CyFun Scoring: the 5 CMMI Maturity Levels
CyFun uses a 5-level CMMI-style maturity scale. Each control is scored on two dimensions — Documentation Maturity (1-5) and Implementation Maturity (1-5). Pass threshold for every Key Measure is ≥ 2.5/5.
Two dimensions, one scale
- Documentation Maturity — how well your written rules and procedures satisfy the control.
- Implementation Maturity — how mature your actual operational practices are.
Both dimensions use the same 5-level CMMI-style scale. You score each control once per dimension, from 1 to 5.
Which evidence counts for which dimension?
Not every piece of evidence helps both scores. A written policy proves documentation but not implementation. A Microsoft Entra config proves implementation but not policy. A mature control has both sides covered.
Documentation evidence
What we say we do.
- Policies
- Procedures
Implementation evidence
What we actually do — proof the activity took place.
- Config snapshots (Entra, Intune, ...)
- Logs & audit trails
- Test results (Secure Score, scans, ...)
- Inventories (device, user, software)
- Incident & exercise records
- Training records (proof of completion)
- Acknowledgments (signed by the employee)
- External attestations (signed statement)
Integrations (Microsoft 365, Sophos, SentinelOne, ...) almost always produce implementation evidence — they observe the actual enforcement state. Policies and procedures remain manual work, though ECP drafts an initial version for you.
The 5 maturity levels (CCB canonical definitions)
| Level | Documentation Maturity | Implementation Maturity |
|---|---|---|
| 1 — Initial | No process documentation, or not formally approved by management. | Standard process does not exist. |
| 2 — Repeatable | Formally approved process documentation exists but has not been reviewed in the previous 2 years. | Ad-hoc process exists and is done informally. |
| 3 — Defined | Formally approved process documentation exists; exceptions are documented and approved. Documented & approved exceptions < 5% of the time. | Formal process exists and is implemented. Evidence available for most activities. Less than 10% process exceptions. |
| 4 — Managed | Formally approved process documentation exists; exceptions are documented and approved. Documented & approved exceptions < 3% of the time. | Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established. Less than 5% of process exceptions. |
| 5 — Optimizing | Formally approved process documentation exists; exceptions are documented and approved. Documented & approved exceptions < 0.5% of the time. | Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established and continually improving. Less than 1% of process exceptions. |
Pass threshold
Under the CCB's Conformity Assessment Scheme, each Key Measure must score ≥ 2.5/5 on average across documentation and implementation. That's the pass line for audit readiness.
Levels vs tiers — don't confuse them
CyFun has two independent numbers:
- 4 assurance tiers — Small, Basic, Important, Essential. These define which controls you implement (7, 34, 132, or 217).
- 5 maturity levels — Initial through Optimizing. These define how well you implement each of those controls.
A Basic-tier organisation still scores each of its 34 controls on the 1-5 scale. An Essential-tier organisation scores all 217 on the same 1-5 scale.
Source
- CCB CyberFundamentals Self-Assessment Tool (v2026-02-20) — canonical wording for all 5 maturity levels and the ≥ 2.5/5 threshold.