
UNCLASSIFIED

PROTECTIVE SECURITY CAPABILITY MATURITY MODEL


The capability maturity model (CMM) presented in this paper is provided to assist agencies to
assess their current capability across a number of protective security dimensions, to identify the
capability levels that are appropriate to the security risks they face, and to identify some of the
ways in which capability could be lifted.

Where agencies have diverse functions it may be appropriate to apply the CMM separately rather
than attempt to build a single view.

Protective Security CMM levels (base descriptions)


Informal
Processes are usually ad-hoc and undocumented. Some base practices may be performed within the
organisation, however there is a lack of consistent planning and tracking. Most improvement activity
occurs in reaction to incidents rather than proactively. Where practice is good it reflects the expertise
and effort of individuals rather than institutional knowledge. There may be some confidence that
security-related activities are performed adequately, however this performance is variable and the loss
of expert staff may significantly impact capability and practice.

Basic
The importance of security is recognised and key responsibilities are explicitly assigned. At least a
base set of protective security measures are planned and tracked. Activities are more repeatable and
results more consistent compared to the ‘informal’ level, at least within individual business units.
Policies are probably well documented, but processes and procedures may not be. Security risks and
requirements are occasionally reviewed. Corrective action is usually taken when problems are found.

Core
Policies, processes and standards are well defined and are actively and consistently followed across
the organisation. All the PSR’s mandatory requirements are complied with. Governance and
management structures are in place. Risk assessment and management activities are regularly
scheduled and completed. Historic performance information is periodically assessed and used to
determine where improvements should be made.

Managed
Day-to-day activity adapts dynamically and automatically in response to situational changes.
Quantitative performance measures are defined, baselined and applied to ensure security performance
is analysed objectively and can be accurately predicted in advance. In addition to meeting all
mandatory PSR requirements, the organisation also complies with many optional ‘better practice’
requirements.

Optimised
Security is a strategic issue for the organisation. Long-term planning is in place and integrated with
business planning to predict and prepare for protective security challenges. Effective continuous
process improvement is operating, supported by real-time, metrics-based performance data.
Mechanisms are also in place to encourage, develop and test innovations. The organisation complies
with all PSR mandatory requirements and all optional requirements unless the latter are explicitly
deemed not relevant.

PS CMM version 2 UNCLASSIFIED Page 1 of 12


The nature of capability maturity models is such that not every agency will need to achieve the
highest maturity level in each/any category. Depending on the agency’s security threat and risk
environment, ‘core’ will often be an appropriate target. Unnecessarily strong security measures
are expensive and can impede the delivery of public services.

Use each of the following tables to record how you rate your existing capability and also where
your agency needs to be. Bullet list items should be considered a guide rather than a complete
and authoritative list.

It is not necessary that all elements of a lower level are in place before rating at, or aiming for, a
higher level. The ‘informal’ and ‘basic’ levels are typically characterised by a lack of good practice.

Leadership and culture


Executive commitment and governance oversight (Current: ____ Target: ____)

Informal
- Leadership commitment to protective security is not demonstrated or visible
- Little executive awareness of protective security initiatives
- Protective security is not adequately resourced
- Little or no reporting or access to the executive leadership team / governance board(s)
- An agency Risk & Assurance Committee is either not in place or does not consider protective security

Basic
- Leadership and governance bodies discuss security, but generally only in response to breaches
- Access to the executive team and reporting lines to governance bodies exist, but can generally only be used when there are specific issues to be addressed
- Leaders are aware of security initiatives within their own business units
- Leaders are aware of the core skills and resources needed to effectively deliver protective security, but increased resourcing is needed

Core
- Leadership actively promotes good security practice
- The executive team and governance bodies receive regular updates on protective security
- Governance meetings include discussions on security issues and the effectiveness of protective measures
- Protective security is a standing agenda item for the agency’s Risk & Assurance Committee
- All aspects of protective security activity are adequately resourced

Managed
- Leadership takes a proactive and integrated approach to leading protective security management
- Management proactively reports to the executive team and governance bodies, including to inform them of any significant changes to the agency’s protective security risk profile
- Governance meetings include discussion of protective security as an integral aspect of strategic risk management
- Protective security resourcing is considered at a strategic level
- Leaders support inter-agency collaboration on security matters

Optimised
- Leadership works collectively to seek innovative ways to continuously improve protective security
- Oversight of protective security functions is demonstrated through governance bodies setting policies and monitoring compliance
- The executive team and governance bodies actively inform performance targets and improvements in security management
- Resources are deployed strategically to support the maintenance of effective protective security


