Blog post

Maturity models in cyber security: what's happening to the IAMM?

Created:  08 Mar 2018
Updated:  08 Mar 2018
Author:  Anne W

What is a maturity model?

Most generally, a maturity model is a tool for assessing an organisation's effectiveness at achieving a particular goal. Such models enable organisations to identify where their practices are weak or not taken seriously and where their practices are truly embedded.

In the context of cyber security, maturity models can help to distinguish between organisations in which security is baked in and those in which it is merely bolted on. One of the main reasons that maturity models are used is that organisation-wide improvements can take time; in cyber security a maturity model gives an organisation’s leadership a way to measure the progress made in embedding security into its day-to-day and strategic operations.

How do they work?

Generally a security maturity model describes a range of capabilities that you would expect to see in an organisation with an effective approach to cyber security. These capabilities will include things like effective leadership and governance or information risk management processes. Each capability will have a description of the kinds of activities and processes you would expect to see present in the organisation, at different levels of maturity. An organisation seeking to assess its overall cyber security maturity would compare its own practices against those described in the levels of each capability. These assessments would need to be backed up by some sort of evidence to justify the assessment made.

That's probably not very clear, so an example should help to explain how this works. Most cyber security maturity models have a capability around security training. This capability describes the kinds of activity you would expect to see in an organisation at the various levels of maturity. An assessment might gather evidence of training courses attended, maybe survey or interview the staff, and analyse the impact of that training by looking at specific staff behaviours such as people tailgating through secured swipe-access doors into areas where sensitive information is processed. The assessment of maturity that comes out of this analysis would form part of the overall assessment of the organisation's maturity; assessments of capability in the individual areas can be used to inform improvements that an organisation may decide to make.

Most maturity models work in this way, including our own IA Maturity Model (IAMM).

"We're mature", but compared to what?

There are two fundamentally different approaches to using maturity models, and to thinking about an organisation's maturity. One involves comparing your organisation to how it looked at some point in the past, to track improvements over time. The other approach involves comparing your organisation with others.

A vast number of often complex and hard-to-measure factors affect the state of cyber security within an organisation. Factors which might appear to have nothing to do with cyber security can have a significant effect on an organisation's maturity in cyber security, so context is essential. For example, if your organisation has recently moved office, this could significantly change its cyber security maturity. Equally, in a year of high staff turnover, a workforce's approach to security will change. If you're using a maturity assessment to track your organisation's improvement you might capture these changes, and then be able to link them to these contextual changes in your organisation.

However, if you, or any third party, are using a maturity model to compare the maturity rating of your organisation with that of another, you are unlikely to have any knowledge of the contextual factors which may have affected the other organisation. As such, you're unlikely to know why a given organisation is more or less mature than your own. If that's the case, you're not really going to get any actionable information from making the comparison.

In short, using maturity models to compare your organisation to others is like comparing apples with oranges.

What about the IAMM?

Nearly a decade ago we (as one of our precursor organisations, CESG) produced a maturity model for information assurance (IA): the IA Maturity Model (IAMM). Its aim was to raise information security and assurance across the UK public sector by helping departments and agencies assess their own levels and then put programmes of work in place to raise their standards.

Although many organisations used the IAMM successfully (and some still use it today), the original intent - to encourage organisations to focus on continual improvement in their IA stance - became blurred. For some, the focus instead became the assessment itself and not the improvements that the maturity level represented. For others, the focus became comparing their results with others, despite us making it clear this wasn't what the IAMM was for. In other words, for some organisations it became a "tick-box" exercise for compliance purposes, one which really didn't take the risk into account.

Over this time, NCSC's thinking on how to inform and improve cyber security decision making and investment programmes has matured; over many years (as CESG) we learned that mandating a specific tool or technique results in unintended consequences. Every organisation has had to make investment decisions about how to protect their technology and services, but every organisation is unique.

We think decision making needs to be more nuanced than looking at the results of a maturity assessment and deciding to spend money on improving a particular score. As John Y said in his blog last year, "there is no single method for doing risk management for cyber security which can be applied universally, to good effect".

The NCSC have therefore decided to stop our formal support for the IAMM with immediate effect. Instead we would point organisations to our recently published risk management "toolbox".

What does this mean in practice?

The NCSC will no longer be offering the IAMM independent review or supported self assessment services. We are also withdrawing the IAMM assessment tool. If this causes any particular issues for a public sector organisation, please contact NCSC Enquiries.

We will retain our own IAMM framework on our website, but you should be aware that we are not intending to update it now or in the future.

Finally, we know there are organisations who have successfully used maturity models to drive improvements. If that is you, carry on; there are plenty out there... just don't use them to compare apples with oranges!

Anne W
Head of Cyber Security Assurance Schemes

3 comments

Adam Williams - 26 Mar 2018
I completely understand the rationale, but I have frequently used the IAMM to 'explain' things to senior management whose grasp of Information Security is little more than 'why would anyone want to hack us?'.
These are the issues - this is what CESG suggest to mitigate...

I have never followed it religiously. I just took bits where the organisation I was working for was lax and encouraged improvements.

Anne W - 27 Mar 2018
Great that you have been using the model in this way Adam and I’m pleased it’s worked for you.

We’re keeping the material up on our website so if you want to continue to reference it you can do. Also take a look at some of the new material that is being published as part of the risk management toolbox https://www.ncsc.gov.uk/guidance/risk-management-collection; you may find other stuff there that will help you in your conversations with senior management.

MartinH - 17 Apr 2018
Dear Anne, Good advice, the "unlikely to have any knowledge of the contextual factors" being key, if however context can be captured then comparisons within limits will provide insight where none were available before. 'Know' your orange and your apple before making a comparison ...!
