Overview
The maturity model in Hyver gives organizations a structured way to evaluate their cybersecurity posture. Each level (1–5) represents a stage of progression — from reactive and ad hoc to proactive and continuously improving. This article explains what each level means and offers real-world examples to guide your assessments.
Maturity Level Breakdown
Level 1: Initial
Description: No formal processes or assigned responsibilities exist.
Characteristics:
Ad hoc, reactive behavior
No awareness of security risks
Activities are uncoordinated
No accountability or governance
Example:
Subcategory ID.AM-1 — Physical devices and systems are inventoried
Assessment: No asset inventory is maintained.
Rating justification: No process exists. This is a Level 1 maturity.
Level 2: Developing
Description: Some processes or controls are in place, but they are inconsistent or incomplete.
Characteristics:
Initial efforts underway
Security needs recognized
Some ad hoc implementation
Formal process discussions may have started
Example:
Subcategory ID.AM-1
Assessment: Partial asset inventory exists, but coverage is limited.
Rating justification: Process is only partially implemented. This is a Level 2 maturity.
Level 3: Defined
Description: Policies and procedures are formalized, standardized, and implemented across the organization.
Characteristics:
Processes are documented and repeatable
Broader organizational understanding and participation
Proactive stance begins to emerge
Key technologies are in place
Example:
Subcategory ID.GV-1 — Information security policy is established
Assessment: Policy exists and is applied but not yet measured.
Rating justification: Defined but not monitored. This is a Level 3 maturity.
Level 4: Managed
Description: Processes are monitored, measured, and enforced. The organization uses data to evaluate effectiveness.
Characteristics:
Clear ownership of processes and outcomes
Metrics are used to guide improvements
Policies are actively enforced
Few, if any, security gaps remain
Level 5: Optimizing
Description: The organization focuses on continuous improvement, with systems designed for adaptability and resilience.
Characteristics:
Strong feedback loops and learning culture
Flexibility to respond to evolving risks
Comprehensive coverage of controls
Strategic focus on refining what’s already working
Example: Choosing a Level Thoughtfully
Subcategory PR.AT-1 — All users are informed and trained
Before selecting a high maturity level, ask:
Is training policy-driven and enforced?
Is it run at regular, documented intervals?
Is someone responsible for oversight?
Is training effectiveness measured or reviewed?
These questions help avoid rating based on "task completion" alone. Mature cybersecurity isn’t just about doing — it’s about doing consistently, measurably, and with accountability.
Wrap-up / Next Steps
Use this detailed view of maturity levels to guide more accurate, defensible ratings across your assessment. The more nuance you bring to each score, the more powerful your maturity model becomes in shaping your security roadmap.

