Module · Built · Comprehensive

Cyber maturity. Defensible by design.

Comprehensive cyber security maturity across 15 specialist domains, practitioner-authored. Aligned to ISO/IEC 27001:2022 and ASD Essential Eight (Australia) as regulatory add-ons live today. NZISM (New Zealand), NIST Cybersecurity Framework 2.0 (United States) and APRA Prudential Standard CPS 234 (Australia) next. HKMA Cyber Resilience Assessment Framework (Hong Kong)

- 15 specialist domains
- Standards aligned: ISO 27001:2022, NIST CSF 2.0, APAC + AU + US
- 2 add-ons live · 6 next
- 0–4 maturity scale
01 What it covers

Fifteen domains. One unified score.

Each domain is practitioner-authored, mapped to the regulatory add-ons, and weighted into the cross-domain cascade. Together they cover the full cyber lifecycle - from board-level governance through control execution to incident recovery.

- 01.1 Cyber Governance: Board oversight, risk appetite, policy framework, accountability across three lines.
- 01.2 Asset Management: Hardware, software and information asset inventory, classification and lifecycle.
- 01.3 Identity & Access: Identity lifecycle, MFA, privileged access, joiner-mover-leaver, federation.
- 01.4 Data Protection: Classification, DLP, encryption posture, data loss prevention across the lifecycle.
- 01.5 Network Security: Segmentation, perimeter controls, secure remote access, east-west traffic.
- 01.6 Endpoint Security: EDR, hardening, patching cadence, application whitelisting, mobile device management.
- 01.7 Application Security: Secure SDLC, code review, DAST/SAST, dependency management, API security.
- 01.8 Cloud Security: CSPM, IAM, workload protection, shared responsibility model, multi-cloud posture.
- 01.9 Cryptography: Key management, certificate lifecycle, algorithm governance, post-quantum readiness.
- 01.10 Vulnerability Management: Discovery, prioritisation, remediation cadence, exception management.
- 01.11 Threat Intelligence: Threat modelling, intel sources, threat hunting, attack surface monitoring.
- 01.12 Logging & Monitoring: SIEM coverage, log retention, detection engineering, alert fidelity.
- 01.13 Incident Response: Playbooks, severity model, tabletop maturity, post-incident review discipline.
- 01.14 Cyber Resilience: Recovery objectives, backup integrity, immutable storage, exercise frequency.
- 01.15 Third-Party Cyber: Supplier due diligence, fourth-party visibility, contract security obligations.
02 How it scores

Five levels. One unified scale.

Every cyber domain is scored on the 0–4 maturity scale - the same scale every other MaturityOne module uses, so cyber maturity reconciles with AI, Privacy, Resilience and the rest of the platform without translation.

- 0 · Not Established: No capability
- 1 · Ad Hoc: Reactive · undocumented
- 2 · Defined: Documented · inconsistent
- 3 · Managed: Measured · consistent
- 4 · Optimised: Continuous improvement

How a score is calculated. Each question carries a 1–5 input scale that maps deterministically to the 0–4 output. Domain scores aggregate the practitioner-weighted question scores; module score aggregates domain scores. Reviewer adjustment is captured at every level - the cascade engine uses the reviewer-signed score, never the assessor draft.

03 Regulatory add-ons

Score once. Map to many.

Every regulatory add-on is a clause-level mapping from the maturity score to a specific cyber standard. Run the assessment once; produce conformity evidence against multiple frameworks. Two add-ons are live today, six in development - covering Australia, New Zealand, the United States, Hong Kong and India for genuine global reach.

ISO/IEC 27001:2022 · Information security management · International
Live
Full Annex A control mapping (93 controls across 4 themes). The maturity assessment maps directly to organisational, people, physical and technological controls. Run the cyber module once; export an ISO/IEC 27001 Statement of Applicability draft and conformity evidence against every clause.
Annex A · 4 themes · 93 controls

ASD Essential Eight · Australian Signals Directorate · Australia
Live
All eight mitigation strategies, all four maturity levels. The Australian government's baseline cyber maturity model - application control, patch applications, configure macros, user application hardening, restrict admin privileges, patch operating systems, multi-factor authentication, daily backups. Required for Australian Government entities and a de-facto baseline for regulated industries across Australia.
8 strategies · ML0–ML3 · Australia

NIST Cybersecurity Framework 2.0 · National Institute of Standards and Technology · United States
Next
All six CSF 2.0 functions - Govern, Identify, Protect, Detect, Respond, Recover. The United States National Institute of Standards and Technology framework, widely adopted across US federal, financial services and critical infrastructure, and increasingly the global reference for cyber maturity programs.
Coming next · 6 functions · 23 categories

