Control Maturity Overview
Conducting a CMA
Assessing controls against the “root” division
Controls are assessed against any division within the organisation's hierarchy. If a control has been assessed at a division it is shown as either green or tan; if it has not been assessed at this level it is indicated with a grey button. This allows different areas of the organisation to have a different level of control maturity. For example, the division control maturity assessment shown below is for a demo organisation where the overall organisation has been assessed but the Support division has its own specific controls (perhaps additional controls around screening).

Non-applicable controls
All controls that have been set up within the organisation are included by default and treated as applicable to this division; however, some of the controls may not be applicable to a specific division or organisation. These can be excluded from the assessment, and any justification given will appear on the Statement of Applicability.
Assessing controls against an “inherited” division
Control Inheritance
For each of the sub divisions the option is given either to inherit the control maturity from the parent division or to specify it at this level. This can be used when a specific sub division requires a control to be implemented to a far higher level.
Assigning Control Owners
Applicable controls can be assigned an owner. This allows an individual contact within Abriska who has been granted the “Basic User” role to log on and assess the maturity of that control. Controls can either be assigned an owner individually (by clicking on each control shown in Figure 4 - Applicable Control) or multiple controls can be assigned to a single contact via “Assign Control Owners”.
Assigning other contacts to a control
Only a single contact can be defined as the control owner; however, additional contacts can be granted access to answer maturity questionnaires by clicking on the control within the control applicability and then clicking “Assign Contacts to Control”. This allows a basic user access to assess this control without changing the control owner.
Control Status & Third Party
For each control the option exists to record the current implementation status of that control; the three values available by default are “Fully”, “Partially” or “None”. The reason for this is that, whilst undertaking certification to ISO 27001, a control such as 7.2.1 Classification guidelines may be well documented within the management system but not fully implemented within the organisation (for example, documents might exist that do not have a classification). This drop down allows that status to be recorded, and it is reported on the Statement of Applicability. The “Transferred to 3rd Party” flag allows the control to be recorded as being implemented by a third party.
Figure 4 - Applicable Control
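The sections on non-applicable controls, control inheritance, and control status describe one resolution rule: a sub division either inherits a control's assessment from the division above it or sets its own, an excluded control carries a justification onto the Statement of Applicability, and each applicable control records a status and a third-party flag. The following is an added example that models that rule in plain Python; it is not Abriska's own code, and it assumes that both specific assessments and exclusions are inherited unless overridden lower in the hierarchy, that maturity is recorded as an integer level, and that the control identifiers and justifications in `build_demo` are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Default implementation status values named on the page.
STATUS_VALUES = ("Fully", "Partially", "None")


@dataclass
class Assessment:
    maturity: int               # level on the maturity model (integer scale is an assumption)
    status: str = "None"        # current implementation status
    third_party: bool = False   # "Transferred to 3rd Party" flag

    def __post_init__(self):
        if self.status not in STATUS_VALUES:
            raise ValueError(f"unknown implementation status {self.status!r}")


@dataclass
class Division:
    name: str
    parent: Optional["Division"] = None
    # control id -> Assessment set specifically at this level
    specific: dict = field(default_factory=dict)
    # control id -> justification for marking the control non-applicable here
    excluded: dict = field(default_factory=dict)


def resolve(division: Division, control: str):
    """Walk up the hierarchy until a division has either excluded or
    specifically assessed the control (assumed rule: nearest level wins).
    Returns (source, origin division name, Assessment or justification)."""
    d = division
    while d is not None:
        if control in d.excluded:
            return ("excluded", d.name, d.excluded[control])
        if control in d.specific:
            source = "specific" if d is division else "inherited"
            return (source, d.name, d.specific[control])
        d = d.parent
    return ("unassessed", None, None)   # would show as the grey button


def statement_of_applicability(division: Division, controls):
    """Build the rows a Statement of Applicability needs for one division."""
    rows = []
    for control in sorted(controls):
        source, origin, value = resolve(division, control)
        row = {"control": control, "source": source, "origin": origin}
        if source == "excluded":
            row.update(applicable=False, justification=value)
        elif source == "unassessed":
            row.update(applicable=True, status=None, maturity=None, third_party=False)
        else:
            row.update(applicable=True, status=value.status,
                       maturity=value.maturity, third_party=value.third_party)
        rows.append(row)
    return rows


def build_demo():
    """Constructed sample hierarchy: a root organisation and a Support sub division."""
    root = Division("Demo Org")
    support = Division("Support", parent=root)
    # Documented but not fully applied: status recorded as Partially (the page's 7.2.1 example).
    root.specific["7.2.1"] = Assessment(maturity=2, status="Partially")
    root.specific["8.1.2"] = Assessment(maturity=3, status="Fully")
    root.excluded["10.8.5"] = "Sample justification: no shared business information systems"
    # Support requires screening (8.1.2) at a higher level, so it sets its own assessment.
    support.specific["8.1.2"] = Assessment(maturity=4, status="Fully", third_party=True)
    return root, support


if __name__ == "__main__":
    root, support = build_demo()
    for row in statement_of_applicability(support, ["7.2.1", "8.1.2", "10.8.5"]):
        print(row)
```

Running it for the Support division shows 7.2.1 inherited from Demo Org, 8.1.2 assessed specifically at Support, and 10.8.5 excluded with the justification inherited from the root; changing `support.specific` or `support.excluded` is all that is needed to override either decision at the lower level.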
Control Maturity
Multiple tabs exist on the control maturity page; all tabs can be completed before submitting the page.
Current Implementation
Each applicable control needs to be assessed against the predefined maturity model. This should be completed by the control owner for that division and can either be completed by interview or assigned to that individual. Navigation between controls is achieved by clicking on the forward / back navigation in the top right.
Figure 5 - Assessing control maturity
Recommended Improvement
Each control should be described and the maturity level for that control assigned within the Current Implementation tab. The Recommended Improvement tab can then be completed with a recommendation for how that control can be improved and a proposed maturity for that control should the recommendation be implemented. There is also the opportunity to enter a proposed date for the recommendation. Figure 5 - Assessing control maturity shows the screen where the control maturity is assessed. This recommendation is then linked through to a related risk to ensure that the highest priority areas are addressed first.
Documents
There is also a tab within the maturity screen to link to related documents such as policies, procedures or documents that contain evidence. This allows the related documents to be loaded alongside the descriptions of how the control is currently implemented. These document lists will also appear in the “Extended Statement of Applicability” and the “Risk Treatment Plan”.