Cyber Security Maturity Assessment

Our Approach

In developing the assessment MTI has combined best practice benchmarks set out in international security standards, the National Cyber Security Centre’s (NCSC) 10 Steps to Cyber Security and guidelines from the Centre for the Protection of National Infrastructure (CPNI). These form the framework of the service and are key pillars of the assessment.

The areas covered in the service include:

  • Information Risk Management Regime
  • Secure Configuration
  • Network Security
  • Managing User Privileges
  • User Education & Awareness
  • Incident Management
  • Malware Protection
  • Monitoring
  • Removable Media Controls
  • Home & Mobile Working Information Risk Management Regime
Service Methodology

The CSMA service is provided over a fixed number of days. The number of days is determined by organisational complexity and scale. An initial scoping call can estimate this.

The CSMA service follows the following steps:

  1. Security scoping questionnaire and fact finding survey
  2. On-site working session with relevant stakeholders
  3. Stakeholder and key personnel interviews
  4. Maturity assessment development
  5. CSMA findings, maturity score and recommendations report
  6. Stakeholder de-brief

Maturity levels

The insight gained from hundreds of separate security customer engagements, and input from our security testing practice, has helped us develop our cyber security maturity assessment that help our customers de-risk and accelerate their cyber security improvement plans.

The maturity level used align with Capability Maturity Model Integration (CMMI) and ITIL.

The 5 Maturity Steps


At this level either nothing exists or is very embryonic in nature. It could also include initial discussions about cyber security development, but no concrete actions have been taken.


Some features of a cyber security process have begun to grow and be formulated, but may be ad-hoc, disorganised, poorly defined – or simply « new ».


Key elements of a cyber security plan are in place, and working. There is not, however, a well-thought out consideration of the relative allocation of resources against a strategic cyber security plan for the medium to long term.


Choices have been made about which parts of the cyber security plan are important, and which are less important for that particular organisation. The strategic level reflects the fact that these choices have been made in the context of the organisations objectives, risk profile and compliance obligations.


At the Dynamic level, there are clear mechanisms in place to alter strategy depending on the prevailing circumstances: for example, the technology of the threat environment, cyber attack profiles, a significant change in one area of concern (e.g. Cybercrime or privacy). Dynamic organisations have developed methods for changing strategies in stride, in a « sense-and-respond » way. Rapid decision-making, reallocation of resources, and constant attention to the changing environment are feature of this level.

CSMA Report and Recommendations

The purpose of the CSMA is to help customers identify risks, prioritise them and provide advice on appropriate measures and controls in order to better protect the organisation and improve our customers overall cyber resilience.

We provide a written report that includes:

  • Executive summary
  • Key recommendations
  • Visual representation of maturity score against the key category
  • Detailed assessment of each key metric
  • Recommendations for remediation or opportunities for improvements within each category
Example fig for maturity score:

Next Steps

Speak to one of our CSMA experts.

Related Resources


Expert Guide: 5 Steps to GDPR
 Learn more

Expert Guide: 8 Most Common IT Security Vulnerabilities
 Learn more

Case Study: Millstream Associates Managed Service
 Learn more

Expert Guide: 10 Steps to Cyber Security
 Learn more

Expert Guide: How to Combat the Rising Ransomware Threat
 Learn more

Expert Guide: Key Considerations for HCI
 Learn more

Trend Micro
 Learn more

 Learn more

 Learn more