
The SRMBOK Maturity Model

Security Risk Management Body Of Knowledge (SRMBOK)


The SRMBOK maturity model addresses the following four levels:


  1. Level 1 INITIAL

  2. Level 2 BASIC

  3. Level 3 REPEATABLE

  4. Level 4 OPTIMIZING

The model also addresses six categories of maturity:

  • Overview

  • Culture

  • Systems

  • Experience

  • Training

  • Management

Assessment descriptors for each of the categories are outlined below.


  • Overview

  1. Compliance-only approach. Risk appetite is not defined. No framework developed. No senior management support. No use of SRM to inform decision-making.

  2. SRM established for loss prevention. Shared but poorly articulated SRM tolerance. SRM implemented at lower levels. Few policies and procedures.

  3. SRM built into routine business processes and management systems. Comprehensive SRM policy and procedures. Benefits recognized at all levels of the organization.

  4. SRM considered critical to competitive advantage and achievement of objectives. Security risk appetite and approach are documented and promulgated to all levels of the organization. SRM management systems demonstrate continuous improvement. SRM proactive and focused on opportunity realization.


  • Culture

  1. SRM implemented to meet minimum legislated requirements.

  2. SRM exposure defined. Roles and responsibilities defined. Basic SRM decision-making mechanisms.

  3. Proactive approach to SRM. Support for SRM at all levels of the organization. High-level security risks reviewed by senior management or board.

  4. SRM culture is led by the Chief Executive. SRM information is used in decision-making. SRM roles and responsibilities included in inductions, job descriptions and performance appraisals.


  • Systems

  1. SRM strategy and management systems non-existent or ad hoc.

  2. SRM framework under development. BCM and resilience not addressed. Poor data collection and analysis.

  3. Strategy and management systems are documented and consistently applied. SRM framework is in place and partially integrated with BCM.

  4. SRM framework and management systems are defined and benchmarked against best practice. Continuous improvement is evident at all levels.


  • Experience

  1. Very limited understanding of SRM systems or terminology.

  2. Limited to a small number of security practitioners.

  3. In-house core of experienced individuals, systems and modeling.

  4. Organization has in-depth experience at all levels, and experiences are analyzed and recorded as part of normal knowledge management processes.


  • Training

  1. Training implemented only to the level required by legislation.

  2. Training undertaken only by security practitioners.

  3. Organizational training needs are analyzed and met. Security training provided to staff at all levels.

  4. Training and education programs are based on robust and up-to-date training needs analysis. Relevant training is provided to all levels of the organization.


  • Management

  1. Management practices are focused on meeting legislated requirements. Response to critical incidents is the prime initiator for SRM.

  2. SRM management practices are based on organizational management systems. Majority of SRM is reactive. Security systems are reviewed on an ad hoc basis.

  3. Guidance for SRM provided to all levels of management. Resource allocation commensurate with risk. Security plans are reviewed at least annually.

  4. Guidance on SRM implementation is provided to all levels of the organization. Lead indicators and benchmarks are established and monitored. Resource allocation is monitored and optimized. SRM is integrated, and plans are reviewed and tested at least annually.


©2019 by Julian Talbot