Proprietary Framework · Cybersecurity Maturity

NS-CMMF v1.0

The most comprehensive, consultable, and regulatory-aligned cybersecurity maturity framework available — replacing fragmented compliance checklists and opaque maturity ratings with a single, evidence-based instrument for measurement and continuous improvement.

270 Re-Engineered Controls
5-Axis Scoring Model
32 Frameworks & Regulations Mapped
6 NIST CSF Domains
L1–L5 Maturity Progression
Controls: 270 Fully Re-Engineered Cybersecurity Controls
Scoring: 5-Axis Model · Policy · Process · Technology · People · Measurement
Mapped: 32 Frameworks & Regulations at Article and Clause Level
Standards: ISO 27001 · NIST CSF 2.0 · CIS Controls · SOC 2 · DORA · NIS2 · GDPR
Maturity: L1 Initial → L5 Optimised · Domain-Weighted Aggregate Scoring
Output: Board-Ready Posture Reports · Regulatory Evidence Packs
Platform: Cybersecurity Maturity Platform · Continuous Maturity Tracking
Why NS-CMMF Was Built

Ask any experienced CISO whether their organisation is compliant, and you'll hear 'yes'. Ask them whether it is secure, and the conversation becomes considerably more nuanced. This gap is a structural failure of frameworks relied on for more than two decades.

A single Level 3 rating for 'Endpoint Protection' can conceal an enormous range of operational realities — full-coverage behavioural EDR, automated patch management, and application allowlisting score identically to legacy antivirus on 70% of endpoints with no formal patch process. That difference is the difference between containing a ransomware attack and losing 60% of systems before detection.

NS-CMMF addresses this through Cybersecurity Maturity Intelligence — 270 specific, auditable controls replacing broad categories, with control-level regulatory mapping at article granularity, and financial quantification of every finding.

Problem 1 — Specificity
Controls are too imprecise to be useful
Where a legacy framework has one 'Endpoint Protection' control, NS-CMMF has 14 distinct, auditable sub-controls each with binary-verifiable requirements at every maturity level.
Problem 2 — Fragmentation
Compliance runs as a separate programme
Parallel ISO 27001, DORA, NIS2, and PCI DSS programmes generate five separate evidence packages from a single operational control. NS-CMMF collapses this into one.
Problem 3 — Communication
Boards cannot act on what they receive
NS-CMMF produces a weighted score, auto-generated Board Report, and financial quantification — replacing traffic-light dashboards with governance-grade maturity intelligence.
Framework Architecture

Domain Weights & Coverage

NS-CMMF maps to the 6 NIST CSF 2.0 domains. Domain weights reflect empirical observation of where organisations actually fail under regulatory scrutiny — PROTECT carries the highest weight at 27%.

GV 16% · ID 10% · PR 27% · DE 14% · RS 13% · RC 10%

GV — Govern · Governance & Organisational Context · 16% (Governance Layer)
AI governance, risk management strategy, roles and responsibilities, policy framework, supply chain risk governance, and regulatory compliance programme management — including 7 dedicated AI governance controls.

ID — Identify · Asset Management & Risk Assessment · 10% (Identify Layer)
Asset inventory (IT, cloud, OT/ICS), vulnerability management, third-party risk identification, business environment mapping, and risk assessment methodology — including dedicated OT/ICS asset inventory control ID-08.

PR — Protect · Protective Controls & Safeguards · 27% (Highest Weight)
The largest domain at 27% — covering identity and access management, endpoint security (14 controls), network security, data protection, cloud security (13 controls), AI security (10 technical controls), and OT/ICS network security. Where organisations most commonly fail under attack.

DE — Detect · Threat Detection & Monitoring · 14% (Detect Layer)
SIEM log ingestion and coverage, anomaly and behavioural detection, threat intelligence integration, OT/ICS threat detection, and continuous security monitoring — with control-level mapping to PCI DSS, DORA, NIS2, SOX, HIPAA, GDPR, ISO 27001, and FedRAMP.

RS — Respond · Incident Response & Regulatory Notification · 13% (Respond Layer)
Incident response planning and execution, NIS2 three-stage notification process (RS-18), DORA major incident reporting (RS-19), OT/ICS incident response with engineering involvement, and crisis communication governance.

RC — Recover · Recovery & Resilience · 10% (Recover Layer)
Business continuity and disaster recovery planning, backup integrity and restoration testing, OT/ICS safety validation before operational resumption (RC-15), lessons learned integration, and resilience maturity measurement.

Framework Specification

NS-CMMF scores every control across five independent dimensions, applies seven non-negotiable hard gates, and maps each finding to its applicable regulatory obligations at the article level — producing an assessment that is simultaneously board-ready, audit-ready, and investment-grade.

Design · 20%
Is the control well-designed for its intended purpose? Policy documented and reviewed within 12 months; regulatory mapping explicit; design addresses the specific threat scenario; approved by the appropriate authority.
Coverage · 25%
Is the control deployed across 100% of the in-scope population? Coverage ≥ 95% of in-scope assets; exceptions formally documented with named owner and expiry; scope confirmed through automated discovery.
Operating · 25%
Does the control operate consistently in production? 3-month operational evidence available; SLA adherence ≥ 95%; exceptions trigger formal exception process; no evidence of control bypassing or workarounds.
Monitoring · 20%
Is the control independently tested and validated? KPI or KRI defined and measured; annual independent test; exceptions trigger formal escalation; trend reporting active.
Automation · 10%
Is the control automated, self-healing, and continuously evidenced? Partial automation of evidence generation; alert on control failure; evidence does not rely entirely on manual collection.
Framework Alignment
32 frameworks and regulations mapped at article and section level — NIST CSF 2.0 · ISO/IEC 27001:2022 · CIS Controls v8 · GDPR · NIS2 · DORA · Cyber Resilience Act · HIPAA · SOX · PCI DSS v4 · FedRAMP · EU AI Act · NIST AI RMF · ISO 42001 · OWASP LLM Top 10 · IEC 62443 and more.
Hard Scoring Gates
Seven non-negotiable ceiling constraints prevent any composite score from exceeding a defined level regardless of the five-axis score:
No owner → Max L2
No 3-month evidence → Max L3
No KPI/KRI → Max L4
No automation → Max L5
Reg obligation unmet → Max L2
Interview-only evidence → Max L2
Attestation-only → Max L1.5
Assessment Tool
Excel-native workbook with auto-scoring, 1,350 auto-generated recommendations (5 per control × 270 controls), priority roadmap auto-sorted by Gap × Domain Weight, 32-framework filter for instant regulatory evidence packaging, 44-row assessment history for longitudinal tracking, and 200-row evidence register with expiry management.
Delivery Model
10–12 business day engagement from scoping to final delivery. 188+ stakeholder interviews across CISO, CTO, DPO, Head of IT, AppSec, Cloud, and OT leads. Deliverables: scored assessment tool, regulatory exposure matrix, prioritised 12-month roadmap, board presentation, and 32-framework compliance reports.
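The scoring mechanics above (five weighted axes, hard-gate ceilings, domain-weighted aggregation, and a priority score of Gap × Domain Weight) are easier to reason about when run end to end. The following is an added worked example written for this page; it is not Paxley's assessment workbook or any NS-CMMF code. Only the axis weights, domain weights, gate ceilings and the Gap × Domain Weight rule come from the page. Everything else is an assumption made for illustration: each axis is scored as a maturity level on a 1–5 scale, the gap is measured against L5, the evidence facts that trigger gates are boolean flags on the control record, the aggregate is normalised by the weights of the domains actually assessed, and the control identifiers and scores are constructed samples rather than real NS-CMMF controls.

```python
"""Worked example of five-axis scoring with hard gates and domain weighting.

Added illustration, not the framework's own tool. Axis weights, domain weights,
gate ceilings and the Gap x Domain Weight priority rule are from the page;
the 1-5 per-axis scale, the boolean gate flags, the normalised aggregate and
the sample controls are assumptions made for this example.
"""
from dataclasses import dataclass

# Axis weights as stated on the page: Design 20 / Coverage 25 / Operating 25 /
# Monitoring 20 / Automation 10.
AXIS_WEIGHTS = {"design": 0.20, "coverage": 0.25, "operating": 0.25,
                "monitoring": 0.20, "automation": 0.10}
# Domain weights as stated on the page (they sum to 90%, so the aggregate
# below normalises by the weights of the domains present).
DOMAIN_WEIGHTS = {"GV": 0.16, "ID": 0.10, "PR": 0.27,
                  "DE": 0.14, "RS": 0.13, "RC": 0.10}
MAX_LEVEL = 5.0  # assumption: L5 Optimised is the target for the gap calculation


@dataclass
class Control:
    control_id: str          # constructed sample id, not a real NS-CMMF control
    domain: str              # one of the six NIST CSF 2.0 domain codes
    axes: dict               # axis name -> level 1..5 (assumed scale)
    has_owner: bool = True
    has_3_month_evidence: bool = True
    has_kpi: bool = True
    has_automation: bool = True
    reg_obligations_met: bool = True
    interview_only: bool = False
    attestation_only: bool = False


def axis_score(c: Control) -> float:
    """Weighted sum of the five axis levels (the uncapped five-axis score)."""
    return sum(AXIS_WEIGHTS[a] * c.axes[a] for a in AXIS_WEIGHTS)


def gate_ceiling(c: Control) -> float:
    """Lowest ceiling among the triggered hard gates (the page's seven gates)."""
    ceilings = [MAX_LEVEL]
    if not c.has_owner:
        ceilings.append(2.0)
    if not c.has_3_month_evidence:
        ceilings.append(3.0)
    if not c.has_kpi:
        ceilings.append(4.0)
    if not c.has_automation:
        ceilings.append(5.0)
    if not c.reg_obligations_met:
        ceilings.append(2.0)
    if c.interview_only:
        ceilings.append(2.0)
    if c.attestation_only:
        ceilings.append(1.5)
    return min(ceilings)


def composite_level(c: Control) -> float:
    """Five-axis score capped by the hard gates, rounded to two decimals."""
    return round(min(axis_score(c), gate_ceiling(c)), 2)


def priority_score(c: Control) -> float:
    """Priority Score = Gap x Domain Weight, with Gap measured to L5 (assumed)."""
    gap = MAX_LEVEL - composite_level(c)
    return round(gap * DOMAIN_WEIGHTS[c.domain], 3)


def priority_roadmap(controls):
    """Controls sorted by descending priority, as a prioritised roadmap would be."""
    ranked = [(c.control_id, priority_score(c)) for c in controls]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def domain_weighted_aggregate(controls) -> float:
    """Mean level per domain, weighted by domain weight, normalised (assumed)."""
    by_domain = {}
    for c in controls:
        by_domain.setdefault(c.domain, []).append(composite_level(c))
    weighted = sum(DOMAIN_WEIGHTS[d] * sum(v) / len(v) for d, v in by_domain.items())
    total_weight = sum(DOMAIN_WEIGHTS[d] for d in by_domain)
    return round(weighted / total_weight, 2)


# Constructed sample controls. GV-05 shows a gate biting: a strong five-axis
# score (3.8) is capped at L2 because its evidence is interview-only.
SAMPLE_CONTROLS = [
    Control("PR-01", "PR", dict.fromkeys(AXIS_WEIGHTS, 4)),
    Control("GV-05", "GV", {"design": 5, "coverage": 4, "operating": 4,
                            "monitoring": 3, "automation": 2}, interview_only=True),
    Control("DE-03", "DE", dict.fromkeys(AXIS_WEIGHTS, 3), has_kpi=False),
]

if __name__ == "__main__":
    for c in SAMPLE_CONTROLS:
        print(c.control_id, axis_score(c), gate_ceiling(c), composite_level(c))
    print("roadmap:", priority_roadmap(SAMPLE_CONTROLS))
    print("aggregate:", domain_weighted_aggregate(SAMPLE_CONTROLS))
```

Running it shows why the gates matter: GV-05 would sit near L4 on the axes alone but lands at L2.0 because interview-only evidence carries a hard ceiling, which in turn pushes it to the top of the roadmap (gap 3.0 × 0.16 = 0.48) ahead of the heavier-weighted PR control (gap 1.0 × 0.27 = 0.27). The DE-03 "No KPI/KRI" gate does not bite, since its L4 ceiling is above the axis score of 3.0.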
Built for 2026's Threat Landscape

AI, Cloud & OT — Natively Addressed

Legacy frameworks respond to new threats at the pace of their governance committees — typically 3–5 years between major updates. NS-CMMF was built from the ground up for today's attack landscape, not retrofitted from a 2018 baseline.

Artificial Intelligence
17 AI Controls
7 GV governance + 10 PR technical
GV-29–35: AI Governance Committee, Risk Classification, Acceptable Use Policy, Shadow AI Detection, Ethics, Model Lifecycle, GenAI/LLM Risk
PR-86–95: Prompt injection prevention, model access control, output monitoring, training data provenance, adversarial testing, model supply chain security, RAG security, agentic system security, deepfake detection
EU AI ACT · NIST AI RMF · ISO 42001 · OWASP LLM TOP 10
Cloud-Native Security
13 Cloud Controls
5 new in v1.0 for multi-cloud reality
PR-81: Configuration Drift Prevention — IaC enforcement, drift detection ≤15 min
PR-82: Kubernetes Security — CIS benchmark, network policies, RBAC hardened
PR-83: Cloud Workload Protection — VMs, containers, serverless
PR-84: Multi-Cloud Identity Federation — unified governance across all CSPs
PR-85: FinSec — cost anomaly detection correlated with security events
Operational Technology
5 OT/ICS Controls
First systematic OT coverage in a general-purpose framework
ID-08: OT/ICS Asset Inventory — protocol mapping and security zone classification
PR-58: OT/ICS Network Security — IT/OT boundary firewall, unidirectional gateways
DE-25: OT/ICS Threat Detection — OT-native IDS, industrial protocol monitoring
RS-17: OT/ICS Incident Response — engineering involvement mandatory
RC-15: OT/ICS Recovery — engineering safety validation before resumption

What an NS-CMMF Assessment Produces

The output is not a report — it is an evidence base, a precision roadmap, and a financial model that any board member, regulator, or investor committee can act on directly.

01 · Board-Ready Maturity Score

A weighted overall score defensible before a board audit committee — based on specific, documented evidence at the control level, not a traffic-light dashboard. A board member who asks "how do we know this control works?" gets directed to 3-month operational evidence and KPI trend data.

02 · Regulatory Evidence Packages

The 32-framework filter generates instant regulatory evidence packages. When a regulator requests DORA ICT risk management capability evidence, the package for all DORA-mapped controls is immediately available — assembled during the assessment, not reconstructed under time pressure.

03 · Prioritised Improvement Roadmap

1,350 auto-generated recommendations sorted by Priority Score (Gap × Domain Weight). A control currently at L2 receives the L2→L3 recommendation — not generic advice to 'improve'. Each recommendation includes effort estimate, target quarter, owner assignment, and status tracking.

04 · Longitudinal Assessment History

44-row assessment history providing a board-presentable, audit-ready evidence trail demonstrating consistent security programme maturity over 3–5 years of quarterly or semi-annual assessments — one of the most compelling evidence artefacts in regulatory investigations and M&A due diligence.

Assessment Platform

Cybersecurity Maturity Platform

Purpose-built for continuous NS-CMMF assessment, scoring, and executive reporting. Turns point-in-time audits into a live maturity index that boards can track and regulators will accept. Auto-populates the roadmap from assessment findings, generates 32-framework regulatory evidence packages on demand, tracks evidence expiry through a 200-row evidence register, and produces board-ready reports with a single export.

Move from checkbox compliance to measurable, defensible security maturity

We assess your posture across all 270 controls, produce a precision roadmap, and deliver regulatory evidence packages your team can act on immediately.