CMMI Adoption Guidance

The document provides guidance on the Capability Maturity Model Integration (CMMI), a framework designed to improve organizational performance through best practices. It outlines the benefits of adopting CMMI, including enhanced quality, productivity, and competitiveness, while also detailing the steps for effective implementation. Additionally, it includes a change history and various appendices that offer further resources and insights into CMMI practices and roles.


Page 1 of 79
Copyright © 2024 ISACA
THIS ISACA MATERIAL IS FURNISHED ON AN “AS-IS” BASIS.
TO THE MAXIMUM EXTENT ALLOWED BY LAW, ISACA SPECIFICALLY DISCLAIMS ALL
WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY, REGARDING OR RELATING TO THE
CAPABILITY MATURITY MODEL INTEGRATION (CMMI), AND ALL MODEL CONTENT, INCLUDING
THE CMMI PERFORMANCE SOLUTIONS ECOSYSTEM, CMMI METHOD DEFINITION DOCUMENT,
CMMI ADOPTION GUIDANCE, CMMI MODEL, CMMI TRAINING, CMMI MODEL VIEWER (“CMMI
CONTENT”), CMMI APPRAISAL SYSTEM, CMMI COURSE MANAGEMENT SYSTEM, AND CMMI
WEBSITE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, USAGE OF TRADE, AND COURSE OF DEALING OR
PERFORMANCE.
ISACA owns all copyright, trademark, and all other intellectual property rights in the CMMI
Content. You may not reproduce, duplicate, copy, sell, resell, assign, transfer, create derivative
works of, incorporate in any software or tool, or commercially exploit any portion of the CMMI
Content, without express written permission by ISACA. You are solely responsible for your use
of the CMMI Content, and agree to defend, indemnify, and hold ISACA harmless from any
claims, liability, damages, costs, or expenses incurred by ISACA arising from your use of the
CMMI Content.

Page 2
© 2024 ISACA. All rights reserved.
Document Change History

Version 3.1.01 (31 October 2024). Updates include:
• Minor updates for general grammar/formatting and consistency with the CMMI Performance Solutions ecosystem, e.g., graphics, copyright
• Updated Figure 18 Measurement Categories and Related Subcategories to align with updates to the Performance Report Template

Version 3.1 (18 January 2024). Updates include:
• Minor updates for general grammar/formatting and consistency with the CMMI Performance Solutions ecosystem, e.g., graphics, copyright, updates to Appendix A: Additional Resources
• Combined Figure 18 and 19 tables to include Measurement Categories and Related Subcategories in one table for consistency with the Performance Report Template

Version 3.0 (6 April 2023). Updates include:
• Minor updates for general grammar/formatting and consistency with the CMMI Performance Solutions ecosystem, e.g., graphics
• Removed information and references throughout to transition guidance, since CMMI V1.3 is sunset
• Added information about new domains and Practice Areas associated with CMMI V3.0
• Addition of Appendix H: Performance Categories
• Addition of Appendix I: CMMI Context Specific Tags

Version 2.3 (12 January 2022). Updates include:
• Minor updates for general grammar/formatting and consistency with the CMMI Product Suite, e.g., capitalization, acronym usage, graphic updates, removal of V2.0 and adjustments to version references for greater accuracy
• Inclusion of additional security and safety considerations
• Addition of persona graphics within steps and Appendix D: Typical CMMI Roles
• Addition of Appendix G: CMMI Practice Area Security Adoption Examples

Version 2.2 (10 March 2021). Updates include:
• Incorporated the CMMI model content additions of Security, Safety, and Virtual Solution Delivery
• Addressed minor editorial updates for clarification and consistency with the CMMI V2.0 Product Suite, e.g., updates to CMMI Institute references, updates to graphics

Version 2.1 (4 December 2018). Updated information to reflect CMMI V2.1, including views for Development, Services, and Supplier Management.

Version 2.0 (28 March 2018). Initial baseline release.

Page 4
© 2024 ISACA. All rights reserved.
Contents
Introduction to this Guidance ...................................................................................... 7
Intended Audience .................................................................................................. 7
What is Capability Maturity Model Integration (CMMI)? .......................................... 7
Why Use CMMI? ..................................................................................................... 8
Why Use this Guidance? ......................................................................................... 9
How to use this Guidance ....................................................................................... 9

LEARN .......................................................................................................................... 13
Step 1: Learn how CMMI will benefit the organization .......................................... 13

ESTABLISH OBJECTIVES .......................................................................................... 18


Step 2: Establish performance improvement objectives aligned to your
organizational objectives ....................................................................................... 18

ANALYZE...................................................................................................................... 23
Step 3: Map current organizational processes to CMMI ....................................... 23

DEVELOP ACTION PLAN ............................................................................................ 25


Step 4: Develop and follow action plans, and keep them updated ....................... 25

DEPLOY IMPROVEMENTS ......................................................................................... 28


Step 5: Deploy improvements and measure results ............................................. 28

ASSESS CAPABILITY ................................................................................................. 32


Step 6: Assess capability and performance .......................................................... 32

Appendix A: Additional Resources............................................................................ 35


Additional References ........................................................................................... 36

Appendix B: CMMI Categories, Capability Areas, and Practice Areas ................... 37

Appendix C: Problem Identification and Resolution Using CMMI .......................... 39

Appendix D: Typical CMMI Adoption Roles .............................................................. 44


Working with a CMMI Partner-Sponsored Individual ............................................. 51

Working with ISACA .............................................................................................. 53

Appendix E: Building Goals, Risks, and KPIs .......................................................... 54

Appendix F: Define Your Current Processes ............................................................ 55

Appendix G: CMMI Practice Area Security Adoption Examples ............................. 56

Appendix H: Performance Categories ....................................................................... 67

Appendix I: Context Specific Tags............................................................................. 74

List of Figures
Figure 1. Adoption Guidance Overview .......................................................................................... 9
Figure 2. CMMI Performance Solutions Ecosystem...................................................................... 10
Figure 3. Categories and Capability Areas .................................................................................... 11
Figure 4. Steps for Applying CMMI for Continuous Improvement ............................................... 12
Figure 5. Step 1 Activities and Considerations Table .................................................................... 14
Figure 6. Critical Elements for Successful Change ........................................................................ 16
Figure 7. Step 2 Activities and Considerations Table .................................................................... 19
Figure 8. Step 3 Activities and Considerations Table .................................................................... 24
Figure 9. Step 4 Activities and Considerations Table .................................................................... 26
Figure 10. Step 5 Activities and Considerations Table.................................................................. 29
Figure 11. Step 6 Activities and Considerations Table.................................................................. 33
Figure 12. Adoption Guidance Cycle ............................................................................................. 34
Figure 13. CMMI Adoption Resources .......................................................................................... 35
Figure 14. Categories, Capability Areas, and Practice Areas ........................................................ 38
Figure 15. Problem Identification and Resolution Using CMMI ................................................... 39
Figure 16. When and How a CMMI Partner-Sponsored Individual Can Help ............................... 52
Figure 17. CMMI Practice Area Security Adoption Examples ....................................................... 56
Figure 18. Performance Report Measurement Categories and Related Subcategories .............. 67
Figure 19. CMMI Context Specific Tags ........................................................................................ 74

Introduction to this Guidance
Intended Audience
The audience for this guidance includes anyone who is facing business challenges and wants to
address them by using the Capability Maturity Model Integration (CMMI®). It also includes
anyone who would like to improve the performance of their business systematically, efficiently,
and effectively by adopting CMMI.

What is Capability Maturity Model Integration (CMMI)?

CMMI is a performance improvement model for organizations and projects that want to achieve increasingly better performance and solve business challenges. Proven effective globally in business and government for over 25 years, CMMI is an integrated framework of best practices that can rapidly improve and sustain any organization’s performance to elevate quality, profitability, productivity, cybersecurity resilience, and competitiveness.

Capability: Anything an organization must do well that drives meaningful business results. Capabilities are what an organization needs to implement its business model or fulfill its mission and achieve measurable business results. All organizations have capabilities; without them a business could not start or grow. Capabilities are typically organizational level skills, abilities, and knowledge embedded in people, processes, infrastructure, and technology.

CMMI is not prescriptive; rather it describes what to do to improve an organization’s capabilities, not how to do it. This makes the model very flexible to meet the unique needs of any business. In addition, CMMI complements and enhances performance improvement in conjunction with other industry models and standards. Use CMMI to establish processes that help an organization or project meet Business Objectives and improve performance in ways that matter most.
CMMI includes multiple domains and views. The organization can select the Capability Areas,
Practice Areas, domains, or views that are most pertinent to their business operations. For
example, organizations required to follow security regulations may select the Security
domain, or the Capability Area of Managing Security and Safety. To achieve the most impactful
and productive results, it is important to incorporate a domain, like Security, into a performance
improvement initiative. This involves full integration with the organization’s activities, e.g.,
embedded within program plans and process assets, and the incorporation should not be
treated as an afterthought, e.g., adding an item to a checklist, adding a security representative
into a meeting. CMMI deliberately integrates each domain, like Security, into all aspects of the
CMMI Categories of “Doing,” “Managing,” “Enabling,” and “Improving” processes. Refer to
Figure 3. Categories and Capability Areas.

Why Use CMMI?
CMMI helps businesses to quickly understand their current level of capability and performance
both in the context of their own objectives and as compared with other businesses and
organizations. If business needs and objectives are not being met, CMMI practices can guide
systematic and effective improvement to elevate and optimize performance to better serve the
needs of the business and ultimately the customer.
The need for improvement can originate from internal and external sources. Customers may
demand improvements. Market forces may drive the need to improve competitiveness.
Government or industry regulations may require changes in how an organization operates.
Rather than using multiple approaches for achieving similar performance, contractual, or
regulatory compliance goals, CMMI provides a single approach, or framework, for an
organization to address these multiple needs. For example, new security threats and
vulnerabilities are continually surfacing within industry, and in response to the increased
challenges the United States Department of Defense developed the Cybersecurity Maturity
Model Certification (CMMC). CMMI provides a solid foundation for the CMMC maturity processes
required. For instance, the CMMC model is relatively silent on process design, development,
persistence, habit, and performance, whereas CMMI provides proven holistic approaches for
each of these by providing integrated best practices for policies, processes, procedures, and
planning which are the foundational elements in CMMI for persistence and habit.
Using CMMI provides many benefits including:
• Providing a positive return on performance improvement investments
• Meeting commitments that result in:
o More timely delivery
o Fewer last-minute crunches
o Enhanced cost control
o Increased quality of solutions
• Increasing management visibility which results in:
o More rapid response to issues and risks
o Fewer surprises
o Met or exceeded customer needs and expectations
o Reduced defects and customer complaints
o Reduced rework
o Lower employee turnover
• Increasing organizational scalability, agility, and responsiveness
o Holistic view across multiple capabilities
o Performance and outcome-based approach to processes
o Flexibility to adapt processes to evolving requirements and issues such as
cybersecurity
o Project and organizational tailoring of processes to meet unique customer needs
A CMMI Performance Report Summary has been published showing tangible performance
benefits and improvements from organizations’ adoption of CMMI. Additional benefits can be
found in Appendix D: Typical CMMI Adoption Roles. This appendix describes different roles
involved in adopting CMMI, the activities performed by those roles, and the associated benefits
from using the model.

