The Right Framework for Every Ambition
SOC Maturity Framework 360 (SOC360)
by Harald Reisinger and Marc Nimmerrichter
SOC Maturity Framework 360 (SOC360) is a multi-dimensional assessment for Security Operations Centers that combines governance, people, process, technology, and services with a dedicated Risk Integration domain. Each capability is scored on three axes (Maturity, Coverage, and Capability) and mapped to enterprise risk management (ERM), MITRE ATT&CK, cloud, OT/ICS, and supply-chain contexts. Practitioners gain an audit-ready baseline, a risk-based alerting design, and a prioritized six-level roadmap tied to business impact. CISOs can evidence risk reduction with defensible KPIs (MTTD, MTTR, detection efficacy, control coverage), justify SOC funding, target SOAR automation, strengthen detection engineering and threat hunting, and drive continuous improvement through purple-team and breach-and-attack-simulation (BAS) validation.
SOC Capability Maturity Model (SOC-CMM)
by Rob van Os
SOC-CMM was created in 2017 to help security operations centers (SOCs) measure and increase their maturity. Since its initial release, the SOC-CMM has grown to become a global de facto standard for capability maturity assessment within SOCs.
C2M2 MIL-Aligned Cyber Maturity Model for Energy & Critical Infrastructure
by Gradum.io
Built on the U.S. Department of Energy's Cybersecurity Capability Maturity Model (C2M2), this model structures cybersecurity capability across OT and IT for energy and other critical infrastructure operators. It mirrors the official Maturity Indicator Levels (MIL1–MIL3) and decomposes domain practices into measurable controls, evidence expectations, and role ownership, ready-made for Gradum.io assessments and road-mapping. Use it to baseline current posture, quantify risk reduction, and generate defensible remediation plans. Alignment with MILs accelerates audit readiness, supports NERC CIP and NIST CSF mappings, and clarifies OT/ICS accountability. The result: prioritized investment, improved incident preparedness, tighter supplier oversight, and demonstrable progress toward resilient, regulator-trusted cyber operations.
DORA Resilience Navigator: Level 1–3 Capability Maturity Model
by Gradum.io
This DORA Maturity Model translates the EU's Digital Operational Resilience Act into an actionable three-level (L1–L3) capability roadmap across ICT risk, third-party risk, incident management, resilience testing, and information-sharing. Built for financial institutions and critical ICT providers, it assesses control design, operating effectiveness, and governance. It moves programs beyond checklist compliance to measurable resilience, aligning KRIs, RTO/RPO targets, and SLAs with business impact. Benchmark current posture, prioritize remediation, evidence readiness for supervisors, and prepare for threat-led penetration testing (TLPT) under DORA. The model surfaces dependencies on critical third parties and drives continuous improvement through risk-based testing and board-level oversight.
ISO/IEC 27001 ISMS Maturity Model: From Compliance to Operational Excellence
by Gradum.io
Built on ISO/IEC 27001, this ISMS Maturity Model maps clauses 4–10 and Annex A (A.5–A.8) into three levels (Foundational, Managed, Optimized/Proactive) covering context, leadership, planning, operations, performance, and improvement. It targets security leaders in regulated and enterprise-facing organizations seeking a structured, evidence-driven path. Use it to stage initial certification, benchmark "paper compliance" against operational effectiveness, and drive continual improvement between surveillance audits. It clarifies risk treatment priorities, accelerates audit readiness, and provides defensible metrics for management review, helping SaaS, BFSI, healthcare, telecom, and manufacturing teams satisfy customer due diligence and regulatory TOMs (technical and organisational measures).
CIS Controls v8 Maturity Navigator (IG1–IG3 Operational Assessment)
by Gradum.io
Built on CIS Controls v8, this maturity model operationalizes the three Implementation Groups (IG1–IG3) into measurable safeguards, control owners, evidence expectations, and remediation workflows. It targets organizations of any size and sector seeking prescriptive, prioritized cyber hygiene aligned with NIST CSF and common assurance frameworks. It delivers risk-based scoring by IG, automated posture snapshots, and roadmaps that reduce MTTR and audit friction. Users gain defensible coverage mapping to ISO/IEC 27001 and SOC 2, heat-maps of control gaps, and role-specific actions, from asset inventory and secure configuration to vulnerability management, logging, and incident response, plus threat-informed prioritization, board-ready metrics, and continuous improvement cycles.
EU AI Act Maturity Model: A Strategic Roadmap to Trustworthy AI
by Gradum.io
The EU AI Act is no longer a distant possibility: it is an operational reality. The Gradum.io EU AI Act Maturity Model is a framework for translating its legal obligations into clear, measurable actions. It does not just ask whether you are compliant; it assesses how mature your AI governance is across 11 critical domains, from "Initial" ad-hoc processes to "Optimized" automation, and provides the granular gap analysis needed to navigate the world's most demanding AI regulation. Don't wait for a fine to find your blind spots: benchmark your readiness, mitigate systemic risk, and build trustworthy AI that scales.
ESG EU CSRD Readiness Navigator: ESRS-Aligned Regulatory Maturity Model
by Gradum.io
Built for the EU Corporate Sustainability Reporting Directive, this maturity model operationalizes ESRS-aligned requirements across four pillars (Governance & Strategy, Double Materiality, ESRS Data Management & Reporting, and Value-Chain Due Diligence) through 60 rigorously scoped questions calibrated across three capability levels covering baseline, managed, and optimized practices. It benchmarks readiness for mandatory disclosures, pinpoints control gaps, and prioritizes remediation without conflating strategic "should do" improvements with legal "must do" obligations. Specialists gain audit-ready transparency, defensible evidence trails, and a modular fit with enterprise ESG roadmaps, accelerating CSRD readiness, reducing reporting risk, and aligning board oversight with verifiable ESRS data integrity.
EU ESG CSDDD Due Diligence Maturity Model: From Policy to Proof
by Gradum.io
Anchored to EU CSDDD articles and built atop your Unified Core ESG Model, this maturity model assesses due-diligence capability across governance, salience and impact identification, prevention/mitigation, stakeholder engagement, and monitoring/disclosure. It targets in-scope EU and non-EU groups, translating statutory obligations into operational processes, control objectives, and verifiable evidence requirements. Use it to baseline readiness, prioritize remediation, and sequence an executable roadmap; embed risk-based value-chain controls, grievance mechanisms, supplier engagement, and board oversight; and demonstrate continuous improvement to regulators, investors, and audit committees. The diamond-weighted levels surface foundational gaps while driving managed practices and advanced integration across functions.
OWASP ASVS 5 Unified AppSec Maturity: From Baseline to Resilience
by Gradum.io
Built on OWASP ASVS 5, this unified model maps the 17 chapters to Domains → Aspects → Questions and inherits L1–L3 as capability outcomes. Controls are assessed on a 1–5 maturity scale that embeds coverage; "3 (Defined)" is the compliance threshold used to compute the achieved level. Use it to move beyond checklist audits: quantify control strength, surface material gaps by level, and auto-generate a risk-prioritized remediation roadmap toward your chosen target (L1, L2, or L3). Benchmark per domain, track deltas over time, and present defensible, evidence-based assurance to customers, auditors, and boards, accelerating sales while hardening production.
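The description above gives the scoring rule (1–5 per control, 3 as the threshold) but not the arithmetic behind "achieved level". The following Python is an added illustration, not Gradum.io's code, of one consistent way to compute it. It assumes the ASVS convention that levels are cumulative (L2 includes every L1 requirement, L3 every L2 one), so a level counts as achieved only when every control at or below it scores at least 3; the control ids and scores in `SAMPLE` are constructed, not a real ASVS mapping.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed from the page: controls are scored 1-5 and "3 (Defined)" is the
# compliance threshold. The cumulative-level rule below is an assumption
# about how "achieved level" is derived, not the vendor's documented formula.
DEFINED = 3
LEVELS = (1, 2, 3)


@dataclass(frozen=True)
class ControlScore:
    control_id: str  # e.g. "V2.1.1"; the chapter is the part before the first dot
    level: int       # lowest ASVS level (1-3) at which the requirement applies
    score: int       # assessed maturity, 1 (ad hoc) .. 5 (optimized)

    def __post_init__(self) -> None:
        # Reject malformed assessment rows early instead of silently skewing results.
        if self.level not in LEVELS:
            raise ValueError(f"{self.control_id}: level must be 1-3, got {self.level}")
        if not 1 <= self.score <= 5:
            raise ValueError(f"{self.control_id}: score must be 1-5, got {self.score}")

    @property
    def chapter(self) -> str:
        return self.control_id.split(".", 1)[0]


def achieved_level(scores, threshold=DEFINED) -> int:
    """Highest ASVS level (0 if none) at which every applicable control scores >= threshold."""
    achieved = 0
    for lvl in LEVELS:
        applicable = [s for s in scores if s.level <= lvl]
        # No evidence at a level counts as not achieved, never as a free pass.
        if applicable and all(s.score >= threshold for s in applicable):
            achieved = lvl
        else:
            break  # cumulative: a failed L2 means L3 cannot be achieved either
    return achieved


def gaps_to_target(scores, target, threshold=DEFINED):
    """Controls that block the target level, lowest level and worst score first."""
    if target not in LEVELS:
        raise ValueError(f"target must be 1-3, got {target}")
    blocking = [s for s in scores if s.level <= target and s.score < threshold]
    return sorted(blocking, key=lambda s: (s.level, s.score, s.control_id))


def chapter_benchmark(scores):
    """Mean maturity per chapter, for the per-domain benchmarking the model describes."""
    by_chapter = defaultdict(list)
    for s in scores:
        by_chapter[s.chapter].append(s.score)
    return {ch: round(sum(v) / len(v), 2) for ch, v in sorted(by_chapter.items())}


# Constructed sample assessment: hypothetical ids, not a real ASVS mapping.
SAMPLE = [
    ControlScore("V2.1.1", 1, 4),
    ControlScore("V2.1.2", 1, 3),
    ControlScore("V3.2.1", 2, 2),
    ControlScore("V3.3.1", 2, 5),
    ControlScore("V6.2.1", 3, 1),
]

if __name__ == "__main__":
    print("achieved level:", achieved_level(SAMPLE))  # 1
    for gap in gaps_to_target(SAMPLE, target=3):
        print(f"gap for L{gap.level}: {gap.control_id} scored {gap.score}")
    print(chapter_benchmark(SAMPLE))
```

With the sample data the organisation reaches L1 only: one L2 control scores 2, so L2 and everything above it is blocked regardless of the strong L2 score elsewhere. The ordering in `gaps_to_target` is what makes the output a roadmap rather than a list: the cheapest unlock (the lowest blocked level, worst control first) comes out on top.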
GDPR Capability Maturity Model: From Baseline Compliance to Proactive Trust
by Gradum.io
Built from the GDPR's 99 articles, this model translates legal obligations into a practical Domains → Aspects framework with three capability levels: Foundational, Managed, and Optimized. It scopes policies, processes, controls and evidence across the data lifecycle, targeting DPOs, CISOs, product owners and privacy engineers. It provides a defensible baseline, a measurable roadmap, and audit-ready artefacts. Organizations reduce enforcement risk, accelerate DPIAs, embed privacy by design and by default, and align security and data governance. The model supports vendor assurance, board reporting, and continuous improvement, turning compliance into trust, resilience, and demonstrable business value. GDPR imposes principle-based, risk-oriented obligations: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability. Regulators expect evidence: records of processing activities (ROPA), DPIAs, technical and organisational measures (TOMs), data subject request (DSR) handling, breach response, vendor due diligence, and lawful transfer mechanisms.
NIST CSF 2.0 Capability Maturity Model: Risk-Based Roadmap & Benchmark
by Gradum.io
This maturity model operationalizes NIST CSF 2.0 across its six Functions (Govern, Identify, Protect, Detect, Respond, Recover), mapping Categories and Subcategories to Domains → Aspects → Questions. It yields Current and Target Profiles and a tiered capability scale (L1 Foundational, L2 Managed, L3 Optimized) aligned to risk. Leaders get clear prioritization across Functions, a defensible roadmap, and budget-ready metrics to benchmark posture, justify investments, and track risk reduction with concise scoring. Engineers get prescriptive next steps; auditors see evidence trails. The pyramid distribution anchors foundational controls while enabling progressive detection, response, and recovery excellence enterprise-wide, and it standardizes risk language for boards and regulators.
CMMC Level 2 Navigator: NIST SP 800-171 Maturity Model
by Gradum.io
Built for the Defense Industrial Base, this maturity model maps the 14 NIST SP 800-171 control families to Gradum Domains, binds all 110 requirements to Aspects and Questions, and stages capability across Foundational, Managed, and Optimized levels, explicitly targeting CMMC Level 2 readiness and sustained conformance. Use it to triage gaps, prioritize remediation, and operationalize policy-to-control traceability. The diamond distribution concentrates effort where assessors look, accelerates evidence collection, and hardens audit defensibility. Specialists gain repeatable workflows, supplier comparability, and DFARS-aligned reporting; executives get risk visibility, measurable maturity deltas, and a governed path to contract eligibility.
NIS2 Capability & Resilience Maturity Model (L1–L3)
by Gradum.io
The NIS2 Maturity Model translates EU legal obligations into an actionable capability roadmap across eight domains and nineteen aspects. Using a three-tier scale (Level 1 Foundational, Level 2 Managed, Level 3 Optimized & Proactive), it probes 125 controls spanning governance, the Article 21 technical measures, incident reporting, and supply-chain risk. It gives CISOs, DPOs, and OT leads a path from baseline readiness to demonstrable compliance and resilience. Balanced diagnostics surface gaps, prioritize remediation, and evidence due diligence for regulators and auditors. Results drive board reporting, vendor assurance, and continuous improvement beyond checkbox compliance. Benchmarking across sectors clarifies risk appetite, control ownership, and KPIs.
ESG General Maturity Model: Harmonized Baseline, Peer Benchmarking, Actionable Roadmap
by Gradum.io
Gradum.io's ESG General Maturity Model unifies leading frameworks into a single, practitioner-grade baseline. Built around the E-S-G pillars and material aspects, it harmonizes GRI, SASB, and ISSB principles, with optional sector extensions. It delivers structured diagnostics, pillar scores, and peer benchmarks for organizations of any size. Use it to cut through ESG complexity, map gaps to material topics, and prioritize investments with a clear, auditable roadmap. The model accelerates readiness for evolving regulations, strengthens governance and controls, and links operational KPIs to strategic outcomes, giving sustainability, finance, and risk teams a common, data-driven playbook.
Cyber Security Health Check
by Harald Reisinger
The Gradum.io Cyber Security Health Check Model is the antidote to "security theater." In an era where organizations pass audits yet still get breached, this model digs deeper than standard compliance checklists. Covering 10 critical domains, from board governance and AI security to ransomware resilience and supply-chain risk, it provides an unvarnished assessment of your true defensive posture. Designed for CISOs who need to speak the language of business, it translates technical findings into financial risk intelligence. Stop guessing whether you are secure: measure what matters, justify your budget, and build a defense that survives the worst day.