
If cyber-related measures and projects are distributed “blindly” throughout the organization, protection against cyber threats remains piecemeal and information security incomplete. Instead, the current level of maturity should be determined using a comparable approach in order to target precisely where the company is most vulnerable at the moment.

Our globally deployed KPMG CMA method uses our own maturity model with nine domains. In addition, 100 percent coverage of the requirements of the ISO 27001 and NIST CSF 2.0 industry standards ensures that all facets of cybersecurity are examined, leaving no blind spots for the organization.

The individual control questions from the KPMG CMA can be answered either in a self-guided self-assessment or in a guided interview. In addition, existing cybersecurity documentation is evaluated as part of CMA projects. All results are stored centrally in the tool.

Based on all the information obtained, our clients then receive a formal final report consisting of the identified findings, the underlying risks, and appropriate recommendations for action. These form the starting point for cybersecurity projects or, if desired, further project phases, such as the development of a specific cybersecurity roadmap or a benchmark against peers from the same market environment.

Cyber maturity assessment

Our maturity model enables you to cover all areas of your cybersecurity and think outside the box: cybersecurity is not (solely) an IT issue involving technical security controls; it involves all stakeholders in the organization.

The topics addressed in the nine domains are constantly updated, ensuring that new developments, such as AI security, are also adequately covered.

KPMG approach

Project preparation

The first phase of our cyber maturity assessment lays the foundation for the success of your project. Together with your designated contact person, we prioritize the most important project areas and define the final scope (including necessary contacts and documentation). This ensures that all relevant aspects are taken into account and that the best possible results are achieved for your company.

Conducting the cybersecurity maturity analysis

In the second phase of our maturity analysis, the questions from our CMA are answered in a web-based self-assessment using the Alyne cyber GRC tool. Optionally, our KPMG experts can guide the contact persons through the questions in interviews and workshops. The tool-based approach allows the questions to be answered in parallel. This enables you to evaluate several areas of the company at the same time and identify potential risks at an early stage.

Preparation of a target group-oriented final report

All findings are summarized in a final report, and the results are classified in the context of risks and threat scenarios for your company. You will receive specific improvement options for the departments concerned, which can optionally be mapped to the requirements of relevant industry standards (e.g., ISO 27001:2022 or NIST CSF 2.0). In addition, the mapping to industry standards will give you an initial assessment of whether your company could obtain ISO 27001 certification, for example. Finally, this report will give you an overview of all relevant cybersecurity areas in your company and enable you to derive proactive measures to strengthen your security in a targeted manner.

Your advantages

  • Systematic and comparable assessment of the current cybersecurity status quo.

  • Identification of appropriate recommendations for action to raise the company's cybersecurity maturity level.

  • Starting point for a wide range of further improvement opportunities.

Frequently asked questions

The tool used by the KPMG CMA method is accessed via a browser, and data is stored in AWS. It has been contractually agreed that the data obtained will always remain physically stored within the EU.

No, the tool is browser-based. Licensing is not necessary, as KPMG has sufficient licenses. This also applies if the questions are answered by the client's employees in the self-assessment.

The typical duration of a CMA project is 6-12 weeks.

Of course, we cannot grant you direct access. However, the findings and data obtained can be evaluated in the form of benchmarks and added to the final report.