The Maturity Levels of Security

Learn about the levels of maturity an organization needs to possess to effectively deploy appropriate security measures.


Many of the topics in the following sections have a level indicator. This indicator represents the level of maturity and expertise that a security team should have to deploy an effective security control. It doesn’t necessarily represent the inherent value of the control in relation to an organization. However, this indicator will assist us in identifying and prioritizing the most appropriate security solutions and controls. The following is a basic guide to assigning these levels:

  • Level 1 items are the best place to start for organizations just starting to implement an information security program.

  • For organizations that have already established an InfoSec program, level 2 or 3 objectives may be more appropriate.

These levels are included in sections one and two of this course.

Importance of maturity levels

These maturity levels aren’t meant to indicate the importance or effectiveness of a control. They’re intended as suggestions for a phased and iterative approach to building and constantly improving an information security program. The intent is to help us focus on implementing best practices first, providing a solid foundation to build from.

Maturity level 1

This represents a security best practice, which is core to the foundation of any IT security program. It’s intended for a newly created security team or an individual recently tasked with improving the IT security of an organization. This could mean starting with a blank slate or having some basic security controls already implemented.
