The vendor is required to provide a capability maturity model (CMM) assessment of the information security management system (ISMS) and of the security program generally, covering the areas where the controls managed by the ISMS are applied.
- Assessment report
• An executive summary which summarizes the assessment findings, including a roll-up and overall maturity rating, available comparisons to healthcare and public sector industries, and a comparison to the previous report results for the areas with a change in CMM score.
• A detailed findings analysis, including a comparison to the previous report results.
• For every individual clause of ISO 27001:2022 (clauses 4 through 10) and every individual control, the report will include detailed observations, including detailed gap findings per clause and control assessed, recommendations, a risk severity rating and a CMM rating.
• The evidence used to develop the risk severity rating and the CMM rating for each clause should be itemized in the report in detail:
o Document references should include the version and page numbers;
o Interview references should include the meeting date and the attendees; and
o On an individual clause and control basis, the specific evidence artefacts used to determine the ratings should be referenced in the assessment report, so that the agency can determine how the ratings were developed and the proponent can accurately detect changes in future assessments.
• To assist the agency with planning future assessments, the report will provide a section that outlines the assessment details, including the assessment plan, the agency resources engaged (with a schedule showing the time required and the order of interviews where there are dependencies), the methodologies used, and an itemized bibliography of the documents and artefacts reviewed and the interviews performed.
o The methodologies may evolve in a “value-add” fashion over the course of the project, but must preserve a consistent baseline measurement so that the agency can track the progress of its efforts to mature the security program.
• The report will include a high-level ISO 27001 information security management system development roadmap “placemat” to guide the agency in addressing the gap findings, with 3-year and 5-year milestone columns.
o This roadmap will draw on the results of the assessment work and the agency's current roadmap plans; it will be technology and vendor agnostic (i.e., at the process and “capabilities” level) and pitched at a level suitable for the agency's strategic planning purposes.
o This roadmap will support the ISO 27001 risk assessment approach for determining which specific technical controls are required and what the performance objectives for those controls should be.
o This roadmap will also provide recommendations for addressing the gap findings over time.
- Questions/Inquiries Deadline: October 23, 2025