Why Use this Guidance?


This adoption guidance helps any organization use CMMI as a roadmap for its performance
improvement journey. An organization can benefit the most from CMMI by tailoring its practices
in a way that best fits its business environment. This guidance places an organization on the
right track to effectively apply CMMI practices to its organizational and project processes. See
Figure 1. Adoption Guidance Overview.

Figure 1. Adoption Guidance Overview

This Guidance Is…
• An overview of activities and considerations when using CMMI to enable performance and process improvement
• Built on lessons learned and best practices derived from a broad variety of industry experiences
• A reference to assist CMMI adoption

This Guidance Is NOT…
• A detailed checklist or “how to” guide or a set of executable processes
• A set of activities and considerations for appraisal preparation
• The only approach for adopting CMMI

How to use this Guidance

This guidance describes high-level steps for adopting CMMI in an organization. Each step includes a brief description, activities to perform when implementing the step, and suggestions to consider when performing the activities. The step may include additional information such as examples, elaborations, training, tools, and techniques. This guidance is designed and intended to continually improve and be kept current with the latest techniques, content, technologies, and other trends with practical input from CMMI Partners and users.

Definitions and Tips: Throughout this guidance, these blue boxes will include definitions of CMMI terms, tips, hints, and other best practices to consider when adopting CMMI.

Figure 2. CMMI Performance Solutions Ecosystem shows the parts of the CMMI Performance Solutions ecosystem. This guidance is just one resource in the integrated CMMI Performance Solutions ecosystem and aids organizations with the successful adoption of CMMI. It serves as a navigator to help users understand how all the ecosystem resources fit together and to efficiently utilize these resources to support their Business Objectives.

Figure 2. CMMI Performance Solutions Ecosystem

In addition to these ecosystem components, ISACA provides several resources for adoption. For
a detailed list of adoption resources, refer to Appendix A: Additional Resources.
The adoption guidance follows the primary CMMI categories “Doing,” “Managing,” “Enabling,”
and “Improving” as part of its six-step approach. Figure 3. Categories and Capability Areas lists
the CMMI categories and their Capability Areas.

Figure 3. Categories and Capability Areas

For a list of Categories, Capability Areas, and Practice Areas, refer to Appendix B: CMMI Categories,
Capability Areas, and Practice Areas in this document, and to the following sections in the
CMMI Model: Part One: About CMMI and Executive Summary, and Appendix A: Predefined Model
Views – Categories and Capability Areas.

Each step in this adoption guidance lists the Category that corresponds to and supports that
step. Refer to Figure 4. Steps for Applying CMMI for Continuous Improvement.

Figure 4. Steps for Applying CMMI for Continuous Improvement

LEARN
Step 1: Learn how CMMI will benefit the organization
In this step, the organization:
• Gets to know CMMI
• Learns how CMMI can be applied to the organization and
business
• Understands the benefits from adopting CMMI
• Determines the applicable Capability Areas, domains, and view
• Develops a business case for adoption
An organization must first understand its reasons for improvement and change. Communicating
with an organization’s owner or sponsor, typically a senior or executive manager, throughout
the improvement journey is vital to achieve success and drive change.

To obtain the commitment necessary for a successful CMMI adoption, it is important to:
• Establish a common understanding of CMMI
• Explain how CMMI provides value to the organization
• Secure senior management support and sponsorship

Senior Management: Senior management is a leadership role within an organization that:
• Sets the strategy, direction, and expectations for performance and process efforts
• Ensures that processes are aligned with Business Objectives and needs
• Reinforces and rewards the development and use of processes to ensure their improvement and sustainment
• Monitors the performance and achievements of the processes
• Provides adequate resources for process and performance improvement

This step establishes a foundation for understanding CMMI and how it fits into an organization’s efforts to improve performance and capability. The next step is to establish business and improvement objectives and identify the areas in CMMI that can help address the organization’s needs. Figure 5. Step 1 Activities and Considerations Table provides a summary list of the key Step 1 activities and considerations.

Figure 5. Step 1 Activities and Considerations Table

Activity: Develop a basic understanding of CMMI:
• What is CMMI?
• Who uses CMMI?
• How does it help?
• What benefits does it provide?
Considerations: Research information about CMMI. Visit the CMMI website for information about:
• Explore the CMMI Model
• General CMMI information
• Frequently Asked Questions (FAQs)
• The Building Organizational Capability class
• CMMI Tech Talks
• CMMI Case studies

Activity: Develop a basic understanding of how CMMI Capability Areas, domains, and views apply in the organization.
Considerations: Based on the basic understanding of the model, at a high level, determine how CMMI Capability Areas, domains, and views fit the organization. For example, identify how Planning and Managing Work relates to the management of the organization’s projects, or how Ensuring Quality can be used to improve product and service quality.
Determine which domains and views are applicable to the organization by considering:
• Contractual requirements
• Applicable industry laws, regulations, and other mandates, e.g., General Data Protection Regulation (GDPR)
• Industry standards and methodologies being used within the organization
• Security requirements in products, services, and supply chain
• Security threats and vulnerabilities
• Safety considerations, e.g., social distancing requirements

Capability Areas: A group of related Practice Areas that can provide improved performance in the skills and activities of an organization or project. A Capability Area view may be selected to enable a concentration on skills and activities in a specific focal area.

Activity: Develop a business case.
Considerations: Based on a high-level understanding of CMMI and how it fits the organization, develop a business case and present it to senior management to secure sponsorship and commitment. Consider the following questions in preparing the business case:
• What is the current budget for the performance improvement initiative?
• What existing capabilities does the organization already have in place, and how well do they compare to industry best practices?
• Does the organization currently have experience with CMMI? If so, would the organization benefit by incorporating additional domains or views, e.g., Data, People, Security, Safety, Agile Development?
• What factors contribute to the timeframe and resources for the initiative?
• What are the risks of not proceeding, including considerations of probability of occurrence and severity if realized, e.g., fines due to lack of compliance with regulations, risk to reputation, estimated impact of service or system downtime?
The Harvard Business Review (HBR) has published a resource for developing a practical business case:
• ”HBR Guide to Building Your Business Case,” https://hbr.org/product/hbr-guide-to-building-your-business-case/15038-PBK-ENG
• ”HBR Guide to Building Your Business Case (audible),” https://www.audible.com/pd/HBR-Guide-to-Building-Your-Business-Case-Audiobook/B0BM3CRBZ6

Additional Information
With any improvement effort, change is inevitable. For improvement efforts to be successful,
change must be expected, planned for, and managed. Organizations that have successfully
managed change know how to overcome the natural resistance that results from it. Resistance
to change comes in many forms and often starts early in the improvement process. As part of
looking at CMMI for its performance and improvement efforts, the organization must also
address how it manages change and any potential resulting resistance. Most notably, many
organizations have previously taken a compliance-only approach with process improvement,
which frequently results in additional overhead and cost versus clear capability enhancement
and performance gains. Making a shift from a compliance mentality to a continuous
performance improvement mentality and culture needs to be actively and consistently
addressed as part of adoption and implementation. There are several critical elements needed
to make change successful. Figure 6. Critical Elements for Successful Change shows the
elements needed for successful change and what can happen if those elements are not
addressed.
At the beginning of implementing any change, an organization must communicate:
• The reason for the change
• The expected benefits
• The support and guidance needed to incorporate the change into projects
• How individuals are affected
• The need to involve everyone in the change

Figure 6. Critical Elements for Successful Change

The Organizational Behavior Toolkit provides organizations with indicators of how an
organization’s culture and behavior may support or hinder sustainable process capability and
performance improvement efforts. The Organizational Behavior Toolkit can be leveraged by an
organization, at any time, to assess behavioral maturity and changes to critical behaviors that
influence and impact organizational performance. For example, this may occur at the beginning
stages of a performance improvement journey, at the end of a significant milestone for the
organization, or anything in between, e.g., an international event like the COVID-19 pandemic,
or significant economic changes within the country such as war or civil unrest. The organizational
behavior survey and its resulting analysis gauge the overall characteristics and behavioral
patterns that are critical for an effective performance improvement culture. While a CMMI
appraisal determines the organization’s process maturity or capability, compared to the CMMI
reference model and relevant views, the Organizational Behavior Toolkit provides a rapid and
reliable quantitative means to benchmark and monitor organizational behavior. Refer to Step 6:
Assess capability and performance for more information on conducting a CMMI appraisal.
An integral tenet of CMMI is learning about the organization and the people working in it. By learning more about the organization, it becomes easier to:
• Understand its culture and norms
• Identify and manage possible areas of resistance
• Learn the key issues driving behavior

Adoption Tip: Developing a communication and stakeholder management plan can help to keep the channels open when resistance is encountered. Recording Frequently Asked Questions (FAQs) can help to ensure consistency in messaging and understanding.

Learning about and applying CMMI are often the easiest aspects of performance improvement. Understanding the organizational culture and dealing with resistance are typically the most difficult parts of any change effort. The existing organizational culture may either enhance or slow down the adoption of CMMI.

It is important to know the issues that matter to each group in the organization. For example, senior managers and executives typically focus on financial concerns and overall impact on the organization. They may ask questions such as:
• How much is this going to cost?
• How much time is this going to take away from projects?
• How much revenue will this produce?
• How much profit will this add to the bottom line?
• What is the anticipated return on investment?
• How does this affect my people?
• What does it take to implement the change?

Expect these questions to start early in the improvement effort and to continue throughout. To manage change successfully, plan to address the issues and questions that are raised by each group in the organization. Be prepared to answer questions like these without using CMMI terminology or technical jargon. Communicate in terms that are understood and used within the organization whenever possible.

Adoption Tip: Even if your management, projects, and teams are familiar with CMMI, it is important to understand and frequently communicate the improvements in the newest version of CMMI. CMMI covers multiple domains, e.g., Data, Security, Safety, People, Suppliers, Virtual, that could be beneficial to how your organization is doing work. ISACA has information and materials to explain the benefits from adopting CMMI. For example, the Performance Summary Report contains C-suite appropriate information on expected performance benchmarks. This information can be used to justify the CMMI Return on Investment (ROI).

