Calculate your Security Maturity Index (SMI) based on six core domains: Governance, Risk Management, Security Operations, Identity & Access, Asset Protection, and Resilience. Aligned with NIST CSF and CMMC frameworks.
Governance: security policy, leadership, strategic alignment
Risk Management: risk assessment, threat intelligence, vulnerability management
Security Operations: detection, monitoring, incident response, SOC
Identity & Access: IAM, authentication, privileged access, access controls
Asset Protection: data protection, encryption, endpoint and network security
Resilience: business continuity, disaster recovery, backup
The Security Maturity Index (SMI) Calculator provides a comprehensive assessment of your organization's cybersecurity posture across six critical domains. Based on industry frameworks like NIST CSF 2.0 and CMMC, this tool helps you identify gaps, prioritize improvements, and benchmark against industry standards.
A Security Maturity Index quantifies your organization's cybersecurity capabilities on a scale from 1 (Initial) to 5 (Optimized). It evaluates six domains: Governance & Strategy (20%), Risk Management (20%), Security Operations (20%), Identity & Access (15%), Asset Protection (15%), and Resilience (10%). This weighted approach ensures balanced security across all areas while emphasizing foundational domains.
Calculation Method
SMI = Σ(Domain Score × Domain Weight) / 100
Track security improvements over time and measure ROI on security investments with quantitative metrics.
Identify the weakest domains and focus budget and resources where they'll have the greatest impact.
Communicate security posture to executives and board members with clear, actionable metrics.
Map maturity to compliance frameworks like SOC 2, ISO 27001, and NIST CSF for audit readiness.
See how your organization compares to peers in your industry and identify competitive gaps.
Higher maturity correlates with lower breach likelihood. Each level increase reduces risk exposure significantly.
Conduct yearly security assessments to track progress and set improvement goals for the upcoming period.
Assess target company security maturity during mergers and acquisitions to identify integration risks.
Evaluate third-party vendor security capabilities before onboarding critical service providers.
Justify security budget requests by showing current maturity gaps and projected improvements.
Align security capabilities with regulatory requirements before audits or new compliance mandates.
Guide new or maturing security programs with a structured framework for capability building.
Scores vary by industry and risk tolerance. Average enterprise: 45-55%. Regulated industries (finance, healthcare): 60-75%. Best-in-class: 80%+. Target Level 3 (Defined, 41-60%) minimum for most organizations, Level 4 (Managed, 61-80%) for regulated industries.
Domains map to NIST CSF 2.0 functions: Governance aligns with GOVERN, Risk Management with IDENTIFY, Security Operations with DETECT and RESPOND, Identity & Access with PROTECT, Asset Protection with PROTECT, and Resilience with RECOVER.
Conduct full assessments annually and after major changes (new threats, M&A, regulatory changes). Track key metrics quarterly. Reassess immediately after significant security incidents.
Level 1 (Initial): Ad-hoc, reactive. Level 2 (Developing): Basic controls, inconsistent. Level 3 (Defined): Documented, standardized. Level 4 (Managed): Measured, proactive. Level 5 (Optimized): Continuous improvement, automated.
Moving up one level typically takes 6-18 months depending on starting point, resources, and organizational commitment. Lower levels can improve faster with focused effort. Higher levels require more time for cultural change and automation.
Weights reflect industry consensus on domain criticality: Governance, Risk, and Operations at 20% each form the foundation; Identity and Asset Protection at 15% each address core controls; Resilience at 10% ensures recovery capability. Weights can be customized for specific industries.
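The calculation method, the level bands and the weight customization described above, worked through in code. This is an added example, not the calculator's own implementation; it assumes domain scores are percentages (0-100), that custom weights must still sum to 100, and that the level bands the page does not spell out are Level 1: 0-20%, Level 2: 21-40% and Level 5: 81-100% (the page gives only Level 3: 41-60% and Level 4: 61-80%).

```python
# Six-domain Security Maturity Index (SMI): weighted sum, level band,
# and ranking of domains by the SMI points still recoverable in each.

DEFAULT_WEIGHTS = {  # percent, as given on the page; must sum to 100
    "Governance & Strategy": 20,
    "Risk Management": 20,
    "Security Operations": 20,
    "Identity & Access": 15,
    "Asset Protection": 15,
    "Resilience": 10,
}

# (inclusive upper bound in %, level number, level name); bands for
# levels 1, 2 and 5 are an assumption, only 3 and 4 are stated on the page
LEVEL_BANDS = [(20, 1, "Initial"), (40, 2, "Developing"), (60, 3, "Defined"),
               (80, 4, "Managed"), (100, 5, "Optimized")]

# Constructed sample assessment, not real data
SAMPLE_SCORES = {
    "Governance & Strategy": 70, "Risk Management": 50,
    "Security Operations": 40, "Identity & Access": 60,
    "Asset Protection": 55, "Resilience": 30,
}


def compute_smi(scores, weights=DEFAULT_WEIGHTS):
    """SMI = sum(score * weight) / 100, rejecting malformed inputs."""
    if set(scores) != set(weights):
        raise ValueError("scores and weights must cover the same domains")
    if sum(weights.values()) != 100:
        raise ValueError("domain weights must sum to 100")
    for domain, score in scores.items():
        if not 0 <= score <= 100:
            raise ValueError(f"score for {domain} must be 0-100")
    return sum(scores[d] * weights[d] for d in weights) / 100


def maturity_level(smi):
    """Map an SMI percentage to its (level number, level name)."""
    for upper, level, name in LEVEL_BANDS:
        if smi <= upper:
            return level, name
    raise ValueError("SMI must be 0-100")


def weighted_gaps(scores, weights=DEFAULT_WEIGHTS):
    """Rank domains by SMI points still available: shortfall x weight.
    The top entry is where added budget moves the index the most."""
    gaps = {d: (100 - scores[d]) * weights[d] / 100 for d in weights}
    return sorted(gaps.items(), key=lambda kv: kv[1], reverse=True)
```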