V2.0 Cybersecurity Compliance Governance Framework

15 Dimensions of Cybersecurity Compliance Governance

Comprehensive evaluation framework across Technical Cybersecurity, Compliance & Governance, and Cultural Intelligence dimensions — aligned with NIST CSF, ISO 27001, and global cybersecurity standards

135 Assessment Questions (90 core + 45 adaptive)
15 Governance Dimensions (3 categories)
100 Maximum Score (non-linear scoring)
7 Maturity Tiers (Unaware → Mastery)

3-Category Weighting Model

Balanced assessment across technical capabilities, compliance maturity, and organizational culture

45% Category A: Technical Cybersecurity (Dimensions D1-D6)
25% Category B: Compliance & Governance (Dimensions D7-D9)
30% Category C: Cultural Intelligence & Equity (Dimensions D10-D15)

🔧 Category A — 45% Weight

Technical Cybersecurity

6 dimensions evaluating governance frameworks, security architecture, threat detection, identity management, and data protection capabilities

🏛️ D1: Cybersecurity Governance Framework (9%)

Evaluates organizational commitment to cybersecurity governance, executive sponsorship, board oversight, and strategic alignment. Assesses the maturity of governance structures, policy frameworks, and accountability mechanisms.

Focus Areas: Board oversight • Executive sponsorship • Governance charter • Strategic alignment • Accountability frameworks
Standards: NIST CSF • ISO 27001 • COBIT • CIS Controls

📋 D2: Policy & Standards Management (8%)

Measures the organization's capability to develop, maintain, and enforce cybersecurity policies. Evaluates policy lifecycle management, standards adoption, exception handling, and compliance tracking.

Focus Areas: Policy development • Standards alignment • Exception management • Compliance tracking • Version control
Standards: NIST 800-53 • ISO 27001 • CIS Benchmarks

🔒 D3: Security Architecture & Design (8%)

Assesses technical security architecture including defense-in-depth, zero trust principles, network segmentation, and secure design patterns. Evaluates architecture documentation and review processes.

Focus Areas: Zero trust architecture • Network segmentation • Defense-in-depth • Secure design • Architecture review
Standards: NIST ZTA • TOGAF • SABSA

🛡️ D4: Threat Detection & Response (7%)

Evaluates capabilities for detecting, analyzing, and responding to security threats. Assesses SOC maturity, incident response procedures, threat intelligence integration, and continuous monitoring.

Focus Areas: SOC operations • Incident response • Threat intelligence • SIEM/SOAR • Continuous monitoring
Standards: NIST IR • MITRE ATT&CK • ISO 27035

🔐 D5: Identity & Access Management (7%)

Measures IAM maturity including authentication mechanisms, authorization controls, privileged access management, and identity lifecycle. Evaluates MFA adoption, SSO integration, and access reviews.

Focus Areas: MFA implementation • PAM controls • Access certification • SSO integration • Identity governance
Standards: NIST 800-63 • ISO 27001 • CIS Controls

📊 D6: Data Protection & Privacy (6%)

Assesses data classification, encryption practices, data loss prevention, and privacy controls. Evaluates compliance with data protection regulations and cross-border data transfer mechanisms.

Focus Areas: Data classification • Encryption standards • DLP controls • Privacy compliance • Cross-border transfers
Standards: GDPR • CCPA • ISO 27701 • PCI DSS

⚖️ Category B — 25% Weight

Compliance & Governance

3 dimensions assessing regulatory compliance management, risk assessment practices, and third-party risk management capabilities

⚖️ D7: Regulatory Compliance Management (10%)

Evaluates the organization's capability to identify, track, and comply with applicable cybersecurity regulations. Assesses compliance monitoring, audit readiness, regulatory change management, and reporting mechanisms.

Focus Areas: Compliance mapping • Audit management • Regulatory tracking • Evidence collection • Reporting automation
Standards: SOX • HIPAA • PCI DSS • FISMA • DORA

📈 D8: Risk Assessment & Management (8%)

Measures risk identification, assessment, and mitigation capabilities. Evaluates risk appetite definition, quantitative/qualitative assessment methodologies, and risk treatment decision-making.

Focus Areas: Risk identification • Risk quantification • Treatment planning • Risk appetite • Continuous assessment
Standards: NIST RMF • ISO 31000 • FAIR

🤝 D9: Third-Party Risk Management (7%)

Assesses vendor security assessment, supply chain risk management, and third-party monitoring. Evaluates due diligence processes, contractual security requirements, and ongoing vendor oversight.

Focus Areas: Vendor assessment • Supply chain security • Due diligence • Contract management • Continuous monitoring
Standards: NIST 800-161 • ISO 27036 • SIG/CAIQ

🌍 Category C — 30% Weight

Cultural Intelligence & Equity

6 dimensions evaluating global awareness, equitable implementation, stakeholder engagement, training effectiveness, innovation capacity, and strategic readiness

🌍 D10: Global Compliance Awareness (5%)

Evaluates understanding of international cybersecurity frameworks and cross-cultural compliance considerations. Assesses global regulatory awareness and adaptation to regional requirements.

Focus Areas: International frameworks • Regional requirements • Cross-cultural awareness • Global standards • Localization
Standards: EU NIS2 • UK Cyber • Singapore CSA • Australia ACSC

🤲 D11: Equitable Compliance Implementation (5%)

Measures fairness and equity in cybersecurity implementation across organizational units. Evaluates resource allocation equity, accessibility of security tools, and inclusive policy development.

Focus Areas: Resource equity • Tool accessibility • Inclusive design • Policy fairness • Disparate impact analysis
Standards: WCAG • Section 508 • ISO 27001 A.7

📢 D12: Stakeholder Communication & Engagement (5%)

Assesses communication effectiveness with diverse stakeholder groups. Evaluates security messaging, incident communication, and engagement strategies across different organizational levels.

Focus Areas: Executive communication • Employee engagement • Customer communication • Vendor coordination • Crisis communication
Standards: NIST CSF PR.AT • ISO 27001 A.7.3

📚 D13: Compliance Training & Capability Building (5%)

Evaluates security awareness and training program effectiveness. Assesses role-based training, phishing simulation, compliance education, and capability development initiatives.

Focus Areas: Role-based training • Phishing simulation • Compliance education • Skill development • Certification support
Standards: NIST SP 800-50 • ISO 27001 A.7.2 • SANS

💡 D14: Innovation & Adaptation (5%)

Measures organizational ability to adapt to evolving threats and adopt emerging security technologies. Evaluates innovation culture, technology adoption, and continuous improvement mechanisms.

Focus Areas: Emerging technology • Threat adaptation • Security innovation • Technology adoption • Continuous improvement
Standards: NIST CSF ID.RA • ISO 27001 Clause 10

🔮 D15: Strategic Vision & Future Readiness (5%)

Assesses strategic security planning, future-state architecture, and organizational resilience planning. Evaluates long-term security roadmap and alignment with business transformation initiatives.

Focus Areas: Security roadmap • Future-state planning • Business alignment • Resilience planning • Transformation integration
Standards: NIST CSF • ISO 27001 A.5.1 • COBIT

7-Tier Maturity Model

Your assessment results map to a maturity tier with specific capability indicators, governance benchmarks, and improvement pathways

T1 Unaware (0-14%): No formal cybersecurity governance
T2 Emerging (15-28%): Initial awareness and ad-hoc practices
T3 Developing (29-42%): Documented policies and basic controls
T4 Proficient (43-57%): Defined processes and consistent implementation
T5 Advanced (58-71%): Measured and optimized controls
T6 Expert (72-85%): Industry-leading practices and proactive posture
T7 Mastery (86-100%): Continuous innovation and strategic excellence

Advanced Scoring Methodology

Psychometrically validated assessment with adaptive branching and evidence-based feedback

🎯 Non-Linear Scoring: Progressive scale (0, 1, 3, 4, 5) rewards mature capabilities with higher point differentiation
🔄 Adaptive Branching: Questions adapt based on responses, following a Low, Medium, or High path for targeted evaluation
📊 Psychometric Validation: Cronbach's α: 0.87 | ICC: 0.89 | Cohen's κ: 0.82 (research-grade reliability)
📝 Evidence Requirements: Each question includes specific evidence requirements for governance documentation
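Worked example of how the 3-category weighting model, the 0/1/3/4/5 scale and the 7-tier bands above combine into a score. This is an added illustration, not the framework's own tooling; the page does not say how per-question scores roll up into a dimension score, so the example assumes the mean of a dimension's question scores divided by the scale maximum (5), and it treats each tier band as running up to the next band's lower bound so that fractional scores never fall between bands.

```python
from statistics import mean

# Per-question scale from the page; note the jump from 1 to 3.
SCALE = (0, 1, 3, 4, 5)

# Dimension weights in percent, from the page (A = 45, B = 25, C = 30).
WEIGHTS = {
    "D1": 9, "D2": 8, "D3": 8, "D4": 7, "D5": 7, "D6": 6,        # Category A
    "D7": 10, "D8": 8, "D9": 7,                                   # Category B
    "D10": 5, "D11": 5, "D12": 5, "D13": 5, "D14": 5, "D15": 5,  # Category C
}
assert sum(WEIGHTS.values()) == 100

# Tiers as (lower bound, id, name). Each band ends where the next begins,
# so a fractional score such as 14.5 stays in T1 rather than falling in a gap.
TIERS = [
    (0, "T1", "Unaware"), (15, "T2", "Emerging"), (29, "T3", "Developing"),
    (43, "T4", "Proficient"), (58, "T5", "Advanced"), (72, "T6", "Expert"),
    (86, "T7", "Mastery"),
]

def dimension_score(answers):
    """0..1 score for one dimension. Assumption (not on the page): mean / scale max."""
    bad = [a for a in answers if a not in SCALE]
    if bad:
        raise ValueError(f"not on the 0/1/3/4/5 scale: {bad}")
    return mean(answers) / max(SCALE)

def overall_score(responses):
    """Weighted 0..100 score; refuses to score an incomplete assessment."""
    missing = sorted(set(WEIGHTS) - set(responses))
    if missing:
        raise ValueError(f"unanswered dimensions: {missing}")
    return sum(WEIGHTS[d] * dimension_score(responses[d]) for d in WEIGHTS)

def maturity_tier(score):
    """Map a 0..100 score to the highest tier whose lower bound it meets."""
    if not 0 <= score <= 100:
        raise ValueError("score must lie in 0..100")
    return next((tid, name) for lower, tid, name in reversed(TIERS) if score >= lower)

# Constructed sample: strong technical controls, weaker cultural dimensions.
SAMPLE = {d: [5, 4, 4] for d in ("D1", "D2", "D3", "D4", "D5", "D6")}
SAMPLE.update({d: [3, 3, 4] for d in ("D7", "D8", "D9")})
SAMPLE.update({d: [1, 1, 3] for d in ("D10", "D11", "D12", "D13", "D14", "D15")})

if __name__ == "__main__":
    total = overall_score(SAMPLE)
    print(f"{total:.1f}/100 -> {maturity_tier(total)}")  # 65.7/100 -> ('T5', 'Advanced')
```

Because Category A carries 45% of the weight, the sample lands in T5 even though its six cultural dimensions score only 1.67 of 5 on average; a real assessment would flag that imbalance in the tier-specific recommendations.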

Assess Your Cybersecurity Maturity

Discover your organization's cybersecurity compliance posture across all 15 dimensions and receive tier-specific recommendations for improvement