Obtaining senior management support is often the most critical element of successful change. Senior management should demonstrate active commitment, support, and behavior in championing the improvement changes.

ESTABLISH OBJECTIVES
Step 2: Establish performance improvement objectives aligned to your
organizational objectives
In this step, the Sponsor works with the organization to:
• Identify the most critical objectives to business success
• Establish performance improvement objectives based on the
organization’s Business Objectives
• Understand which parts of CMMI relate to these performance
improvement objectives
• Identify infrastructure needs to support improvement efforts
• Identify measures of success for meeting objectives
• Develop an improvement plan and keep it updated
• Communicate continually with stakeholders
The Sponsor may decide to obtain assistance from a CMMI
Consultant or CMMI Lead Appraiser while working to complete the
activities of this step.
All organizations typically have some idea of their Business
Objectives. Identify and prioritize the business challenges and issues
that are putting the most important objectives at risk or preventing
them from being met. Keeping each of these elements aligned is important to ensure that the
right improvements are being addressed. Figure 7. Step 2 Activities and Considerations Table
provides a summary list of the key Step 2 activities and considerations.

Figure 7. Step 2 Activities and Considerations Table

Activity: Record business needs and objectives.
Considerations: List business goals, risks, and Key Performance Indicator (KPI) measures.
Refer to Appendix E: Building Goals, Risks, and KPIs.
This step corresponds to and can be supported by the Practice Areas and Capability Areas
contained in the CMMI Category “Doing.”
Start by identifying any existing business goals, objectives, and strategic plans. Work with
managers and affected stakeholders to define organizational needs and objectives. Affected
stakeholders should include the people performing the work, as they have the most insight into
issues and challenges. Include both short-term and long-term objectives. Evaluate the
importance of security and safety requirements, and any integration and interface or
connection dependencies between them, to the organization. Ensure the set of business needs
and objectives appropriately reflects the performance needs of the business.
A Certified CMMI Lead Appraiser can use the CMMI Performance Report as a template for
recording this information and ensuring your CMMI journey focuses on the most important
aspects of your business.

Adoption Tip: A key feature of the CMMI Performance Solutions ecosystem is the Performance
Report. This simple, but powerful template provides a straightforward means to identify and
track key business and performance measures. The report is a required artifact in the appraisal
method for specific appraisal types, and available through an ISACA Certified CMMI Lead
Appraiser.

Activity: Record performance improvement objectives.
Considerations: Performance improvement objectives:
• Are derived from organizational business needs and objectives
• Focus on addressing challenges or issues affecting the current projects
• Drive the critical measurements for improvement
• Incorporate applicable security and safety requirements

Activity: Prioritize business and performance improvement objectives.
Considerations: Prioritize objectives based on the value to the organization, risks, and
constraints.

Activity: Develop measurable targets for performance improvement objectives.
Considerations: Measurable targets:
• Are meaningful to the organization
• Address effectiveness of the improvements
• Assess progress towards achieving objectives
Targets should be:
• Specific – also simple, sensible, and significant and answers the questions: "What is to be
done?" and "How will you know it is done?" and describes the results (product) of the work to
be done. The description is written in such a way that anyone reading the objective most likely
observes and interprets it the same way operationally. Observable means that somebody can
see or hear (physically observe) someone doing something.
• Measurable – also meaningful and motivating and answers the
question: "How will you know it meets expectations?" and defines the
objectives and their related measurements using assessable terms
(quantity, quality, frequency, costs, deadlines, productivity, etc.). It
refers to the extent to which something can be evaluated against some
standard. An objective with a quantity measurement uses operational
terms for such things as amount, percentages, etc. A frequency
measurement could be daily, weekly, 1 in 3. An objective with a quality
measurement would describe a requirement in terms of accuracy,
format, and completeness.
• Achievable – also attainable and agreed upon and answers the
questions: "Can the organization, project or person reasonably
accomplish the objective given?" It also includes the answer to: "Do
they have the experience, skills, knowledge, capability and capacity for
fulfilling the expectation?" and "Can it be done given the timeframe,
opportunity, and available resources?"
• Relevant – also reasonable, realistic, and resourced, and answers the
questions: "Should it be done?" "Why are we doing this?" and "What
will be the impact?" Do the objective and measure align well with the
organizational strategic and tactical needs, plans, and approach?
• Time-bound – also time-based, time limited, time/cost limited, timely,
time-sensitive and answers the questions: "When will it be done?"
Sometimes a task has several milestones or checkpoints to help assess
how well something is going before it is finished so that corrections or
modifications can be made to make sure the result meets expectations.
Activity: Target Practice Areas that relate to the prioritized performance improvement
objectives.
Considerations: Based on a high-level understanding of the Capability Areas identified in
Step 1, review the Practice Areas in each that address the objectives and improvement
challenges directly.
There are many approaches that may work in an organization; the challenge is to couple this
deep understanding of CMMI with knowledge about the unique aspects of the business and
organization.
An ISACA CMMI Partner-Sponsored Individual can help an organization perform this task.
• These professionals bring deep knowledge of CMMI and how to apply it in a variety of
organizational contexts.
• Refer to the CMMI Partner Directory for CMMI Partner-Sponsored Individuals that meet your
business needs.

Activity: Establish the infrastructure to support and implement improvements.
Considerations: To ensure long-term success, performance improvement efforts require an
infrastructure that is sustainable over time.
Organizations need to identify who is involved in improvement activities and define their roles
and responsibilities. Typical roles include:
• Senior management
• Improvement sponsor
• Management steering group
• Process group
• Process action teams
Additional infrastructure resources may include:
• Budget
• Time
• Tools
• Training
• Repository for process assets
• Measurement system and repository
For more details on infrastructure and sustainment, refer to content in the following CMMI
Practice Areas:
• Implementation Infrastructure (II): Ensures that the processes and assets important to an
organization’s performance are habitually and persistently followed, used, and improved.
• Governance (GOV): Provides guidance to senior management on their role in the sponsorship
and governance of performance, processes, and related activities.
• Process Asset Development (PAD): Develops the process assets necessary to perform the
work and keeps them updated.
For more details on measurement and performance objectives, review the content in the
following CMMI Practice Area:
• Managing Performance and Measurement (MPM): Manages performance using
measurement and analysis to achieve Business Objectives.

Activity: Record all the above in an improvement plan, keep it updated, and communicate with
stakeholders.
Considerations: The improvement plan for adoption may include a set of requirements, a
budget, a schedule, risks, dependencies, stakeholders, etc.
For more details on what to include in an improvement plan, review the content in the following
CMMI Practice Area:
• Process Management (PCM): Manages and implements the continuous performance
improvement of processes and infrastructure to meet Business Objectives by identifying and
implementing the most beneficial process improvements and making performance results
visible, accessible, and sustainable.

Additional Information
Refer to the appendices in this document for more information on:
• Typical CMMI Adoption Roles and benefits (Appendix D: Typical CMMI Adoption Roles)
• Problem Identification and Resolution using CMMI (Appendix C: Problem Identification and
Resolution Using CMMI)
The following sources can be used when identifying business challenges and related
opportunities for improvement:
• Stakeholder input
• Customer feedback
• Improvement proposals
• Risks and opportunities
• Lessons learned
• Results from appraisals
• Results from root cause analysis
• Measurement results
• Quality evaluations or audits

Adoption Tip: In the CMMI Performance Solutions ecosystem, the term “High Maturity” involves
the use of statistical and other quantitative techniques on selected processes to predict
improved business results. High Maturity represents a fundamental shift in how processes are
understood, managed, and improved. As organizations move up in process maturity, they gain
in-depth understanding of how the processes are used and interact, which gives them a clear
competitive advantage. Based on actual Performance Report data, High Maturity organizations
have demonstrated clear and outstanding improvements in achieving operational goals.

When establishing measurable targets, an organization may want to consider using the
following resources:
• American Society for Quality (ASQ) - What are Performance Metrics?
• International Organization for Standardization (ISO) 10012:2003 – Measurement
management systems – Requirements for measurement processes and measuring equipment
• Society of Automotive Engineers (SAE) J2944 Operational Definitions of Driving
Performance Measures and Statistics
• Goal-Question-Metric approach to derive meaningful measures from objectives
• Goal-Driven Software Measurement designed to help you identify, select, define, and
implement measures to support your business goals
Some items to consider as part of performance improvement efforts include:
• Communication and collaboration with the improvement sponsor and senior management
when building the case for performance and process improvement
• Records of previous improvement activities, including issues, decisions, and action items
• Use of terminology that is familiar to the audience by avoiding technical jargon or CMMI
terminology
• Determination of the type and frequency of written communication and updates (verbal or
written)
The objectives must be clearly communicated to the entire organization. If people understand
the reasons for the change and the desired outcome along with their role in making the change,
the amount of potential resistance can be reduced.

ANALYZE
Step 3: Map current organizational processes to CMMI
In this step, the organization, on their own, or with the help of a
CMMI Consultant:
• Maps current business processes to CMMI components and
practices
• Identifies any gaps between the business processes and the
CMMI components and practices identified for improvement
• Recommends improvements to address the gaps
This step corresponds to and can be supported by the Practice Areas
and Capability Areas contained in the CMMI Category “Enabling.”
It is important to understand the processes currently used in the
organization and the extent to which these processes meet the
intent, value, and any additional required information of the CMMI
Practice Areas and Practices. This is an important step as it forms
the basis of future improvement activities.

Figure 8. Step 3 Activities and Considerations Table provides a summary list of the key Step 3
activities and considerations.

Figure 8. Step 3 Activities and Considerations Table


Activity: Perform gap analysis of current processes against the CMMI Practice Areas identified
for improvement.
Considerations: The gap analysis may use a formal appraisal method such as a CMMI
Evaluation Appraisal.
Alternatively, the gap analysis may be performed informally by doing a simple comparison of
selected processes to CMMI Practice Areas and other model components, e.g., domains, context
specific information.
When security is an important domain for the organization, consider the relationships of
security with Practice Areas throughout CMMI. Refer to Appendix G: CMMI Practice Area
Security Adoption Examples, which provides example relationships of security to Practice
Areas.
This analysis does more than just identifying gaps in the processes being used. It also involves
determining if the processes are utilized, persistent, and habitual. A well-crafted business
process is of little value if it is not used. A CMMI Partner-Sponsored Individual can help an
organization perform this task. Refer to the CMMI Partner Directory for CMMI
Partner-Sponsored Individuals to meet your business needs.

