SentiConSecurity/NIST_CSF_Maturity_Tool

NIST CSF Maturity Toolkit


Note

To read the original publication: New version of the NIST CSF 2.0 released

Tip

Check the Releases section for file downloads and visit the Wiki for useful information and assessment suggestions.


This worksheet is the culmination of over a decade of measuring the maturity of various security programs.
This current iteration is founded on the 2024 NIST Cybersecurity Framework (CSF) 2.0 with the addition of maturity levels for both policy and practice.

  • Policy Maturity: How well do your corporate policies, procedures, standards, and guidelines satisfy the NIST CSF requirements?
  • Practice Maturity: How well do your actual operational practices satisfy the NIST CSF requirements regardless of what your policies & standards say?

The goal of the Maturity Level descriptions is to provide some guidance around what good practices look like. If, for example, you believe that a 5% policy exception rate is too high for a Level 3 maturity, feel free to change it to better suit your needs.

Finally, this is in no way intended to infringe upon any work the good folks over at NIST have done. All of the questions and associated information on the ‘NIST CSF Details’ tab are completely owned by NIST. Certain cells are protected so the user doesn't accidentally step on a formula.

NIST CSF Framework v1.1 (February, 2024) - https://www.nist.gov/cyberframework

NIST Privacy Framework 1.0 (January, 2020) - https://www.nist.gov/privacy-framework

I hope you find this useful.
