
Maturity Model

Risk & Assurance

The Maturity Model module lets you assess, score, and track the maturity of your security program over time against industry-standard or custom frameworks. It supports assessments against multiple frameworks (CMMC 2.0, NIST CSF, ISO 27001:2022, CIS Controls, and custom frameworks); a hybrid scoring approach that combines scores auto-calculated from other SecureHive modules with manual expert assessment; multi-dimensional capability scoring across the policy, process, technology, people, and metrics dimensions; and historical trend tracking with improvement planning tied to projects and CISO goals.

The Maturity Model connects to Audit Management (auto-calculation from control test pass rates), Risk Posture (risk treatment completion rates), Policy Controls (policy coverage and acknowledgment rates), Exceptions & Gaps (issues from capability assessments), and Security Direction (improvement planning via projects and goals).


Frameworks

A maturity framework defines the structure your organization is assessed against — the domains, capabilities, and maturity levels that represent progressive degrees of security program sophistication.

Supported framework types

Type | Description
CMMC | Cybersecurity Maturity Model Certification 2.0
NIST CSF | NIST Cybersecurity Framework
ISO | ISO 27001:2022
CIS | CIS Controls
Custom | Organization-specific framework tailored to your needs

Framework hierarchy

Each framework is organized into a two-level hierarchy:

Domains represent broad functional areas of security (e.g., Access Control, Risk Management, Incident Response). Each domain has a name, description, code, display order, and a weight that determines how much it contributes to the overall maturity score.

Capabilities sit within domains and represent specific practices or controls that can be individually assessed. Each capability has a name, description, code, order, weight, optional framework control reference, maturity dimension, scoring method, applicability flag, reference links, tags, and metadata. Capabilities also define criteria — structured descriptions of what each maturity level looks like for that specific capability — and can include auto-calculation configuration for pulling scores from other modules.

Maturity levels

Maturity levels define the scale used for scoring. While the default is a five-level scale (L1 through L5), levels are fully customizable per tenant. Each level has a name, description, code (e.g., L1, L2), display order, and active/inactive status. Level codes must be unique within a tenant.

Framework marketplace

SecureHive provides a framework marketplace where you can license pre-built, industry-standard frameworks. When you license a framework from the marketplace, it is cloned into your tenant with a reference back to the platform source (platformMaturityFrameworkId). Domains and capabilities also maintain their platform references, so you can receive updates from the marketplace while preserving your local customizations.

Each tenant can designate one framework as the default for quick access, and frameworks can be deactivated without deletion when no longer needed.


Assessments

A maturity assessment evaluates your organization’s current state across all (or selected) domains and capabilities in a chosen framework. Assessments produce a scored snapshot of your maturity posture at a point in time.

Assessment types

Type | Description
Self Assessment | Internal team evaluates their own maturity
Third Party | External assessor conducts the evaluation
Executive Review | Leadership-level strategic assessment
Continuous | Ongoing assessment that pulls live data from connected modules

Assessment coverage

Assessments support three coverage modes:

Coverage | Description
Full | All domains and capabilities in the framework are assessed
Partial | A subset of domains is assessed (selected via selectedDomainIds)
Targeted | Specific capabilities are assessed (selected via selectedCapabilityIds)

Partial and targeted coverage modes are useful for focused assessments — for example, assessing only the Access Control domain after a major identity management project, or targeting specific capabilities that were previously scored as low maturity.

Assessment lifecycle

Status | Description
Draft | Assessment created, configuration in progress
In Progress | Assessors are actively scoring capabilities
Completed | All capabilities scored, results finalized
Archived | Assessment preserved for historical reference

Creating an assessment

Select a framework

Navigate to Maturity Model → Assessments and click New Assessment. Choose the maturity framework you want to assess against.

Configure scope

Enter a name and description for the assessment. Select the assessment type and coverage mode. For partial or targeted assessments, select the specific domains or capabilities to include.

Assign assessors

Select the assessor who will conduct the evaluation and an optional reviewer who will verify the results.

Score capabilities

For each capability in scope, assign a maturity level and score. Provide rationale and notes explaining the assessment. Attach evidence (documents, screenshots, links) to support the score.

Review and complete

Once all capabilities are scored, review the overall results. The system calculates domain-level and overall maturity scores automatically. Move the assessment to Completed when finalized.


Score calculation

Maturity scores are calculated using a weighted averaging system that rolls up from individual capabilities to domains to the overall framework score.

Individual capability scores

Each capability’s score is derived from its assigned maturity level:

Score = Level Order x 20

where level order is the position of the assigned maturity level on the default five-level scale (1 through 5). Scores therefore fall on a 0-100 scale: Level 1 = 20, Level 2 = 40, Level 3 = 60, Level 4 = 80, Level 5 = 100. Note that a capability that has been assigned a level always scores at least 20, and that the multiplier of 20 assumes the default five-level scale.

Overall maturity score

The overall maturity score is calculated as a weighted average of all capability scores:

Overall Score = Sum(Capability Score x Weight) / Sum(Weight)

Each capability’s weight determines how much it contributes to the overall calculation. Domains also have weights, and the domain-level score is the weighted average of its capabilities.

Overall maturity level

The overall maturity level is derived from the overall score:

Overall Level = ceil(Overall Score / 20), clamped between 1 and 5.

For example, an overall score of 47.3 produces ceil(47.3 / 20) = ceil(2.365) = 3, corresponding to maturity level L3. Because the ceiling rounds up, any score above 40 already reports as L3 (40.1 gives ceil(2.005) = 3), while exactly 40 reports as L2; the clamp means a score of 0 reports as L1 rather than L0. When presenting the derived level to stakeholders, keep in mind that the underlying score is the more precise measure.

Weights are critical to accurate scoring. Review domain and capability weights carefully when configuring a framework — they directly determine how individual scores contribute to the overall maturity picture. A heavily weighted domain with a low score will significantly pull down the overall assessment.
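The rollup described in this section, written out as an added Python example (this is illustrative code, not SecureHive's implementation). It applies the formulas exactly as printed above: capability score = level order x 20, domain score = weighted average of the domain's capabilities, overall score = weighted average of all capabilities by capability weight, and overall level = ceil(score / 20) clamped to 1..5. Two behaviours the formulas leave implicit are handled explicitly and are assumptions of this example: capabilities whose applicability flag is off are excluded from every rollup, and a rollup with no contributing weight returns None instead of dividing by zero. The Capability class, the field names, and the sample assessment are constructed for this example.

```python
"""Worked maturity score rollup: capability -> domain -> overall -> level."""
from dataclasses import dataclass
from math import ceil
from typing import Dict, List, Optional, Tuple

LEVEL_COUNT = 5                        # default L1..L5 scale (customizable per tenant)
POINTS_PER_LEVEL = 100 / LEVEL_COUNT   # 20 points per level on the default scale


@dataclass
class Capability:
    """Minimal stand-in for a capability assessment (names are this example's, not the product's)."""
    code: str
    domain: str
    weight: float
    level_order: Optional[int] = None  # assigned maturity level, 1..LEVEL_COUNT; None = unscored
    applicable: bool = True            # applicability flag; False excludes it from every rollup

    def score(self) -> Optional[float]:
        """Score = Level Order x 20 (None while the capability is unscored)."""
        if self.level_order is None:
            return None
        if not 1 <= self.level_order <= LEVEL_COUNT:
            raise ValueError(f"{self.code}: level order {self.level_order} outside 1..{LEVEL_COUNT}")
        return self.level_order * POINTS_PER_LEVEL


def weighted_average(pairs: List[Tuple[float, float]]) -> Optional[float]:
    """Sum(score x weight) / Sum(weight). Returns None when nothing contributes
    (no scored capabilities, or all weights zero) rather than raising ZeroDivisionError."""
    total_weight = sum(weight for _, weight in pairs)
    if total_weight == 0:
        return None
    return sum(score * weight for score, weight in pairs) / total_weight


def contributing(caps: List[Capability]) -> List[Tuple[float, float]]:
    """(score, weight) pairs for capabilities that are both applicable and scored."""
    return [(c.score(), c.weight) for c in caps if c.applicable and c.score() is not None]


def domain_scores(caps: List[Capability]) -> Dict[str, Optional[float]]:
    """Domain-level score: weighted average of that domain's own capabilities."""
    by_domain: Dict[str, List[Capability]] = {}
    for c in caps:
        by_domain.setdefault(c.domain, []).append(c)
    return {d: weighted_average(contributing(cs)) for d, cs in by_domain.items()}


def overall_score(caps: List[Capability]) -> Optional[float]:
    """Overall Score = Sum(Capability Score x Weight) / Sum(Weight), over all capabilities."""
    return weighted_average(contributing(caps))


def level_from_score(score: float) -> int:
    """Overall Level = ceil(score / 20), clamped to 1..LEVEL_COUNT."""
    return min(LEVEL_COUNT, max(1, ceil(score / POINTS_PER_LEVEL)))


# Constructed sample assessment for this example (not real framework data).
SAMPLE: List[Capability] = [
    Capability("AC.1", "Access Control", weight=2, level_order=3),
    Capability("AC.2", "Access Control", weight=1, level_order=2),
    Capability("AC.3", "Access Control", weight=1, level_order=5, applicable=False),  # excluded
    Capability("IR.1", "Incident Response", weight=1, level_order=4),
    Capability("IR.2", "Incident Response", weight=1, level_order=3),
    Capability("RM.1", "Risk Management", weight=3, level_order=1),  # heavy weight, low level
]

if __name__ == "__main__":
    for domain, score in domain_scores(SAMPLE).items():
        print(f"{domain:20s} {score:6.2f}  L{level_from_score(score)}")
    total = overall_score(SAMPLE)
    print(f"overall {total:.3f} -> L{level_from_score(total)}")
```

In the sample, Access Control scores 160/3 (53.3), Incident Response 70, and Risk Management 20. The overall score is 45.0, which the ceiling maps to L3. The single heavily weighted RM.1 capability is what drags the overall from 60 (without it) down to 45, the effect the weighting warning above describes; the not-applicable AC.3, although assigned L5, contributes nothing.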


Multi-dimensional scoring

Beyond the primary maturity score, each capability assessment supports five scoring dimensions that provide a more nuanced view of maturity:

Dimension | Description
Policy | Maturity of documented policies governing this capability
Process | Maturity of operational processes and procedures
Technology | Maturity of supporting tools and technology
People | Maturity of staffing, skills, and training
Metrics | Maturity of measurement, monitoring, and reporting

Each dimension has its own score (0-100) and level (1-5), along with a dimension rationale field for documenting the reasoning behind each dimensional score. This multi-dimensional view helps identify whether a capability is strong in policy but weak in technology, or well-staffed but lacking metrics — enabling targeted improvement planning.


Auto-calculation

Capabilities can be configured for auto-calculation, pulling maturity scores directly from data in other SecureHive modules rather than requiring manual assessment:

Audit Module — Control test pass rates feed into capability scores, reflecting how well controls are performing in practice.

Risk Module — Risk treatment completion rates contribute to maturity scores, showing how effectively identified risks are being addressed.

Policy Module — Policy coverage percentages and acknowledgment rates indicate the maturity of governance documentation and organizational awareness.

When auto-calculation is enabled for a capability, the system computes the score automatically based on the configured data source. Assessors can still manually override an auto-calculated score when expert judgment differs from the computed result — the autoCalculated and manualOverride flags track which method produced the current score.


Improvement planning

Maturity assessments are most valuable when they drive action. Each capability assessment supports improvement planning through several mechanisms:

Target maturity level — Set a target level for each capability (and for the overall assessment), establishing a clear goal for where the organization wants to be.

Project linking — Associate specific projects with capability improvements via relatedProjectIds. These projects track the work needed to move from the current level to the target level.

CISO goal alignment — Link capability improvements to CISO goals via relatedCISOGoalIds, connecting maturity advancement to strategic security objectives tracked in Security Direction.

Framework outcomes — Each capability assessment can record framework-specific outcomes as structured metadata, documenting what was achieved against the framework’s specific requirements.


Trend tracking

Maturity trends are tracked over time through the MaturityTrend records associated with each assessment. Trends capture how maturity scores change across successive assessments of the same framework, enabling you to demonstrate progress to leadership and board-level stakeholders.

Run assessments on a regular cadence — quarterly or semi-annually — to build a meaningful trend baseline. Use the trend data to validate that improvement projects are producing measurable maturity gains.


Getting started

License a framework

Navigate to the Maturity Model → Frameworks section and browse the marketplace. License a pre-built framework (CMMC 2.0, NIST CSF, ISO 27001:2022, or CIS Controls) or create a custom framework tailored to your organization.

Create an assessment

Go to Maturity Model → Assessments and create a new assessment against your chosen framework. Select the assessment type, coverage scope, and assign assessors.

Assess capabilities

Work through each capability in the framework, assigning maturity levels based on evidence. Use manual scoring for expert-driven assessments, or enable auto-calculation for capabilities that can be scored from Audit, Risk, or Policy module data.

Track improvement

Set target maturity levels for capabilities that need advancement. Link improvement projects and CISO goals to track the work required to reach your targets. Run periodic reassessments to measure progress.


Permissions

Managing maturity frameworks and assessments requires the maturity-model:manage permission. Users with this permission can license frameworks, create assessments, score capabilities, and configure improvement plans. Users without this permission can view maturity data in read-only mode.