Activity: Record the results of the gap analysis.
Considerations: Use a consistent method to record the gaps. This activity should be connected
to the one below to aid in tracking each gap to activities in the action plan.

Activity: Develop and record recommended improvement activities in the action plan to close
all identified actions and gaps.
Considerations: Recommendations form the basis for improvement action plans.
For more details, review the content in the following CMMI Practice Area:
• Process Management (PCM): Manages and implements the continuous performance
improvement of processes and infrastructure to meet Business Objectives by identifying and
implementing the most beneficial process improvements and making performance results
visible, accessible, and sustainable.

Additional Information
Gap analysis information provides a reference for people in the organization to understand how
their processes relate to CMMI components and practices. This information also forms the basis
for developing action plans for performance improvement in the next step.
Appendix A: Additional Resources lists other resources.

DEVELOP ACTION PLAN
Step 4: Develop and follow action plans, and keep them updated
In this step, the organization:
• Develops an improvement strategy
• Develops action plans to address performance and process
gaps identified in the previous step
• Makes changes or improvements
• Defines or updates processes
The Sponsor, on behalf of the organization, may appoint a Process
Group to support action plan development, or solicit support from a
CMMI Consultant.
This step corresponds to and can be supported by the Practice Areas and Capability Areas
contained in the CMMI Category “Managing.”

The step begins by developing the organizational improvement strategy and obtaining
commitment from all stakeholders. The strategy includes identifying the benefits of capability
and performance improvement and the impact to organizational Business Objectives.
The improvement strategy requires a firm commitment from the improvement sponsor. Active
sponsorship is critical to ensure that the plan and the required resources are available
throughout the improvement effort.
This step also includes the development of improvement action plans to address the gaps
identified in the previous step and to move the organization towards achieving its objectives.
Performing these activities may result in defining or updating processes and making other
changes needed to address process gaps. As with any plan, it is important to keep the action
plans updated as activities are added, modified, or removed.

Adoption Tip: Action plans should contain clear and measurable information on when and how
actions are considered closed. By prioritizing those actions that have the greatest impact on the
business and performance rather than compliance, it is easier to convince senior management
and stakeholders because the improvements are of value and need to be sustained over time.
As the organization progresses through the action plans, monitor performance to ensure that
the desired results are achieved. Performance and results should tie back to the organizational
business improvement goals defined in the strategy. Figure 9. Step 4 Activities and
Considerations Table provides a summary list of the key Step 4 activities and considerations.

Figure 9. Step 4 Activities and Considerations Table


Activity: Develop and follow an improvement strategy and keep it updated.
Considerations: An improvement strategy typically includes:
• Business considerations
• Objectives and constraints
• Possible approaches to meeting the objectives and constraints
• Requirements
• Needed resources, e.g., skills, environment, tools, new technologies
• Security requirements and considerations
• Safety requirements and considerations
• Risks and how they will be mitigated

Activity: Establish priorities for improvement actions.
Considerations: Prioritize improvement actions based on the value to the organization,
resource constraints, and the impact on achieving performance objectives. This helps gauge how
much work is ahead and the order in which items should be addressed.

Activity: Develop action plans to address all actions and gaps.
Considerations: The action plans define all aspects of the effort, tying together the following in
a logical manner:
• Tasks
• Roles and responsibilities
• Budgets
• Schedules and milestones
• Risks
• Resources and skills
• Stakeholder involvement
For more details, review the content in the following CMMI Practice Areas:
• Estimating (EST): Estimates the size, effort, duration, and cost of the work and resources
needed to develop, acquire, or deliver the solution.
• Planning (PLAN): Develops plans to describe what is needed to accomplish the work within
the standards and constraints of the organization.
• Implementation Infrastructure (II): Ensures that the processes and assets important to an
organization’s performance are habitually and persistently followed, used, and improved.
• Governance (GOV): Provides guidance to senior management on their role in the sponsorship
and governance of performance, processes, and related activities.

Activity: Review plans with the improvement sponsor to obtain commitment and approval.
Considerations: Verify and confirm continued visible senior management’s active engagement,
sponsorship, and support for the improvement efforts.

Activity: Make changes or improvements based on the action plans.
Considerations: Remember, even though some changes may be easy to implement, they may
take a long time to roll out and to become persistent and habitual.

Activity: Define or update processes where appropriate.
Considerations:
• Record the processes the way they are performed.
• Refer to Appendix F: Define Your Current Processes for more information on recording
processes.
• A CMMI Partner-Sponsored Individual can help an organization perform this task; refer to the
CMMI Partner Directory to find a CMMI Partner-Sponsored Individual.

Additional Information
It is important to involve the people affected by the changes in making the improvements. This
increases buy-in and reduces resistance to the changes.

DEPLOY IMPROVEMENTS
Step 5: Deploy improvements and measure results
In this step, the organization:
• Pilots new and changed processes
• Deploys new and changed organizational processes and assets
• Measures the performance of newly deployed organizational
processes and assets against the business and performance
improvement objectives
This step corresponds to and can be supported by the Practice Areas
and Capability Areas contained in the CMMI Category “Improving.”
This step involves piloting and deploying the performance and process improvements identified
in action plans from the previous step, typically an iterative process. Improvements are often
rolled out gradually to assess performance. Piloting improvements enables an organization to
evaluate the impact of performance improvements to ensure they are successful before wider
deployment. Deployment involves managing the implementation of new or updated processes
in a consistent and sustainable way. There may be multiple improvement initiatives, concurrent
improvements, and deployments in an organization. Coordinate the deployment of processes to
avoid confusion, waste, contradictory results, and adverse effects.
As performance improvements are deployed, care should be taken to ensure that processes are
built, followed, and made persistent and habitual. Figure 10. Step 5 Activities and
Considerations Table provides a summary list of the key Step 5 activities and considerations.

Adoption Tip: Not every improvement may scale as it is deployed on a broader basis. Piloting
improvements helps to understand which improvements have the greatest impact and benefit
for the entire organization.

Figure 10. Step 5 Activities and Considerations Table


Activity: Measure performance of existing processes and their targeted improvements.
Considerations: As the organization accumulates historical data, process performance can be
measured.
Historical data may be used to identify performance differences between current and improved
processes.

Activity: Develop, keep updated, and follow a process deployment plan.
Considerations: The deployment plan typically includes the following:
• Deployment strategy
• Improvement requirements
• Estimated budget, schedule, risks, etc.
• Updated and new process information
• Communication methods
• List of affected stakeholders
• Training
• Implementation expectations

Activity: Pilot new or changed processes.
Considerations: Define and use criteria for selecting which improvements to pilot. Typical
criteria include:
• Risk
• Impact of change
• Number of projects affected
• Cost
• Expected results

Activity: Analyze results of pilots.
Considerations: Use results from pilots to:
• Compare performance results of the pilot to existing performance measures
• Determine if the pilot is sufficiently successful to deploy the process to other parts of the
organization
• Make changes to the piloted process
• Update the deployment plan as needed

Activity: Deploy processes as appropriate.
Considerations: Establish the necessary infrastructure to ensure that processes are built,
followed, sustained, and improved over time. The term “infrastructure” refers to everything
needed to implement, perform, and sustain the organization’s set of processes. The
infrastructure includes:
• Recorded processes
• Resources, e.g., people, tools, consumables, facilities
• Funding to perform the processes
• Training to perform the processes
• Objective evaluations to ensure that work is performed as intended

Activity: Monitor adoption of recently deployed improvements.
Considerations: Continue to monitor the process over time by reviewing:
• Organization’s performance measures
• Organization’s applicable security activities, steps, and measures
• Organization’s applicable safety activities, steps, and measures
• Comparison of historical performance to the performance of new or updated processes
• Habit and persistence in the use of and continuous improvement of the processes and assets
By monitoring improvement adoption and performance against organizational Business
Objectives, an organization can verify and quantify the benefits of the improvements.
This activity may also result in new opportunities for improvement and updates to action plans.
For more details on deploying improvements and measuring results, review the following CMMI
Practice Areas:
• Process Management (PCM): Manages and implements the continuous performance
improvement of processes and infrastructure to meet Business Objectives by identifying and
implementing the most beneficial process improvements and making performance results
visible, accessible, and sustainable.
• Managing Performance and Measurement (MPM): Manages performance using
measurement and analysis to achieve Business Objectives.

Additional Information
To avoid overwhelming stakeholders, it may be necessary to select and deploy different
improvements to different parts of the organization at different times. The selection of
improvements to deploy should be based on the criteria described above and should also be
sensitive to the needs of the various parts of the organization.
Monitoring implementation confirms that the improvements are effectively deployed. It also
helps to understand:
• What assets are being used
• Why they are being used
• Where they are being used
• How they are being used
As processes become habitual and persistent, they become an integral part of the organization’s
norms and culture. Habitual and persistent processes endure after the people who defined them
are gone.
Review the measures collected to understand performance over time to determine if the
collected performance data is relevant and critical to the work and to the business or if it needs
to be changed. An organization may not get it right the first time, so it should review the data
and adjust plans accordingly.

ASSESS CAPABILITY
Step 6: Assess capability and performance
In this step, the Sponsor works with the organization and may work
with a CMMI Lead Appraiser to:
• Assess processes and assets
• Measure and assess performance
• Update improvement plans as needed
• Continue the improvement journey
Organizations typically conduct a
combination of both informal and formal
assessments, to maintain an appropriate
level of momentum for performance
improvement initiatives. As such, the
Sponsor works with various roles to define
an approach for periodic assessments of
capability, including the CMMI Lead
Appraiser, CMMI Consultant, and Process Group Members.

This step corresponds to and can be supported by the Practice Areas and Capability Areas
contained in the CMMI Category “Improving.”
This step involves appraising processes and the improvements made to them, and then brings
the CMMI adoption cycle full circle and back to assessing the impacts of those improvements on
performance.

Adoption Tip: Conducting CMMI appraisals is a proven best practice to ensure the most efficient
and effective improvement results. CMMI-based appraisals provide reliable, clear, consistent,
and actionable focus on performance improvements that have the most impact on the business
and help build and improve capability.

There are multiple ways to assess capabilities and performance including:
• Conducting internal appraisals or process reviews against CMMI
• Partnering with a CMMI Partner-Sponsored Individual to conduct appraisals, e.g., CMMI
Evaluation Appraisal, CMMI Benchmark Appraisal, CMMI Sustainment Appraisal
It is important that organizations validate that their processes and performance are in
alignment with business and performance improvement objectives. CMMI appraisals assist in:
• Demonstrating the value of improvements to the business
• Motivating stakeholders for continued buy-in
• Driving continuous improvement
• Determining competitive position in the market
Figure 11. Step 6 Activities and Considerations Table provides a summary list of the key Step 6
activities and considerations.

