Maturity Models

SOC Maturity Framework 360 (SOC360)

by Harald Reisinger and Marc Nimmerrichter

SOC Maturity Framework 360 (SOC360) is a multi-dimensional assessment for Security Operations Centers that fuses governance, people, process, technology, services, and a dedicated Risk Integration domain. It scores each capability across Maturity, Coverage, and Capability, mapping to ERM, MITRE ATT&CK, cloud, OT/ICS, and supply-chain. Practitioners gain an audit-ready baseline, risk-based alerting design, and a prioritized, six-level roadmap tied to business impact. CISOs can evidence risk reduction with defensible KPIs (MTTD/MTTR, detection efficacy, control coverage), justify SOC funding, target automation with SOAR, strengthen detection engineering and threat hunting, and orchestrate continuous improvement through purple-team and BAS-driven validation. This model was created by Harald Reisinger and Marc Nimmerrichter.

Cyber Security

6Domains

Security OperationsCyber ResilienceGovernance & StrategyRisk ManagementAudit & Assurance

SOC Capability Maturity Model (SOC-CMM)

by Rob van Os

SOC-CMM was founded in 2017 to help security operations centers (SOC) measure and increase their maturity. Since its initial conception and release, the SOC-CMM has grown to become a global de facto standard for capability maturity assessment within SOCs.

Cyber Security

5Domains

Security OperationsCyber ResilienceGovernance & StrategyAudit & Assurance

NIS2 Capability & Resilience Maturity Model (L1–L3)

by Gradum.io

The NIS2 Maturity Model translates EU legal obligations into an actionable capability roadmap across ten domains and twenty-four aspects. Using a three-tier scale—Level 1 (Foundational), Level 2 (Managed), Level 3 (Optimized & Proactive)—it probes 145 controls spanning governance, Article 21 technical measures, incident reporting, and supply-chain risk. It gives CISOs, DPOs, and OT leads a path from baseline readiness to demonstrable compliance and resilience. Balanced diagnostics surface gaps, prioritize remediation, and evidence due diligence for regulators and auditors. Results drive board reporting, vendor assurance, and continuous improvement beyond checkbox compliance. Benchmarking across sectors clarifies risk appetite, control ownership, and KPIs.

Cyber Security

10Domains

Regulatory ComplianceCyber ResilienceCritical InfrastructureGovernance & StrategySecurity Operations

EU AI Act Maturity Model: A Strategic Roadmap to Trustworthy AI

by Gradum.io

The EU AI Act is no longer a distant possibility—it is an operational reality. The Gradum.io EU AI Act Maturity Model is the definitive framework for organizations to translate complex legal obligations into clear, measurable actions. We don’t just ask if you are compliant; we assess how mature your AI governance is across 11 critical domains. From "Initial" ad-hoc processes to "Optimized" automation, our model provides the granular gap analysis you need to navigate the world’s toughest AI regulation. Don’t wait for a fine to find your blind spots. Benchmark your readiness, mitigate systemic risk, and build Trustworthy AI that scales.

AI

11Domains

Emerging Tech & AIRegulatory ComplianceGovernance & StrategyRisk ManagementAudit & Assurance

ESG EU CSRD Readiness Navigator: ESRS-Aligned Regulatory Maturity Model

by Gradum.io

Built for the EU Corporate Sustainability Reporting Directive, this maturity model operationalizes ESRS-aligned requirements across four pillars—Governance & Strategy, Double Materiality, ESRS Data Management & Reporting, and Value-Chain Due Diligence—through 60 rigorously scoped questions calibrated across three capability levels, covering baseline, managed, and optimized practices. It benchmarks readiness for mandatory disclosures, pinpoints control gaps, and prioritizes remediation without conflating strategic “should do” improvements with legal “must do” obligations. Specialists gain audit-ready transparency, defensible evidence trails, and a modular fit with enterprise ESG roadmaps—accelerating CSRD readiness, reducing reporting risk, and aligning board oversight with verifiable ESRS data integrity.

ESG

4Domains

ESG & SustainabilityRegulatory ComplianceGovernance & StrategyThird-Party & Supply ChainAudit & Assurance

NIST CSF 2.0 Capability Maturity Model: Risk-Based Roadmap & Benchmark

by Gradum.io

This maturity model operationalizes NIST CSF 2.0 across six Functions—Govern, Identify, Protect, Detect, Respond, Recover—mapped to Categories and Subcategories as Domains → Aspects → Questions. It yields Current and Target Profiles and a tiered capability scale (L1 Foundational, L2 Managed, L3 Optimized) aligned to risk. Benefits: clear prioritization across Functions, defensible roadmap, and budget-ready metrics. Leaders benchmark posture, justify investments, and track risk reduction with concise scoring. Engineers get prescriptive next steps; auditors see evidence trails. The pyramid distribution anchors foundational controls while enabling progressive detection, response, and recovery excellence, enterprise-wide. It standardizes risk language for boards and regulators.

