Proceeding Paper

Maturity Models in Information Security Audits †

by Daniel Zamora-Jimenez, Lidia Prudente-Tixteco * and Pablo Ramon Mercado-Hernandez
Instituto Politecnico Nacional, Escuela Superior de Ingeniería Mecánica y Eléctrica Unidad Culhuacan, Mexico City 04440, Mexico
* Author to whom correspondence should be addressed.
Presented at the First Summer School on Artificial Intelligence in Cybersecurity, Cancun, Mexico, 3–7 November 2025.
Eng. Proc. 2026, 123(1), 14; https://doi.org/10.3390/engproc2026123014
Published: 2 February 2026
(This article belongs to the Proceedings of First Summer School on Artificial Intelligence in Cybersecurity)

Abstract

Information security auditing plays an important role in information security management because it assesses the status of security mechanisms, risk management, and regulatory compliance. Most information security auditing methodologies have been based on binary assessments or checklists, an approach that is limited in the face of the constant evolution of cyber threats. This paper presents a comparative analysis of the most recognized maturity level structures, namely the Capability Maturity Model Integration (CMMI), the Cybersecurity Capability Maturity Model (C2M2), and the Cybersecurity Maturity Model Certification (CMMC), in order to identify the most suitable one for an innovative change in the auditing process that yields a deeper and more detailed evaluation of security controls and, consequently, better decision-making.

1. Introduction

Organizations are increasingly dependent on digital assets, and cyber threats continue to evolve, so the need to improve security assessments and auditing processes is growing. Information security audits provide senior management and stakeholders with an overview of the current state of the security controls implemented to protect the confidentiality, integrity, and availability of information. However, traditional audit methods with a binary assessment approach fail to capture the true state of security controls.
The security audit process is commonly structured in four phases. It begins with planning, where the scope, objectives and criteria of the audit are defined. Next, in the execution phase, the binary pass/fail evaluation is performed: evidence is collected through interviews, document review, and technical testing in order to evaluate the controls. Subsequently, in the reporting phase, the findings and non-conformities are communicated to senior management. Finally, the cycle concludes with follow-up, where the implementation of corrective actions is verified [1]. The use of checklists fosters a compliance-oriented culture within organizations [2], rather than encouraging a strategic approach to security management within a continuous improvement cycle.
A maturity model is a framework that assesses the effectiveness and efficiency of processes [3] as they move from a nonexistent or barely reactive state to an optimized one. Applied to auditing, it transforms the audit from a compliance exercise into a strategic tool for continuous improvement and information security risk management, replacing the traditional binary assessment with an assessment by maturity level.

2. Methods

This theoretical proposal uses a comparative analysis methodology based on a review of the official documentation, implementation guides, and industry analyses related to the most relevant security maturity and assessment frameworks, specifically evaluating maturity scales as tools for assessing individual security controls.
The models selected for the analysis of their maturity levels are as follows:
1. Capability Maturity Model Integration (CMMI): Selected for providing a framework and common language to guide process improvement across an organization, and for its widespread recognition.
2. Cybersecurity Capability Maturity Model (C2M2): Chosen for its focus on cybersecurity within critical infrastructures, including Information Technology (IT) and Operational Technology (OT).
3. Cybersecurity Maturity Model Certification (CMMC): Selected for its regulatory nature and mandatory compliance requirements. Unlike process improvement models, CMMC is designed to audit and verify the cybersecurity capabilities within the Defense Industrial Base (DIB) of the United States Department of Defense.
Comparative analysis criteria:
  • Flexibility and Adaptability: The ability of the maturity level structure to be applied to different types of organizations, industries, and security processes.
  • Reliability: The consistency and objectivity of the assessment results produced by applying the maturity levels.
  • Track Record and Recognition: The proven track record and its acceptance within the industry as a standard for improvement.

3. Results

This section presents a comparative analysis of each model.
  • CMMI Maturity Levels: Defines five levels (Initial, Managed, Defined, Quantitatively Managed, Optimized) for continuous process improvement, as shown in Figure 1. The focus is on tracking process maturity, from ad hoc and unpredictable processes (Level 1) to a state of continuous improvement (Level 5). Its structure is flexible, offering both a staged representation (a predefined path) and a continuous representation (allowing organizations to focus on specific process areas). It is one of the most internationally recognized models, with applications in multiple industries and support from institutions such as ISACA and SEI [4].
  • C2M2 Maturity Levels: Defines four levels (MIL0 Incomplete, MIL1 Initial, MIL2 Managed, MIL3 Defined) that measure progression along two dimensions: focus and management. It includes more than 350 practices assigned to specific MILs across ten cybersecurity domains, as shown in Figure 2. It is primarily designed for self-assessment, which gives it only moderate objectivity in a formal audit context [5].
  • CMMC Maturity Levels: Defines three cumulative levels (Level 1-Foundational, Level 2-Advanced, Level 3-Expert), which are sets of compliance requirements, as shown in Figure 3. Its structure is based on controls from NIST SP 800-171 [6] and NIST SP 800-172 [7], organized into domains. This model is also a certification standard. The assessment requires third-party certification (for Levels 2 and 3), which gives it high reliability for compliance purposes, but its rigidity and specific focus on the DoD supply chain limit its overall flexibility [8].
Table 1 shows a comparative analysis of the characteristics of the selected maturity models.

4. Discussion

This analysis reveals the advantages and disadvantages of each model. However, the CMMI level structure is the most suitable for integration into security audits due to the following characteristics:
  • Flexibility and Adaptability: The main advantage of CMMI is its flexibility. It allows an organization to focus on improving specific process areas that are critical for information security. CMMI has proven its applicability beyond software development in many industries and integrates effectively with modern methodologies such as Agile.
  • Reliability: The reliability of an audit depends on the consistency of its results. The CMMI assessment method offers a framework with well-documented methodologies and practices, and structured processes that allow consistent assessments in different contexts with guaranteed results.
  • Track Record and Recognition: With a track record of over 30 years and now under the leadership of ISACA, CMMI is a proven and continuously evolving global standard.
Integrating maturity levels into audits is a novel and innovative practice that offers several advantages. It transforms the audit report from a list of issues into a strategic roadmap for effective risk management and generates a more accurate risk assessment.

5. Conclusions

Evaluating controls using a simple "yes/no" system is an inefficient method that fails to reflect the complexity of current cybersecurity practices and fosters a culture of minimal compliance. The proposal to integrate maturity levels into security audits provides a more comprehensive view of an organization's information security posture. By adopting the CMMI maturity levels, organizations can transform their information security audits into a strategic value-added tool, driving continuous improvement that goes beyond simply using a checklist. This approach makes maturity visible by revealing improvement trends, so that realistic key performance indicators (KPIs) can be established and continuous improvement sustained.
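As an added illustration of the shift argued for in Sections 4 and 5 (from a pass/fail checklist to maturity-level scoring that yields an improvement roadmap and KPIs), the following Python is example code written for this page, not from the paper. The control identifiers, observed levels and targets are constructed sample data, and treating "exists at Level 2 or above" as a checklist pass is an assumption made to contrast the two views.

```python
"""Scoring an audit by CMMI maturity level instead of a binary checklist.
Added example, not code from the paper; all control data below is constructed."""
from dataclasses import dataclass

# The five CMMI maturity levels named in Section 3 of the paper.
CMMI_LEVELS = {1: "Initial", 2: "Managed", 3: "Defined",
               4: "Quantitatively Managed", 5: "Optimized"}

@dataclass(frozen=True)
class ControlAssessment:
    control: str   # short control id (constructed)
    name: str      # control description (constructed)
    observed: int  # maturity level the auditor found, 1..5
    target: int    # level the organization set as its goal, 1..5

    def __post_init__(self):
        for level in (self.observed, self.target):
            if level not in CMMI_LEVELS:
                raise ValueError(f"maturity level must be 1..5, got {level}")

def binary_verdict(a: ControlAssessment) -> str:
    """Checklist view (assumed rule): a control 'passes' once it exists (Level 2+)."""
    return "pass" if a.observed >= 2 else "fail"

def gap(a: ControlAssessment) -> int:
    """Levels still to climb to reach the target; 0 when the target is met."""
    return max(a.target - a.observed, 0)

def roadmap(assessments):
    """Improvement roadmap: controls below target, largest gap first, then by id."""
    return sorted((a for a in assessments if gap(a) > 0), key=lambda a: (-gap(a), a.control))

def kpis(assessments):
    """Audit-level KPIs; the binary pass rate is kept only to show what it hides."""
    n = len(assessments)
    return {
        "average_maturity": round(sum(a.observed for a in assessments) / n, 2),
        "pct_at_target": round(100 * sum(gap(a) == 0 for a in assessments) / n, 1),
        "pct_binary_pass": round(100 * sum(binary_verdict(a) == "pass" for a in assessments) / n, 1),
    }

# Constructed sample audit: four controls with observed and target levels.
SAMPLE = [
    ControlAssessment("AC-01", "Access control policy", observed=2, target=4),
    ControlAssessment("LM-01", "Logging and monitoring", observed=1, target=3),
    ControlAssessment("BK-01", "Backup and restore", observed=3, target=3),
    ControlAssessment("VM-01", "Vulnerability management", observed=2, target=3),
]

if __name__ == "__main__":
    print(kpis(SAMPLE), [a.control for a in roadmap(SAMPLE)])
```

On the sample, the checklist reports three of four controls as passing while only one control is at its target level, and the roadmap orders the remaining three by how far they are from target.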

Author Contributions

D.Z.-J., L.P.-T. and P.R.M.-H. contributed equally to the conception, writing, and review of the manuscript. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new data were created or analyzed in this study. Data sharing is not applicable to this article.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Cooke, I. IS Audit Basics: Innovation in the IT Audit Process. Available online: https://www.isaca.org/es-es/resources/isaca-journal/issues/2018/volume-2/is-audit-basics-innovation-in-the-it-audit-process (accessed on 25 January 2025).
  2. Auliani, A.S.; Candiwan. Information Security Assessment on Court Tracking Information System: A Case Study from Mataram District Court. In Proceedings of the 2021 IEEE 12th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), New York, NY, USA, 1–4 December 2021; pp. 0226–0230.
  3. Cobos, S.; Garayar, A.; Mauricio, D. Cybersecurity Maturity Model Against Ransomware Attacks for the Financial Sector. In Proceedings of the 2024 IEEE ANDESCON, Cusco, Peru, 11–13 September 2024; pp. 1–6.
  4. CMMI Institute. Appraisals. 2025. Available online: https://cmmiinstitute.com/learning/appraisals/levels (accessed on 25 January 2025).
  5. U.S. Department of Energy. Office of Cybersecurity, Energy Security, and Emergency Response, Cybersecurity Capability Maturity Model (C2M2), Version 2.1; U.S. DOE: Washington, DC, USA, 2022. Available online: https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2 (accessed on 25 January 2025).
  6. NIST SP 800-171r3; Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024.
  7. NIST SP 800-172r3; Enhanced Security Requirements for Protecting Controlled Unclassified Information. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024.
  8. U.S. Department of Defense. Cybersecurity Maturity Model Certification (CMMC), Model Overview Version 2.0; U.S. Department of Defense: Washington, DC, USA, 2021. Available online: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverview_V2.0_FINAL2_20211202_508.pdf (accessed on 25 January 2025).
Figure 1. CMMI maturity levels.
Figure 2. C2M2 model architecture.
Figure 3. CMMC maturity levels.
Table 1. Comparative analysis of maturity models.
Purpose
  • CMMI (Capability Maturity Model Integration): Evaluate and improve process efficiency and capabilities in organizations across any industry.
  • C2M2 (Cybersecurity Capability Maturity Model): Evaluate and enhance cybersecurity capabilities in critical infrastructure, both IT and OT.
  • CMMC (Cybersecurity Maturity Model Certification): Ensure the implementation of good cybersecurity practices in organizations working with the U.S. DoD.
Maturity Levels
  • CMMI: 5 levels of maturity.
  • C2M2: 10 domains and 4 maturity levels.
  • CMMC: 3 levels of maturity (Foundational, Advanced, and Expert).
Flexibility and Adaptability
  • CMMI: Very flexible. It allows an organization to focus on specific areas, is applicable in various industries, and integrates well with methodologies such as Agile.
  • C2M2: Designed for the energy sector, but adaptable to other critical infrastructure. Flexible in its application as a self-assessment tool.
  • CMMC: Lacks flexibility. It is a regulatory compliance requirement with prescriptive practices that organizations must follow to obtain certification.
Reliability
  • CMMI: High. It offers a framework with well-documented methodologies and practices that allow for consistent evaluations across different contexts, with guaranteed results.
  • C2M2: Consistency may vary as this is a self-assessment model, although its structured framework provides a reliable basis for internal improvement.
  • CMMC: High. Reliability is ensured through mandatory audits and certifications performed by accredited third-party assessment organizations (C3PAOs).
Track Record and Recognition
  • CMMI: With over 30 years of history, it is a proven and continuously evolving global standard, currently managed by ISACA.
  • C2M2: Developed by the U.S. DOE, it is a recognized model primarily used in the energy sector and other critical infrastructure areas.
  • CMMC: Mandated by the U.S. DoD. It is a mandatory and recognized compliance standard within the DIB.
