Questionnaire

Internal Security Posture Self-Assessment

Security Maturity Scoring Across 10 Domains

Overview

Knowing where your security program actually stands is the first step toward improving it. This self-assessment helps you score your organization across 10 critical security domains using a consistent maturity scale. It is built for CISOs and security leaders who need an honest internal view of strengths, gaps, and priorities without waiting for an external audit to surface the problems.

Security Domains Covered

  • Governance, risk, and compliance (GRC)
  • Identity and access management (IAM)
  • Endpoint security and device management
  • Network security and segmentation
  • Cloud security posture
  • Data protection and classification
  • Application security (SDLC and AppSec)
  • Security operations and monitoring
  • Incident response and recovery
  • Third-party and supply chain risk management

Maturity Scoring Scale

Level          | Description                                              | Indicators
1 - Initial    | Ad hoc, reactive, undocumented                           | No formal policies, firefighting mode, tribal knowledge
2 - Developing | Some processes defined but inconsistently applied        | Partial documentation, manual workflows, limited metrics
3 - Defined    | Documented policies and repeatable processes             | Written procedures, assigned ownership, basic monitoring
4 - Managed    | Processes measured and actively managed                  | KPIs tracked, regular reviews, risk-based decisions
5 - Optimizing | Continuous improvement with automation and feedback loops | Automated controls, advanced analytics, proactive posture

Running the Assessment

Assign a domain owner for each of the 10 areas. Each owner should review their domain independently, score it honestly, and provide supporting evidence for the rating. Bring the group together for a calibration session where scores are discussed and adjusted based on peer input. This prevents both sandbagging and overconfidence. Document the rationale behind each score so you can track progress over time.

Translating Results into Action

After scoring, identify domains where your maturity level creates the most business risk. A level-2 identity program in an organization with remote workers and cloud infrastructure is a bigger concern than a level-2 physical security program in a fully remote company. Prioritize remediation based on business impact, not just low scores. Build a 90-day improvement plan for the top three gaps and assign executive sponsors to ensure accountability.

Benchmarking and Cadence

Repeat this assessment every six months. Track scores over time to measure improvement and demonstrate progress to the board and auditors. Compare your results against industry benchmarks when available. Organizations in regulated industries like financial services or healthcare should aim for level-4 maturity across all domains within 18 to 24 months of starting the program.

Frequently Asked Questions

Who should participate in the self-assessment?

Domain owners from security, IT, engineering, and compliance. The CISO should facilitate but not score every domain alone. Involving multiple contributors gives a more accurate and less biased result.

How is this different from an external audit?

This is an internal tool for self-awareness and planning. External audits validate compliance against specific standards. The self-assessment identifies gaps early so you can fix them before an auditor finds them.

What if most domains score at level 1 or 2?

That is normal for growing organizations. Focus on the three domains with the highest business risk, build quick wins to reach level 3, and create a roadmap for sustained improvement.

Can we customize the domains?

Yes. Add or remove domains based on your industry and risk profile. An organization with no cloud infrastructure can deprioritize the cloud domain and add operational technology (OT) security instead.

How do we present the results to leadership?

Use a radar chart or heatmap to visualize maturity scores across domains. Highlight the top three risks, the planned remediation actions, and the resources needed. Keep the narrative focused on business risk rather than technical jargon.


© 2026 Hunto AI. Copyright. All Rights Reserved