
Posted on 05-Jul-2020

ESRM Maturity Assessment

How to Use This Model

The following assessment lets you measure your enterprise's maturity level against the current Enterprise Security Risk Management (ESRM) framework. Below are guidelines to get started.

Categories and Ratings

General Ratings

0 - Non-Existent/Not Wanted: The requirement is non-existent in the environment and/or not desired.

1 - Ad Hoc: It is characteristic of processes at this level that they are (typically) undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes.

2 - Repeatable: It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

3 - Defined: It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and used to establish consistency of process performance across the organization.

4 - Managed: It is characteristic of processes at this level that, using process metrics, management can effectively control the AS-IS process (e.g., for software development). In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process capability is established from this level.

5 - Optimized: It is characteristic of processes at this level that the focus is on continually improving process performance through both incremental and innovative technological changes/improvements.

Current Score

The current score is the score agreed by the working group filling out the matrix on how well the enterprise currently meets the requirement as written. Separate scores for People and Process are averaged to find the overall score.

People

1 - Risk knowledge is limited to a few key personnel, with no cross-training between security teams/groups and departments.

2 - Cross-functional teams are mostly in place, and roles/responsibilities regarding risk knowledge are generally understood.

3 - Cross-functional teams are in place, ESRM knowledge is transferred between teams, and roles/responsibilities regarding risk knowledge are well defined.

4 - Cross-functional teams are adequately staffed for ESRM, performance for these teams is measured, and ESRM development/training programs are in place for teams across the organization.

5 - ESRM performance metrics are measured and optimized.

Process

1 - ESRM/Risk processes do not exist or are performed in an ad hoc manner.

2 - ESRM/Risk processes exist and are repeatable.

3 - ESRM/Risk processes are defined and documented as a standardized process across the organization.

4 - ESRM/Risk processes are measured against established metrics.

5 - ESRM/Risk processes are reviewed and proactively improved based on measurable results.

Governance Target

The Governance Target is the rating set by the security governance body, under its risk decision-making authority, as the most appropriate rating to meet the risk thresholds that body has determined.

Recommended Score

The Recommended Score is the recommendation from security leadership, based on its security expertise, of the most appropriate rating to meet the risk thresholds communicated to security leadership.
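The three scores above (Current, Governance Target, Recommended) are usually tracked in a spreadsheet. As an added example, not part of the original assessment document, the following Python captures the matrix as one row per requirement and applies the scoring rule the model states: People and Process are rated on the 0-5 General Ratings scale and averaged to give the Current Score. The integer-range validation, the gap-to-target calculation, the per-section roll-up and the sample rows are this example's own conventions; the sample scores are constructed and do not come from any real assessment.

```python
"""Scoring helper for the ESRM maturity matrix described above.

Added example, not part of the original assessment document. It assumes the
matrix is captured as one row per requirement carrying a People score and a
Process score on the 0-5 General Ratings scale, plus the Governance Target and
the Recommended Score. Only the averaging rule comes from the model; the
validation, the gap calculation, the per-section roll-up and the sample rows
are this example's own conventions.
"""
from dataclasses import dataclass
from statistics import mean

# General Ratings scale from the model (whole numbers only).
RATING_LABELS = {
    0: "Non-Existent/Not Wanted",
    1: "Ad Hoc",
    2: "Repeatable",
    3: "Defined",
    4: "Managed",
    5: "Optimized",
}


def validate_rating(value, name):
    """Reject anything that is not an integer 0-5; bools are excluded because they subclass int."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 5:
        raise ValueError(f"{name} must be an integer rating 0-5, got {value!r}")
    return value


@dataclass(frozen=True)
class Requirement:
    """One row of the matrix. 'ident' is the survey number, e.g. "1.1"; its leading digit is the section."""
    ident: str
    title: str
    people: int             # working-group score, People dimension
    process: int            # working-group score, Process dimension
    governance_target: int  # set by the security governance body
    recommended: int        # set by security leadership

    def __post_init__(self):
        for field in ("people", "process", "governance_target", "recommended"):
            validate_rating(getattr(self, field), field)

    @property
    def section(self):
        return self.ident.split(".")[0]

    @property
    def current(self):
        """Current score as the model defines it: the average of People and Process."""
        return (self.people + self.process) / 2

    @property
    def gap_to_target(self):
        """Positive when the enterprise sits below the governance target (example convention)."""
        return self.governance_target - self.current


def rating_label(score):
    """Label of the General Rating a (possibly fractional) score has fully reached, i.e. the floor."""
    return RATING_LABELS[int(score)]


def section_summary(requirements):
    """Roll rows up per survey section: mean current, mean target and the requirement with the largest gap."""
    by_section = {}
    for row in requirements:
        by_section.setdefault(row.section, []).append(row)
    summary = {}
    for section, rows in sorted(by_section.items()):
        worst = max(rows, key=lambda r: r.gap_to_target)
        summary[section] = {
            "current": round(mean(r.current for r in rows), 2),
            "target": round(mean(r.governance_target for r in rows), 2),
            "largest_gap": worst.ident,
            "largest_gap_value": worst.gap_to_target,
        }
    return summary


# Constructed sample rows: illustrative scores only, not results of any real assessment.
SAMPLE = [
    Requirement("1.1", "Enterprise executives formally support the ESRM philosophy and approach.", 2, 1, 4, 3),
    Requirement("1.2", "Security department mission and goals formally commit to an ESRM approach.", 3, 3, 4, 4),
    Requirement("2.1", "Enterprise has instituted a security council to govern security risk.", 1, 2, 3, 3),
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(f"{row.ident}: current {row.current} ({rating_label(row.current)}), "
              f"target {row.governance_target}, gap {row.gap_to_target}")
    for section, data in section_summary(SAMPLE).items():
        print(f"section {section}: {data}")
```

Because the Current Score is an average, a fractional value such as 1.5 sits between two ratings; rating_label deliberately reports the level fully reached rather than rounding up, so a working group is not credited with "Repeatable" on the strength of one strong dimension. The validation step matters in practice because a typo such as 6 or a blank cell silently skews every roll-up downstream.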

Definitions Used in this Model

Asset Owner

The person with budgetary control over the assets, at a high enough level in the organization to have appropriate decision-making authority on security risk decisions.

Business Unit Leader

Top-level leaders of a particular function or department in the enterprise (e.g., head of accounting, HR, IT, operational departments, etc.).

Enterprise

This matrix uses "enterprise" in the broadest sense: a business, organization, or company, including public, state or government-run organizations, privately held or family companies, not-for-profit organizations, stockholder-controlled corporations, or others.

Enterprise Executive

"Enterprise executive" refers to personnel at the top level of the organization: the C-suite, President, controlling partners, Executive Vice Presidents, or other titled individuals with strategic management-level roles in the organization.

ESRM

The application of fundamental risk principles to manage all security risks (information, cyber, physical security, asset management, business continuity, and so on) in a single comprehensive, holistic approach.

Security Department

The department designated in the organization to manage the enterprise security risk.

Security Discipline

Individual tactical security specialties, such as executive protection, information security, physical access control, business continuity, investigations and forensics, and so on. These disciplines are typically technically diverse enough to require tactical personnel with specialized skill sets to complete the activities.

Security Risk

Anything that threatens harm to the enterprise, its mission, its employees, its customers, its partners, its operations, its assets, or its reputation.

Stakeholder

Anyone other than the Asset Owner whose group could be impacted by an incident or action involving the asset, and who therefore needs to be consulted on questions of security risk; a Stakeholder sits at a high enough level in the organization to have appropriate decision-making authority on security risk decisions.

ESRM MATURITY SURVEY

Read each ESRM requirement and rate how the people and processes in your enterprise support that requirement on a scale of 0 to 5, using the definitions above. All questions are required.

1. Program Strategy

1.1 Enterprise executives formally support the ESRM philosophy and approach.

1 - Ad Hoc: Tacit support of the program with no formal statement.

5 - Optimized: Formal ESRM charter signed by all C-level Stakeholders.

1.2 Security department mission and goals formally commit to an ESRM philosophy and approach.

1 - Ad Hoc: Security team has verbal instruction to adhere to the ESRM approach.

5 - Optimized: Security department has a formal, written ESRM mission and goal set that is shared with all security team members.

1.3 Security department leadership has established relationships with function/department business leaders across the enterprise.

1 - Ad Hoc: Some team members have developed relationships with some business Stakeholders in the enterprise.

5 - Optimized: A formal registry of business Stakeholders is maintained, with primary security points of contact named for each Stakeholder and a mandated contact schedule maintained for each.

1.4 Security department understands the mission and goals of the overall enterprise.

1 - Ad Hoc: Personnel with longer tenure have some insight into the overall mission, goals, and function of the enterprise.

5 - Optimized: A formal onboarding program for all security employees trains on the overall mission, goals, and critical functions of the enterprise and aligns them with the ESRM approach.

1.5 Security department understands the mission and goals of critical internal departments / business units and the needs of those business leaders.

1 - Ad Hoc: Personnel with longer tenure have some insight into the business goals and function of critical processes.

5 - Optimized: A formal onboarding program for all security employees trains on the business goals and critical functions of the enterprise and aligns them with the ESRM approach.

1.6 Security department leaders and enterprise executives understand and agree to a definition of what constitutes successful accomplishment of the security mission.

1 - Ad Hoc: Informal definition of tangible security goals.

5 - Optimized: Formal, documented success criteria, additionally including intangible goals.

1.7 Security department has a defined strategy to meet the defined security success criteria, based on an ESRM philosophy.

1 - Ad Hoc: Key performance indicators (KPIs) are developed for the achievement of some tangible goals.

5 - Optimized: Documented and reported-upon KPIs exist for all goals, including intangible goals.

1.8 The ESRM security strategy is based on a formal risk model (such as ISO, COBIT, ANSI, etc.).

1 - Ad Hoc: Some portions of the ESRM strategy align with some portions of a formal risk management model.

5 - Optimized: A risk management model is officially adopted for the program and all practices align with the model.

1.9 Enterprise executives understand the skill sets needed for effective ESRM program management and support training existing staff and hiring staff with the necessary skills.

1 - Ad Hoc: Management has some understanding of the skills ESRM requires and provides sufficient resources through hiring or training.

5 - Optimized: ESRM requirements are incorporated into the HR hiring process and job descriptions, and existing personnel are given advanced risk management training.

2. Program Governance

2.1 Enterprise has instituted a security group or council to govern security risk and the security program.

1 - Ad Hoc: A council or working group is established and meetings occur as the council desires.

5 - Optimized: A security council is formed with a documented charter, roles and responsibilities. The council has a mandated meeting schedule and regularly interacts with the board of directors / management.

2.2 Enterprise has a set tolerance level for security risk overall for the enterprise.

1 - Ad Hoc: Security has an implied understanding of risk levels or a documented risk posture for some risks.

5 - Optimized: The board of directors / management has a formal posture on the risk level of the company, including risk categories (high, medium, low).

2.3 Enterprise has a set tolerance level for security risk at the critical asset / function level, based on criticality of assets / functions across the enterprise.

1 - Ad Hoc: Risk thresholds are defined for the critical assets of the company.

5 - Optimized: Specific risk thresholds are defined for non-critical areas of the enterprise as well, and thresholds include risk categories (high, medium, low).

2.4 Security Department operates with effective levels of independence to avoid any conflicts of interest.

1 - Ad Hoc: Internal audits are executed to confirm independence.

5 - Optimized: In addition, external audits are executed to confirm independence.

2.5 Security Department operates with effective levels of transparency for all security risks.

1 - Ad Hoc: Status reports on risk tolerances are given to business leaders if requested.

5 - Optimized: Mandated status reports on risk tolerances are given to business leaders and to external stakeholders (e.g., security authorities) on a defined timeline.

2.6 Security Department operates with effective levels of authority to manage security risk in all areas of the enterprise.

1 - Ad Hoc: The security department has executive support to perform security activities as needed.

5 - Optimized: There is a clear and direct authorization for the security department from the board of directors / management and from the security authorities.

2.7 Security program has a defined scope / charter / remit to clarify risk categories as security or non-security for enterprise operations.

1 - Ad Hoc: The security program is formally approved by the security council.

5 - Optimized: The security program is formally approved by the security council and the board of directors / management and has a documented charter / policy.

2.8 Security disciplines are aligned with industry standards, and the maturity of the alignment is reported regularly to the governing group and to enterprise executives.

1 - Ad Hoc: Training is based on industry standards and the success of the training is reported to management.

5 - Optimized: Training for personnel also includes certification based on industry standards.

2.9 All in-scope / chartered security risks are managed in accordance with an ESRM approach regardless of the threat vector or impacted asset.

1 - Ad Hoc: The security council conducts self-assessments to verify the ESRM approach.

5 - Optimized: The security council engages third-party auditors on a defined timeline to conduct audits to verify the ESRM approach.

3. Understanding and Awareness

3.1 Enterprise executives and department/business function leaders understand the ESRM philosophy and approach.

1 - Ad Hoc: Executives and management in critical functions and some support functions have been exposed to the ESRM program and understand it.

5 - Optimized: ESRM is part of a formal security awareness program, and the security department conducts more in-depth workshops with the most critical business functions.

3.2 Enterprise executives and department / business function leaders understand the role of security as risk managers.

1 - Ad Hoc: Executives and management in critical functions and some support functions have been part of a risk mitigation process and understand security's role in it.

5 - Optimized: ESRM is part of a formal security awareness program, and the security department conducts more in-depth workshops with the most critical business functions to ensure understanding of security's role.

3.3 Security department personnel understand the ESRM philosophy and approach.

1 - Ad Hoc: Some staff have been exposed to the ESRM philosophy.

5 - Optimized: Formal annual training in ESRM methodologies is required for every security department employee.

3.4 Security department personnel understand the role of security as risk managers.

1 - Ad Hoc: Risk management training is provided to security personnel.

5 - Optimized: Training includes certification based on international standards.

3.5 Security department personnel act at all times in accordance with an ESRM approach.

1 - Ad Hoc: A risk-management approach is sometimes used by security department personnel.

5 - Optimized: Use of ESRM methodologies and processes is a formal part of security staff training, and employees are rated on ESRM adherence as part of the annual review process.

3.6 Any personnel outside the Security Department tasked with performing activities that mitigate security risks understand the ESRM philosophy and approach.

1 - Ad Hoc: Some business functions are trained in ESRM and are capable of performing their security tasks in partnership with the security department.

5 - Optimized: All functions performing any security mitigation process have formal training in ESRM and understand the security role and their partnership with the security department.

3.7 Enterprise Asset Owners understand the role of an Asset Owner in the ESRM program.

1 - Ad Hoc: Asset owners may have their roles explained to them in the event they become involved in a security project.

5 - Optimized: An embedded security culture of risk-management decision making is formally part of the training and awareness of all budget managers in the organization.

3.8 Security risk Stakeholders understand the role of a risk Stakeholder in the ESRM program.

1 - Ad Hoc: The security department communicates the role of security to impacted stakeholders.

5 - Optimized: In addition, the security department conducts workshops with the most relevant stakeholders.

3.9 Enterprise employees understand their role in promoting and interacting in an ESRM security culture.

1 - Ad Hoc: The security department communicates the ESRM approach to all employees of the company.

5 - Optimized: In addition, the security department offers town hall meetings, webinars and workshops to interact with employees.

4.1 Security Department has identified all enterprise assets (tangible and intangible) to be considered in the ESRM program.

1 - Ad Hoc: A list of tangible assets exists.

5 - Optimized: A list of tangible and intangible assets exists.

4.2 Security Department has identified all Asset Owners or Stakeholders with appropriate risk-decision-making authority for each asset to be considered in the ESRM program.

1 - Ad Hoc: A list of owners and stakeholders for tangible assets exists.

5 - Optimized: A list of owners and stakeholders for tangible and intangible assets exists.

4.3 Security Department has engaged all Asset Owners or Stakeholders with appropriate risk-decision-making authority in prioritizing each asset to be considered in the ESRM program.

1 - Ad Hoc: The asset owners/stakeholders have prioritized their tangible assets.

5 - Optimized: The asset owners/stakeholders have prioritized their tangible and intangible assets.

4.4 Security Department has identified all security risks associated with assets that have been prioritized for risk assessment in the ESRM program.

1 - Ad Hoc: A risk report with all relevant risks related to prioritized tangible assets is created.

5 - Optimized: A risk report with all relevant risks related to prioritized tangible and intangible assets is created.

4.5 Security Department has engaged all Asset Owners or Stakeholders with appropriate risk-decision-making authority in prioritizing the identified risks associated with assets in the risk assessment process.

1 - Ad Hoc: The risk report with all relevant risks related to prioritized tangible assets is created and aligned with all asset owners/stakeholders.

5 - Optimized: A risk report with all relevant risks related to prioritized tangible and intangible assets is created and aligned with all asset owners/stakeholders.

4.6 A register of assets and associated risks with potential impacts exists for all assets prioritized for risk assessment.

1 - Ad Hoc: The impact and likelihood of all relevant risks related to prioritized tangible assets are calculated.

5 - Optimized: The impact and likelihood of all relevant risks related to prioritized tangible and intangible assets are calculated.

4.7 All assets that meet the threshold for risk mitigation (as set by the ESRM governing body) have had mitigation plans recommended to the previously identified Asset Owners or Stakeholders with appropriate risk-decision-making authority for final risk treatment decisions.

1 - Ad Hoc: Risk mitigation plans exist for relevant risks related to prioritized assets.

5 - Optimized: Risk mitigation plans exist for all relevant risks related to prioritized tangible and intangible assets and have been tested and reviewed for residual risk.

4.8 Security risk mitigation plans approved by the associated Asset Owners or Stakeholders with appropriate risk-decision-making authority are documented in short-term, mid-term, and long-term security implementation roadmaps / plans.

1 - Ad Hoc: Risk mitigation plans for all relevant risks related to prioritized assets are approved by the asset owners and milestones for the implementation are agreed.

5 - Optimized: Risk mitigation plans for all relevant risks related to prioritized assets are approved by the asset owners, and milestones for the implementation are agreed and reported to the security council in addition to risk owners.

5.1 Key risk indicators are identified for each Asset Owner and Stakeholder to understand how risk mitigation activities are working to maintain risk within stated tolerance levels.

1 - Ad Hoc: A status report with KPIs is created on the mitigation of all relevant risks related to prioritized assets.

5 - Optimized: A status report with KPIs is created on the mitigation of all relevant risks related to prioritized assets and is reported to the security council in addition to risk owners.

5.2 Risk status reports are regularly delivered to Asset Owners and Stakeholders with assets impacted by the ESRM program.

1 - Ad Hoc: The risk report is communicated to the asset owners / stakeholders as requested.

5 - Optimized: The risk report is communicated to the asset owners and to stakeholders on a formal, documented timeline.

5.3 Risk status reports are regularly delivered to executive management.

1 - Ad Hoc: The risk report is communicated to executive management as requested.

5 - Optimized: The risk report is communicated to executive management on a formal, documented timeline.

5.4 Risk status reports are regularly delivered to the Security Department governing body.

1 - Ad Hoc: The risk report is communicated to the governing body as requested.

5 - Optimized: The risk report is communicated to the governing body on a formal, documented timeline.

5.5 Risk mitigation plan roadmap status reports are regularly delivered to Asset Owners and Stakeholders with assets impacted by the ESRM program.

1 - Ad Hoc: The risk mitigation plan is communicated to the asset owners as requested.

5 - Optimized: The risk mitigation plan is communicated to the asset owners on a formal, documented timeline.

5.6 Risk mitigation plan roadmap status reports are regularly delivered to executive management.

1 - Ad Hoc: The risk mitigation plan is communicated to executive management as requested.

5 - Optimized: The risk mitigation plan is communicated to executive management on a formal, documented timeline.

5.7 Risk mitigation plan roadmap status reports are regularly delivered to the Security Department governing body.

1 - Ad Hoc: The risk mitigation plan is communicated to the governing body as requested.

5 - Optimized: The risk mitigation plan is communicated to the governing body on a formal, documented timeline.

5.8 Risk re-assessments of all enterprise security risks are performed on a regular basis.

1 - Ad Hoc: Risk assessments are conducted as the security team has availability.

5 - Optimized: Risk assessments are mandated by the Security Council and reported to the council on a formal, documented timeline.

5.9 Scanning for new security risks is performed on a regular basis.

1 - Ad Hoc: Risk scanning is conducted as the security team has availability.

5 - Optimized: Risk scanning is mandated by the Security Council and reported to the council on a formal, documented timeline.

5.10 Risk mitigation plans and activities, and associated roadmaps, are updated regularly to account for changing risk environments.

1 - Ad Hoc: Updates to mitigation plans are completed when events impact them.

5 - Optimized: Updates to mitigation plans are conducted on a formal, documented timeline.

5.11 All post-incident or post-investigation root cause analysis findings are delivered to the Asset Owners and impacted Stakeholders for further risk mitigation decision making.

1 - Ad Hoc: The security department reports root cause analysis to impacted functions or asset owners/stakeholders as requested.

5 - Optimized: The security department reports root cause analysis to impacted functions or asset owners/stakeholders as a formal, documented part of any incident investigation or follow-up.

6.1 All job roles and responsibilities within the Security Department are developed and defined with an ESRM philosophy and approach.

1 - Ad Hoc: All job profiles in the security department are aligned with ESRM and approved by security management.

5 - Optimized: All job profiles in the security department are mandated by the security council to be aligned with ESRM, and risk-management-specific skill sets are required in hiring processes.

6.2 Teams performing security risk mitigation activities are managed cross-functionally, or work cross-functionally in partnership using an ESRM approach if they are not managed in a single organization.

1 - Ad Hoc: Projects will sometimes involve cross-functional teams working under a project structure.

5 - Optimized: All security risk mitigation activities are performed by staff who report in a single organization structure to a CSO at the executive level. All security risk is managed in a single department.

6.3 All security risk mitigation activities performed by security tactical personnel in any discipline are directly linked to an asset and risk (or identified as mitigating risk universally for multiple assets).

1 - Ad Hoc: Security projects may sometimes be sponsored by or tied to a requesting department.

5 - Optimized: No security risk mitigation activities take place that do not have an underlying, documented asset or group of assets protected by the security activity.

6.4 Internal and external security threats and risks are managed holistically in partnership with all impacted groups.

1 - Ad Hoc: Partnerships with all relevant asset owners/stakeholders are established.

5 - Optimized: Partnerships with all relevant asset owners/stakeholders are established, formally documented and reported to the security council.

6.5 Any risk assessment performed by any tactical security personnel in any security discipline is shared across all disciplines and leveraged to identify assets and risks, to ensure all are considered in the ESRM program.

1 - Ad Hoc: Most risk assessments are communicated within the security department and to any personnel performing security mitigation tasks in other departments.

5 - Optimized: All risk assessments are communicated within the security department, to any personnel performing security mitigation tasks in other departments, and to asset owners/stakeholders.

6.6 Any security risk monitoring activity performed by any tactical security personnel in any security discipline is shared across all disciplines and leveraged to proactively identify new or emerging security risks in the enterprise.

1 - Ad Hoc: Most risk monitoring activities are communicated within the security department and to any personnel performing security mitigation tasks in other departments.

5 - Optimized: All risk monitoring activities are communicated within the security department, to any personnel performing security mitigation tasks in other departments, and to asset owners/stakeholders.

6.7 Any security intelligence gathering and analysis activity performed by any tactical security personnel in any security discipline is shared across all disciplines and leveraged to proactively identify new or emerging security risks in the enterprise.

1 - Ad Hoc: Most security intelligence analyses are communicated within the security department and to any personnel performing security mitigation tasks in other departments.

5 - Optimized: All security intelligence analyses are communicated within the security department, to any personnel performing security mitigation tasks in other departments, and to asset owners/stakeholders.

6.8 Security incident response teams in any security discipline provide immediate response, triage, control, and recovery for any security risks that become realized incidents, and notify security leadership so that activation of other security discipline incident response teams can be considered for coordination.

1 - Ad Hoc: Security personnel escalate and notify management and other groups as needed during an event.

5 - Optimized: Formal documented processes exist with escalation pathways and thresholds that mandate communication across teams and stakeholders during incident response.

6.9 A post-incident investigation including a root cause analysis is performed on every security incident regardless of the threat vector, impacted asset, or the tactical security discipline of the response team(s) that was tasked to work the incident.

1 - Ad Hoc: Post-incident investigation reporting is done on critical or high-visibility events.

5 - Optimized: Every security incident has a post-incident investigation that is communicated within the security department and to the asset owners/stakeholders.

6.10 All incident investigations in all security disciplines include a post-mortem report delivered to all impacted asset owners and stakeholders that communicates incident impact, root cause, identified risks, and any further recommended risk mitigation activities for the risk.

1 - Ad Hoc: Post-incident investigation reporting is done on critical or high-visibility events and sometimes communicated to asset owners/stakeholders.

5 - Optimized: Every security incident has a post-incident investigation that is communicated within the security department and to the asset owners/stakeholders.

6.11 All incident investigations in all security disciplines identify and account for impacted asset owners and stakeholders in the investigation process to ensure the proper audience for the post-incident reporting process.

1 - Ad Hoc: Investigations sometimes involve asset owners/stakeholders if needed for investigative input.

5 - Optimized: A formal, documented process exists to ensure asset owners/stakeholders are included in the investigative process involving their impacted assets.

6.12 All incident investigations in all security disciplines identify and account for any related policy, process, or risk mitigation ties that could affect the investigation, to ensure thorough root cause analysis and residual risk identification.

1 - Ad Hoc: Investigations sometimes look at associated policies and processes if needed for investigative input.

5 - Optimized: A formal, documented process exists to ensure the policies and processes associated with the impacted assets are included in the investigative process.

6.13 Any enterprise security awareness training performed by any tactical security group in any security discipline considers ESRM philosophies and is leveraged to increase awareness of security risks across all security disciplines.

1 - Ad Hoc: Security employees receive security awareness training based on ESRM methods.

5 - Optimized: Security employees and asset owners receive security awareness training based on ESRM methods.

6.14 Any enterprise security policy, standard, procedure, or guideline written or created by any tactical security group in any security discipline considers ESRM philosophies and is leveraged to facilitate the management of security risks across all security disciplines.

1 - Ad Hoc: Security policies are based on ESRM methods.

5 - Optimized: Both security policies and business policies are based on ESRM methods.

6.15 Any security architecture design model created by any tactical security group in any security discipline considers ESRM philosophies and is leveraged to facilitate the management of security risks across all security disciplines.

1 - Ad Hoc: The designer of a new access control system involves information security only after installation, to take part in the credentialing process.

5 - Optimized: All new projects begin with a discovery step to identify all security risk asset owners and stakeholders and involve them in the architecture risk decision making, allowing the project to benefit from many avenues of input.

6.16 Any security testing activity performed by any tactical security group in any security discipline considers ESRM philosophies and is leveraged to facilitate the management of security risks across all security disciplines.

1 - Ad Hoc: Security tests and exercises occasionally incorporate multiple tactical teams or cross different types of security discipline.

5 - Optimized: The security department has a dedicated test and exercise function that plans and designs all tests and exercises to incorporate multiple security disciplines and tracks all testing to ensure all disciplines participate in tests on a regular basis.