
CR-CMM

The Cyber Resilience Capability Maturity Model lets you measure, benchmark, and improve resilience across 10 core domains.

About CR-CMM

Inspired by the SOC-CMM (Security Operations Capability Maturity Model) and CTI-CMM (Cyber Threat Intelligence Capability Maturity Model), the CR-CMM provides a structured pathway for organizations to assess and advance their resilience capabilities.

Unlike traditional compliance-focused assessments, CR-CMM emphasizes operational survivability, business continuity, and the ability to adapt and recover from disruptions.

“With a one-hour workshop we pinpointed our biggest resilience gaps...”

— CISO, healthcare sector

10 Core Practices

The foundational domains of cyber resilience capability.

Practice 01

Asset Inventory & Criticality

Comprehensive visibility into organizational assets, their interdependencies, and their criticality to core business functions.

Practice 02

Threat Intelligence Integration

Systematic collection, analysis, and operationalization of threat intelligence to anticipate and prepare for emerging threats.

Practice 03

Vulnerability Management

Continuous identification, prioritization, and remediation of vulnerabilities across the attack surface.

Practice 04

Incident Detection & Response

Automated detection capabilities and well-rehearsed response procedures that minimize dwell time and impact.

Practice 05

Business Continuity Planning

Documented and regularly tested plans to maintain critical operations during and after disruptive events.

Practice 06

Recovery & Restoration

Pre-planned recovery procedures with defined recovery time and recovery point objectives (RTOs/RPOs), and restoration capabilities that are tested regularly rather than assumed to work.
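As an added worked example (not part of the CR-CMM text), the Python check below evaluates declared RTO/RPO targets against actual recovery evidence: the age of the newest successful backup against the RPO, and the most recent restore drill against the RTO. The asset names, timestamps, field names and the 180-day drill-freshness window are constructed assumptions, not a CR-CMM schema. It encodes the practitioner's caveat behind "regularly tested": an asset whose backups exist but have never been restored has an unproven RTO, not a met one.

```python
"""Check recovery evidence against declared RTO/RPO targets.

Added illustration, not part of the CR-CMM framework. All records below are
constructed sample data; field names and the 180-day drill window are
assumptions of this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "now" so the results are reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
DRILL_MAX_AGE = timedelta(days=180)  # assumed: a restore drill older than this is stale evidence


@dataclass
class RecoveryTarget:
    asset: str
    rpo: timedelta                       # maximum tolerable data loss
    rto: timedelta                       # maximum tolerable downtime
    backups: list = field(default_factory=list)         # completion times of successful backups
    restore_drills: list = field(default_factory=list)  # (drill time, measured restore duration)


def check_target(t: RecoveryTarget, now: datetime = NOW) -> dict:
    """Return whether each objective is evidenced, with human-readable findings.

    RPO is met only if the newest successful backup is no older than the RPO.
    RTO is met only if a recent restore drill actually completed within the
    RTO; no drill, or a stale one, means the RTO is unproven, not met.
    """
    findings = []
    latest_backup = max(t.backups, default=None)
    if latest_backup is None:
        rpo_met = False
        findings.append("no successful backup recorded")
    else:
        age = now - latest_backup
        rpo_met = age <= t.rpo
        if not rpo_met:
            findings.append(f"newest backup is {age} old, exceeds RPO {t.rpo}")

    if not t.restore_drills:
        rto_met = False
        findings.append("restore never tested; RTO unproven")
    else:
        drill_time, duration = max(t.restore_drills)  # most recent drill
        within_rto = duration <= t.rto
        fresh = now - drill_time <= DRILL_MAX_AGE
        rto_met = within_rto and fresh
        if not within_rto:
            findings.append(f"last drill took {duration}, exceeds RTO {t.rto}")
        if not fresh:
            findings.append(f"last restore drill is {(now - drill_time).days} days old")
    return {"asset": t.asset, "rpo_met": rpo_met, "rto_met": rto_met, "findings": findings}


def unproven_assets(targets, now: datetime = NOW) -> list:
    """Assets whose recovery is not fully evidenced, sorted by name."""
    return sorted(r["asset"] for r in (check_target(t, now) for t in targets)
                  if not (r["rpo_met"] and r["rto_met"]))


# Constructed sample data: one fully evidenced asset, one with a stale backup
# and stale drill, one that has backups but has never been restored.
SAMPLE_TARGETS = [
    RecoveryTarget("patient-records-db", rpo=timedelta(hours=1), rto=timedelta(hours=4),
                   backups=[NOW - timedelta(minutes=20), NOW - timedelta(hours=1, minutes=20)],
                   restore_drills=[(NOW - timedelta(days=30), timedelta(hours=2, minutes=30))]),
    RecoveryTarget("imaging-archive", rpo=timedelta(hours=24), rto=timedelta(hours=8),
                   backups=[NOW - timedelta(hours=30)],
                   restore_drills=[(NOW - timedelta(days=400), timedelta(hours=6))]),
    RecoveryTarget("billing-api", rpo=timedelta(hours=4), rto=timedelta(hours=2),
                   backups=[NOW - timedelta(hours=2)],
                   restore_drills=[]),
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        r = check_target(t)
        status = "OK" if r["rpo_met"] and r["rto_met"] else "GAP"
        print(f"{status:3} {r['asset']}: " + ("; ".join(r["findings"]) or "RPO and RTO evidenced"))
```

Run as a script, the report flags imaging-archive (backup older than its RPO, drill over a year old) and billing-api (never restored) as gaps, and passes patient-records-db. Feeding it real backup-job and drill records in place of the constructed sample is the whole adaptation.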

Practice 07

Third-Party Risk Management

Assessment and ongoing monitoring of supply chain and partner risks that could affect organizational resilience.

Practice 08

Security Architecture

Defense-in-depth architecture designed for graceful degradation and minimal blast radius.
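The following Python example is added here to illustrate two of the practices above, Asset Inventory & Criticality (interdependencies and criticality) and Security Architecture (blast radius); it is not part of the CR-CMM framework. It models a small dependency graph, lets each asset inherit the criticality of the most critical business function that transitively depends on it, computes the blast radius of any asset's failure, and flags shared dependencies whose loss would take down several business functions at once. The graph, the asset and function names, the edge direction and the tier scale (1 = most critical) are constructed assumptions.

```python
"""Criticality inheritance and blast radius over an asset dependency graph.

Added illustration, not part of the CR-CMM framework. The graph and the
tier scale (1 = most critical) are constructed assumptions of this example.
"""
from collections import deque

# Business functions and the criticality tier assigned to each (assumed scale, 1 = most critical).
FUNCTIONS = {"patient-care": 1, "billing": 2, "marketing-site": 3}

# DEPENDS_ON[x] = the things x cannot operate without. Functions depend on
# applications; applications depend on infrastructure. Constructed sample data.
DEPENDS_ON = {
    "patient-care": {"ehr-app"},
    "billing": {"billing-api"},
    "marketing-site": {"cms"},
    "ehr-app": {"patient-db", "idp"},
    "billing-api": {"billing-db", "idp"},
    "cms": {"cms-db"},
    "patient-db": {"san-cluster"},
    "billing-db": {"san-cluster"},
    "cms-db": set(),
    "idp": set(),
    "san-cluster": set(),
}


def dependents_of(graph):
    """Invert the graph: for each node, the nodes that depend on it directly."""
    rev = {n: set() for n in graph}
    for node, deps in graph.items():
        for d in deps:
            rev.setdefault(d, set()).add(node)
    return rev


def blast_radius(asset, graph=DEPENDS_ON):
    """Everything that transitively depends on `asset` (the asset itself excluded)."""
    rev = dependents_of(graph)
    seen, queue = set(), deque([asset])
    while queue:
        node = queue.popleft()
        for upstream in rev.get(node, ()):
            if upstream not in seen:
                seen.add(upstream)
                queue.append(upstream)
    return seen


def inherited_criticality(graph=DEPENDS_ON, functions=FUNCTIONS):
    """Each asset inherits the tier of the most critical business function in
    its blast radius. Assets that support no function get None, which is
    itself a useful inventory finding (orphaned or unmapped asset)."""
    result = {}
    for node in graph:
        if node in functions:
            continue
        tiers = [functions[x] for x in blast_radius(node, graph) if x in functions]
        result[node] = min(tiers) if tiers else None
    return result


def single_points_of_failure(graph=DEPENDS_ON, functions=FUNCTIONS, min_functions=2):
    """Assets whose failure takes down at least `min_functions` business functions:
    shared dependencies the architecture should segment or make redundant."""
    spof = {}
    for node in graph:
        if node in functions:
            continue
        hit = sorted(x for x in blast_radius(node, graph) if x in functions)
        if len(hit) >= min_functions:
            spof[node] = hit
    return spof


if __name__ == "__main__":
    for asset, tier in sorted(inherited_criticality().items(), key=lambda kv: (kv[1] is None, kv[1])):
        print(f"tier {tier}: {asset}  (blast radius: {sorted(blast_radius(asset))})")
    print("shared dependencies:", single_points_of_failure())
```

On the sample graph the storage cluster and the identity provider both inherit tier 1 even though nobody listed them as "critical" directly, because patient care depends on them two hops away, and both are flagged as shared dependencies of two business functions. That is the kind of result an inventory built from CMDB exports alone tends to miss.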

Practice 09

Governance & Accountability

Clear ownership, reporting structures, and board-level oversight of resilience initiatives.

Practice 10

Continuous Improvement

Post-incident analysis, lessons learned, and systematic enhancement of resilience capabilities.

Maturity Levels

From ad-hoc responses to predictive optimization.

Level 1: Initial

Ad-hoc responses to incidents. Limited visibility into assets and threats. Reactive posture.

Level 2: Developing

Basic processes documented. Some automation in place. Limited testing and training.

Level 3: Defined

Formalized procedures. Regular testing. Clear governance and accountability structures.

Level 4: Managed

Quantitative metrics in place. Continuous monitoring. Proactive threat hunting.

Level 5: Optimizing

Predictive capabilities. Fully automated response. Continuous improvement driven by data.

Frequently Asked Questions

Common questions about the CR-CMM framework.

What is the CR-CMM?
The Cyber Resilience Capability Maturity Model (CR-CMM) is a framework inspired by SOC-CMM and CTI-CMM that provides a structured approach to assessing and improving organizational cyber resilience capabilities across 10 core domains.
Who can use the CR-CMM?
The CR-CMM is designed for CISOs, security leaders, risk officers, and practitioners across all sectors who want to measure and improve their organization's resilience posture.
How long does an assessment take?
A typical self-assessment can be completed in 2-4 hours. A comprehensive external assessment may take 1-2 days depending on organization size.
Is the CR-CMM free to use?
Yes, the framework is freely available. Organizations can use it for self-assessment or engage certified practitioners for external evaluations.
How does CR-CMM compare to other maturity models?
CR-CMM is specifically designed for cyber resilience rather than security or compliance. It focuses on business survivability and operational continuity rather than threat prevention.
Can CR-CMM be integrated with existing frameworks?
Yes, CR-CMM is designed to complement existing frameworks like NIST CSF, ISO 27001, and SOC 2, providing a resilience-focused lens on top of these baselines.
How often should an organization reassess?
We recommend annual reassessment, with interim reviews after significant incidents, organizational changes, or major technology deployments.
Where can I learn more about implementation?
Visit cr-cmm.org for detailed implementation guides, training resources, and information about certified practitioners.

Ready to assess your resilience?

Download the complete CR-CMM framework or learn more about implementation.