Figure 11. Step 6 Activities and Considerations Table


Activity: Assess processes and assets.
Considerations: Assess progress against the improvement plan at an appropriate frequency.

Activity: Assess performance results against performance and Business Objectives.
Considerations: The results from this assessment should help to inform and drive the next
iteration of improvement.

Activity: Update improvement and action plans and continue the improvement journey.
Considerations: Improvement is not a one-time effort. As organizations complete activities,
they should plan for the next iteration in a continuous improvement journey.

Additional Information
An organization may want to achieve formal recognition of the effectiveness of their processes.
This can serve as both an internal validation of the value and benefits gained from continual
improvement efforts and an external acknowledgement of the organization’s commitment to
quality and continuous performance improvement.
Formal recognition can be gained through conducting a CMMI Benchmark Appraisal. If the
organization plans to conduct a CMMI Appraisal, an ISACA Certified CMMI Lead Appraiser must
lead the appraisal. The results of a CMMI Benchmark Appraisal can be used to compare the
organization to other organizations in their industry.
The continuous improvement journey may involve:
• Evolution of the organization’s Business Objectives
• The need for improved performance
• New areas for improvement
Once this step is completed, repeat the cycle by going back to Step 1 to learn about any new
updates made to the CMMI Performance Solutions ecosystem. Refer to Figure 12. Adoption
Guidance Cycle.

Figure 12. Adoption Guidance Cycle

Appendix A: Additional Resources
This Appendix contains a list of resources that are part of the integrated CMMI Performance
Solutions ecosystem to aid organizations with successful adoption. Figure 13. CMMI Adoption
Resources provides a summary of adoption resources available.

Figure 13. CMMI Adoption Resources


Resource: CMMI Account Dashboard
Purpose: Register for an account on the CMMI website or log in to an existing account to find
materials that you have purchased or to which you have access based on your certified role.
Based on your access, you will find links to the CMMI Model Viewer, course materials, and other
resources on the dashboard.

Resource: CMMI Acquisition Handbook
Purpose: The CMMI Acquisition Handbook provides guidance for addressing and verifying CMMI
requirements in contracts and acquisition efforts, including the essential who, what, when, why,
and how information about using CMMI in the Federal Contracting Industry.

Resource: CMMI Partner Directory
Purpose: The CMMI Partner Directory is a searchable database of highly trained individuals in
organizations trusted to deliver quality, leading-edge CMMI services and technologies
throughout the global business community. Organizations looking to get an appraisal, obtain
training, or receive consulting on implementing CMMI processes in their organization can find a
CMMI Partner to help.

Resource: CMMI Policies
Purpose: The CMMI Policies page provides access to appraisal, certification, partner, quality, and
training policies.

Resource: CMMI Resource Center
Purpose: The CMMI Resource Center is a collection of every CMMI digital resource in one place.
Browse through the collection of presentations, webinars, articles, case studies, whitepapers,
and more.

Resource: CMMI Tech Talks
Purpose: The CMMI Tech Talks provide a variety of microlearnings to assist in CMMI adoption.
CMMI Tech Talks cover a variety of areas from model interpretation, training, appraisals, CMMI
and other frameworks, and more.

Resource: CMMI Technical Report: Performance Results
Purpose: The CMMI Technical Report: Performance Results provides an annual summary of
organizations' consistent achievements of their business goals from nearly 10,000
independently conducted and approved appraisals since CMMI Performance Solutions launched
in 2019.

Resource: CMMI Training Resources
Purpose: Find CMMI and CMMI Partner training resources, class schedules, and information
about training and certification options on the CMMI Training Resources page.

Resource: CMMI Website
Purpose: The CMMI website provides resources and information about ISACA’s offerings to
support capability and performance improvement.

Resource: ISACA’s Customer Support Center
Purpose: The ISACA Customer Support Center provides individuals and organizations with
proactive support and speedy solutions to questions. You can review the Frequently Asked
Questions (FAQs) or submit a support request at https://support.isaca.org.

Resource: Published Appraisal Results System (PARS)
Purpose: The Published Appraisal Results System (PARS) publishes the CMMI level achieved by
organizations that have granted permission for their Benchmark or Sustainment Appraisal
results to be posted. Evaluation Appraisals are not currently published.

Additional References
CMMI Adoption Guidance contains references to a few external resources. These resources are
cited below.
• Park, Robert E., Wolfhart B. Goethert, and William A. Florac. Goal-Driven Software
Measurement: A Guidebook. Pittsburgh, PA: Carnegie Mellon University, Software
Engineering Institute, 1996.
• Gray, Douglass. Applying the Goal-Question-Indicator-Metric (GQIM) Method to Perform
Military Situational Analysis. Pittsburgh, PA: Carnegie Mellon University, Software
Engineering Institute, 2016.
• Sheen, Raymond, and Amy Gallo. HBR Guide to Building Your Business Case. Boston, MA:
Harvard Business Review Press, 2015.
• Solingen, Rini Van, Vic Basili, Gianluigi Caldiera, and H. Dieter Rombach. "Goal Question
Metric (GQM) Approach." Encyclopedia of Software Engineering, 2002.
doi:10.1002/0471028959.sof142.

Appendix B: CMMI Categories, Capability Areas, and Practice Areas
Figure 14. Categories, Capability Areas, and Practice Areas lists the Categories, Capability Areas,
and Practice Areas (PAs) that are part of CMMI.

Figure 14. Categories, Capability Areas, and Practice Areas

Appendix C: Problem Identification and
Resolution Using CMMI
Figure 15. Problem Identification and Resolution Using CMMI lists common business problems,
their possible underlying causes, and the CMMI Practice Areas (PAs) that could help.
For a list of CMMI Practice Areas, refer to Figure 14. Categories, Capability Areas, and Practice
Areas in Appendix B: CMMI Categories, Capability Areas, and Practice Areas.

Figure 15. Problem Identification and Resolution Using CMMI

Business Problem: Delivered solution does not meet customer needs
Potential Underlying Causes:
• Wrong solution delivered
• Bad requirements
• Poor testing
• No stakeholder feedback
• Lack of customer involvement
CMMI PA Solution: PLAN, PR, RDM, PQA, SDM, STSM, VV

Business Problem: Customer complaints
Potential Underlying Causes:
• Inconsistent delivery
• Rude personnel
• Always have an excuse
• Quality issues
• Service levels not met
CMMI PA Solution: EST, PQA, RDM, SDM

Business Problem: Late delivery
Potential Underlying Causes:
• Poor/no estimating or planning
• Poor progress tracking
• Lack of critical resources
• Excessive overtime
• Too much rework
• Constantly changing requirements
• Unexpected external incidents or other disruptions
CMMI PA Solution: EST, IRP, MC, PLAN, RDM, RSK

Business Problem: Disruptions to operations caused by global events or environmental impacts
Potential Underlying Causes:
• Worldwide events, e.g., COVID-19, cause a fundamental shift in business operations
• Entire workforce must shift to virtual or remote delivery
• Vulnerabilities in virtual delivery expose organizations to new security disruptions
• Lack of adequate planning and preparation for virtual delivery
CMMI PA Solution: CONT, ESAF, ESEC, EVW, IRP, MST, PLAN, RSK

Business Problem: Costly solutions
Potential Underlying Causes:
• Poor estimating/planning
• Gold plating
• Too much rework
• Acceptance of too many changes/too much work without understanding impact
• Lack of understanding customer needs
CMMI PA Solution: CM, DAR, EST, MC, PLAN, RDM, RSK

Business Problem: Poor quality
Potential Underlying Causes:
• Badly defined requirements
• Attempts to “test quality” into services or products
• Lack of time to test
• Poor design
• Inexperienced technical personnel
• Lack of defined processes and procedures
CMMI PA Solution: PLAN, PQA, PR, RDM, VV

Business Problem: Vulnerabilities
Potential Underlying Causes:
• Lack of awareness or appropriate prioritization of security needs and requirements
• Lack of an approach and infrastructure to address threats, vulnerabilities, and mitigations
• No assigned resources, roles, or responsibilities to address security
• Lack of continuous monitoring and improvements
• Poor security of data (e.g., personally identifiable information (PII))
CMMI PA Solution: ESEC, GOV, II, MST, DM

Business Problem: Constantly stretched resources
Potential Underlying Causes:
• Poor/no estimating or planning
• Excessive overtime
• Wrong resources
• Lack of the skills needed to do the work
• Acceptance of too many changes/too much work without understanding impact
• Poor management
• Lack of commitment
CMMI PA Solution: CM, DAR, EST, MC, PLAN, RDM, RSK, WE

Business Problem: Problems are always a surprise
Potential Underlying Causes:
• Lack of problem anticipation
• Poor planning
• Short-term organizational “memory”
• Sugarcoating
• Problem avoidance (“burying head in the sand”)
• Lack of corrective or preventative action
• No viable responses to problem
CMMI PA Solution: CM, CONT, PAD, PLAN, RSK, IRP

Business Problem: Safety mishaps and events interrupt operations
Potential Underlying Causes:
• Lack of a safety approach and infrastructure
• Lack of awareness or appropriate prioritization of safety needs and requirements
• No assigned resources, roles, or responsibilities to address safety
CMMI PA Solution: ESAF

Business Problem: Constant firefighting
Potential Underlying Causes:
• Poor/no estimating or planning
• Inexperienced technical personnel
• Dependency on heroes for success
• Acceptance of too many changes or work without understanding impact
• Poor management
• Lack of commitment
CMMI PA Solution: CM, EST, GOV, II, OT, MST, PCM, PLAN, RSK

Business Problem: Poor retention of personnel
Potential Underlying Causes:
• Over reliance on heroes
• Poor/no estimating or planning
• Excessive overtime
• Wrong resources
• Acceptance of too many changes/too much work without understanding impact
• Poor management
• Poor morale
• Corporate “brain drain” (loss of key personnel and experience)
CMMI PA Solution: CM, EST, OT, PAD, PCM, PLAN, WE

Business Problem: Everything is priority 1
Potential Underlying Causes:
• Poor planning
• Poor morale
• Excessive overtime
• Poor quality
• Lack of focus on what is important to the business and performance
CMMI PA Solution: DAR, PLAN, RDM

Business Problem: Too much rework
Potential Underlying Causes:
• Poor planning
• Excess or unnecessary cost
• Poor morale
• Excessive overtime
• Poor quality
CMMI PA Solution: MC, PLAN, PQA, PR, VV

