CEOs, executives and board members always want to know whether their organization is secure enough. Are the dollars invested in security providing them adequate security with regard to return on investment? Is the organization’s security improving over time? Is the company competitive in its sector or against its competitors? Ordinarily, organizations and key executives tend to make assumptions or subjective judgments, which may not be the best approach.
The existing processes and tools at an organization’s disposal may not be sufficient to answer some of the questions mentioned above. At times, benchmarking and maturity modeling become critical to managing a certification or regulatory compliance requirement. There are multiple areas in security and privacy where benchmarking can be accomplished, and a typical approach is to benchmark the processes and practices encompassing information security or privacy, covering relevant standards and control domains.
We offer the following services to help businesses meet various challenges in benchmarking and maturity analysis across the information security, product security and privacy domains:
Analysis of the existing state of information security implementation, and benchmarking.
Alignment with various industry standards such as ISO 27001, BSIMM, CIS Top 20, OWASP and NIST.
Privacy maturity modeling with reference to GDPR, CPRA, etc.
Executive report, summary of gaps, and recommended mitigating actions.