APRA Prudential Standard CPS 234 · Australian Prudential Regulation Authority · Australia
Next
The Australian prudential standard for information security. Coming next - required by Australian Prudential Regulation Authority-regulated financial institutions and superannuation funds. Maps the cyber module to CPS 234 sections on capability, policy framework, control implementation and incident notification.
Coming next · APRA-regulated entities

NZISM New Zealand · New Zealand Information Security Manual · NZ
Next
New Zealand's principal cyber and information security framework. Coming next - required for New Zealand government agencies and increasingly adopted by regulated industries across New Zealand. Maps the cyber module to the NZISM governance, personnel, physical and technical controls.
Coming next · NZISM · New Zealand

HKMA Cyber Resilience Assessment Framework · Hong Kong Monetary Authority · C-RAF 2.0 · Hong Kong
Roadmap
Hong Kong's mandatory cyber resilience framework for authorised institutions. The Hong Kong Monetary Authority's three-step framework: inherent risk assessment, maturity assessment, and intelligence-led cyber attack simulation testing. Required for all authorised institutions operating in Hong Kong.
Roadmap · 2026 · 3-step framework · Hong Kong

CIS Controls v8 · Center for Internet Security · International
Roadmap
All 18 Center for Internet Security Critical Security Controls - the prescriptive, prioritised set of cyber actions that defend against the most pervasive attacks. Three implementation groups (IG1, IG2, IG3) for organisations of different scale. Widely adopted across mid-market and small-to-medium enterprises globally.
Roadmap · 2026 · 18 controls · 3 IGs

04 Cross-domain integration

Cyber doesn't live alone. Neither does its score.

Most cyber tools treat the discipline as a silo - its own scale, its own taxonomy, its own report. MaturityOne wires cyber into the cross-domain cascade engine. When the board sets cyber risk appetite in Enterprise Risk, this module's targets move automatically. When findings here change residual risk, Enterprise Risk sees it. This is how cyber maturity stops being a standalone audit and starts informing the business.

- Appetite cascades in

From Enterprise Risk to cyber targets

When the board sets cyber risk appetite in Enterprise Risk, this module's target maturity moves and the targets cascade across all 15 cyber domains. When AI Governance flags a high-risk model deployment, a cyber assessment refresh triggers automatically.

- Findings cascade out

From cyber assessments to residual risk

Cyber findings - gaps below target, control weaknesses, exposure changes - flow back to Enterprise Risk's residual risk view. Vendor exposure findings flow into Third Party Risk to trigger re-tier. Control gaps with regulatory significance flow into Compliance.

- Triggers fire sideways

Cross-discipline escalations, automatic

A material cyber incident triggers a Resilience tolerance review, a Privacy assessment refresh if personal data was in scope, and a Compliance reporting evaluation - all firing automatically so the cyber team does not have to remember them.

What this looks like in practice. The board approves a "low" appetite for cyber risk in the Q1 review. Within minutes: cyber target maturity moves to ML3 across 15 domains; Third Party Risk tightens due-diligence requirements for technology vendors; Resilience shrinks recovery tolerance windows for cyber-impacted services; Projects adds Black-gating thresholds for high-cyber-risk initiatives. One board decision. The cyber program responds. Five other modules respond.

Cyber security pulls from:

- Enterprise Risk · Appetite
- Data Governance · Upstream
- Third Party Risk · Vendor exposure
- Projects · Cross-trigger

Cyber security feeds:

- Enterprise Risk · Residual risk
- Resilience · Tolerance
- Privacy · Downstream
- Compliance · Reporting

05 Sample output

Two views. One source of truth.

The assessor sees granular detail across all 15 domains. The executive sees a single score, the cascade impact, and a board-ready narrative. Both views derive from the same signed-off data - there's no "executive summary" that diverges from the underlying numbers.

Assessor view · Capture · evidence

Per-domain breakdown with weighted markers.

2.8 / 4 · Defined → Managed

Domains shown: Cyber Governance, Identity & Access, Endpoint Security, Cloud Security, Vulnerability Management, Third-Party Cyber.

Assessor sees per-question scores, evidence references, reviewer comments, and the gap-to-target for every domain. Drillable to source.

Executive view · Read-only · board

Single score with cascade impact.

2.8 / 4 · Defined → Managed

Items shown: AI Governance impact, Resilience impact, Privacy impact, ISO 27001:2022 conformity, ASD Essential Eight (ML).

Executive sees a single number, downstream cascade, regulatory conformity, and a plain-English board narrative - generated automatically from the signed-off assessor data.

06 See it work

Thirty minutes. A practitioner.

A walkthrough of the cyber module isn't a product demo. It's a practitioner showing you how the 15 domains score, how ISO/IEC 27001:2022 and ASD Essential Eight (Australia) add-ons map clause-by-clause, how the cascade actually moves when scores change, and the honest picture of what it can and can't do. If we're not the right fit, we'll tell you.