
Control Maturity Overview

Conducting a CMA

Assessing controls against the “root” division

Controls are assessed against any division within the organisation's hierarchy. Where a control is assessed at a division it is shown as either green or tan; where the control is not assessed at that level it is indicated with a grey button.

This allows different areas of the organisation to have different levels of control maturity. For example, the Division control maturity assessment screen (see below) shows a demo organisation where the overall organisation has been assessed but the support division has a control assessed specifically at its own level (perhaps additional controls around screening).

Non-applicable controls

All controls that have been set up within the organisation are included by default and are applicable to this division; however, some of the controls may not be applicable to a specific division or organisation. These can be excluded from the assessment, and any justification given will appear on the Statement of Applicability.

Assessing controls against an “inherited” division

Control Inheritance

For each sub-division the option is given either to inherit the control maturity from the parent division or to set it specifically at this level. This can be used when a specific sub-division requires a control to be implemented to a far higher level than the rest of the organisation.

Control Icons example

Assigning Control Owners

Applicable controls can be assigned an owner. This allows an individual contact within Abriska who has been granted the “Basic User” role to log on and assess the maturity of that control. Controls can be assigned an owner individually (by clicking on each control, as shown below in Applicable Control), or multiple controls can be assigned to a single contact via “Assign Control Owners”.

Assigning other contacts to a control

Only a single contact can be defined as the control owner; however, additional contacts can be granted access to answer maturity questionnaires by clicking on the control within the control applicability screen and then clicking “Assign Contacts to Control”. This allows a basic user to assess the control without changing the control owner.

Control Status & Third Party

For each control, the option exists to record its current implementation status; the three values available by default are “Fully”, “Partially” and “None”. This matters when undertaking certification to ISO 27001: a control such as A.8.2.1 Classification of information (ISO 27001:2022: 5.12 Classification of information) may be well documented within the management system but not fully implemented within the organisation (for example, documents might exist that carry no classification). This drop-down allows that status to be recorded, and it is reported on the Statement of Applicability.

The “Transferred to 3rd Party” flag allows the control to be recorded as being implemented by a third party.

Example of applicability and owner

Control Maturity

Multiple tabs exist on the control maturity page, all tabs can be completed before submitting the page.

Current Implementation

Each applicable control needs to be assessed against the predefined maturity model. This should be completed by the control owner for that division and can either be completed by interview or assigned to that individual.

Navigation between controls is achievable by clicking on the forward / back navigation in the top right.

Control maturity and implementation

Recommended Improvement

Each control should be described, and its maturity level assigned, within the Current Implementation tab. The Recommended Improvement tab can then be completed with a recommendation for how that control can be improved and the proposed maturity of the control should the recommendation be implemented. There is also the opportunity to enter a proposed date for the recommendation. Assessing control maturity (see above) shows the screen where the control maturity is assessed.

This recommendation will then be linked through to a related risk to ensure that the highest priority areas are addressed first.

Note: For controls where no recommendation is applicable, a statement should be added describing how the control will be maintained and reviewed, and the recommended maturity should be set to the same level as the current maturity. This allows Abriska to calculate an expected risk score.

Documents

There is also a tab within the maturity screen to link to related documents such as policies, procedures or documents that contain evidence. This allows the related documents to be loaded alongside the descriptions for how the control is currently implemented.

These document lists will also appear in the “Extended Statement of Applicability” and the “Risk Treatment Plan”.

Note: Because of the browser's security settings, local links to resources such as 'file:/' URLs will not open directly from the page. To open these links, either the browser security setting can be changed or the link can be copied and pasted into the address bar. Relaxing browser security settings affects every site the browser visits, so copying the link is the safer option.

Division Reporting

For each division where control maturity is assessed, a pie chart breakdown is available to illustrate the spread of control maturity across that division (or organisation). You can see a comparison of current and proposed (recommended) maturity, as well as filter the controls by maturity level.
Maturity Pie Chart
To view, go to > Control Maturity Overview > select the division you wish to review > in the left-hand panel select 'Division Reporting' > select 'Control Division Dashboard'.
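The inheritance rule from Control Inheritance, the exclusion rule from Non-applicable controls and the per-level counts behind the Division Reporting pie chart combine into one small resolution algorithm. The block below is an added illustration written for this page; it is not Abriska's code and says nothing about how Abriska stores its data. The division names, the four ISO 27002:2022 control identifiers and every maturity value are constructed sample data, and the rule that "no entry at a division means inherit from the parent" is an assumption of the model.

```python
# Added illustration (not Abriska's own code): resolving control maturity through
# a division hierarchy, dropping non-applicable controls (with their justification)
# into Statement of Applicability rows, and counting the maturity breakdown that a
# per-division pie chart would display. All data below is constructed.
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Assessment:
    current: int                 # maturity level assessed now
    recommended: int             # proposed maturity if the recommendation is implemented
    status: str = "Fully"        # "Fully" | "Partially" | "None"
    third_party: bool = False    # "Transferred to 3rd Party" flag


@dataclass
class Division:
    name: str
    parent: Optional["Division"] = None
    # control id -> Assessment, or None when explicitly excluded at this division.
    # Assumption of this model: a control id absent from the dict means "inherit".
    controls: dict = field(default_factory=dict)
    justifications: dict = field(default_factory=dict)   # control id -> exclusion reason


def resolve(division, control_id):
    """Walk up the hierarchy to the nearest division that sets the control directly.

    Returns (entry, division_that_set_it); entry is None for a non-applicable control.
    Every control set up in the organisation is expected at the root, so running
    off the top of the tree is an error rather than a silent default."""
    d = division
    while d is not None:
        if control_id in d.controls:
            return d.controls[control_id], d
        d = d.parent
    raise KeyError(f"{control_id} is not set at or above {division.name}")


def statement_of_applicability(division, control_ids):
    """One row per control: applicability, where that was decided, and either the
    implementation status/maturity or the exclusion justification."""
    rows = []
    for cid in control_ids:
        entry, source = resolve(division, cid)
        if entry is None:
            rows.append({"control": cid, "applicable": False, "set_by": source.name,
                         "justification": source.justifications.get(cid, "")})
        else:
            rows.append({"control": cid, "applicable": True, "set_by": source.name,
                         "status": entry.status, "third_party": entry.third_party,
                         "current": entry.current, "recommended": entry.recommended})
    return rows


def maturity_breakdown(division, control_ids, which="current"):
    """Applicable controls per maturity level: the data behind the division pie chart.
    which = "current" or "recommended" gives the two charts being compared."""
    counts = Counter()
    for row in statement_of_applicability(division, control_ids):
        if row["applicable"]:
            counts[row[which]] += 1
    return dict(counts)


def controls_at_level(division, control_ids, level, which="current"):
    """The per-level filter: which applicable controls sit at a given maturity."""
    return [r["control"] for r in statement_of_applicability(division, control_ids)
            if r["applicable"] and r[which] == level]


# Constructed sample data: a root organisation and one sub-division.
CONTROLS = ["5.12", "5.23", "6.1", "7.4"]   # subset of ISO 27002:2022 control ids

org = Division("Organisation")
org.controls = {
    "5.12": Assessment(current=2, recommended=4, status="Partially"),
    "5.23": Assessment(current=1, recommended=3, third_party=True),
    "6.1": Assessment(current=3, recommended=3),
    "7.4": None,                                  # excluded at organisation level
}
org.justifications["7.4"] = "No premises under direct control; fully remote workforce"

support = Division("Support", parent=org)
support.controls = {
    "6.1": Assessment(current=4, recommended=5),  # stricter screening set at this level
    "5.23": None,                                 # excluded only for this division
}
support.justifications["5.23"] = "Support division uses no cloud services"

if __name__ == "__main__":
    for row in statement_of_applicability(support, CONTROLS):
        print(row)
    print("Support current:", maturity_breakdown(support, CONTROLS))
    print("Support recommended:", maturity_breakdown(support, CONTROLS, "recommended"))
```

Running the block shows 5.12 reaching Support by inheritance from Organisation, 6.1 taken from Support's own stricter assessment, 7.4 inherited as non-applicable with the organisation's justification, and 5.23 excluded only at Support; the breakdown for Support is one control at level 2 and one at level 4 today, moving to levels 4 and 5 if the recommendations are implemented.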

Attributes

Attributes are now available, in line with their introduction in ISO 27002:2022 (clause 4.2). They allow controls to be sliced and diced independently of their themes. The attributes are:
  • Security Domains
  • Cybersecurity Concepts
  • Information Security Properties
  • Control Types
  • Operational Capabilities

Attributes

The graph can be either a stacked chart or a box plot.
To view your controls by attribute, from the home page go to > Control Maturity Assessment > Control Maturity Overview > click into the top organisation division (or any division assessed directly) > in the left panel select the Division Reporting dropdown > Control Attribute Dashboard > select the attribute view > submit.
