Most cybersecurity programmes do not fail because they pick the wrong tools. They fail because they cannot answer two simple questions: "How good is our security right now?" and "What does better look like next year?"

That is the job of a cybersecurity maturity model. Not a control list. Not a vendor scorecard. A common language for talking about how disciplined, repeatable, and adaptive your security practices are — so you can plot a path from where you are to where you need to be.

This guide walks through the model: the five tiers, how the major frameworks (NIST CSF 2.0, CMMC 2.0, C2M2, CIS IGs, CMMI Cybermaturity) compare, how to assess your own posture, and a 90-day plan to move up a tier.

What is a cybersecurity maturity model?

A cybersecurity maturity model is a structured way to describe how well-established and adaptive an organisation's security practices are. Two organisations can implement the same control — say, multi-factor authentication — but at very different maturity levels:

  • Low maturity: MFA is on for the CEO and a few admins. There is no policy. Nobody enforces it. New hires sometimes have it, sometimes not.
  • High maturity: MFA is required for every account by policy. It is enforced by identity tooling. Exceptions are reviewed monthly. Coverage is reported to the board quarterly.

Both are "compliant" against most frameworks. Only one is actually safe.

Why maturity matters more than checklists

Compliance asks: "Do you have the control?" Maturity asks: "Will it still work next month, when nobody is watching?"

Three forces have made maturity the default conversation in 2026:

  1. Cyber insurance underwriters now ask for maturity scoring against NIST CSF, not just a yes/no controls questionnaire.
  2. Enterprise procurement teams have replaced multi-page security questionnaires with maturity-tier expectations ("we expect Tier 3 across Identify, Protect, Detect").
  3. Regulators are explicitly tier-anchored — the US Department of Defense's CMMC 2.0 is a maturity model with the force of contract law.

If you are still answering the question with a control checklist, you are answering a question the market stopped asking.

The five maturity tiers explained

The most widely used five-tier model maps cleanly to NIST CSF, CMMI, and ISO 27001 implementation maturity:

Tier | Name | What it looks like | Typical org
---- | ---- | ------------------ | -----------
1 | Initial / Ad-hoc | Reactive. Practices exist where someone happens to care. No policy, no documentation, no metrics. | Most pre-Series-A startups, many SMBs
2 | Risk-Informed / Managed | Leadership has approved key policies. Some controls are in place. Execution is inconsistent across teams. | Series A–B SaaS, growing SMBs after first incident
3 | Repeatable / Defined | Organisation-wide policies. Controls are documented and reviewed. Evidence is collected. Internal audit exists. | SOC 2 / ISO 27001 certified mid-market
4 | Adaptive / Quantitatively Managed | Metrics drive decisions. Continuous monitoring. Threat intelligence informs control changes. Cyber risk is part of enterprise risk. | Mature financial services, large healthtech
5 | Optimised | Predictive and largely automated. Controls self-tune. Maturity is measured per outcome. Cyber risk has a board owner. | Top-decile global enterprises

Two practical points. First, Tier 5 is rare and expensive — most organisations should target Tier 3 as their steady state and push specific, high-risk functions to Tier 4. Second, maturity is per-function, not a single number. A bank can be Tier 4 in Detect and Tier 2 in Govern; a SaaS startup can be Tier 3 in Protect and Tier 1 in Recover.

The major maturity models compared

You do not need to invent your own model. Several are well-tested:

Model | Tiers | Best for | Status
----- | ----- | -------- | ------
NIST CSF 2.0 Implementation Tiers | 4 (Partial → Adaptive) | Any org, any sector, any country | Voluntary · global default
CMMC 2.0 | 3 (Foundational → Expert) | US Department of Defense supply chain | Mandatory for DoD contracts
US DOE C2M2 | 4 (MIL0 → MIL3, ten domains) | Energy & utility operators | Voluntary · sector-specific
CIS Controls Implementation Groups | 3 (IG1 → IG3) | SMBs choosing a starter control set | Voluntary · open-source
CMMI Cybermaturity Platform | 5 (Initial → Optimising) | Boards needing a CMMI-style narrative | Commercial
ISO 27001 implementation maturity | 5 (custom) | Organisations already running an ISMS | Voluntary · paired with the cert

For most organisations, the right starting point is NIST CSF 2.0. It is free, recognised globally, and the four-tier model is simple enough for the board and detailed enough for the SOC.

How the maturity model maps to NIST CSF 2.0

NIST CSF 2.0 organises cybersecurity into six core functions: Govern, Identify, Protect, Detect, Respond, Recover. You assess each one against the four implementation tiers (Partial, Risk Informed, Repeatable, Adaptive). The result is a tier per function — a six-row scorecard.

Example for a 75-person SaaS company that recently passed SOC 2:

  • Govern: Tier 2 — policies exist, board oversight is irregular.
  • Identify: Tier 3 — asset and supplier inventory is automated and reviewed quarterly.
  • Protect: Tier 3 — identity, MFA, endpoint, encryption all rolled out.
  • Detect: Tier 2 — alerts exist but nobody monitors them after hours.
  • Respond: Tier 1 — no formal IR plan; first responder is whoever is on call.
  • Recover: Tier 2 — backups run, restore has never been tested end-to-end.

That single table is more useful than a 70-page audit report. It tells the board exactly where the next dollar should go (Detect and Respond), and what "good" would look like in 12 months.

CMMC 2.0 — when maturity becomes a contract

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the US Department of Defense's programme for verifying that contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) have the cybersecurity practices in place to protect it.

CMMC 2.0 has three levels:

  • Level 1 — Foundational: 17 basic practices, annual self-assessment. Required for contractors handling FCI only.
  • Level 2 — Advanced: 110 practices, aligned with NIST SP 800-171. Triennial third-party assessment by a C3PAO. Required for most contractors handling CUI.
  • Level 3 — Expert: Level 2 plus additional NIST SP 800-172 enhanced practices. Government-led assessment. Required for the most sensitive CUI programmes.

For US defence contractors and their suppliers, CMMC is the maturity model that matters most — failing it removes you from the supply chain.

How to assess your current maturity

A focused assessment takes 4–6 weeks for an SMB:

  1. Pick the model. Default to NIST CSF 2.0 unless a regulator or buyer dictates otherwise.
  2. Score every outcome. For NIST CSF 2.0, that means rating each of the 106 subcategories Not in place / Partial / Largely / Fully.
  3. Capture the evidence. Each score should be backed by a screenshot, log sample, policy reference, or interview note. No evidence = score it lower.
  4. Estimate the tier per function. Roll up the subcategory scores into a Tier 1–4 estimate for Govern, Identify, Protect, Detect, Respond, Recover.
  5. Sanity-check against incidents. If you scored Tier 3 on Respond but had a recent incident with no documented playbook, the score is wrong.
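An added worked example (not from the original article, and not Security Pulse code) of steps 2 to 5 as a roll-up script: it takes subcategory rows scored Not in place / Partial / Largely / Fully, downgrades any score that has no evidence behind it, averages each function into a Tier 1–4 estimate, and applies the incident sanity check. The numeric weights, the tier cut-offs, the one-step evidence downgrade and the Tier 2 cap are assumptions for illustration, not NIST rules; the subcategory rows and the incident are a constructed sample.

```python
from collections import defaultdict

# Step 2 score vocabulary from the assessment; the numeric weights are an assumption.
WEIGHT = {"not in place": 0.0, "partial": 1 / 3, "largely": 2 / 3, "fully": 1.0}
ORDER = list(WEIGHT)
FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")

def effective_weight(label, has_evidence):
    # Step 3: "no evidence = score it lower"; here that means one step down (assumed).
    idx = ORDER.index(label.lower())
    if not has_evidence and idx > 0:
        idx -= 1
    return WEIGHT[ORDER[idx]]

def tier_from_mean(mean):
    # Step 4: map the mean weight of a function's subcategories onto Tier 1-4 (assumed cut-offs).
    if mean < 0.25:
        return 1
    if mean < 0.50:
        return 2
    return 3 if mean < 0.80 else 4

def roll_up(subcategories, incidents=()):
    """subcategories: (csf id, function, score label, has_evidence) rows;
    incidents: (function, playbook_documented) for recent incidents (step 5)."""
    per_function = defaultdict(list)
    for _, function, label, has_evidence in subcategories:
        per_function[function].append(effective_weight(label, has_evidence))
    tiers = {f: tier_from_mean(sum(w) / len(w)) if (w := per_function[f]) else 1
             for f in FUNCTIONS}
    # Step 5 sanity check: a recent incident with no documented playbook caps that function at Tier 2 (assumed rule).
    for function, playbook_documented in incidents:
        if not playbook_documented and tiers[function] >= 3:
            tiers[function] = 2
    return tiers

# Constructed assessment sheet (two subcategories per function), not real data.
SAMPLE = [
    ("GV.OC-01", "Govern", "Largely", True), ("GV.OV-01", "Govern", "Partial", False),
    ("ID.AM-01", "Identify", "Largely", True), ("ID.AM-02", "Identify", "Largely", True),
    ("PR.AA-01", "Protect", "Fully", True), ("PR.DS-01", "Protect", "Partial", True),
    ("DE.CM-01", "Detect", "Partial", True), ("DE.AE-02", "Detect", "Largely", False),
    ("RS.MA-01", "Respond", "Largely", True), ("RS.CO-02", "Respond", "Largely", True),
    ("RC.RP-01", "Recover", "Partial", True), ("RC.RP-02", "Recover", "Not in place", True),
]
INCIDENTS = [("Respond", False)]  # constructed: an incident handled with no playbook
if __name__ == "__main__":
    for function, tier in roll_up(SAMPLE, INCIDENTS).items():
        print(f"{function:<9} Tier {tier}")
```

Respond self-scores as Tier 3 on the sheet but is reported as Tier 2 because of the undocumented incident, which is exactly the correction step 5 asks for.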

A 90-day plan to move up one tier

Moving up a tier is rarely about new tools. It is about repeatability, evidence, and accountability.

Days 0–30 — Document. Write down what you actually do today. Most low-maturity organisations have controls in heads, not docs. Convert ten of the most important practices (identity, access reviews, backup, IR, vendor onboarding, change management, incident reporting, training, log review, asset inventory) into one-page runbooks.

Days 30–60 — Operate. Run each practice on a published cadence and capture evidence automatically. The point is not the runbook; it is the receipts. If your access review happens but you cannot show who reviewed what, it does not exist for an auditor or insurer.

Days 60–90 — Measure. Add a small set of metrics: percentage of accounts with MFA, mean time to patch critical vulnerabilities, mean time to detect, mean time to respond, percentage of vendors with a current security review. Report them at the next board meeting. That single act often crosses the line from Tier 2 to Tier 3.

For a deeper end-to-end picture of how this connects with always-on assurance, see our guide to continuous compliance monitoring.

How Security Pulse helps

Maturity is the layer above tools — but the right tools make maturity practical instead of theoretical. Security Pulse pairs two products:

  • RunWay — Build the assessment. Scope, current profile, target profile, gap analysis, and a prioritised 90-day roadmap aligned to NIST CSF 2.0 tiers.
  • Autopilot — Run the operation. Identity, endpoint, monitoring, vendor risk, evidence vault — all mapped to the CSF outcome they satisfy, so your maturity score updates itself instead of being rebuilt every audit.

If you want a structured maturity assessment for your organisation — pick a model, score it, and walk out with a 90-day plan — book a 30-minute call.