Question: Does leadership participate in external benchmarking, national frameworks, or sectoral cyber maturity programmes (e.g., NIRMATA, CERT-In)?
Objective — Why This Matters
External benchmarks prevent local optimism bias and show where to invest next. They also build credibility with customers and regulators.
Maturity Levels (0–5)
0 — Unaware
No participation.
1 — Ad Hoc
One-off assessments with no follow-up.
2 — Defined
Annual self-assessment against a framework (NIRMATA, ISO/NIST).
3 — Managed
Targets set from results; actions in roadmap.
4 — Integrated
Peer benchmarking and independent validation.
5 — Optimized
Public attestation/certification; improvements tracked year-on-year.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Choose a framework; run a baseline self-assessment. |
| 1 → 2 | Publish results internally; add actions to security roadmap. |
| 2 → 3 | Repeat annually; compare deltas; assign owners. |
| 3 → 4 | Obtain third-party review; join sector forums. |
| 4 → 5 | Share maturity summary with customers; celebrate improvements. |
People / Process / Technology Enablers
- People: Security/Privacy lead; leadership sponsor.
- Process: Annual assessment calendar; result review.
- Technology: Spreadsheet + charts; portal for evidence.
Evidence Required
- Assessment report(s) and year-on-year comparison.
- Action plan derived from results.
- Proof of external participation/validation.
Metrics / KPIs
- Δ maturity score (pillar and composite).
- % actions completed from prior cycle.
- Number of external benchmarks completed.
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Self-assessment | Google Sheets | Mirror Annex G anchors. |
| Evidence | Repo/Drive | Map evidence links to questions. |
| Visualization | Radar chart in Sheets | Pillar deltas over years. |
Common Pitfalls
- Treating assessment as a marketing badge only.
- Chasing certifications without fixing basics.
- No action tracking from results.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | 9.1 monitoring & measurement |
| CERT-In / Sector Programmes | Participation evidence |
| NIRMATA Scoring | GL-Q12: external benchmark + action linkage required. |