There are five maturity levels for assessing an organization’s information security management processes: Initial, Managed, Defined, Controlled, and Optimized.