Journey-based Ranking Levels

  1. Foundation

    • Basic, essential controls and initial setup to establish a secure foundation.

  2. Defined and Documented

    • Formal documentation of policies and procedures with clear roles and responsibilities.

  3. Monitored and Controlled

    • Ongoing monitoring and periodic reviews to ensure compliance and accountability.

  4. Adaptive and Proactive

    • Dynamic adjustments to policies and practices based on real-time data and evolving risks; adoption of advanced principles (e.g., zero-trust).

  5. Optimized and Resilient

    • Fully automated, data-driven, continuously improving processes that align closely with strategic goals and adapt to new challenges.


Journey Levels for Each Policy Area


Access Control

  • Foundation: Basic user access management with initial password and account policies.

  • Defined and Documented: Role-based access controls (RBAC), documented procedures for user onboarding and offboarding.

  • Monitored and Controlled: Access logs, audits, and regular reviews of user privileges.

  • Adaptive and Proactive: Implementation of device trust and zero-trust principles, with dynamic access policies.

  • Optimized and Resilient: Automated access control workflows, real-time analytics for continuous improvement and threat detection.


Information Security

  • Foundation: Core security policies, basic firewalls, and antivirus protection.

  • Defined and Documented: Documented security procedures, defined roles and responsibilities.

  • Monitored and Controlled: Ongoing monitoring of network activity, regular security audits, and incident logging.

  • Adaptive and Proactive: Advanced threat detection, real-time vulnerability assessments, and active response capabilities.

  • Optimized and Resilient: Fully integrated, automated security systems with continuous monitoring and rapid response protocols.


Change Management

  • Foundation: Basic change approval and documentation requirements.

  • Defined and Documented: Formalized change management processes, including risk assessments and documentation for each change.

  • Monitored and Controlled: Regular audits and post-change reviews to ensure process compliance.

  • Adaptive and Proactive: Predictive change impact analysis, with proactive risk mitigation strategies.

  • Optimized and Resilient: Automated change workflows, with real-time impact monitoring and integrated rollback capabilities.


Continuity and Recovery

  • Foundation: Basic backup procedures and minimal recovery protocols.

  • Defined and Documented: Documented disaster recovery (DR) and business continuity (BC) plans, including roles and responsibilities.

  • Monitored and Controlled: Regular testing of DR and BC plans, with periodic updates.

  • Adaptive and Proactive: Dynamic recovery strategies, with real-time monitoring and adaptive failover mechanisms.

  • Optimized and Resilient: Fully automated continuity processes with real-time recovery tracking and optimization based on test results.


Data Privacy

  • Foundation: Core privacy policies and minimum data protection measures.

  • Defined and Documented: Detailed data handling and retention procedures, with clear privacy policy documentation.

  • Monitored and Controlled: Regular privacy audits, access reviews, and user consent tracking.

  • Adaptive and Proactive: Real-time privacy risk monitoring, with adaptive controls based on data sensitivity.

  • Optimized and Resilient: Automated privacy management, dynamic consent and data access tracking, continuous policy updates based on evolving regulations.


Data Security

  • Foundation: Basic data encryption and secure storage for critical data.

  • Defined and Documented: Documented data protection policies and access protocols.

  • Monitored and Controlled: Regular data security audits, access logging, and review.

  • Adaptive and Proactive: Real-time data protection, anomaly detection, and adaptive encryption protocols based on data risk.

  • Optimized and Resilient: Fully automated data security controls with real-time analytics, continuous monitoring, and proactive threat response.


Incident Management

  • Foundation: Basic incident reporting and response procedures.

  • Defined and Documented: Documented incident management process, roles, and responsibilities.

  • Monitored and Controlled: Regular incident reviews and logging to monitor response effectiveness.

  • Adaptive and Proactive: Real-time incident detection, automated alerts, and proactive incident containment.

  • Optimized and Resilient: Automated incident response workflows, with continuous learning and improvement from post-incident analysis.


Operations Management

  • Foundation: Basic operational policies, with minimal process oversight.

  • Defined and Documented: Documented operational procedures, roles, and responsibilities.

  • Monitored and Controlled: Continuous monitoring of operational processes and periodic audits.

  • Adaptive and Proactive: Adaptive process optimization, with predictive analytics for potential issues.

  • Optimized and Resilient: Fully automated operational management with continuous improvement based on analytics and feedback.


Risk Management

  • Foundation: Basic risk assessment and identification of critical assets.

  • Defined and Documented: Documented risk management policies and risk assessment procedures.

  • Monitored and Controlled: Regular risk assessments and risk mitigation tracking.

  • Adaptive and Proactive: Dynamic risk scoring, with real-time monitoring of emerging risks.

  • Optimized and Resilient: Automated risk management, with predictive analytics and proactive risk mitigation.


Security Operations

  • Foundation: Basic security operations, including minimal monitoring and logging.

  • Defined and Documented: Documented security operations procedures and responsibilities.

  • Monitored and Controlled: Continuous monitoring of security events, with regular reviews.

  • Adaptive and Proactive: Advanced threat intelligence integration and proactive threat hunting.

  • Optimized and Resilient: Fully automated security operations center (SOC) capabilities, with AI-driven threat detection and response.


Vendor Management

  • Foundation: Basic vendor identification and minimum security requirements.

  • Defined and Documented: Documented vendor assessment and onboarding processes.

  • Monitored and Controlled: Regular vendor performance and compliance reviews.

  • Adaptive and Proactive: Advanced risk assessments and dynamic monitoring of vendor compliance.

  • Optimized and Resilient: Continuous vendor risk monitoring, automated insights, and proactive vendor risk mitigation.


Human Resources

  • Foundation: Basic HR policies, with core record-keeping and compliance.

  • Defined and Documented: Documented HR policies and an employee handbook outlining expectations.

  • Monitored and Controlled: Performance reviews, regular training, and compliance checks.

  • Adaptive and Proactive: Dynamic HR processes, employee feedback mechanisms, and wellness initiatives.

  • Optimized and Resilient: Data-driven HR analytics, automated compliance, and continuous improvement based on employee feedback.


This standardized journey-based structure enables you to communicate maturity levels clearly and effectively across various policy areas. Each level builds on the previous one, giving your clients a clear roadmap for improving each aspect of their operations in line with best practices and compliance requirements.