Self Assessment - Information Security

Author: Shahin Imanov

Maturity Level of Information Security Management

About the Assessment

Information Security Management System Maturity Level Self-Assessment

This assessment estimates the maturity level of the Information Security Management System (ISMS) in an organization. The methodologies used include:

  • Maturity levelling based on ISO/IEC 15504
  • The Capability Maturity Model (CMM)
  • ISO/IEC 21827 – Systems Security Engineering Capability Maturity Model® (SSE-CMM®)
  • COBIT
  • Industrial best practices

Instructions

  • There are 10 questions.
  • Select the most appropriate option.
  • You can select only one option for each question.
  • Click the Submit button to process the assessment.

Assessment Levels

1. Initial System
  • Culture: Information Security is accepted as a 'necessary evil'. Policies and procedures are just paperwork.
  • People: Small IT team (mainly outsourced) handling basic system administration. No formal reporting.
  • Process: Informal and ad-hoc processes. No structured approach.
  • Technology: Basic security configurations. Decentralized security with limited coordination.
2. Developing System
  • Culture: Information Security is recognized as essential and should be integrated into the business.
  • People: Security responsibilities defined. Primarily managed by IT.
  • Process: Some security coordination, but still informal. Risk assessment elements exist.
  • Technology: Adoption of security tools for vulnerability detection and incident ticketing.
3. Advanced/Mature System
  • Culture: Information Security is embedded in the company culture.
  • People: Dedicated security team with relevant expertise, independent from IT.
  • Process: Structured, documented, and monitored security processes. Risk management is in place.
  • Technology: Focus on incident prevention, detection, and response. Full vulnerability management cycle.