Cyber Security

6Domains

Information SecurityGovernance & StrategyCyber ResilienceRisk ManagementAudit & Assurance

EU ESG CSDDD Due Diligence Maturity Model: From Policy to Proof

by Gradum.io

Anchored to EU CSDDD articles and built atop your Unified Core ESG Model, this maturity model assesses due-diligence capability across governance, salience and impact identification, prevention/mitigation, stakeholder engagement, and monitoring/disclosure. It targets in-scope EU and non-EU groups, translating statutory obligations into operational processes, control objectives, and verifiable evidence requirements. Use it to baseline readiness, prioritize remediation, and sequence an executable roadmap; embed risk-based value-chain controls, grievance mechanisms, supplier engagement, and board oversight; and demonstrate continuous improvement to regulators, investors, and audit committees. The diamond-weighted levels surface foundational gaps while driving managed practices and advanced integration across functions.

ESG

5Domains

ESG & SustainabilityThird-Party & Supply ChainRegulatory ComplianceGovernance & StrategyRisk Management

ISO/IEC 27701 & GDPR Privacy Maturity Model

A comprehensive, cross-industry maturity model designed to evaluate an organization's Privacy Information Management System (PIMS) against ISO/IEC 27701 and the EU General Data Protection Regulation (GDPR). Provides a rigorous framework balancing policy-oriented checks with technical security controls.

Cross-industry

6Domains

ISO 27701GDPRPrivacyCompliancePIMSData Protection

ESG General Maturity Model — Harmonized Baseline, Peer Benchmarking, Actionable Roadmap

by Gradum.io

Gradum.io’s ESG General Maturity Model unifies leading frameworks into a single, practitioner-grade baseline. Built around the E-S-G pillars and material aspects, it harmonizes GRI, SASB, and ISSB principles, with optional sector extensions. It delivers structured diagnostics, pillar scores, and peer benchmarks for organizations of any size. Use it to cut through ESG complexity, map gaps to material topics, and prioritize investments with a clear, auditable roadmap. The model accelerates readiness for evolving regulations, strengthens governance and controls, and links operational KPIs to strategic outcomes—giving sustainability, finance, and risk teams a common, data-driven playbook.

ESG

5Domains

ESG & SustainabilityGovernance & StrategyRisk ManagementAudit & Assurance

C2M2 MIL-Aligned Cyber Maturity Model for Energy & Critical Infrastructure

by Gradum.io

Built on the U.S. Department of Energy’s C2M2, this model structures cybersecurity capability across OT and IT for energy and other critical infrastructure operators. It mirrors official Maturity Indicator Levels (MIL1–MIL3) and decomposes domain practices into measurable controls, evidence expectations, and role ownership—ready-made for Gradum.io assessments and road-mapping. Use it to baseline current posture, quantify risk reduction, and generate defensible remediation plans. Alignment with MILs accelerates audit readiness, supports NERC CIP/NIST CSF mappings, and clarifies OT/ICS accountability. The result: prioritized investment, improved incident preparedness, tighter supplier oversight, and demonstrable progress toward resilient, regulator-trusted cyber operations.

Cyber Security

10Domains

Critical InfrastructureCyber ResilienceRisk ManagementRegulatory ComplianceInformation Security

IT Health Check — Pragmatic CIO Maturity Assessment

by Gradum.io

A pragmatic, business-aligned IT maturity assessment built for the Pragmatic Leader focused on value, stability, and speed. Spans six domains — IT Strategy, Org & Financial Management; Infrastructure & Cloud Operations; Service Desk & User Experience; Application Lifecycle & Project Delivery; Data Management & Governance; and Security Hygiene & Business Resilience — covering 30 aspects and 150 questions. Each question is scored on a six-point scale (0–5) with answer anchors written in real operational language ('First-In, First-Out', 'HIPPO', 'Capacity as Currency') rather than abstract framework jargon. Questions are tagged across four consolidated dimensions — Strategy & Governance, Process & Operations, People & Culture, and Technology & Architecture — so leaders can see whether weaknesses are structural, operational, cultural, or technical. Designed to surface the hard truths a CIO needs before the board asks: are we running IT as a strategic partner, or just keeping the lights on?

