and role-specific actions—from asset inventory and secure configuration to vulnerability management, logging, and incident response, plus threat-informed prioritization, board-ready metrics, and continuous improvement cycles.

Cybersecurity
18 domains
Tags: Information Security, Security Operations, Threat-Informed Defense, Cyber Resilience, Audit & Assurance

HIPAA Extensive — Business Associates

An extensive HIPAA maturity assessment model for Business Associates aligned to the currently in-force HIPAA Privacy, Security, and Breach Notification Rules. The model assesses BAA compliance, directly applicable Security Rule safeguards, Breach notification to Covered Entities, Subcontractor oversight, Workforce controls, physical safeguards, and contingency resilience. Proposed 2026 Security Rule concepts are treated only as readiness context, not as primary regulatory alignment.

Healthcare
12 domains
Tags: HIPAA, Business Associates, BAA, Subcontractor Management, Healthcare Compliance, Privacy Rule, Security Rule, Breach Notification Rule, HITECH, 45 CFR Part 160, 45 CFR Part 164, OCR Audit Protocol, NIST SP 800-66 Rev. 2, PHI, ePHI, Healthcare Privacy, Healthcare Cybersecurity, HITRUST

OWASP ASVS 5 Unified AppSec Maturity: From Baseline to Resilience

by Gradum.io

Built on OWASP ASVS 5, this unified model maps the 17 chapters to Domains→Aspects→Questions and inherits L1–L3 as capability outcomes. Controls are assessed on a 1–5 maturity scale that embeds coverage; “3—Defined” is the compliance threshold used to compute achieved level. Use it to move beyond checklist audits: quantify control strength, surface material gaps by level, and auto-generate a risk-prioritized remediation roadmap to your chosen target (L1/L2/L3). Benchmark per domain, track deltas over time, and present defensible, evidence-based assurance to customers, auditors, and boards—accelerating sales while hardening production.

Application Security
17 domains
Tags: Application & DevSecOps, Information Security, Audit & Assurance, Threat-Informed Defense

NIST SP 800-53 Rev. 5 Security & Privacy Controls Navigator

by Gradum.io

A multi-dimensional maturity assessment of NIST Special Publication 800-53 Revision 5. Each control is assessed across six dimensions — Policy & Governance, Process & Procedure, Technology & Automation, People & Competency, Measurement & Monitoring, and Assurance & Improvement — with a five-point scale anchored on the NIST 800-53A assessment objective at score 3 (Defined / Compliant) and leading-practice anchors at scores 4 and 5. Designed for enterprises and consulting partners running deep, defensible maturity engagements where control sophistication matters as much as control presence. Scope v1 = NIST SP 800-53B Moderate baseline (base controls and enhancements) plus the full Program Management (PM) and PII Processing and Transparency (PT) families, which apply program-wide regardless of impact baseline. High baseline content is reserved for v2.

General
20 domains
Tags: NIST, NIST SP 800-53, NIST 800-53 Rev 5, FedRAMP, Moderate Baseline, Deep Assessment, Multi-dimensional, Maturity Model, Privacy, Program Management

Cyber Security Health Check

by Harald Reisinger

The Gradum.io Cyber Security Health Check Model is the antidote to "Security Theater." In an era where organizations pass audits yet still get breached, this model digs deeper than standard compliance checklists. Covering 10 critical domains—from Board Governance and AI Security to Ransomware Resilience and Supply Chain Risk—it provides an unvarnished assessment of your true defensive posture. Designed for CISOs who need to speak the language of business, it transforms technical jargon into financial risk intelligence. Stop guessing if you are secure. Measure what matters, justify your budget, and build a defense that survives the worst day.

Cybersecurity
10 domains
Tags: Cyber Resilience, Security Operations, Risk Management, Governance & Strategy, Application & DevSecOps