Management structure, roles and responsibilities (Current: ____ Target: ____)

Informal
- No or limited defined reporting structures for protective security management, issue resolution, or practice improvement
- No senior executive is explicitly responsible for overseeing all aspects of protective security
- No supporting security management roles

Basic
- A senior executive is formally responsible for managing protective security, but in practice that person has limited involvement
- Other protective security leadership roles are assigned at a management level
- Some additional line management and reporting structures are in place for improving protective security and managing issues
- Communication between security leaders and other parts of the agency mainly occurs in response to breaches

Core
- A senior executive is authorised to make decisions on protective security, including resourcing; this person is accountable to the chief executive for security management and maintains oversight of all aspects of protective security for the agency
- Formal responsibility is assigned for each aspect of protective security, and for the implementation and maintenance of PSR compliance

Managed
- There is clear delineation of protective security governance (e.g. strategic direction-setting and policy approval) versus day-to-day management responsibilities
- Agency security leaders contribute to organisation risk assessment, business process design and the definition of change programmes
- All managers view protective security management as integral to their roles

Optimised
- Ongoing, regular and formal discussions on protective security occur between governance bodies, the executive leadership team and senior management levels
- Agency security leaders have the capability, capacity and authority to introduce protective security improvements

Monitoring and assurance (Current: ____ Target: ____)

Informal
- No formal monitoring or reporting lines
- No structured assurance programme is in place; any assurance activity is ad-hoc

Basic
- Monitoring, reporting and other assurance activities are informal and occur only as issues (e.g. breaches) arise and are managed
- The agency has some confidence it meets many of the PSR’s mandatory requirements

Core
- The agency meets the PSR’s assurance and reporting requirements, and can provide evidence of this
- Reporting lines and responsibilities are clear and there is regular management reporting
- Internal monitoring and reporting requirements are customised, well defined and assess all aspects of protective security and related risks
- Key performance indicators are used to track and measure performance

Managed
- Assurance is built into all aspects of protective security planning, governance and operations, and includes independent auditing
- Outcomes and outputs of assurance activity inform changes to protective security processes and responsibilities
- Key performance indicators are linked to, and seek to enable, the agency’s business strategy
- There is proactive reporting to all staff against key performance indicators

Optimised
- In addition to scheduled assurance activities, performance data is automatically captured, responded to in real time, and used to drive all aspects of protective security improvement
- Operational and contingency plans are routinely tested and improved


Organisation culture and behaviour (Current: ____ Target: ____)

Informal
- No documentation or guidance on what protective security means to the agency and why it is important
- Accountabilities relating to protective security are not clear or communicated
- No or limited modelling by senior management of protective security values
- No encouragement or support for staff to properly implement protective security practices
- No promotion or culture of reporting security breaches

Basic
- Protective security is almost exclusively a focus area for specialists; responsibility for security is seen as being assigned to just a few personnel
- The executive team and senior managers recognise the importance of an effective security culture, but are inconsistent in their approaches to developing this
- Principles for protective security are documented but are not incorporated into business processes
- Staff are encouraged to report security breaches, however the level of comfort by staff in doing this varies between business units

Core
- Values and aspirations for protective security are communicated in clear terms and are consistently understood throughout the agency
- The joint accountability of all staff for protective security is documented, well known and accepted; expectations of staff are clear
- Processes are in place to evaluate staff performance against expectations
- The executive team and senior managers actively and visibly demonstrate commitment to promoting good protective security practice
- Staff are encouraged to report security breaches and are comfortable doing so

Managed
- Protective security is well integrated into business processes
- All staff understand protective security policies and accept that they shape day-to-day behaviours
- All staff and contractors are responsible for ensuring protective security principles and practices are adhered to, and this responsibility is assessed as part of performance management
- The executive team, senior managers and governing bodies work together and with their teams to deliver consistent, positive messages on how the agency views and manages protective security
- Agency leaders are confident all protective security incidents are appropriately managed and reported; breaches are not hidden

Optimised
- All personnel actively identify with, and take responsibility for, protective security policies and practices
- Protective security is treated as a core competency
- Transparency and accountability are the norm; issues and conflicts are resolved positively and effectively
- Agency leaders work collectively and visibly to seek innovative ways to continuously improve protective security
- All staff and contractors are comfortable identifying risks and opportunities for improvement; new insights are acted upon collaboratively