Cross-industry

6Domains

IT Health CheckIT MaturityCIOIT StrategyCloud OperationsService DeskITSMApplication DeliveryData ManagementSecurity HygienePragmatic LeaderMulti-DomainMaturity Model

Sales Excellence Quick Check — Multi-Domain Sales Maturity Assessment

by Gradum.io

A pragmatic, hyper-professional maturity assessment of the modern B2B Revenue Engine. Covers six domains — Strategy & Go-to-Market, Sales Process & Methodology, Talent & Culture, Enablement & Content Strategy, Operations Technology & Data, and Performance Management & Alignment — across 31 aspects and 170 questions. Each question is scored on a six-point scale (0–5) with answer anchors written in real sales-floor language ('Spray and Pray', 'HIPPO forecast', 'System of Record vs. System of Action') and tagged across three dimensions — Strategic Maturity (the Why), Execution Discipline (the How), and Alignment (the connective tissue between Sales, Marketing, and the buyer). Designed to separate organizations that rely on a handful of rainmakers from those that have built a scalable, predictable revenue engine — and to pinpoint the specific aspects where the gap between today and 'hyper-pro' is most expensive to leave open.

Cross-industry

6Domains

Sales ExcellenceSales MaturityQuick CheckCRORevOpsGo-to-MarketGTMSales ProcessSales EnablementForecastingB2B SalesRevenue EngineMaturity Model

ISO/IEC 27001 ISMS Maturity Model: From Compliance to Operational Excellence

by Gradum.io

Built on ISO/IEC 27001, this ISMS Maturity Model maps clauses 4–10 and Annex A (A.5–A.8) into three levels—Foundational, Managed, Optimized/Proactive—covering context, leadership, planning, operations, performance, and improvement. It targets security leaders in regulated and enterprise-facing organizations seeking a structured, evidence-driven path. Use it to stage initial certification, benchmark “paper compliance” against operational effectiveness, and drive continual improvement between surveillance audits. It clarifies risk treatment priorities, accelerates audit readiness, and provides defensible metrics for management review—helping SaaS, BFSI, healthcare, telecom, and manufacturing teams satisfy customer due-diligence and regulatory TOMs.

Security Compliance

11Domains

Information SecurityGovernance & StrategyAudit & AssuranceRisk ManagementSecurity Operations

ISO/IEC 42001 AI Management System Maturity Model

A cross-industry maturity model designed to help organizations assess and improve the effectiveness of their AI management system in alignment with ISO/IEC 42001. The model supports structured evaluation across governance, planning, support, lifecycle controls, oversight, assurance, and continual improvement.

Cross-industry

8Domains

ISO/IEC 42001AI management systemAI governanceAIMScross-industrymaturity modelresponsible AI

Cloud Security Maturity Model (CSA CCM Aligned)

A cross-industry cloud security maturity model aligned to the Cloud Security Alliance Cloud Controls Matrix (CSA CCM). The model helps organizations evaluate and improve the maturity of their cloud governance, identity and access management, data protection, platform security, secure engineering, monitoring and response, and resilience practices. It is designed to stay generic with respect to regulations and other standards while remaining practical for enterprise cloud environments.

Cross-industry

7Domains

cloud securityCSA CCMcross-industrymaturity modelenterprise securitycloud governanceIAMdata protection

NIST SP 800-171 / CMMC 2.0 Quick Check (US DIB)

by Gradum.io

A quick-check maturity assessment of NIST SP 800-171 Rev 2 implementation for the US Defense Industrial Base, aligned with CMMC 2.0 Levels 1, 2, and 3. Covers all 14 NIST 800-171 control families plus a Gradum-native Program Governance & Strategy overlay capturing the program-level practices universally expected by C3PAO assessors (scoping, accountability, vendor governance, evidence strategy). CMMC L1 applicability tagged per the official 17-NIST-control L1 list (CMMC Level 1 Self-Assessment Guide v2.13, DoD CIO, September 2024). Designed for rapid self-assessment, partner-led DIB readiness engagements, and gap discovery prior to formal CMMC assessment.

Cyber Security

15Domains

NISTNIST SP 800-171CMMCCMMC 2.0DFARSCUIFCIDIBDefenseQuick Check

HIPAA Extensive — Covered Entities

An extensive HIPAA maturity assessment model for Covered Entities aligned to the currently in-force HIPAA Privacy, Security, and Breach Notification Rules. The model uses a unified 12-domain architecture with applicability filtering for healthcare providers, health plans, healthcare clearinghouses, and hybrid entities. It is designed for cross-functional assessment by privacy, security, compliance, legal, HR, IT, facilities, and resilience stakeholders.

