Preparing an ISO 27001 Cybersecurity Maturity Comparison
A maturity comparison is a structured method for evaluating an organization's current state of security controls against the maturity level it needs to reach for ISO/IEC 27001 compliance. This document explains how to prepare such a comparison, score each domain on verifiable evidence, and present the results to stakeholders.
Purpose of an ISO 27001 Maturity Comparison
An ISO 27001 maturity comparison answers three essential questions:
- Where do we stand today?
- Where should we be to comply with ISO 27001?
- What actions are required to close the gap?
This analysis supports:
- Certification readiness
- Risk-based prioritization
- Executive communication
- Continuous improvement of the ISMS
Maturity Model Used
Use a 0-5 scale aligned to ISO 27001 governance and improvement requirements.
| Level | Name | Description |
|---|---|---|
| 0 | Non-existent | No controls or processes in place |
| 1 | Ad-hoc | Controls exist informally; inconsistent application |
| 2 | Repeatable | Controls applied consistently but not documented |
| 3 | Defined | Controls are documented and communicated across the organization |
| 4 | Managed | Controls are monitored, measured, and reviewed |
| 5 | Optimized | Controls are continuously improved and automated |
This scale maps onto ISO 27001 Clause 9 (performance evaluation) and Clause 10 (improvement): levels 4 and 5 correspond to the monitoring, measurement, review and continual-improvement activities those clauses require, so a domain scored below 4 is one where the ISMS cannot yet demonstrate them.
ISO 27001-Aligned Security Domains
Map your maturity scoring to the Annex A control groups. The list below follows the ISO/IEC 27001:2013 Annex A structure (A.5-A.18); if you are assessing against ISO/IEC 27001:2022, which regroups Annex A into four themes (A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological), map the domains to those themes instead. Suggested domains:
- A.5 Information Security Policies
- A.6 Organization of Information Security
- A.7 Human Resource Security
- A.8 Asset Management
- A.9 Access Control
- A.10 Cryptography
- A.11 Physical & Environmental Security
- A.12 Operations Security
- A.13 Communications Security
- A.14 System Acquisition, Development & Maintenance
- A.15 Supplier Relationships
- A.16 Incident Management
- A.17 Business Continuity & DR
- A.18 Compliance
You may adjust domains based on organizational scope.
Collecting Evidence for Maturity Scoring
To determine the current maturity, gather:
- Documented policies and procedures
- Records of implementation (e.g., logs, screenshots, tickets)
- Tool configurations
- Training records
- Interviews with process owners
- Internal audit results
Score a domain only on verifiable evidence: a claim made in an interview that is not backed by a record (policy, log, ticket, configuration, audit finding) does not raise the score, and a level without evidence behind it will not survive an internal or certification audit.
Scoring Current vs. Target Maturity
Rate each ISO 27001 domain using the 0-5 model.
Example Maturity Table
| ISO 27001 Domain | Current | Target | Gap | Notes |
|---|---|---|---|---|
| A.5 Policies | 3 | 4 | 1 | Policies exist but annual review missing |
| A.8 Asset Management | 2 | 4 | 2 | No automated asset discovery |
| A.9 Access Control | 3 | 4 | 1 | MFA not fully enforced |
| A.12 Operations Security | 2 | 5 | 3 | Logs collected but not monitored |
| A.16 Incident Management | 1 | 4 | 3 | IR plan not tested |
Visualizing the Maturity Comparison
Recommended chart types:
- Radar chart: Best for showing multiple ISO domains
- Bar chart: Clear comparison of current vs. target levels
ISO 27001 Maturity Comparison (Text Chart)
A.5 Policies | Current: ███ (3) | Target: ████ (4)
A.8 Asset Management | Current: ██ (2) | Target: ████ (4)
A.9 Access Control | Current: ███ (3) | Target: ████ (4)
A.12 Operations Security | Current: ██ (2) | Target: █████ (5)
A.16 Incident Management | Current: █ (1) | Target: ████ (4)
A.17 Business Continuity | Current: ███ (3) | Target: ████ (4)
A.18 Compliance | Current: ████ (4) | Target: █████ (5)
Legend:
Each block █ ≈ 1 maturity point
Scale: 0-5
Gap Analysis Summary
Explain major gaps and associated risks.
Example:
- Incident Management (A.16): No documented or tested incident response plan, representing a high risk of prolonged downtime and potential non-compliance.
- Operations Security (A.12): Lack of SIEM tuning reduces ability to detect threats in a timely manner.
- Asset Management (A.8): Manual inventory creates inaccuracies and reduces ability to evaluate risk effectively.
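The scoring table, the text chart and the gap ranking above can be produced from one data structure instead of being maintained by hand, which also lets you enforce the evidence rule mechanically. The following Python script is an added worked example, not part of the original page: the domain names and scores reproduce the page's example table, while the evidence records attached to them are constructed placeholders standing in for real artefacts. It validates the scores, renders the block chart in the page's format, and returns the overall averages and the domains ranked by gap, which is the order the roadmap should follow.

```python
"""Score, validate and visualize an ISO 27001 maturity comparison.

Added example (not from the original page). Scores mirror the page's
example table; the evidence strings are constructed placeholders.
"""
from dataclasses import dataclass, field

LEVELS = {0: "Non-existent", 1: "Ad-hoc", 2: "Repeatable",
          3: "Defined", 4: "Managed", 5: "Optimized"}


@dataclass
class DomainScore:
    domain: str                      # Annex A control group, e.g. "A.16 Incident Management"
    current: int                     # observed maturity, 0-5
    target: int                      # maturity required for the ISMS scope, 0-5
    evidence: list = field(default_factory=list)  # verifiable records backing `current`
    note: str = ""                   # short finding for the Notes column

    @property
    def gap(self) -> int:
        return self.target - self.current


def validate(scores):
    """Return a list of rule violations (empty list means the table is sound).

    Rules: levels must be within 0-5, the target may not be below the
    current level, and any current level above 0 needs at least one
    evidence record (the page's "only score on verifiable evidence" rule).
    """
    problems = []
    for s in scores:
        if not (0 <= s.current <= 5 and 0 <= s.target <= 5):
            problems.append(f"{s.domain}: scores must be 0-5")
        if s.target < s.current:
            problems.append(f"{s.domain}: target below current")
        if s.current > 0 and not s.evidence:
            problems.append(f"{s.domain}: level {s.current} claimed without evidence")
    return problems


def text_chart(scores):
    """Render the page's block chart: one █ per maturity point, padded to 5."""
    width = max(len(s.domain) for s in scores)
    lines = []
    for s in scores:
        cur, tgt = "█" * s.current, "█" * s.target
        lines.append(f"{s.domain:<{width}} | Current: {cur:<5} ({s.current})"
                     f" | Target: {tgt:<5} ({s.target})")
    return "\n".join(lines)


def summary(scores):
    """Overall averages plus domains ranked by gap (largest first), which is
    the order to use when prioritizing the risk-treatment roadmap."""
    ranked = sorted(scores, key=lambda s: (-s.gap, s.domain))
    return {
        "overall_current": round(sum(s.current for s in scores) / len(scores), 1),
        "overall_target": round(sum(s.target for s in scores) / len(scores), 1),
        "priorities": [(s.domain, s.gap) for s in ranked if s.gap > 0],
    }


# Constructed sample data reproducing the page's example scoring table.
EXAMPLE_SCORES = [
    DomainScore("A.5 Policies", 3, 4, ["approved policy set (placeholder ref)"],
                "Policies exist but annual review missing"),
    DomainScore("A.8 Asset Management", 2, 4, ["CMDB export (placeholder ref)"],
                "No automated asset discovery"),
    DomainScore("A.9 Access Control", 3, 4, ["IdP MFA policy screenshot (placeholder)"],
                "MFA not fully enforced"),
    DomainScore("A.12 Operations Security", 2, 5, ["SIEM ingestion dashboard (placeholder)"],
                "Logs collected but not monitored"),
    DomainScore("A.16 Incident Management", 1, 4, ["interview notes, on-call engineer"],
                "IR plan not tested"),
]

if __name__ == "__main__":
    for problem in validate(EXAMPLE_SCORES):
        print("SCORING ERROR:", problem)
    print(text_chart(EXAMPLE_SCORES))
    result = summary(EXAMPLE_SCORES)
    print(f"\nOverall current {result['overall_current']} vs target {result['overall_target']}")
    for domain, gap in result["priorities"]:
        print(f"  gap {gap}: {domain}")
```

Run it as-is to reproduce the chart; replace `EXAMPLE_SCORES` with your own table and keep the evidence lists pointing at real documents or ticket IDs so that `validate` flags any level that an auditor could not trace to a record. The priority list is intentionally sorted by raw gap; if your risk assessment weights domains differently, add a weight to `DomainScore` and sort on `gap * weight` instead.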
ISO 27001 Roadmap to Close Gaps
Align your roadmap with ISO 27001 risk treatment and continual improvement requirements.
Example Roadmap
| Objective | Required Actions | Owner | Deadline |
|---|---|---|---|
| Improve Incident Management to Level 4 | Develop IR plan, run tabletop exercise, implement escalation workflow | Security Manager | Q2 |
| Raise Operations Security to Level 4 (interim step toward the Level 5 target) | Tune SIEM, implement monitoring dashboards, define metrics | SOC Lead | Q3 |
| Enhance Asset Management | Deploy automated discovery tool, inventory review every quarter | IT Ops | Q4 |
Final Deliverable Structure
A complete ISO 27001 maturity comparison package should include:
- Executive summary
- Scoring table
- Visual charts
- Evidence-based findings
- Gap analysis
- Treatment plan / roadmap
- References to ISO 27001 controls
This creates a transparent and auditable record for certification and management review.
Example Executive Summary (Ready to Use)
The maturity assessment shows an overall security maturity of 2.3 against the target maturity of 3.8 set for ISO 27001 readiness (illustrative figures; substitute the averages computed from your own scoring table). Major gaps exist in Operations Security, Incident Response, and Asset Management. A prioritized roadmap is proposed to reach the target maturity within 12 months, in line with the organization's risk tolerance and regulatory obligations.
Conclusion
A structured ISO 27001 maturity comparison provides clear insight into current readiness, highlights risks, and establishes a transparent improvement plan. It is a critical component of ISMS governance and supports effective certification preparation.