Education and communications (Current: ____ Target: ____)

Informal
- No or limited education materials are available to staff
- No formal systems exist for communicating key decisions and messages
- Staff and contractors have limited or no awareness of the PSR and its relevance to the agency
- No or limited processes to detect gaps in understanding of the agency’s protective security needs or practices
- Business units do not seek specialist guidance on protective security

Basic
- Some systems for communicating regarding protective security exist, but these are not formally defined
- Communication is primarily one-way: top-down
- Some compliance-based training is delivered within business units, with little central oversight
- Any lack of staff or contractor understanding of requirements may only be identified when breaches occur

Core
- There are clear protocols for communications regarding protective security and these are regularly used
- All staff and contractors are required to undertake basic protective security training (e.g. as part of induction), with additional clearance-based training occurring as needed
- Staff and contractors are aware of the agency’s security policies and relevant resources available to them
- All staff and contractors are made aware of the requirements of relevant legislation (e.g. Crimes Act, Official Information Act, Privacy Act) and how these apply to them
- Training is adequate in content, frequency and form, including for staff with significant security responsibilities

Managed
- Open, two-way communications are active and processes are in place to ensure key messages are received and understood
- Training is targeted and role/job based
- Education needs are actively monitored and training is delivered when gaps are identified
- Staff and contractors’ understanding of security requirements is assessed and supplemented as needed before they are given access to information and other resources that need to be protected, and also when security clearances are renewed
- Training and communications are regularly revised so as to respond to an evolving security risk environment

Optimised
- There is clear and frequent communication between governing bodies and functional teams, and across the whole agency, about protective security and the effectiveness of existing practices and initiatives
- Training and communications enable all staff and contractors to be confident they understand and meet protective security obligations
- Training is role-specific and is regularly revised to align with best practice and continuously stimulate personnel


Planning, policies and protocols


Strategy development and delivery (Current: ____ Target: ____)

Informal
- No consideration or integration of protective security in agency or business unit strategies
- The agency knows it needs to improve aspects of protective security but is doing little to address this

Basic
- Protective security needs are considered in the development of strategic plans
- A protective security plan is in place and approved by the executive team and/or governance board
- There is little visible consideration of the agency’s security risk profile and tolerance
- Improvement activities are not consistent across the agency
- The agency is able to address some of its protective security risks but does not usually act until breaches or other issues occur

Core
- The agency protective security plan is reviewed at least every two years to ensure it remains relevant to the agency’s threat and risk profile, it is sustainable, and it continues to align with the PSR and other relevant government standards
- The agency’s tolerance for security risk is defined and is used to inform resourcing and activity scheduling
- Risks and outcomes drive improvement programmes across the agency
- The agency uses root cause analysis to address significant systemic security issues

Managed
- The results of risk management and assurance activity are promptly used to inform and update the protective security plan
- The executive team and governance bodies define the agency’s tolerance for security risk and accept the implications, including for business continuity and the agency’s strategic objectives
- Improvement programmes result in the proactive identification and resolution of potential security issues and risks, changes in communication and education delivered to personnel, and ongoing process enhancements

Optimised
- Protective security considerations are fully integrated into the business strategy and planning lifecycle
- Risk tolerance is regularly reviewed and formally agreed by the executive team and governance bodies, and is informed by ongoing assessment of protective security threats, trends and expectations
- Effective processes are operating to ensure any changes in security requirements or best practice are identified and assessed in the context of the agency’s security risk profile, and that appropriate change is delivered across the agency


Policies, processes and procedures (Current: ____ Target: ____)

Informal
- No identifiable protective security management policies, processes or procedures are in place
- There are no formal controls for ensuring protective security risks and needs are considered when designing or reviewing business processes
- Inconsistent and incomplete consideration is given to whether the agency meets the requirements of the PSR or other relevant government policies, standards or legislation
- Little or no due diligence is performed over third parties’ (e.g. suppliers or other agencies with which information is shared) protective security policies, practices and procedures

Basic
- Protective security is explicitly addressed in at least some policies, processes and procedures, but these may not be comprehensive and are not consistently followed; non-compliance is not identified
- Policies may be reviewed to ensure they comply with the PSR and other relevant requirements, though this generally only occurs in response to identified breaches
- Security threats and risks are sometimes considered when designing or reviewing processes, procedures and systems, but this is not compulsory
- The level of due diligence undertaken on third parties’ protective security policies, processes and procedures varies between business units and may only occur in response to a breach
- Third party contracts (and similar, e.g. inter-agency memoranda of understanding) include security provisions as appropriate

