Developing an alternative to the IA Maturity Model
CESG is currently reviewing the HMG IA Maturity Model (IAMM), which has been widely used by government departments and the broader public sector since its inception in 2008.
The goals of the new methodology are that it:
- is suitable for entities of any size – from a single system to a collection of organisations in an industry sector or supply chain
- can assess whether security governance objectives have been set and whether these have been translated into an appropriate security management regime
- can be used in conjunction with other methods such as the HMG 10 Steps to Cyber Security, the ISO 27000 series and the NIST Cyber Security Framework
Chief Information Security Officers, directors, government, regulators and cyber security practitioners will all be able to use the new methodology to better understand whether their cyber security governance is effective.
This IAMM was created to help organisations' boards progress towards the broad outcomes of the National IA Strategy, and particularly the mandatory and other measures set out in the Data Handling Review.
The IAMM is supported by the Information Assurance Assessment Framework (IAAF), which is designed to assist an independent review of progress against the IAMM within an organisation. In turn, this review will help organisational boards report ongoing improvements in their Information Assurance and Information Risk Management postures in their annual reports to Cabinet Office.