Capability Maturity Model
Maturity models for control over IT processes consist of developing a method of scoring so that an organization can
grade itself from non-existent to optimized (from 0 to 5). This approach has been derived from the Maturity Model that the
Software Engineering Institute defined for the maturity of the software development capability. Against these levels, developed
for each of COBIT’s 34 IT processes, management can map:
- The current status of the organization — where the organization is today
- The current status of the industry (best-in-class) — the comparison
- The current status of international standards — additional comparison
- The organization’s strategy for improvement — where the organization wants to be
The five levels of maturity are:
- Non-Existent — Complete lack of any recognisable processes. The organisation has not even recognised that there is an
issue to be addressed.
- Initial — There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are,
however, no standardised processes; instead there are ad hoc approaches that tend to be applied on an individual or
case-by-case basis. The overall approach to management is disorganised.
- Repeatable — Processes have developed to the stage where similar procedures are followed by different people undertaking
the same task. There is no formal training or communication of standard procedures and responsibility is left to the
individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
- Defined — Procedures have been standardised and documented, and communicated through training. It is, however, left to
the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are
not sophisticated but are the formalisation of existing practices.
- Managed — It is possible to monitor and measure compliance with procedures and to take action where processes appear
not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools
are used in a limited or fragmented way.
- Optimized — Processes have been refined to a level of best practice, based on the results of continuous improvement and
maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to
improve quality and effectiveness, making the enterprise quick to adapt.
The Maturity Model is a way of measuring how well developed management processes are. How well developed they
should be depends on specific business needs. The Information Criteria contained in the COBIT Framework help to make sure
that focus is on the right management aspects when describing actual practice. For
example, planning and organizing focuses on the management goals of effectiveness and efficiency, whereas ensuring systems
security will focus on the management of confidentiality and integrity.
The Maturity Model scales will help explain where IT management shortcomings exist and set
targets for where they need to be by comparing the organization’s control practices to the best practice examples. The right
maturity level will be influenced by the enterprise’s business objectives and operating environment. Specifically, the level of
control maturity will depend on the enterprise’s dependence on IT, the technology sophistication and, most importantly, the
value of its information.