The SRMBOK Maturity Model
Security Risk Management Body Of Knowledge (SRMBOK)
The SRMBOK maturity model addresses the following four levels:
Level 1 INITIAL
Level 2 BASIC
Level 3 REPEATABLE
Level 4 OPTIMIZING
The model also addresses six categories of maturity:
Assessment descriptors for each of the categories are outlined below.
Level 1 INITIAL: Compliance-only approach. Risk appetite is not defined. No framework developed. No senior management support. No use of SRM to inform decision-making.
Level 2 BASIC: SRM established for loss prevention. Shared but poorly articulated SRM tolerance. SRM implemented at lower levels. Few policies and procedures.
Level 3 REPEATABLE: SRM built into routine business processes and management systems. Comprehensive SRM policy and procedures. Benefits recognized at all levels of the organization.
Level 4 OPTIMIZING: SRM considered critical to competitive advantage and achievement of objectives. Security risk appetite and approach are documented and promulgated to all levels of the organization. SRM management systems demonstrate continuous improvement. SRM is proactive and focused on opportunity realization.

Level 1 INITIAL: SRM implemented to meet minimum legislated requirements.
Level 2 BASIC: SRM exposure defined. Roles and responsibilities defined. Basic SRM decision-making mechanisms.
Level 3 REPEATABLE: Proactive approach to SRM. Support for SRM at all levels of the organization. High-level security risks reviewed by senior management or board.
Level 4 OPTIMIZING: SRM culture is led by the Chief Executive. SRM information is used in decision-making. SRM roles and responsibilities included in inductions, job descriptions and performance appraisals.

Level 1 INITIAL: SRM strategy and management systems non-existent or ad hoc.
Level 2 BASIC: SRM framework under development. BCM and resilience not addressed. Poor data collection and analysis.
Level 3 REPEATABLE: Strategy and management systems are documented and consistently applied. SRM framework is in place and partially integrated with BCM.
Level 4 OPTIMIZING: SRM framework and management systems are defined and benchmarked against best practice. Continuous improvement is evident at all levels.

Level 1 INITIAL: Very limited understanding of SRM systems or terminology.
Level 2 BASIC: Limited to a small number of security practitioners.
Level 3 REPEATABLE: In-house core of experienced individuals, systems and modeling.
Level 4 OPTIMIZING: Organization has in-depth experience at all levels, and experiences are analyzed and recorded as part of normal knowledge management processes.

Level 1 INITIAL: Training implemented only to the level required by legislation.
Level 2 BASIC: Training undertaken only by security practitioners.
Level 3 REPEATABLE: Organizational training needs are analyzed and met. Security training provided to staff at all levels.
Level 4 OPTIMIZING: Training and education programs are based on robust and up-to-date training needs analysis. Relevant training is provided to all levels of the organization.

Level 1 INITIAL: Management practices are focused on meeting legislated requirements. Response to critical incidents is the prime initiator for SRM.
Level 2 BASIC: SRM management practices are based on organizational management systems. The majority of SRM is reactive. Security systems are reviewed on an ad hoc basis.
Level 3 REPEATABLE: Guidance for SRM provided to all levels of management. Resource allocation commensurate with risk. Security plans are reviewed at least annually.
Level 4 OPTIMIZING: Guidance on SRM implementation is provided to all levels of the organization. Lead indicators and benchmarks are established and monitored. Resource allocation is monitored and optimized. SRM is integrated, and plans are reviewed and tested at least annually.