Discovering the maturity model
CISM aspirants are expected to understand the basic details of a maturity model. A maturity model is a tool that helps the organization to assess the current effectiveness of a process and to determine what capabilities they need to improve their performance.
Capability maturity models (CMMs) are useful to determine the maturity level of governance processes. The following list defines the different maturity levels of an organization:
- Level 0: Incomplete: On this level, the process is not implemented or does not achieve its intended purpose.
- Level 1: Performed: On this level, the process can achieve its intended purpose.
- Level 2: Managed: On this level, the process can achieve its intended purpose. Also, the process is appropriately planned, monitored, and controlled.
- Level 3: Established: Apart from the Level 2 process, there is a well-defined, documented, and established process to manage the process.
- Level 4: Predictable: On this level, the process is predictable and operates within defined parameters and limits to achieve its intended purpose.
- Level 5: Optimized: This is the level at which the process is continuously improved to meet the current as well as projected goals.
The CMM indicates a scale of 0 to 5 based on process maturity level, and it is the most common method applied by organizations to measure their existing state and then to determine the desired one.
Maturity models identify the gaps between the current state of the governance process and the desired state to help the organization to determine the necessary remediation steps for improvement. A maturity model requires continuous improvement in the governance framework. It requires continuous evaluation, monitoring, and improvement to move towards the desired state from the current state.
Key aspects from the CISM exam perspective
The following are some of the key aspects from an exam perspective:
Table 1.3 – Key aspects from the CISM exam perspective
Questions
- What is the most important factor for the development of a maturity model-based information security governance framework?
A. Continuous evaluation, monitoring, and improvement.
B. The return on technology investment.
C. Continuous risk mitigation.
D. Continuous key risk indicator (KRI) monitoring.
Answer: A. Continuous evaluation, monitoring, and improvement.
Explanation: The maturity model requires continuous improvement in the governance framework. It requires continuous evaluation, monitoring, and improvement to move towards the desired state from the current state. The other options are not as significant as option A.
- What best indicates the level of information security governance?
A. A defined maturity model.
B. The size of the security team.
C. The availability of policies and procedures.
D. The number of security incidents.
Answer: A. A defined maturity model.
Explanation: A defined maturity model will be the best indicator to determine the level of security governance. The maturity model indicates the maturity of the governance processes on a scale of 0 to 5, where Level 0 indicates incomplete processes, and Level 5 indicates optimized processes. The other options may not be as useful as the maturity model in determining the level of security.
- What is the most effective indicator of the level of security governance?
A. The annual loss expectancy.
B. The maturity level.
C. A risk assessment.
D. An external audit.
Answer: B. The maturity level.
Explanation: A defined maturity model will be the best indicator to determine the level of security governance. The maturity model indicates the maturity of the governance processes on a scale of 0 to 5, where Level 0 indicates incomplete processes, and Level 5 indicates optimized processes. The other options may not be as useful as the maturity model in determining the level of security.