
What is a security maturity model?
A security maturity model is a structured framework that enables organisations to assess their security posture and improve it systematically over time. An organisation’s risk assessment, risk appetite, and available resources will all inform the level of security maturity it aims to achieve. The model provides a roadmap: it sets out the route an organisation might take to reach its desired destination, with defined ‘stops’ along the way, in the long-running work of strengthening security practices, processes, and controls so that operations become more robust and cost-effective.
How ‘mature’ is mature?
In terms of security, most organisations will never reach a fully mature state. Limited resources, evolving operating environments, and ever-changing threats mean maturity must be seen as a moving target.
What counts as ‘mature’ also shifts with technology. For centuries, secrets were written on paper and safeguarded in locked containers under guard; since the 1960s they have increasingly been held in electronic form. Yet many organisations still carry legacy security approaches and practices that hark back to protecting secrets recorded on paper.
The hallmark of a mature security posture is when an organisation adopts a business-as-usual approach to mitigating risks. At this level, most threat events are anticipated, response plans are embedded, and scanning the environment for emerging risks becomes second nature. Intelligence feeds timely decisions – whether to act or not – and sufficient resources underpin execution. Meaningful KPIs track program outcomes and return on investment, reinforcing a culture of accountability and continuous improvement.
What are the features of a maturity model?
- A maturity model is a structured approach to evaluating an organisation’s security capabilities and identifying areas for improvement.
- It typically defines different levels of maturity, often ranging from basic or initial to advanced or optimised.
- These levels represent the progression of an organisation’s security practices, processes, and controls.
- By assessing where an organisation falls on the maturity scale, it can identify gaps and prioritise areas for improvement.
How does a maturity model help?
A well-developed maturity model provides multiple benefits:
- Benchmarking: Enables comparison against industry norms and regulatory expectations.
- Goal Setting: Helps establish realistic, staged security goals tailored to organisational context.
- Roadmap: Offers a clear path for enhancing protective security practices over time.
- Prioritisation: Guides investment decisions by spotlighting the most pressing gaps.
- Continuous Improvement: Promotes an ongoing cycle of uplift as threats, obligations, and business objectives change.
- Risk Management: Gives Boards and executives a sharper view of how security capabilities align to the risk environment.
By using a maturity model, Boards and senior leaders gain an objective, evidence-based understanding of their security program and can direct management towards the desired security posture. It also helps Boards build stakeholder and regulatory confidence and protect value.
Examples of security maturity models
Globally, several recognised frameworks help organisations understand and advance their security capabilities. Examples include:
- Cybersecurity Maturity Model Certification (CMMC) – developed by the United States Department of Defense for defence contractors.
- Zero Trust Maturity Model (CISA) – focusing on zero-trust security architectures.
- NIST Cybersecurity Framework (CSF) – its Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive) and the third-party maturity models built on them support assessments against the NIST CSF. Note that NIST itself describes the Tiers as a characterisation of an organisation’s risk governance and management practices rather than as maturity levels.
- Cybersecurity Capability Maturity Model (C2M2) – developed by the U.S. Department of Energy.
- Security Culture Maturity Models – to embed security into organisational culture.
By using a security maturity model, organisations can gain a better understanding of their current security posture, identify areas for improvement, and develop a roadmap for arriving at a more robust and resilient security outcome.
A tailored security maturity model for the Critical Infrastructure Risk Management Program (CIRMP)
In Australia, entities covered by the Security of Critical Infrastructure Act 2018 (SOCI Act) and the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023 (CIRMP Rules) face specific legal obligations. These obligations can be complex, sector-specific, and evolve as new hazards and geopolitical risks emerge.
To help organisations navigate this environment, Pentagram Advisory has developed a tailored Critical Infrastructure Risk Management Program (CIRMP) Security Maturity Model. This model is specifically designed to reflect the unique operating context, risk environment, and sector obligations of each critical infrastructure entity.
Once tailored, the Model provides Boards, executives, and senior leaders with a clear, defensible view of their protective security capabilities aligned to CIRMP obligations. It enables benchmarking, targeted improvement planning, and transparent, risk-informed governance – building stakeholder and regulatory confidence in the organisation’s approach to managing critical assets and services.
Key features of Pentagram’s CIRMP Maturity Model
- Alignment with legislation: The model directly maps to the 59 obligations under the SOCI Act and CIRMP Rules, ensuring assessments are defensible and targeted.
- Structured maturity levels: Typically set across four levels (adaptable to three or five), providing a practical framework to gauge progression from ad-hoc controls to embedded, strategic, all-hazards risk management.
- Eight core evaluation categories: Structured around the regulatory obligations and the critical components of an effective CIRMP, giving a comprehensive view of how security is governed and implemented.
- Visual heat maps: Results are delivered in a clear, colour-coded heat map that gives Boards and executives an immediate snapshot of strengths and priority areas.
- Scalable and repeatable: Enabling annual tracking of progress, recalibrating risk appetite, and sustaining continuous improvement.
Benefits for Boards and senior leaders
A tailored CIRMP maturity assessment offers Boards and executives:
- Clarity: An objective view of where your CIRMP stands today.
- Evidence: Documented maturity to support due diligence obligations and annual attestations under the SOCI Act.
- Improvement roadmap: A prioritised plan for targeted uplift, backed by transparent, risk-informed governance.
- Regulatory and stakeholder confidence: Demonstrates a proactive, auditable approach to protecting critical infrastructure, essential services and community trust.
- Benchmarking: Positions your organisation against sector maturity trends, reinforcing leadership in resilience.
So, how ‘mature’ is a mature security program?
Whether your goal is to meet the growing demands of regulators, strengthen organisational resilience, or gain a clear view of how your protective security risk management program mitigates the risks the organisation wants to address, a tailored maturity assessment provides a defensible foundation to both explain current state and enable continuous improvement.
Perhaps the ultimate marker of maturity, as described above, is a genuine business-as-usual approach to managing the dynamic threat environment: most threat events are anticipated, response plans are embedded, and environmental scanning and intelligence gathering are part of daily operations. This enables timely decisions, whether to act pre-emptively or maintain course, supported by sufficient resources and meaningful KPIs that track effectiveness and return on investment.
A well-developed maturity model, aligned to your organisation’s unique context, means you can embark on this long journey with confidence and clarity, maintaining the security of your assets and operations along the way.

