Has anyone used the CMMI Cybermaturity framework to benchmark or improve cybersecurity maturity? I believe it is suitable for large organizations and not small or medium ones. It also needs a lot of time in order to show improvements; do you agree?
The CMMI Cyber-maturity framework is a solid reference point for measuring organizational capability, but it was designed as a broad process improvement model, not specifically for information security.
Maturity is also commonly misunderstood. Many equate it with bureaucracy, more documentation, more approvals, more process layers. In reality, maturity is demonstrated through efficiency and consistency, the ability to execute repeatable, measurable, and adaptive processes that deliver secure outcomes with minimal friction. True maturity is when security is embedded in business operations and decisions flow naturally through proven, risk-based processes rather than manual interventions.
In short, while CMMI offers valuable structure, frameworks purpose-built for cybersecurity maturity, such as ISMM, NIST CSF, or ISO 27001 maturity scales, tend to yield faster, more actionable insights. The key is to measure what matters: process repeatability, control effectiveness, and the organization’s tolerance for risk, not the size of the budget or volume of documentation.
Our third-party assessment partner used CMMI to measure and score us against the NIST CSF v2 that we align with.
We use the Essential 8.
I believe an overall framework is key to get the whole organization to align and take the necessary steps to reach the necessary maturity in this field even if this can be perceived as slow at times.
We use NIST, but that is principally because of how widely it is used. My advice would be to be clear about what you are doing the maturity and benchmarking assessment for. If it is to measure progress internally, self-assessment is more engaging, so use something familiar to the workforce. If you wish to benchmark, consider what others in your field most often use. If it is to provide independent assessment to stakeholders, consider who they would trust to do it and what is most familiar to them.

Your first maturity assessment should be CIS Controls based, as your first maturity baseline, then move on to ISO 27k or NIST 800-53 depending upon the type of org you work at, then move to a CMM (Capability Maturity Model) based on NIST CSF. I know that sounds like a lot, but you need to consider the variety of technology and data types in conjunction with the people and processes and the interdependencies. Remember "You can't protect what you can't see", so your maturity should focus on the dependency chain: CIS Controls [Data/Logs/Visibility] to ISO 27001/800-53 [Controls that USE that data] to NIST CSF [Orchestrates how data flows through Detect→Respond→Recover].