My Consolidated ISMS Scorecard

Now that you have completed all of the ISMS assessments that you have considered relevant to your business, you can view these assessments in a consolidated strategic ISMS scorecard – see below. The scorecard maturity approach contains a five step framework that ranges from ‘Reactive’ – an organisation with limited basic processes to ‘Advanced’ – an organisation with sophisticated practices. Movement across the maturity spectrum is staged, meaning lower level processes must be in place before higher levels can be achieved. Within each of these maturity levels are activities or processes that must be completed before moving to the next level. For instance, responding ’Strongly Agree’ to a question would suggest the expected characteristics of highly mature processes requiring little additional attention other than perhaps a health check or benchmarking. However, responding ’Strongly Disagree’ might suggest that current arrangements could be further improved in which case the organisation may benefit from further work in certain areas. Organisations that tend to be more immature in terms of ISMS practices, tend to find it more difficult to maintain current capabilities, struggle to get cost transparency and miss out on better practices that could drive improved information security.

- Consolidated ISMS Maturity Scorecard
Evaluation Criteria
1. Mandate & Objective Setting
2. Metrics & Accountability
3. Policies & Procedures
4. Communication
5. Resourcing
6. Risk Assessment
7. Audits
8. Security System
9. Compliance Program
10. Reporting
COSO ElementControl EnvironmentRisk AssessmentControl ActivitiesMonitoring & CommunicationAggregated ISMS Score
Aggregated ISMS Control Score0
Scoring Criteria
LevelScoreMaturityDescription
Working effectively5AdvancedArea has been fully addressed and comforms to better practices.
Could be improved4MaturingOrganisation has adequately addressed this area. Minor diviations from better practices.
Needs improving3DefinedArea is satisfactorily controlled but with some deviations from better practices.
Cause for concern2BasicA critical issue raises doubt as to organisation's qualification with this area.
Requires attention1ReactiveThe area is inadequately addressed. Large deviations from better practices.