Core
- Security policies, processes and procedures are relevant, comprehensive, and easy to access and understand
- There is a common approach to security management across the agency and good compliance with requirements
- Processes and procedures are periodically reviewed, including against analysis of any changes in the PSR and the agency’s operating, policy, legislative and regulatory environment
- There are documented requirements to consider security threats and risks when designing processes, procedures and systems
- Contract templates include standard protective security terms and conditions
- Where third parties have access to information or assets that must be secured, or where they must protect the safety of people where the agency has a duty of care, due diligence is performed to ensure they meet the requirements of the PSR
- Third parties are educated in incident response processes

Managed
- Staff and managers proactively contribute to designing practices to support and complement protective security policies, identifying and communicating gaps or opportunities
- Management and security officers proactively review changes to relevant legislation and regulation, and emerging risks, and amend the agency’s protective security policies, processes and procedures where appropriate
- Business processes and procedures are designed specifically to mitigate security threats and risks
- Third party contract / agreement terms and conditions vary appropriately depending on the nature of the engagement
- Contracts and agreements are entered into only where the third party’s relevant protective security capability and practices are at least equivalent to those of the agency
- Where a third party contract or other agreement exists, there are regular reviews against security clauses and requirements

Optimised
- The principles and behaviours set out in protective security policies, processes and procedures are consistently demonstrated by all staff and contractors
- Effective systems are in place to ensure any changes to best practice or the agency’s threat and risk profile are quickly identified and reflected in security policies, processes and procedures
- Third parties are assessed against relevant security requirements before any contract or other agreement is entered into
- Audits of the security performance of third parties are performed and they are held accountable for the results
- Security risks and issues relating to contracts and other inter-organisation agreements are analysed; mitigation strategies are put in place to improve existing and future agreements where third parties have access to information or assets that must be secured, or where they must protect the safety of people where the agency has a duty of care


Risk management (Current: ____ Target: ____)

Informal
- No relationship between protective security functions and wider agency risk management functions
- No formal, structured or consistent process for identifying and assessing protective security threats and risks
- No or limited controls are in place specifically to prevent, detect or otherwise mitigate protective security risks
- No formal process for monitoring or reporting on protective security risks and mitigations

Basic
- There is limited interaction between protective security functions and wider agency risk management functions; what exists is primarily designed to mitigate specific identified risks
- Security risk assessments are performed at least occasionally, though this may be viewed simply as compliance activity; processes may be underdeveloped and not well documented
- Security risk definitions tend to be simplistic, overly generic and insufficiently analysed
- Protective security risks are monitored on a siloed basis in business units, with little or no cross-functional interaction
- Control activities that respond to identified protective security risks exist, but are not formally documented or tracked
- Protective security risk reporting is largely by exception; requirements for monitoring and reporting on controls are not fully documented

Core
- Protective security risk management processes align to the (inter)national standards identified in the PSR and are generally integrated with other aspects of the agency’s organisational risk management approach
- Security threat, vulnerability and risk assessments are performed on a scheduled basis
- Protective security risks are mainly monitored within business units at an operational level, with some information on external trends held centrally
- Business continuity management controls are in place to ensure the continuity of services and to mitigate security risks to an acceptable degree within the context of the agency’s overall risk tolerance
- Controls selected for monitoring, and the frequency with which they are evaluated, are decided based on risk assessments
- Reporting on security risks is both regular and proactive

Managed
- Protective security risks are considered and overseen within the agency’s strategic / enterprise risk management programme
- Protective security risks and issues are owned by the appropriate business units
- Identification and assessment of threats, vulnerabilities and risks is proactive and accepted as an enabler of business continuity
- Monitoring includes analysis of whether risk levels have changed, whether controls are being applied effectively and whether risk management improvements are being implemented
- Risk mitigation plans are applied and integrated across the agency; security functions coordinate these plans and ensure mitigations are applied consistently across different areas affected by the same risks
- Management responsibility is formally assigned for regularly testing business continuity measures and reviewing other risk controls, and for reporting on review results
- Protective security risk reporting is well defined, integrated into wider business-as-usual management reporting and regularly reviewed at the executive level