Business Problem: Constantly reinventing the wheel
Potential Underlying Causes:
• No sustainable infrastructure
• Lack of clear repeatable process
• Sporadic or no training/learning
• Lack of focused training for business needs
• No organizational memory
CMMI PA Solution: DAR, II, PAD, PCM, TS

Business Problem: Supply chain issues
Potential Underlying Causes:
• Lack of clear requirements
• Ambiguous or no agreements
• Limited selection of solutions
• Risks in the supply chain
• Lack of clear and consistent responsibilities
• Delivery delays
• Poor quality
CMMI PA Solution: PLAN, PQA, RSK, SAM

Business Problem: Inexperienced personnel and management
Potential Underlying Causes:
• Lack of clear governance
• Lack of clear repeatable process
• Lack of clear and consistent responsibilities
• Sporadic or no training/learning
• Lack of focused training for business needs
• No organizational memory
• Poor resource, skills, and knowledge planning
• Poor quality
CMMI PA Solution: GOV, MC, OT, PLAN, PQA

Business Problem: Low productivity
Potential Underlying Causes:
• Lack of clear, repeatable processes
• Lack of training
• Poor morale
• Poor accountability
• Lack of infrastructure
CMMI PA Solution: EST, GOV, II, OT, PLAN

Business Problem: Inconsistent service delivery
Potential Underlying Causes:
• Lack of a collaborative approach between the service provider and customer
• Lack of an approved service agreement and lack of adherence to it
• Inability to deliver services due to any of the following factors: failure of service components, failure to check readiness of the service system, absence of clear service delivery procedures or lack of awareness about such procedures (if they exist)
• Dependency on heroes to deliver services rather than on established practices and procedures
CMMI PA Solution: CONT, IRP, PQA, SAM, SDM, STSM

Business Problem: Never finishing
Potential Underlying Causes:
• Incorrect scoping
• Incorrect estimation methods
• Failure to revise plans and schedules based on changing customer demands
• Inadequate resources/incorrect resource estimation and planning
• Lack of obtaining commitments from affected stakeholders
CMMI PA Solution: EST, II, MC, PLAN, RSK

Business Problem: Never enough time/budget
Potential Underlying Causes:
• Poor planning
• Lack of resources
• Excess or unnecessary cost
• Poor monitoring
• Excessive overtime
CMMI PA Solution: EST, GOV, MC, PLAN, RSK

Business Problem: Constant requirements changes
Potential Underlying Causes:
• Incorrect and/or incomplete change management process
• Lack of clearly understood requirements process
• Weak or inadequate validation, verification, and peer review processes
CMMI PA Solution: CM, MC, PLAN, PR, RDM, VV

Business Problem: Poor decision making
Potential Underlying Causes:
• Not sure of the exact “problem” (and so not able to define the problem statement)
• Lack of relevant and adequate skill sets to use decision-making techniques and to determine the risks and impacts of decisions
• Not making data driven decisions or making decisions based on incomplete or poor data
• Not involving affected stakeholders during problem definition and/or decision-making process
• Taking decisions based on “assumptions” rather than on actual (measurable and verifiable) data
• Inability to identify criteria for evaluation of alternatives
• Inability to identify alternatives for a particular problem
• Inability to define a problem from a state of confusion
CMMI PA Solution: DAR, II, OT, PLAN, SAM, TS, DQ

Business Problem: Incorrect version released to customer
Potential Underlying Causes:
• Insufficient configuration management processes and infrastructure to support version management
• Lack of version control
• Unclear authoritative source
• Unclear integration and interface or connection requirements
CMMI PA Solution: CM, PI

Appendix D: Typical CMMI Adoption Roles
This section contains information and perspectives on the people who use and commonly benefit
from CMMI. Each role is described along with its unique perspective, approach, and the
benefits it realizes by leveraging CMMI. These are roles, not individuals or positions, and
may be combined, split, or fulfilled differently in each organization.

Buyer
Role Description
• The Buyer role includes senior management and those who control the budget, select,
and manage solution suppliers, and hold approval authority for buying solutions for an
organization. This role appreciates the business value that suppliers and vendors
leveraging CMMI demonstrate through high quality delivery of products and services.
Role Activities
• Uses practices for supplier selection and management
• Understands the risk of doing business using suppliers and the risks each may bring
• Mitigates supplier risks
• Requires suppliers to adopt CMMI and understand what a supplier’s CMMI capability, or
maturity, means
• Uses CMMI practices to understand and address risk in the supply chain
• Evaluates risk and determines the quality required to rank incoming proposals to eliminate
unsuitable bidders and select the supplier with the lowest risk
• Manages technical interactions
• Manages contractual issues on both sides
• Manages acceptance of deliverables
• Manages transitions of deliverables and solutions to operations
• Identifies and manages approaches to addressing security requirements
• Identifies and manages approaches to addressing safety requirements
• Establishes policy; provides budget and resources for remote workforce & virtual delivery
Benefits to Role
• Effectively and efficiently reduces risk to the buying organization
• Ensures that the highest quality suppliers, those that meet the knowledge, skills, and
experience requirements, are identified and selected
• Suppliers are managed throughout the solution period of performance
• Results in clear and unambiguous agreements

• Improves the interactions between suppliers and the buying organization
• Minimizes disputes
• Minimizes supply chain disruptions associated with safety and security issues

Sponsor
Role Description
• The Sponsor role includes senior management, including the “C-Suite,” e.g., Chief
Executive Officer (CEO), Chief Operating Officer (COO), Chief Financial Officer (CFO),
Chief Information Officer (CIO), but these roles are specific to those organizations
adopting CMMI and conducting appraisals and other forms of assessments to determine
their capability.
Role Activities
• Funds and oversees performance improvement initiatives
• Articulates the strategy and Business Objectives, including security and safety objectives
• Ensures alignment of strategy and Business Objectives
• Sets priorities for improvements, and verifies alignment with performance objectives
• Provides explicit requirements for senior management activities in supporting and
sustaining improvement efforts
• Ensures that resources are available to implement the improvement efforts
• Approves appraisal objectives
Benefits to Role
• Enables process consistency across the organization
• Ensures the improvement effort supports achieving objectives
• Promotes a common understanding of the performance improvement objectives
• Fosters better coordination and communication among work groups
• Increases customer satisfaction
• Emphasizes and actively supports the importance of addressing security needs and
requirements in the solution
• Reduces cost
• Monitors alignment and achievement of objectives
• Gains competitive advantage
• Attracts and retains top talent
• Positions organization for growth
• Reduces overhead cost
• Improves time to market

• Keeps current with market trends
• Uses integrated model to strengthen position in the market
• Increases growth and expands marketability
• Gets assurance of improvements
• Emphasizes and actively supports the importance of addressing safety needs and
requirements in the solution
• Uses flexibility in model to meet organizational needs and reduce process overhead
• Improves workforce management
• Provides career path for developing the workforce
• Changes organizational behavior to better achieve strategy and Business Objectives
• Addresses and sells a wider set of capabilities because of the integrated model
• Provides a basis for tangible performance improvements, including safety and security
considerations

Practitioner
Role Description
• The Practitioner role includes people in an organization who are following the processes
and who get the most direct benefit from using and improving processes. It is crucial that
these people are involved with the improvement activities, as they are the ones who must
live with them every day.
Role Activities
• Follows the processes, and adheres to policies
• Provides feedback, inputs, and ideas for improving process and performance
• Participates in process groups, action teams, etc.
Benefits to Role
• Reduces rework
• Understands what is being done and why
• Provides structure for how work is done
• Stops reinventing the wheel
• Does the job better
• Minimizes overtime
• Shares best practices
• Reduces chaos and stress
• Gives a voice to practitioners in determining and making commitments
• Provides structure for defining explicit roles and responsibilities
• Ensures they have the skills and expertise needed to perform their roles and
responsibilities
• Provides an environment conducive to increased performance
• Provides guidance for working together effectively and efficiently
• Provides guidance for navigating multiple priorities and reporting relationships
• Sustains existing expertise across the organization
• Increases individual competency growth
• Improves individual performance
• Participates in specific security awareness training
• Participates in specific safety awareness training

Process Group Member
Role Description
• The Process Group Member role includes the people assigned responsibility for
improving and sustaining process and performance in the organization. The assignments
can be full-time or part-time.
Role Activities
• Ensures improvement priorities and activities are aligned with improving performance and
meeting business strategy and objectives
• Provides performance improvement guidance to promote understanding throughout the
organization
• Coordinates and communicates improvement activities and benefits with stakeholders
• Solves organizational process and performance problems
• Assesses process capabilities and performance
• Identifies and provides needed improvements and training
• Identifies and addresses gaps in process implementation
• Uses source model disciplines in an integrated way
• Verifies process and performance integration, infrastructure, and alignment of results to
Business Objectives
Benefits to Role
• Plans improvement efforts using a clear evolutionary path within Practice Areas
• Supports process persistence and sustainment with explicit infrastructure and governance
• Changes organizational behavior to better achieve strategy and Business Objectives
• Reduces the impact of process changes
• Establishes common process roles

Quality Manager
Role Description
• The Quality Manager role includes individuals or groups whose main responsibility is
ensuring end-to-end, holistic quality in the processes, their execution, and the resulting
solutions. This includes quality control, quality assurance, peer reviews, testing,
verification and validation, and related activities.
Role Activities
• Identifies potential performance and process improvements
• Identifies security related quality issues
• Identifies safety related quality issues
• Provides guidance for determining if processes are being followed
• Helps identify if current processes support the existing work
• Supports providing management and stakeholders insight into process adoption and
effectiveness
• Identifies non-compliance issues in process implementation
• Analyzes quality data to:
o Identify patterns and trends
o Anticipate problems and issues
Benefits to Role
• Maximizes quality of solutions
• Increases customer experience and satisfaction
• Enhances brand reputation
• Improves performance by avoiding non-value-added activities
• Ensures processes work more effectively for practitioners and the organization
• Reduces rework
• Improves practitioner satisfaction and morale

Project Manager
Role Description
• The Project Manager role includes managers who are responsible for managing the
day-to-day activities for producing and delivering solutions. This can include task, project, and
program-level management roles. It also includes activities required to develop and
sustain the skills and experience of the project team members to meet the current and
future needs of the organization.
Role Activities
• Supports the performance improvement activities
• Negotiates and confirms commitments
• Organizes teams and projects
• Reviews projects and improvements
• Keeps senior management informed
• Enables communications throughout the organization
• Leverages the skills and experience of employees
• Provides guidance for effective career development, with alignment to needs of project
and organization
• Encourages and enables active participation in improvement efforts
• Revises plans, schedules, budget, and resources as needed
• Integrates security and safety needs and approaches into plans
• Enables consistent employee evaluations, aligning compensation, rewards, and recognition
with performance
• Enables empowerment of project team members
• Provides a framework for:
o Establishing a productive work environment
o Providing effective training and mentoring
o Communication and coordination, including virtual considerations when appropriate
Benefits to Role
• Manages project to ensure solutions are on-time and within budget
• Provides oversight to ensure solutions meet identified requirements and meet or exceed
performance expectations, including security and safety
• Enables effective allocation of resources, to support business strategies and objectives
• Reduces employee turnover and supports positive employee morale
• Increases clarity of assignments
• Minimizes non-value-added activities

• Ensures delivered solutions satisfy customer needs and expectations
• Ensures practitioners maintain their skillsets to support project and organization

Working with a CMMI Partner-Sponsored Individual

What is a CMMI Partner-Sponsored Individual?


