Simple Information Assurance Maturity Model

A few months back I was tasked by the Nexor Board to carry out a fresh review of the cyber threat to our business and the maturity of our risk mitigations. We’ve had ISO 27001 for many years across the business, and our audits all come up good, so I thought it should be easy. But how could I explain the results in a Board-friendly manner?

My first thought was to apply the GCHQ Information Assurance Maturity Model (IAMM) to assess our maturity. This is an exercise I had undertaken previously, but I felt it was too complex for what I needed for an SME organisation. There are a large number of security controls to assess (approximately 200), and they are focused on the organisation and structure of a government department. I needed something simpler, and could not find anything else suitable (and free) on the Internet.

By coincidence, the Spring 2013 edition of the IoD’s Big Picture magazine landed on my desk, with the lead article “Countering the cyber threat to business”. In short, it promotes the BIS / GCHQ 10 steps to Cyber Security which provides a good framework around the following 10 headings:

1. Information Risk Management Regime
2. Secure Configurations
3. Network Security
4. Managing User Privileges
5. User Education and Awareness
6. Incident Management
7. Malware Prevention
8. Monitoring
9. Incident Management
10. Home and Mobile Working

Each heading has between 5 and 10 security controls you should consider (89 controls in total, with some overlaps). The controls are simple to understand and make an assessment of. So I devised a simple, objective, maturity score for each control:

0 Nothing in place
1 Aware of issues, do something, but not a robust implementation
2 Have something, but room for improvement
3 Close to best practice

I then set about scoring each control – it took less than an hour, based on my view of our controls. I also asked our Security Forum (the governing forum for the Nexor Information Security Management System (ISMS)) to independently score it. We then haggled over a few of the specific scores given to individual controls.

To produce a metric I calculated a simple average of the 85 controls, to give an arbitrary number for the state of our maturity: XX.XX. In itself this number does not mean a great deal, apart from showing there is room for improvement. Over time, as activities take place to improve the areas identified for improvement, this number will be used as a business improvement metric.
A graph (like the one below – using dummy data) also helped give the board a perspective on where there was room for improvement.

[Figure: 10 steps]
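The scoring and averaging described above can be sketched as follows. This is an added example, not code from Nexor or the Quaestor app; the control names and scores are constructed, and settling on the lower of two disagreeing scores is an assumption made only so the example has agreed values.

```python
from statistics import mean

LEVELS = range(4)  # 0 = nothing in place ... 3 = close to best practice

# Constructed sample: (heading, control) -> (assessor score, Security Forum score).
# Control names are hypothetical, not taken from the 10 Steps guidance.
SAMPLE = {
    ("Network Security", "Perimeter filtering"): (3, 3),
    ("Network Security", "Internal segregation"): (2, 1),
    ("Monitoring", "Log collection"): (1, 1),
    ("Monitoring", "Alert triage"): (0, 2),
    ("Malware Prevention", "Endpoint scanning"): (3, 2),
}


def disagreements(scores, tolerance=0):
    """Controls whose two independent scores differ by more than tolerance."""
    return sorted(k for k, (a, b) in scores.items() if abs(a - b) > tolerance)


def maturity(agreed):
    """Return (overall average, per-heading averages) for agreed 0-3 scores."""
    by_heading = {}
    for (heading, control), score in agreed.items():
        if score not in LEVELS:
            raise ValueError(f"{heading}/{control}: score {score!r} not in 0-3")
        by_heading.setdefault(heading, []).append(score)
    per_heading = {h: round(mean(s), 2) for h, s in by_heading.items()}
    # Average over controls, not over headings, so a heading with more
    # controls carries proportionally more weight in the single metric.
    overall = round(mean(agreed.values()), 2)
    return overall, per_heading


def weakest(per_heading, n=2):
    """Headings with the lowest averages: candidates for the action plan."""
    return sorted(per_heading, key=lambda h: (per_heading[h], h))[:n]


if __name__ == "__main__":
    print("To discuss:", disagreements(SAMPLE))
    # Assumption: after discussion the lower of the two scores is adopted.
    agreed = {k: min(pair) for k, pair in SAMPLE.items()}
    overall, per_heading = maturity(agreed)
    print(overall, per_heading, weakest(per_heading))
```

The per-heading averages are the values a radar or bar chart of the 10 headings would plot, and the overall figure is the single number tracked over time.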

We now have an action plan in place to address the identified areas for improvement. The curiosity I am left with is how come ISO 27001 did not help us assess these risks – lots of debate on that I am sure, and maybe I’ll do another blog on that shortly…
Back to my Simple IAMM: at the suggestion of my colleagues, at the Annual Symposium of the Information Assurance Advisory Council, via their Serpents Lair, I announced an iPad/iPhone App called NEXOR Quaestor. NEXOR Quaestor can be found in the Apple App Store, and the assessment can be completed in about 30 minutes if you have a good grasp of your organisation’s security controls.

To support users that are not familiar with the controls, we have developed a supporting web site that looks at best practice in each of the 10 areas. The site invites you to contribute references to other sources of good practice advice.

Do you find the app useful? How can we develop it further to help support you? Please let us know below, or leave feedback in the App Store.


2 thoughts on “Simple Information Assurance Maturity Model”

  1. Risk Management 101
    Perhaps a better strategy? Estimate annual losses to defined assets from likely (frequent) threats to determine risks. THEN determine what controls are necessary for mitigation. Never spend a dollar to protect a dime…THAT is “best practices” from a business perspective…


    1. Hello Alan.
      I agree with the approach, but would not say it’s a better strategy – rather I’d argue it is an integrated part of Step 1 “Information Risk Management Regime” of the 10 Steps to Cyber Security.
      The maturity model then gives the board a view on whether the risk management element is being done well, considering all elements of risk management. The Board can then take an informed view on whether to spend dollars on the other controls.

