Maturity Level

Process Criteria

0. Nonexistent

No security policy exists.

1. Initial: Process is unpredictable, poorly controlled and reactive

Processes are usually ad hoc and chaotic. The organization usually does not provide a stable environment to support processes. Success in these organizations depends on the competence and heroics of the people in the organization and not on the use of proven processes.

2. Managed: Process is characterized by projects and is often reactive

The security policy document exists and has been validated and disseminated, but it is incomplete or does not fit the context of the organization.

3. Defined: Process is characterized as a defined process

The document exists, is complete, has been validated and disseminated, and fits the context of the organization.

4. Quantitatively Managed: Process is measured and controlled

Controls are set up to assess the application of the validated document.

5. Optimized: Focus is on continuous process improvement

A regular review process assesses how the previously validated document is applied and enables the organization to update it regularly.