Security Maturity Benchmarks

Benchmarks of other companies and industries are very useful to GRC professionals. It is a good indicator to see how leaders, competitors, and the industry overall are positioned in terms of security maturity.

Unfortunately, this data is quite hard to come by. Gartner and ISF provide such data to their paid clients, and there is not much information available in the public domain. I hope someone does an annual survey of cybersecurity maturity along the lines of the Verizon Data Breach report.

So, I have started collecting publicly available information about cybersecurity maturity. This page will be updated continuously as new information becomes publicly available.

US Federal Government Agencies

In the US, the Federal Information Security Modernization Act (FISMA) requires Federal government agencies to review their information security program annually. These reports are available to the general public from the oversight.gov site. This site is a treasure trove for everyone in security GRC: you can find well-written audit reports, assessments and reports which you can learn from and even use in your work.

  • Maturity Levels:
    • Level 1: Ad Hoc
    • Level 2: Defined
    • Level 3: Consistently Implemented
    • Level 4: Managed and Measurable
    • Level 5: Optimized
  • Levels 4 and 5 are considered to be “Effective” according to the methodology. You can read more about the definitions of each maturity level from this document (Page 7).

You can see the list of agencies that I was able to compile in the table below. Please note that I have only listed the maturity levels from reports published in 2024. I have also not included agencies where the maturity levels were not mentioned or were redacted.

Compiled on: 15th March, 2025

Critical Infrastructure Operators in Germany

Germany’s BSI (Federal Office for Information Security) is responsible for identifying and managing Critical Infrastructures (KRITIS) that are vital for public safety. BSI publishes reports about the maturity levels of these organizations (called “Critical Infrastructure Operators”).

  • Maturity Levels:
    • Maturity level 1: An ISMS / BCMS is planned but not yet established.
    • Maturity level 2: An ISMS / BCMS is largely established.
    • Maturity level 3: An ISMS / BCMS is established and documented.
    • Maturity level 4: In addition to maturity level 3, the ISMS / BCMS was regularly reviewed for effectiveness.
    • Maturity level 5: In addition to maturity level 4, the ISMS / BCMS was regularly improved.

The table below shows the number of German critical operators at each ISMS maturity level, per sector.

Compiled on: 1st February, 2025

Australia Essential 8 Maturity levels

The Australian Signals Directorate (ASD) has identified eight security measures that it considers important for protecting against a range of cyber threats. These are called the Essential Eight mitigation strategies.

  • Maturity Levels:
    • Maturity Level Zero
    • Maturity Level One
    • Maturity Level Two
    • Maturity Level Three
  • According to the ASD, the “maturity levels are based on mitigating increasing levels of tradecraft (i.e. tools, tactics, techniques and procedures) and targeting…

You can read about the various maturity levels here: Essential Eight maturity model. Check out Appendix D: Comparison of maturity levels to see how the controls get stronger at each maturity level.

The following table shows how many Australian Government entities have achieved a Level 2 or higher on each measure.

Compiled on: 1st February, 2025

SAP

  • Maturity Levels:
    • Tier 1 – Partial
    • Tier 2 – Risk Informed
    • Tier 3 – Repeatable
    • Tier 4 – Adaptive
  • Maturity Level Achieved: Tier 3

I had previously written a short post about this. SAP worked with Ernst & Young to develop a custom methodology for the assessment.

Compiled on: 8th October, 2024

Fireblocks

  • Maturity Levels: This is not publicly available. It seems like they use a scale of 1 to 5.
  • Maturity Level Achieved: 4.4

Fireblocks seems to have worked with PwC on this; you can find their announcement here.

Compiled on: 15th March, 2024