Healthcare

12Domains

HIPAACovered EntitiesHealthcare CompliancePrivacy RuleSecurity RuleBreach Notification RuleHITECH45 CFR Part 16045 CFR Part 164OCR Audit ProtocolNIST SP 800-66 Rev. 2PHIePHIHealthcare PrivacyHealthcare Cybersecurity

CIS Controls v8 Maturity Navigator (IG1–IG3 Operational Assessment)

by Gradum.io

Built on CIS Controls v8, this maturity model operationalizes the three Implementation Groups (IG1–IG3) into measurable safeguards, control owners, evidence expectations, and remediation workflows. It targets organizations of any size and sector seeking prescriptive, prioritized cyber hygiene aligned with NIST CSF and common assurance frameworks. Benefits: risk-based scoring by IG, automated posture snapshots, and roadmaps that reduce MTTR and audit friction. Users gain defensible coverage mapping to ISO/IEC 27001 and SOC 2, heat-maps of control gaps, and role-specific actions—from asset inventory and secure configuration to vulnerability management, logging, and incident response, plus threat-informed prioritization, board-ready metrics, and continuous improvement cycles.

Cyber Security

18Domains

Information SecuritySecurity OperationsThreat-Informed DefenseCyber ResilienceAudit & Assurance

Cyber Essentials (UK) — Multi-Dimensional Maturity Assessment

by Gradum.io

A deep, multi-dimensional maturity assessment built on the UK Cyber Essentials 'Requirements for IT Infrastructure' v3.3 (April 2026, NCSC/IASME). Each Cyber Essentials capability is assessed across six dimensions — Policy & Governance, Process & Procedure, Technology & Automation, People & Competency, Measurement & Monitoring, and Assurance & Improvement — on a five-point scale where score 3 is anchored on 'meets the Cyber Essentials v3.3 requirement as written' (the certification pass line) and scores 4-5 capture leading practice beyond the baseline (risk-tiered automation through to zero-trust-aligned, continuous operation). The model spans the five technical controls (Firewalls, Secure Configuration, Security Update Management, User Access Control, Malware Protection) plus Scope & Asset Management, an optional Backup & Cyber Resilience domain (recommended by v3.3 but not a certification requirement), and a Governance & Zero-Trust Trajectory domain. Designed so a single engagement delivers both Cyber Essentials certification readiness and a defensible beyond-baseline improvement roadmap.

Cross-industry (SME, Public Sector, Supply Chain)

8Domains

Cyber EssentialsCyber Essentials v3.3UKNCSCIASMECyber SecurityMaturity ModelMulti-dimensionalSMESupply ChainDeep Assessment

HIPAA Extensive — Business Associates

An extensive HIPAA maturity assessment model for Business Associates aligned to the currently in-force HIPAA Privacy, Security, and Breach Notification Rules. The model assesses BAA compliance, directly applicable Security Rule safeguards, Breach notification to Covered Entities, Subcontractor oversight, Workforce controls, physical safeguards, and contingency resilience. Proposed 2026 Security Rule concepts are treated only as readiness context, not as primary regulatory alignment.

Healthcare

12Domains

HIPAABusiness AssociatesBAASubcontractor ManagementHealthcare CompliancePrivacy RuleSecurity RuleBreach Notification RuleHITECH45 CFR Part 16045 CFR Part 164OCR Audit ProtocolNIST SP 800-66 Rev. 2PHIePHIHealthcare PrivacyHealthcare CybersecurityHITRUST

OWASP ASVS 5 Unified AppSec Maturity: From Baseline to Resilience

by Gradum.io

Built on OWASP ASVS 5, this unified model maps the 17 chapters to Domains→Aspects→Questions and inherits L1–L3 as capability outcomes. Controls are assessed on a 1–5 maturity scale that embeds coverage; “3—Defined” is the compliance threshold used to compute achieved level. Use it to move beyond checklist audits: quantify control strength, surface material gaps by level, and auto-generate a risk-prioritized remediation roadmap to your chosen target (L1/L2/L3). Benchmark per domain, track deltas over time, and present defensible, evidence-based assurance to customers, auditors, and boards—accelerating sales while hardening production.

