Latest Posts

CSF Security Tiers vs Security Maturity Level

This post is to clarify some concept difference between CSF Tiers and Maturity levels.

A security maturity model is a set of characteristics or indicators that represent capability and progression within an organization’s security program.

The Cyber Security Framework Implementation Tiers are not intended to be maturity levels. The Tiers are intended to provide guidance to organizations on the interactions and coordination between cybersecurity risk management and operational risk management. The key tenet of the Tiers is to allow organizations to take stock of their current activities from an organization wide point of view and determine if the current integration of cybersecurity risk management practices is sufficient given their mission, regulatory requirements, and risk appetite. Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and would be cost-effective.


The NIST CSF Tiers represent how well an organization views cybersecurity risk and the processes in place to mitigate risks. This helps provide organizations a benchmark on how their current operations.
  • Tier 1 – Partial: Organizational cybersecurity risk is not formalized and managed in an ad hoc and sometimes reactive manner. There is also limited awareness of cybersecurity risk management.
  • Tier 2 – Risk-Informed: There may not be an organizational-wide policy for security risk management. Management handles cybersecurity risk management based on risks as they happen.
  • Tier 3 – Repeatable: A formal organizational risk management process is followed by a defined security policy.
  • Tier 4 – Adaptable: An organization at this stage will adapt its cybersecurity policies based on lessons learned and analytics-driven to provide insights and best practices. The organization is constantly learning from the security events that do occur in the organization and will share that information with a larger network.
You can use the NIST CSF to benchmark your current security posture. Going through each category and subcategories in the core Function can help you determine where you stand on the NIST CSF Tier scale.

COBIT 2019 Maturity Levels

The maturity model provided by the COBIT Management Guidelines for the 34 COBIT IT processes is becoming an increasingly popular tool to manage the timeless issue of balancing risk and control in a cost-effective manner. Control Objectives for Information and related Technology (COBIT) is published by the IT Governance Institute (ITGI) and Information Systems Audit and Control Foundation (ISACF). 

The COBIT Maturity Model is an IT governance tool used to measure how well developed the management processes are with respect to internal controls. The maturity model allows an organization to grade itself from nonexistent (0) to optimized (5). Such capability can be exploited by auditors to help management fulfill its IT governance responsibilities, i.e., exercise effective responsibility over the use of IT just like any other part of the business. A fundamental feature of the maturity model is that it allows an organization to measure as-is maturity levels, and define to-be maturity levels as well as gaps to fill. 

As a result, an organization can discover practical improvements to the system of internal controls of IT. However, maturity levels are not a goal, but rather they are a means to evaluate the adequacy of the internal controls with respect to company business objectives. 

Figure 1—Capability Level for Processes

Figure 1

Figure 2—Maturity Level for Focus Area
Figure 2


  1. Initial—Unpredictable process that is poorly controlled and reactive
  2. Managed—Process is planned, documented and monitored at the project level and often are reactive
  3. Defined—Proactive process meant for organizations
  4. Quantitively Managed—Measured and controlled process
  5. Optimizing—Focus is on continuous process and improvement

Reaching Level 5 doesn’t mean that an organization’s maturity has peaked, however. It means that they are constantly monitoring and evolving their processes to make them better. 

Standardized Definitions of Maturity (People, Process, Technology)

Another evaluation diagram for Maturity Level around PPT (People, Process, Technology):

Maturity Level Evaluation Tool

 1  NIST CSF Free Evaluation Tool:

No comments