Now that you have completed all of the ISMS assessments that you consider relevant to your business, you can view them in a consolidated strategic ISMS scorecard (see below). The scorecard's maturity approach is a five-step framework that ranges from 'Reactive' (an organisation with limited basic processes) to 'Advanced' (an organisation with sophisticated practices). Movement across the maturity spectrum is staged: lower-level processes must be in place before higher levels can be achieved, and each maturity level contains activities or processes that must be completed before moving to the next. For instance, responding 'Strongly Agree' to a question suggests the expected characteristics of highly mature processes, requiring little additional attention beyond perhaps a health check or benchmarking. Responding 'Strongly Disagree', on the other hand, suggests that current arrangements could be further improved, in which case the organisation may benefit from further work in certain areas. Organisations that are less mature in their ISMS practices tend to find it harder to maintain current capabilities, struggle to achieve cost transparency and miss out on better practices that could drive improved information security.
Consolidated ISMS Maturity Scorecard

The scorecard aggregates ten evaluation criteria, grouped under the COSO elements Control Environment, Risk Assessment, Control Activities and Monitoring & Communication, into a single score:

1. Mandate & Objective Setting
2. Metrics & Accountability
3. Policies & Procedures
4. Communication
5. Resourcing
6. Risk Assessment
7. Audits
8. Security System
9. Compliance Program
10. Reporting

Aggregated ISMS Control Score: 0
Scoring Criteria

| Level | Score | Maturity | Description |
|---|---|---|---|
| Working effectively | 5 | Advanced | Area has been fully addressed and conforms to better practices. |
| Could be improved | 4 | Maturing | Organisation has adequately addressed this area, with minor deviations from better practices. |
| Needs improving | 3 | Defined | Area is satisfactorily controlled, but with some deviations from better practices. |
| Cause for concern | 2 | Basic | A critical issue raises doubt as to the organisation's qualification in this area. |
| Requires attention | 1 | Reactive | The area is inadequately addressed, with large deviations from better practices. |