Application Security

17Domains

Application & DevSecOpsInformation SecurityAudit & AssuranceThreat-Informed Defense

GDPR Capability Maturity Model: From Baseline Compliance to Proactive Trust

by Gradum.io

Built from the GDPR’s 99 articles, this model translates legal obligations into a practical Domains→Aspects framework with three capability levels: Foundational, Managed, and Optimized. It scopes policies, processes, controls and evidence across the data lifecycle, targeting DPOs, CISOs, product owners and privacy engineers. It provides a defensible baseline, a measurable roadmap, and audit-ready artefacts. Organizations reduce enforcement risk, accelerate DPIAs, embed privacy by design/default, and align security and data governance. The model supports vendor assurance, Board reporting, and continuous improvement—turning compliance into trust, resilience, and demonstrable business value. GDPR imposes principle-based, risk-oriented obligations: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability. Regulators expect evidence—ROPA, DPIAs, TOMs, DSR handling, breach response, vendor due diligence, and lawful transfer mechanisms.

Data Privacy

6Domains

Privacy & Data ProtectionRegulatory ComplianceGovernance & StrategyRisk ManagementAudit & Assurance

DORA Resilience Navigator — Level 1–3 Capability Maturity Model

by Gradum.io

This DORA Maturity Model translates the EU’s Digital Operational Resilience Act into an actionable L1–L2–L3 capability roadmap across ICT risk, third-party risk, incident management, resilience testing, and information-sharing. Built for financial institutions and critical ICT providers, it assesses control design, operating effectiveness, and governance. Benefits: it moves programs beyond checklist compliance to measurable resilience, aligning KRIs, RTO/RPOs, and SLAs with business impact. Benchmark current posture, prioritize remediation, evidence readiness for supervisors, and prepare for TLPT under DORA. The model surfaces dependencies on critical third parties and drives continuous improvement through risk-based testing and board-level oversight.

Cyber Resilience

5Domains

Operational ResilienceRegulatory ComplianceRisk ManagementThird-Party & Supply ChainSecurity Operations

NIST SP 800-53 Rev. 5 Security & Privacy Controls Navigator

by Gradum.io

A multi-dimensional maturity assessment of NIST Special Publication 800-53 Revision 5. Each control is assessed across six dimensions — Policy & Governance, Process & Procedure, Technology & Automation, People & Competency, Measurement & Monitoring, and Assurance & Improvement — with a five-point scale anchored on the NIST 800-53A assessment objective at score 3 (Defined / Compliant) and leading-practice anchors at scores 4 and 5. Designed for enterprises and consulting partners running deep, defensible maturity engagements where control sophistication matters as much as control presence. Scope v1 = NIST SP 800-53B Moderate baseline (base controls and enhancements) plus the full Program Management (PM) and PII Processing and Transparency (PT) families, which apply program-wide regardless of impact baseline. High baseline content is reserved for v2.

Cross-industry (Banking, Federal, Critical Infrastructure)

20Domains

NISTNIST SP 800-53NIST 800-53 Rev 5FedRAMPModerate BaselineDeep AssessmentMulti-dimensionalMaturity ModelPrivacyProgram Management

Cyber Security Health Check

by Harald Reisinger

The Gradum.io Cyber Security Health Check Model is the antidote to "Security Theater." In an era where organizations pass audits yet still get breached, this model digs deeper than standard compliance checklists. Covering 10 critical domains—from Board Governance and AI Security to Ransomware Resilience and Supply Chain Risk—it provides an unvarnished assessment of your true defensive posture. Designed for CISOs who need to speak the language of business, it transforms technical jargon into financial risk intelligence. Stop guessing if you are secure. Measure what matters, justify your budget, and build a defense that survives the worst day.

Cyber Security

10Domains

Cyber ResilienceSecurity OperationsRisk ManagementGovernance & StrategyApplication & DevSecOps

The Right Framework for Every Ambition

What is a maturity model, and which one should you use?

Filter Models

Topic Domain

Tags

25 Models Found

SOC Maturity Framework 360 (SOC360)

SOC Capability Maturity Model (SOC-CMM)

NIS2 Capability & Resilience Maturity Model (L1–L3)

EU AI Act Maturity Model: A Strategic Roadmap to Trustworthy AI

ESG EU CSRD Readiness Navigator: ESRS-Aligned Regulatory Maturity Model

NIST CSF 2.0 Capability Maturity Model: Risk-Based Roadmap & Benchmark

EU ESG CSDDD Due Diligence Maturity Model: From Policy to Proof

ISO/IEC 27701 & GDPR Privacy Maturity Model

ESG General Maturity Model — Harmonized Baseline, Peer Benchmarking, Actionable Roadmap

C2M2 MIL-Aligned Cyber Maturity Model for Energy & Critical Infrastructure

IT Health Check — Pragmatic CIO Maturity Assessment

Sales Excellence Quick Check — Multi-Domain Sales Maturity Assessment