Organisations need a way to assess their current maturity level against the framework. We need a scoring methodology.
Proposal
- Per-control scoring: 0 (Not Started), 1 (Planned), 2 (Partially Implemented), 3 (Fully Implemented), 4 (Optimised)
- Tier scoring: Weighted average of control scores within the tier
- Overall maturity score: Composite score across all three tiers
- Minimum thresholds: Define what score qualifies an org for each tier level
Open questions
- Should all controls within a tier be weighted equally?
- Should there be mandatory controls that gate tier progression?
- How do we handle controls that are not applicable to certain industries?
Feedback welcome from practitioners who have used similar scoring models (e.g., CMMI, NIST CSF).
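To make the proposal concrete, here is an added illustrative scorer (example code written for this issue, not part of the framework or any existing tooling). It implements the 0 to 4 per-control scale, the weighted tier average, a composite across tiers and per-tier thresholds, and it takes one position on each open question so the effect can be seen on sample data: equal control weights by default with a per-control override, mandatory controls that block a tier unless scored at least Fully Implemented, and not-applicable controls dropped from both numerator and denominator. The control identifiers, weights, thresholds, the gating rule and the sample assessment are all constructed assumptions, not framework content.

```python
from dataclasses import dataclass
from typing import Optional

# Per-control scale from the proposal.
SCORE_LABELS = {0: "Not Started", 1: "Planned", 2: "Partially Implemented",
                3: "Fully Implemented", 4: "Optimised"}
MAX_SCORE = max(SCORE_LABELS)
GATE_MIN_SCORE = 3  # assumption: a mandatory control gates its tier unless at least Fully Implemented


@dataclass
class Control:
    control_id: str
    score: Optional[int]     # None = not applicable (assumption: dropped from the calculation)
    weight: float = 1.0      # assumption: equal weights by default, overridable per control
    mandatory: bool = False  # assumption: mandatory controls gate tier attainment

    def __post_init__(self):
        if self.score is not None and self.score not in SCORE_LABELS:
            raise ValueError(f"{self.control_id}: score {self.score} outside 0..{MAX_SCORE}")
        if self.weight <= 0:
            raise ValueError(f"{self.control_id}: weight must be positive")


@dataclass
class Tier:
    name: str
    controls: list[Control]
    threshold: float  # assumption: minimum normalised score (0..1) required to attain the tier


def tier_score(tier: Tier) -> Optional[float]:
    """Weighted average of applicable control scores, normalised to 0..1.
    N/A controls leave both numerator and denominator, so they neither help nor hurt.
    Returns None when every control in the tier is N/A."""
    applicable = [c for c in tier.controls if c.score is not None]
    if not applicable:
        return None
    total_weight = sum(c.weight for c in applicable)
    return sum(c.weight * c.score for c in applicable) / (MAX_SCORE * total_weight)


def blocking_controls(tier: Tier) -> list[str]:
    """Applicable mandatory controls scored below GATE_MIN_SCORE; any one blocks the tier."""
    return [c.control_id for c in tier.controls
            if c.mandatory and c.score is not None and c.score < GATE_MIN_SCORE]


def tier_attained(tier: Tier) -> bool:
    """Score meets the threshold and no mandatory control blocks.
    Assumption: a tier whose controls are all N/A is vacuously attained."""
    score = tier_score(tier)
    if score is None:
        return True
    return score >= tier.threshold and not blocking_controls(tier)


def maturity_level(tiers: list[Tier]) -> int:
    """Consecutive tiers attained from the lowest; progression stops at the first miss."""
    level = 0
    for tier in tiers:
        if not tier_attained(tier):
            break
        level += 1
    return level


def composite_score(tiers: list[Tier]) -> float:
    """Plain mean of scored tiers (assumption: tiers weighted equally; all-N/A tiers excluded)."""
    scores = [s for s in map(tier_score, tiers) if s is not None]
    return sum(scores) / len(scores) if scores else 0.0


# Constructed sample assessment (not real data): one N/A control, one weighted control, one failed gate.
EXAMPLE_TIERS = [
    Tier("Tier 1", threshold=0.6, controls=[
        Control("T1-01", 3, mandatory=True),
        Control("T1-02", 4),
        Control("T1-03", None),           # not applicable to this organisation
        Control("T1-04", 2, weight=2.0),  # counts double
    ]),
    Tier("Tier 2", threshold=0.6, controls=[
        Control("T2-01", 4),
        Control("T2-02", 1, mandatory=True),  # mandatory but only Planned: blocks Tier 2
        Control("T2-03", 3),
    ]),
    Tier("Tier 3", threshold=0.7, controls=[Control("T3-01", 0), Control("T3-02", 1)]),
]

if __name__ == "__main__":
    for t in EXAMPLE_TIERS:
        print(f"{t.name}: score={tier_score(t):.3f} attained={tier_attained(t)} blocked_by={blocking_controls(t)}")
    print(f"maturity level {maturity_level(EXAMPLE_TIERS)}, composite {composite_score(EXAMPLE_TIERS):.3f}")
```

On the sample data Tier 2 averages 0.667, above its 0.6 threshold, yet is not attained because its mandatory control is only Planned; that is the practical difference between a pure weighted average and gated progression. Dropping N/A controls from the denominator is deliberate: scoring them as 0 would penalise organisations for controls that cannot apply to them, and scoring them as 4 would inflate the tier for free.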