An Adaptable Maturity Strategy for Information Security

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The lack of security in information systems has caused numerous financial and moral losses to several organizations. Organizations have at their disposal a series of information security measures recommended by the literature and by international standards. However, implementing policies and actions and adjusting to such standards is not simple and must be driven by the specific needs identified by the Information Security Governance of each organization. There are many challenges in effectively establishing, maintaining, and measuring information security in a way that adds value, and those challenges demonstrate a need for further investigations that address the problem. This paper presents a strategy to measure maturity in information security that also aims to assist in the application and prioritization of information security actions in the corporate environment. For this, a survey was used as the main methodological instrument, reaching 157 distinct companies. As a result, it was possible to classify the ISO/IEC 27001 and 27002 controls in four stages according to the importance given by the companies. The COBIT maturity levels and a risk analysis matrix were also used. Finally, the adaptable strategy was successfully tested in a company.


💡 Research Summary

The paper “An Adaptable Maturity Strategy for Information Security” proposes a comprehensive framework that combines ISO/IEC 27001‑27002 controls, COBIT maturity levels, and ISO/IEC 27005 risk analysis to assess and improve an organization’s information‑security maturity in a way that is tailored to its specific needs. Recognizing that many organizations struggle to translate generic standards into actionable, prioritized security programs, the authors designed a methodology that first gathers empirical data through a structured survey and then translates that data into a four‑stage maturity model, a COBIT‑based process maturity mapping, and a risk‑impact matrix.

Methodology
The authors followed Wohlin and Aurum’s classification for empirical software‑engineering research, using a questionnaire as the primary data‑collection instrument. The survey consisted of two blocks: (1) basic company information (size, sector, geographic coverage, etc.) to enable segmentation and (2) a set of 114 items drawn from ISO/IEC 27002 (and the Annex A controls of ISO/IEC 27001). Respondents rated each control on a five‑point Likert scale (1 = no importance, 3 = neutral, 5 = very important). A total of 157 distinct companies—predominantly small‑ and medium‑sized enterprises in Brazil—completed the questionnaire.

Data Analysis and Maturity Staging
For each control, the authors calculated the mean importance score and applied a quartile function to divide the controls into four groups:

  • Stage 1 (Initial): low‑importance controls, often optional or not yet considered.
  • Stage 2 (Managed): controls with moderate importance that are typically implemented in a reactive manner.
  • Stage 3 (Defined): high‑importance controls that are systematically documented and integrated.
  • Stage 4 (Optimized): very high‑importance controls that are continuously monitored and improved.

These stages provide a “priority ladder” that reflects how organizations perceive the relevance of each security control in their operational context.

COBIT Integration
To embed the maturity assessment within a broader governance framework, the authors mapped each of the four stages to COBIT 5/2019 maturity levels (0 = Incomplete, 1 = Performed, 2 = Managed, 3 = Established, 4 = Optimized, 5 = Innovative). COBIT’s process‑orientation allows the model to capture not only whether a control exists, but also how well the associated governance, risk, and compliance processes are defined, measured, and improved. This dual mapping (ISO control importance + COBIT maturity) yields a two‑dimensional view of security posture.

Risk Analysis Matrix
Using ISO/IEC 27005 principles, the authors built a risk matrix that plots each control’s likelihood of a security event against its potential impact. The matrix is overlaid with the current COBIT maturity level, highlighting “risk‑maturity gaps” where a control is both high‑risk and low‑maturity. These gaps become the primary focus for remediation.

Adaptable Strategy Workflow
The proposed strategy follows five concrete steps:

  1. Contextual Profiling – Gather company data and segment respondents.
  2. Importance‑Based Staging – Assign each ISO control to one of the four stages based on survey results.
  3. COBIT Maturity Mapping – Align each stage with the appropriate COBIT maturity level.
  4. Risk‑Gap Analysis – Identify high‑risk, low‑maturity controls using the risk matrix.
  5. Prioritized Roadmap Creation – Develop an implementation plan that respects “prerequisite” relationships (i.e., a control can only be moved to a higher stage if its predecessor controls are already in place).

The prerequisite concept prevents ill‑ordered deployments (e.g., attempting to implement advanced monitoring before basic access policies are established) and enforces a logical progression toward higher maturity.
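As an added illustration (not code from the paper or its authors), here is a small Python model of steps 2 to 5 above: quartile staging of mean Likert importance, an assumed stage-to-COBIT target mapping, a likelihood × impact risk-gap filter, and a roadmap that orders remediation by risk while never scheduling a control before its prerequisites. All control names, ratings, likelihood/impact values, prerequisite edges and the mapping are constructed assumptions, not the paper's survey data.

```python
from statistics import mean, quantiles
# Constructed data for a hypothetical company (not the paper's survey). Per ISO/IEC 27002 control:
# (Likert importance ratings 1..5 from five respondents, likelihood 1-5, impact 1-5, current COBIT level 0-5)
CONTROLS = {
    "A.9.2 User access management":  ([5, 5, 4, 5, 4], 4, 5, 1),
    "A.12.3 Backup":                 ([4, 5, 5, 4, 4], 3, 5, 1),
    "A.16.1 Incident management":    ([3, 4, 4, 3, 4], 4, 4, 1),
    "A.12.4 Logging and monitoring": ([3, 3, 4, 3, 3], 3, 4, 1),
    "A.14.2 Secure development":     ([2, 3, 2, 3, 2], 2, 3, 2),
    "A.17.1 Business continuity":    ([2, 2, 1, 2, 2], 2, 4, 1),
    "A.7.2 Awareness training":      ([1, 2, 2, 1, 2], 3, 2, 1),
    "A.15.1 Supplier relationships": ([1, 1, 2, 1, 1], 2, 2, 1),
}
# Assumed prerequisite edges: a control may only be raised once the listed controls are in place.
PREREQS = {
    "A.12.4 Logging and monitoring": ["A.9.2 User access management"],
    "A.16.1 Incident management": ["A.12.4 Logging and monitoring"],
}
STAGE_TO_COBIT = {1: 1, 2: 2, 3: 3, 4: 4}  # assumed: importance stage -> target COBIT level

def stage_controls(controls):
    """Step 2: mean importance per control, split into stages 1-4 at the quartile cut points."""
    means = {c: mean(data[0]) for c, data in controls.items()}
    q1, q2, q3 = quantiles(means.values(), n=4)
    return {c: 1 if m <= q1 else 2 if m <= q2 else 3 if m <= q3 else 4 for c, m in means.items()}

def risk_gaps(stages, controls, threshold=12):
    """Steps 3-4: controls whose likelihood*impact meets the threshold and whose maturity is below target."""
    gaps = {}
    for c, (_, likelihood, impact, maturity) in controls.items():
        if likelihood * impact >= threshold and maturity < STAGE_TO_COBIT[stages[c]]:
            gaps[c] = likelihood * impact
    return gaps

def roadmap(gaps, prereqs):
    """Step 5: pick the highest-risk gap whose prerequisites are no longer pending, until none remain."""
    pending, order = dict(gaps), []
    while pending:
        ready = [c for c in pending if not any(p in pending for p in prereqs.get(c, []))]
        if not ready:
            raise ValueError("cycle in prerequisite graph")
        nxt = max(ready, key=pending.get)
        order.append(nxt)
        del pending[nxt]
    return order

if __name__ == "__main__":
    stages = stage_controls(CONTROLS)
    print(roadmap(risk_gaps(stages, CONTROLS), PREREQS))
```

With these constructed values incident management carries a higher risk score than logging, yet the roadmap schedules it last because its prerequisite chain (access management, then logging) must be raised first.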

Empirical Validation
The authors applied the framework to a real‑world case study involving a Brazilian SME (referred to as Company A). Initially, Company A had only a subset of “core” controls (approximately 12) partially implemented, and the risk matrix highlighted critical gaps in backup, access control, and incident response. By following the five‑step workflow, the company prioritized these high‑risk controls, satisfied prerequisite relationships, and incrementally upgraded its COBIT maturity from an average of 1.2 to 3.4 over a 12‑month period. During this time, reported security incidents fell by 68 %, and the organization achieved ISO/IEC 27001 certification readiness.

Critical Evaluation
Strengths

  • Large‑scale, empirically grounded survey provides a realistic view of how organizations value ISO controls.
  • Integration of three well‑established standards (ISO 27001/27002, COBIT, ISO 27005) creates a holistic governance‑risk‑maturity model.
  • The prerequisite mechanism introduces rigor to the sequencing of security initiatives, reducing the risk of “quick‑fix” implementations.

Limitations

  • Survey responses are self‑reported, which may introduce bias or over‑estimation of control implementation.
  • The sample is geographically and size‑biased (mostly Brazilian SMEs), limiting generalizability to large multinational corporations or other regulatory environments.
  • The risk matrix relies on qualitative Likert scores rather than quantitative incident data, which may affect the precision of risk prioritization.

Future Work
The authors suggest extending the model with (1) objective audit data to validate self‑reported maturity, (2) machine‑learning techniques to automate risk scoring based on historical incident logs, and (3) broader cross‑industry trials to test scalability and adaptability. Incorporating quantitative metrics (e.g., mean time to detect/resolve, cost‑benefit analyses) would also strengthen the decision‑making component of the roadmap.

Conclusion
The paper delivers a pragmatic, adaptable maturity strategy that enables organizations to align ISO security controls with their business context, assess process maturity through COBIT, and prioritize actions based on a risk‑maturity gap analysis. The successful pilot in a real company demonstrates that the approach can raise maturity levels, reduce incident rates, and support certification efforts without requiring massive upfront investments. By bridging the gap between standards and actionable roadmaps, the proposed framework contributes a valuable tool for both researchers and practitioners seeking to operationalize information‑security governance in a flexible, risk‑aware manner.

