Cybersecurity compliance maturity model

The model has four stages. Each dimension below is described at each stage.

  Stage 1: Unaware
  Stage 2: Reactive
  Stage 3: Compliance-Centered
  Stage 4: Proactive & Business Aligned

Description
  Stage 1 (Unaware): The organization is largely in the dark about security compliance and its implications.
  Stage 2 (Reactive): The organization recognizes compliance but primarily responds to incidents or pressures in hindsight.
  Stage 3 (Compliance-Centered): The organization actively seeks to meet compliance requirements, focusing on adhering to the rules.
  Stage 4 (Proactive & Business Aligned): The organization looks beyond mere compliance to proactively advance its security posture and align it with its business goals.

Overview
  Stage 1: Compliance is not on the radar, and there is little to no effort to understand or address it.
  Stage 2: Security and compliance steps are taken to handle past incidents or to avoid immediate penalties.
  Stage 3: A conscious effort is made to understand and meet all regulatory requirements, even if the broader benefits of security are not yet fully realized.
  Stage 4: Security is seen not just as a requirement but as a strategic business enabler. Compliance is integrated into the business strategy, with a focus on foresight and innovation.

People
  Stage 1: Staff are untrained or unaware of compliance implications. No dedicated roles exist for handling compliance.
  Stage 2: Key personnel might receive some compliance training. An individual might be tasked with addressing security and compliance issues, but actions are often retrospective.
  Stage 3: Regular training sessions keep staff up to date. A dedicated team oversees compliance and ensures that regulations are met.
  Stage 4: Training is continuous, dynamic, and comprehensive. The compliance team collaborates closely with other business units, ensuring that security measures align with business objectives.

Processes
  Stage 1: Processes have no structure related to compliance, with no guidelines on data handling or security measures.
  Stage 2: Processes for compliant data handling exist, but they are often formulated in reaction to specific incidents. Documentation might be sparse and inconsistent.
  Stage 3: Clear processes and guidelines are in place. Periodic reviews and audits are initiated to ensure adherence.
  Stage 4: Advanced, forward-thinking processes are in place, often going beyond the letter of the law to the spirit of secure and ethical operations. Continuous feedback loops drive improvements and reduce friction.

Technology
  Stage 1: The technology infrastructure does not cater to compliance needs. Basic security might be in place but lacks a specific focus on regulatory requirements.
  Stage 2: Basic compliance-oriented tools are implemented, usually to respond to specific needs rather than as part of a comprehensive cybersecurity strategy.
  Stage 3: A comprehensive range of compliance-specific tools is employed, providing data security, monitoring, and logging as required by regulatory standards.
  Stage 4: State-of-the-art tools are employed to predict and respond to potential cybersecurity challenges proactively. Technology integrates security and compliance with business operations, ensuring seamless, secure, and compliant processes.

Governance
  Stage 1: Limited or no recognized cybersecurity governance framework.
  Stage 2: A basic governance structure is in place.
  Stage 3: A recognized framework suitable for the organization's size and industry has been adopted.
  Stage 4: A fully mature and dynamic governance framework that evolves with the threat landscape and business needs.

Stakeholders
  Stage 1: Lack of clarity on roles and responsibilities; no dedicated personnel for cybersecurity governance.
  Stage 2: Specific roles for cybersecurity governance have been designated, although they may be part-time or have other primary responsibilities.
  Stage 3: A dedicated cybersecurity committee or team with clear roles and responsibilities has been established.
  Stage 4: Full integration of cybersecurity governance into executive and board-level discussions. Engagement of external cybersecurity advisors or consultants.

Policies & Procedures
  Stage 1: No defined cybersecurity policies, guidelines, or standard operating procedures.
  Stage 2: Creation of basic policies that address only the most pressing threats and risks.
  Stage 3: A comprehensive policy suite covering a wide range of threats, risks, and scenarios, with regular updates.
  Stage 4: Adaptive policies that anticipate emerging threats, with continuous feedback and integration from the various organizational units.

Oversight & Monitoring
  Stage 1: No mechanisms to review or assess the effectiveness of existing cybersecurity practices, if any.
  Stage 2: Ad hoc reviews of cybersecurity practices, mostly in response to incidents or external pressures.
  Stage 3: Routine cybersecurity assessments, including vulnerability scans and penetration testing, with feedback loops for improvement.
  Stage 4: Regular, in-depth audits and assessments that include third-party evaluations. Advanced analytics and metrics-driven performance reviews drive continuous improvement.

Self-assessment questions

Each question corresponds to one row of the maturity model above.

Q1: How would you describe your organization's overall approach toward cybersecurity compliance? (Description / Overview)

Q2: What best describes your staff's level of training and awareness in cybersecurity? (People)

Q3: Which statement best describes your organization's cybersecurity processes? (Processes)

Q4: How do your organization's technology resources support cybersecurity? (Technology)

Q5: How would you describe your organization's cybersecurity governance framework? (Governance)

Q6: How are cybersecurity governance roles and responsibilities defined in your organization? (Stakeholders)

Q7: What is the state of your organization's cybersecurity policies and procedures? (Policies & Procedures)

Q8: How does your organization conduct oversight and monitoring of cybersecurity practices? (Oversight & Monitoring)