ISACA certifies individuals as CMMI Lead Appraisers to lead CMMI appraisals and certifies
individuals as CMMI Instructors to teach official CMMI courses. These CMMI Instructors and
CMMI Lead Appraisers may provide consulting services for organizations wanting to adopt
CMMI. When working with one of these individuals, make sure that they work under the
sponsorship of a CMMI Partner organization.
When acting as technical advisors, these experienced professionals work with clients to help
them adopt CMMI to best meet their business needs and objectives. In some cases, this
involves conducting a CMMI appraisal. Based on their experience in the industry and their
quality record, these experts have been certified by ISACA to deliver official training courses
and appraisal services.

How to find a CMMI Partner-Sponsored Individual


ISACA works with a network of licensed CMMI Partner organizations that employ certified
individuals who are qualified to provide official courses and appraisal services. CMMI Partner-
Sponsored Individuals can be found in the CMMI Partner Directory. Additionally, ISACA can
provide services directly to your organization.
The CMMI Partner Network and certified individuals provide a vast, global reach that helps
connect CMMI with users, managers, and executives who can benefit from CMMI solutions.
ISACA and CMMI Partners are the only source for authentic CMMI services. Consider your
organization’s needs and expectations when searching for and hiring a CMMI Partner. The CMMI
Partner should be familiar with items such as:
• The type or domain of work performed by the organization, e.g., data, development,
services
• The requirements of the methodologies used by the organization, e.g., Agile
Development, DevSecOps, security, safety
• The scope of the implementation, e.g., large organization, small organization
• The industry, e.g., standards, best practices
• The applicable constraints, e.g., laws, regulations
An organization should ask the certified individual for references and examples of work that are
similar to its needs, goals, and circumstances. Figure 16. When and How a CMMI Partner-
Sponsored Individual Can Help provides a list of adoption steps and considerations for getting
help from a CMMI Partner-Sponsored Individual.

Figure 16. When and How a CMMI Partner-Sponsored Individual Can Help

Adoption Step: LEARN: Learn how CMMI will benefit the organization.
Considerations: A CMMI Partner-Sponsored Individual may help with:
• Providing an overview of CMMI to the organization
• Facilitating management buy-in. (Consider an external sponsored individual if management is more likely to listen to external expertise rather than internal.)
• Answering questions about CMMI
• Providing advice for starting improvement efforts
• Assisting with proposal efforts

Adoption Step: ESTABLISH OBJECTIVES: Develop and communicate business, performance, and improvement objectives.
Considerations: An expert perspective may provide insights and valuable input for:
• Identification of issues and needs
• Definition of business, performance, and improvement objectives
• Alignment of improvement efforts with needs and objectives

Adoption Step: ANALYZE: Map current organizational processes to CMMI.
Considerations: A CMMI Partner-Sponsored Individual may compare the organization’s current processes to CMMI by:
• Performing an independent gap analysis
• Leading the organization’s personnel in conducting a gap analysis or evaluation
An external expert can add credibility to the delivery and acceptance of the analysis results.

Adoption Step: DEVELOP ACTION PLAN: Develop, keep updated, and implement an improvement plan to get from the current state to the desired state.
Considerations: A CMMI Partner-Sponsored Individual may be able to give management a better idea of what is needed for an improvement effort, including:
• Resources
• Activities
• Schedule
• Cost
An expert may be able to assist in identifying appropriate measurements for addressing business, performance, and improvement objectives.

Adoption Step: DEPLOY IMPROVEMENTS: Deploy improvements.
Considerations: The continued assistance of a CMMI Partner-Sponsored Individual can help provide knowledge and expertise to help an organization efficiently deploy improvements and monitor adoption.

Adoption Step: ASSESS CAPABILITY: Assess organizational capabilities.
Considerations: A CMMI Partner-Sponsored Individual may help an organization:
• Monitor improvement efforts and performance targets
• Help adjust the improvement plan
• Plan for formal CMMI Appraisals, if needed
To be formally appraised, the organization needs to choose a Certified CMMI Lead Appraiser working under the sponsorship of a CMMI Partner. The Lead Appraiser can help with:
• Identifying the organizational and model scope
• Selecting and training Appraisal Team Members
• Planning the appraisal activities

Working with ISACA

The Role of ISACA


ISACA is the owner and steward of the CMMI Performance Solutions ecosystem, including the
model, appraisal method, courses, certifications, systems, and associated intellectual property.

When to Use ISACA


An organization can contact ISACA by visiting Customer Support, which provides general help
information and the ability to submit a support request. ISACA can assist through its
Customer Success team as an organization adopts CMMI. When new methods, approaches, or
other content are identified for potential inclusion in future model updates, ISACA maintains the
requirements, updates, and release plans and schedule for the CMMI Performance Solutions
ecosystem.
Generally, ISACA points you to experienced CMMI Partner-Sponsored Individuals available
through the CMMI Partner Network. However, in limited situations, ISACA may work directly
with organizations to provide support to:
• Corporate programs for large organizations looking to develop an enterprise-wide
improvement program
• Organizations wanting to build internal CMMI subject matter expertise and consulting
• Industry programs for trade associations or government agencies that want to build a
strategy for improving performance across an industry
• Organizations interested in piloting new content, methods, or approaches for CMMI
If this describes your organization’s goals, contact ISACA at https://support.isaca.org.

How to Use ISACA


If you have any questions about how to engage ISACA directly, contact ISACA at
https://support.isaca.org.

Appendix E: Building Goals, Risks, and KPIs
To improve your organization’s performance, you must first understand your business goals
along with your ability to meet those goals. This information can also be recorded using the
Performance Report template that a Certified CMMI Lead Appraiser uses as a part of appraisal
activities.
• List the top 3-5 business goals for your organization:

1.
2.
3.
4.
5.

• List the top 3-5 Key Performance Indicators (KPIs) for your organization:

1.
2.
3.
4.
5.

• Quantify your current performance (list your current KPIs):

1.
2.
3.
4.
5.

• List the issues or risks impacting your ability to meet your business goals:

1.
2.
3.
4.
5.

Appendix F: Define Your Current Processes
WHY (What, How, Your CMMI)
What do you do today? List the tasks associated with current activities.
• Work, program, project, and task management
o Identify the activities, e.g., planning, staffing, scheduling, estimating
• Designing, developing, building, and delivering a service or product
o Identify the activities, e.g., recording what the customer wants (identifying the
“requirements”), elaborating these requirements to determine how the customer’s
needs are met, designing the service or product, building the service or product,
testing the service or product to determine if it meets the needs of the customers,
and delivering the service or product
• Collateral activities associated with service or production
o Identify the activities, e.g., ensure consistent delivery of service or product
(configuration management), ensure consistent and repeatable performance of
building service or product (quality), measure activities associated with the production
and delivery of service or product, identify risks associated with service or product
production
• Organizational support and infrastructure
o Identify the activities the organization performs to enable quality and consistent
services and products, e.g., record practices and processes to be used across all
services and products, and training associated with enabling the workforce to perform
their tasks

How do you perform these tasks? After the required activities are identified, elaborate each
activity with “how” you perform the activities – the “how” can be bullets, checklists, documents.
The formality of the “how” can be determined by your organization.

Your CMMI: Use this list of activities and their associated elaborations and map them to
the activities your organization will perform within the context of CMMI, using the view of CMMI
that most applies to your organization and its capability and performance goals.

Appendix G: CMMI Practice Area Security
Adoption Examples
Figure 17. CMMI Practice Area Security Adoption Examples includes examples of security
relationships and impacts. This is not a comprehensive list of all possibilities.

Figure 17. CMMI Practice Area Security Adoption Examples


Practice Description of Example Security Relationship Potential Impacts
Area Security Relationships Details of Not Addressing
Category: DOING
Capability Area: Delivery & Managing Services (DMS)
Service In planning for services to • Data under • Service
Delivery offered by an consideration may organization
Management organization, the ability to include: personnel reputation could
(SDM) ensure customer security information, financial be harmed
is essential. Often services information, • Personnel data
Strategic competition sensitive leaks could result
involve the collection of
Service information, and in identity theft
customer data. This data
Management proprietary data. These • Proprietary or
is provided assuming the
(STSM) are just a few data competition
data is shared only
through authorized access types and content that sensitive data
anchored in principles of can be considered a leaks could cause
least privilege and need to threat if compromised. loss of business
know. Security • Work should be
requirements, including performed offline to
physical security the extent possible to
requirements, associated avoid internet
with the service delivery compromises
should be an integral part • Access controls and
of the service objectives, multi-factor
approach, and authentication
incorporated within the parameters should be
service system. The defined and
organization’s security implemented
approach and security • Physical security
controls are critical to the parameters should be
organization’s reputation established to ensure
within the industry and secure service delivery
with their customers.