Optimised
- Protective security risk management is firmly embedded within the agency’s strategic / enterprise risk management function
- All staff consider the identification of protective security risks as their responsibility
- Well defined, best practice and efficient threat, vulnerability and risk identification and assessment processes are integrated into business activities across the agency; all management and staff see these processes as adding value to the agency and its services
- Protective security personnel / functions support the rest of the agency to improve controls and implement best practice
- Continuous monitoring and auditing occurs to detect, monitor and prevent control breakdowns in key / high risk areas
- The agency tracks the implementation and effectiveness of controls; all units work closely with central functions and external reviewers to optimise security risk management and control
- Protective security risk reporting links risks to the agency’s protective security plan and key performance indicators so that risk information is integrated into wider strategic performance reporting


Incident management (Current: ____ Target: ____)

Informal
- No structured approach to managing security incidents (infringements, violations, breaches), with little documentation or direct support being provided
- No defined requirements for reporting security incidents

Basic
- Limited staff awareness of the nature of, or potential for, different types of security incidents
- Incident response processes are informal; responses are managed within teams with limited central oversight

Core
- Incident recording, response and escalation processes and responsibilities are well documented and are followed
- The executive team receives reports on security incidents, the measures taken to remedy them, and any disciplinary action taken, for instance as a result of a deliberate breach
- The agency complies with PSR requirements for the external reporting of security incidents, including contact reporting
- There is agency-wide understanding of what a security incident is (including infringements, violations and breaches); staff and contractors know how to respond to an incident, including who to inform and the timeframe for reporting

Managed
- The agency has a comprehensive and consistent approach to incident management; a well-defined hierarchy of escalation triggers exists
- Security incidents are well recorded and root cause analysis is performed to inform process improvements
- A process is in place for recording and reporting on incidents, trends, risks and other relevant information

Optimised
- There is ongoing research into appropriate measures for preventing and managing incidents, and this information is used to proactively adjust processes and systems
- All significant incidents are managed in accordance with the agency’s crisis management approach


Personnel security
Personnel security (Current: ____ Target: ____)

Informal
- Limited, undefined and inconsistent controls are in place to ensure only appropriately authorised people have access to the agency’s facilities, information and other assets
- No central register of security cleared personnel is maintained; poor controls to ensure clearances remain current
- Personnel with expired or revoked security clearances are able to continue accessing classified information and resources
- No reporting to the NZSIS regarding the granting and management of security clearances

Basic
- Few or no measures are in place to ensure personnel remain suitable to access agency resources on an ongoing basis
- Where personnel require access to national security classified information or resources, the requisite security clearances are secured, following the correct process
- Little or no ongoing security clearance maintenance activity other than when renewals are needed
- Some reporting to the NZSIS regarding security clearance management, but this is limited mainly to the initial granting of clearances to personnel

Core
- Effective policies and procedures are in place to assess and manage the ongoing suitability of all personnel to access / use agency resources
- When staff or contractors cease working for the agency their physical and system access privileges are immediately revoked and they are provided with advice regarding any ongoing obligations (e.g. under legislation)
- The agency has clearly communicated procedures in place for managing international travel by all staff and delivering briefings, particularly where staff hold a national security clearance
- Agency policy requires all personnel to report suspicious contacts
- All positions requiring ongoing access to classified information and resources are identified; staff and contractors who will work in these roles are provided with appropriate training and are required to formally acknowledge they will comply with relevant policies and protocols
- The agency maintains an up-to-date register of all staff and contractors who hold national security clearances
- There is a review of whether a position requires a national security clearance (or clearance level change) prior to renewal
- Regular security clearance maintenance ‘checkpoints’ are scheduled for all cleared staff and contractors, e.g. as part of annual performance reviews
- The agency informs the NZSIS of the granting, downgrading, suspension or cancellation of all national security clearances, and of any factors that may impact the ability of staff or contractors to maintain a clearance

Managed
- Protective security risk management activity is well informed by periodic reviews of the personnel security threats the agency may face within its risk environment across each area of its business
- When recruitment into a role requiring a national security clearance is initiated, up-front measures are taken to minimise the risk of engaging a person who is not eligible to undergo security vetting
- Defined processes exist and are well understood for handling cases where a person fails to gain or maintain a clearance level that is required for a position they are seeking or currently hold
- The agency regularly reviews its register of security cleared staff and contractors, and ensures all updates are promptly reported to the NZSIS
- Staff and contractors with national security clearances have a thorough understanding of, and proactively comply with, ongoing maintenance requirements; when clearance renewal processes are run, few or no factors (e.g. reportable changes in circumstances) are discovered that should have been reported earlier

