| Maturity Level | Process Criteria |
| 0. Nonexistent | No security policy exists. |
| 1. Initial: Process is unpredictable, poorly controlled and reactive | Processes are usually ad hoc and chaotic. The organization usually does not provide a stable environment to support processes. Success in these organizations depends on the competence and heroics of the people in the organization and not on the use of proven processes. |
| 2. Managed: Process is characterized by projects and is often reactive | The document exists, and has been validated and disseminated, but it is incomplete or does not fit the context of the organization. |
| 3. Defined: Process is characterized as a defined process | The document exists, is complete, has been validated and disseminated, and fits the context of the organization. |
| 4. Quantitatively Managed: Process is measured and controlled | Controls are set up to assess the application of the validated document. |
| 5. Optimized: Focus is on continuous process improvement | A regular review process allows assessing the application of the previously validated document and enables the organization to regularly update it. |