
      If cybersecurity measures and projects are distributed "blindly" across the organisation, protection against cyber threats remains piecemeal and information security stays patchy. Instead, the current level of maturity should be determined with a comparable, repeatable approach, so that effort is targeted precisely where the company is currently most exposed.

      Our KPMG CMA method, which is used worldwide, is built on its own maturity model with nine domains. In addition, the control questions cover the requirements of the ISO 27001 and NIST CSF 2.0 industry standards in full, so that all facets of cybersecurity are examined and the organisation is left with no blind spots.

      Triad of findings, risks and recommendations for action

      The individual control questions of the KPMG CMA can be answered either in a self-explanatory self-assessment or in a guided interview. In addition, the existing cybersecurity documentation is analysed as part of every CMA project. All results are stored centrally in the assessment tool.

      Based on all the information obtained, our customers receive a formal final report with a triad of identified findings, the underlying risks and appropriate recommendations for action. These form the starting point for cybersecurity projects or, if desired, further project phases, such as the development of a specific cybersecurity roadmap or a benchmark against peers from the same market environment.

      Cyber Maturity Assessment

      Our maturity model enables you to cover all areas of your cybersecurity and to look beyond the technical horizon: cybersecurity is not (solely) an IT issue of technical security controls, but involves all stakeholders in the organisation.

      The topics addressed in the nine domains are updated continuously, so that new developments, such as AI security, are also adequately covered.

      KPMG approach

      Project preparation

      The first phase of our cyber maturity assessment lays the foundations for the success of the project. Together with your designated contact person, the most important project focal points are prioritised and the final scope (including the required contact persons and documentation) is defined. This ensures that all relevant aspects are taken into account and that the assessment delivers the best possible results for your company.

      Carrying out the cybersecurity maturity analysis

      In the second phase of the maturity analysis, the questions of our CMA are answered in a web-based self-assessment using the cyber GRC tool Alyne. Optionally, our KPMG experts guide the contact persons through the questions in interviews and workshops. The tool-supported approach allows the questions to be answered in parallel, so that several areas of the company can be analysed simultaneously and potential risks identified at an early stage.

      Preparation of a target group-orientated final report

      All findings are summarised in a final report, and the results are classified in the context of the risks and threat scenarios relevant to your company. You receive specific improvement options for the affected departments, which can optionally be mapped to the requirements of relevant industry standards (e.g. ISO 27001:2022 or NIST CSF 2.0). This mapping also gives you an initial indication of whether your company could achieve ISO 27001 certification, for example. Finally, the report provides an overview of all relevant cybersecurity areas of your company and enables you to derive proactive measures that strengthen your security in a targeted manner.


      Your advantages

      • Systematic and comparable assessment of the current cybersecurity status quo.
      • Identification of suitable recommendations for action that raise the company's cybersecurity maturity level.
      • Starting point for a wide range of further improvement options.

      Frequently asked questions

      The tool used by the KPMG CMA method is operated via a browser, and the data is stored in AWS. It has been contractually agreed that the data obtained will always be physically stored within the EU.

      No, the tool is browser-based. No licensing on the client side is necessary, as KPMG holds sufficient licences. This also applies if the questions are answered by the client's own employees in the self-assessment.

      A CMA project typically takes 6 to 12 weeks.

      Of course, you will not be granted direct access. However, the findings and data obtained can be evaluated in the form of benchmarks and included in the final report.