Optimised
- As a matter of course, any initiative that leads to the reallocation of responsibilities within the agency includes an assessment of impacts on position security clearance requirements
- Where the agency sponsors the vetting and national security clearance of personnel employed by third parties, it periodically performs spot audit checks to ensure pre-vetting employment checks are completed and appropriate records are maintained

PS CMM version 2 UNCLASSIFIED Page 10 of 12



Information security
Level | Indicators | Current | Target

Informal
- No identifiable information security policies or controls are in place
- Little or no proactive identification of the types of information and other assets requiring a security classification, and little confidence classified resources are consistently handled correctly

Basic
- Some information security policy and framework elements are in place, but these may not be comprehensive and are not consistently followed; non-compliance is not identified
- There are pockets of good information security behaviour and controls (e.g. for ICT systems), but standards are not applied over all information holdings across the agency

Core
- A comprehensive risk-based information security policy is documented, well communicated, and supported by a defined management framework, documented procedures, and effective controls, in compliance with the PSR (including the New Zealand Information Security Manual)
- All information and other assets requiring classification are consistently classified, marked, accessed and handled in accordance with the New Zealand Government Security Classification System and other relevant legislation (e.g. the Privacy Act, the Public Records Act) and standards; this treatment extends to resources originating from another agency or jurisdiction, and to resources held by third parties on behalf of the agency
- Effective business continuity measures are in place to protect against the loss or unavailability of information and other assets
- Access controls and activity audits support the integrity of ICT systems and the data they hold
- Systems are in place to deter, detect and report on unauthorised or otherwise inappropriate access to information (including paper-based) and ICT systems, including during systems development and throughout the information lifecycle

Managed
- Staff proactively contribute to refining information management processes and controls; changes are consistent with the agency’s security risk profile and integrated with wider protective security policy
- Information is protected as a strategic asset; process design considers information security needs from inception, including for data aggregations
- All relevant personnel understand the New Zealand Government Security Classification System and accept the importance of appropriately classifying, marking, handling and accessing information and other assets
- Agency-specific guidelines and tools are in place to help personnel understand and comply with the New Zealand Government Security Classification System and associated handling requirements
- Information usage records and environment scans are used to inform changes to information security policy and controls
- Personnel responsibilities are appropriately segregated to reduce opportunities for unauthorised or unintentional modification or misuse of classified information assets
- Access controls are automatically updated when personnel change roles or leave the agency
- Information security is subject to both scheduled and unannounced testing and audit on an ongoing basis

Optimised
- The principles and behaviours defined in the information security policy and supporting controls are consistently demonstrated by all staff and contractors; innovation proposals are encouraged and actively assessed
- Systems are in place to automatically detect, monitor and respond to irregular access to information in real time




Physical security
Level | Indicators | Current | Target

Informal
- No identifiable physical security policies or controls are in place
- The agency cannot be confident it would quickly detect the theft of, or attacks on, physical assets and information

Basic
- Some physical security policy and framework elements are in place, but these may not be comprehensive and are not consistently followed; non-compliance is not identified
- There are pockets of good physical security behaviour and controls, but standards are not consistently applied across the agency

Core
- A comprehensive risk-based physical security policy is documented, communicated, and supported by systems for protecting and supporting people (including customers and members of the public as relevant), and for incident response and reporting
- The agency’s physical security policy addresses the safety and security of personnel and assets when offsite
- Effective and proportionate measures are in place to prevent, detect and impede attacks on, or the unauthorised removal of, physical assets and information
- Physical security and safety needs are actively considered from the early stage of any premises relocation, refurbishment or construction; corresponding zone and control design and certification requirements are complied with

Managed
- Staff proactively contribute to evolving physical security controls; changes are consistent with the agency’s security risk profile, integrate with wider protective security policy and are promptly communicated
- Systems are in place to immediately detect, monitor and respond to physical security breaches
- Enhanced physical security measures are automatically adopted in response to emergencies or a heightened threat environment; all staff and contractors are aware of their responsibilities in such situations

Optimised
- The principles and behaviours defined in the physical security policy and supporting controls are consistently demonstrated by all staff and contractors
- Physical security is subject to regular spot audit checks; all staff and contractors appreciate the importance of these and accept the consequences of significant and/or repeated breaches of standards