Page 56
© 2024 ISACA. All rights reserved.
Practice Description of Example Security Relationship Potential Impacts
Area Security Relationships Details of Not Addressing
Capability Area: Engineering & Developing Products (EDP)
Practice Areas: Product Integration (PI); Technical Solution (TS)
Description of Security Relationships: While developing functional solutions for products, security threats and vulnerabilities must be anticipated. The results of these occurring should be analyzed to ensure that the product design minimizes or avoids their occurrence. In order to account for the security requirements and vulnerabilities that are not known, the use of exception handling is utilized to respond to the occurrence of exceptions – anomalous or exceptional conditions requiring special processing – during the execution of a program. If they do occur, disruptions should be minimized and analyzed to determine what the tolerance of acceptance is for the product. When integrating the system components, security threats should be tested for their disruption and effect, in addition to testing for security requirements.
Example Security Relationship Details:
• New threats are continually being identified and product design should focus on anticipating new threats before they become an issue. It is recommended to designate a specific individual or group in charge of tracking the various government security related regulations, standards, and laws, and researching the latest vulnerabilities.
• Periodically remind individuals, e.g., requirements analysts and testers, to watch for abnormalities
• Ensure the design incorporates consideration of known security threats
• Concepts associated with defense in depth should be considered
• Have backup plans, e.g., shut down when a new threat is recognized, revert to alternative code
• Establish mechanisms for frequent system backups, including when data should be stored off site
Potential Impacts of Not Addressing:
• System could be disabled
• Unplanned reduced capabilities might occur
• Total crashing of the system, preventing business operations might happen
• Revenue could be lost
Capability Area: Ensuring Quality (ENQ)
Practice Areas: Peer Reviews (PR); Process Quality Assurance (PQA); Requirements Development & Management (RDM); Verification & Validation (VV)
Description of Security Relationships: Security is NOT an afterthought. It is critical that it is included in all activities associated with the development of a product or service. Security requirements should be integrated into the functional requirements for both products and services. Their prioritization and assignment to components is coordinated with other requirements. Security requirements, attributes, and controls should be included in peer reviews during the planning and development of the product or service. Peer review checklists should include security as part of the normal verification activity. The security attributes and controls should be verified and validated throughout the lifecycle. Quality activities that are prescribed during the lifecycle should include security not as an extension but as a vital part of the functionality of the product or service. Quality checklists should include security within the normal audits.
Example Security Relationship Details:
• Security and access rights may affect who can review documents, audit processes, or test functionality. Ensure all personnel involved with these activities have relevant clearances or access rights.
• Requirements should include strong authentication requirements, e.g., multi-factor authentication
• Requirements should also include any external regulatory security requirements that have been imposed by the country or customer
• Quality should also audit for regulatory compliance throughout the lifecycle of the product or service. Audits should be periodic and event driven.
Potential Impacts of Not Addressing:
• System or data breach could happen
• Data could be lost or compromised
• Sensitive data could be disclosed
• Jobs could be lost because of a violation of the regulations
• Fines could be imposed due to violations of regulations
• Plant could be shut down when regulations result in remediation
• Work may be delayed or prevented if clearances or access rights are not in place
Capability Area: Selecting & Managing Suppliers (SMS)
Practice Areas: Supplier Agreement Management (SAM)
Description of Security Relationships: When suppliers are selected and supplier agreements are made, security should be a factor. Security requirements should be allocated as appropriate to all suppliers. Security controls within the functional solution are often further projected into functional security components and these are often out of the direct control of the provider. The requirements are allocated to components and likewise to the organizations responsible for the production of individual components or the organization responsible for the service. The supplier must assume responsibility for supplier associated security responsibilities.
Example Security Relationship Details:
• Suppliers should be assigned end item responsibilities for security compliance for each delivered product or service
• Supplier should be required to demonstrate compliance to any product or service security regulation
• Before the organization accepts a supplier deliverable, they should ensure regulatory compliance, error exception handling, and operational continuity after a threat or vulnerability is detected, and backup capabilities (if needed)
Potential Impacts of Not Addressing:
• Organization’s reputation could be damaged since supplier is working under the organization's direction
• System shutdown or service stoppage could occur
• Loss of revenue
Category: MANAGING
Capability Area: Managing Business Resilience (MBR)
Practice Areas: Continuity (CONT); Incident Resolution & Prevention (IRP); Risk & Opportunity Management (RSK)
Description of Security Relationships: It is important to consider that regardless of how robust the system is, security threats and vulnerabilities may still occur. Many threats and vulnerabilities are unknown and will continue to evolve throughout the lifespan of the system or service. Monitoring the system for vulnerabilities is a non-ending activity. When vulnerabilities are first identified, they are considered as risks. They are prioritized and analyzed for probability of occurrence. Plans for acceptance or mitigations can be put in place. Part of that plan should be planning for an actual threat or vulnerability disrupting business. A full business continuity plan addressing the business operations after a disruption should be developed and this plan should be dry run to ensure all responsibilities are covered and business is restored. Incidents such as threats and vulnerabilities should be solved, and it is important to prioritize and prevent these occurrences from recurring. Prevention activities also include preparing for and avoiding possible future unknown incidents.
Example Security Relationship Details:
• Comprehensive continuity planning is necessary to manage all possible disruptions to the business
• Threats and vulnerabilities are continuously evolving. New ones continue to be identified. It is important to predict as much as possible incidents and risks that can occur and how they can be handled.
• Hacking into your system might happen; it is important to know when to shut down
• Phishing emails could be sent to you; educating the operators is critical
• Additionally, part of this handling can be the determination of the results from realizing the threat and what the system/service can tolerate, when to shut down
• Incident response teams are often defined and trained, so they can react and manage incidents that affect the system when they occur
Potential Impacts of Not Addressing:
• Sudden unpredicted system/service shut down might occur
• There could be a long period of time without recovery. Customers left without system or service for an undetermined amount of time.
Capability Area: Managing the Workforce (MWF)
Practice Areas: Organizational Training (OT); Enabling Virtual Work (EVW); Workforce Empowerment (WE)
Description of Security Relationships: Training associated with security should include internal and external security approaches, objectives, and controls. The organization itself will have a significant amount of data that cannot risk being compromised. This data includes personnel data, competition sensitive data, and customer specific data. All personnel should be trained in the protection of this data and their individual responsibilities in the protection of that data. Security attributes should also be included in the product and service development lifecycle. As far as virtual delivery, since this assumes communication over very often non-secure communication lines, personnel should understand what can be shared across these lines, how to handle conversations on these lines, and other restrictions.
Example Security Relationship Details:
• Security training is varied and dependent on the individual roles and responsibilities
• The entire organization should take security awareness and education training. This should include how to address suspicious emails, customer/supplier access to company data, password protection, visitor logs, badge entry, company sensitive versus public information, implications of regulatory requirements etc.
• Product and service developers should be trained in how to incorporate security into functional solutions
• Business Objectives should incorporate security goals. These should be communicated throughout the organization.
• Virtual training should include access to virtual meetings, e.g., passwords are typical for access to virtual lobbies
Potential Impacts of Not Addressing:
• Inappropriate access to sensitive information from outside (hackers)
• Lack of trained personnel may lead to unintentional vulnerabilities
• Personnel not aware of or properly following physical security protocols can lead to unauthorized visitor access, which can result in theft of physical or intellectual property
• Inappropriate access to virtual meetings enables outsiders to gain access to competitive or internally sensitive information
Capability Area: Planning & Managing Work (PMW)
Practice Areas: Estimating (EST); Planning (PLAN); Monitor & Control (MC)
Description of Security Relationships: Planning for product development and service delivery includes the incorporation of security in all aspects of the lifecycle. Estimating security assumes the same diligence of all other requirements. They should be planned for at the inception of the job and monitored through the production cycle. Data on the planning should be kept ensuring security estimates in the future are based on real organizational experience.
Example Security Relationship Details:
• Quality estimates on additional security regulatory audits must be considered and incorporated
• Estimates for product and service tests associated with security requirement and associated planning must also be considered and incorporated
• Security requirements should also be estimated and planned when accepting supplier components
• The size, frequency, timing, and nature of specific security activities should be estimated and planned to ensure that personnel with the necessary clearances, access rights, knowledge and skills are in position to perform their duties at the appropriate time. This may include service delivery tasks or product development tasks that necessitate access to sensitive or security restricted information.
Potential Impacts of Not Addressing:
• If security is not planned for the product or service, security issues may be discovered too late and therefore more costly to fix
Category: ENABLING
Capability Area: Managing Data (MD)
Practice Areas: Data Management (DM); Data Quality (DQ)
Description of Security Relationships: A data security approach should include defined data needs, data criticality, and identified required compliance with appropriate laws and regulations. It is essential that an organization plans for data resiliency so it can recover from any type of business disruptions or cyber attacks.
Example Security Relationship Details:
• Data related to personal identifiable information (PII) or personal health information (PHI) must be secure and comply with laws and regulations.
• Administrative control using the principle of “least privilege access,” restricting or limiting authorized users
• Access controls need to be put in place to protect data such as encryption, data masking, redaction of sensitive information
Potential Impacts of Not Addressing:
• Unauthorized access to data or a data breach
• Loss of trade secrets or intellectual property (IP)
• Noncompliance with regulatory requirements, which could result in fines
• Loss of confidence from users and/or consumers if data is not protected
Capability Area: Supporting Implementation (SI)
Practice Areas: Causal Analysis & Resolution (CAR); Configuration Management (CM); Decision Analysis & Resolution (DAR)
Description of Security Relationships:
CAR: Security issues will occur. These will be both disruptive and may impact more than initially anticipated. Those outcomes which should never be repeated should be analyzed using traditional root cause analysis to avoid their reoccurrence. Likewise, if a security outcome is particularly effective, it should be analyzed to promote further use.
CM: Work products associated with security (e.g., requirements, objectives, approaches) should be identified for configuration management. The same rigor associated with development and service work products should be applied.
DAR: As the security requirements are finalized and the lifecycle progresses to determining a viable security approach and system, alternative solutions may be identified. These alternative solutions are prioritized and categorized to make the best selection. In product or service system development, security considerations should be a high priority in the determination of the appropriate technical solution.
Example Security Relationship Details:
• (CAR) When a security event causes system or service disruption, it is critical that an appropriate analysis be performed to avoid recurrence
• (CAR) Other security outcomes like data breaches and physical theft may also warrant further analysis before ensuring that the occurrence will not recur
• (CM) Work products like security event root cause analysis, security training, security strategies, security approaches for products and services, and security plans should be included in the organization configuration management data
• (DAR) When determining a security solution for functional solutions, alternatives like multi-factor authentication, varying levels of security for data, and system privileges should be considered
Potential Impacts of Not Addressing:
• Threats may continue if root causes of vulnerabilities are not addressed
• New product or service development will not have opportunity for good estimating and planning without insights from previous initiatives
• Without alternative solutions, a determination of the right solution is hampered. If there are issues with the solution, it would be difficult and often costly to restart with an evaluation of alternatives.

Capability Area: Managing Security & Safety (MSS)
Practice Areas: Enabling Security (ESEC); Enabling Safety (ESAF); Managing Security Threats & Vulnerabilities (MST)
Description of Security Relationships: This Capability Area is dedicated to Safety and Security. For security this establishes the organizational security strategy, security approach, and security objectives. It is important to note that this security approach incorporates any security framework or security regulations that may be required for the organization. This area also confirms that security threats and vulnerabilities are given additional focus beyond risks or incidents. It specifically looks at security risks and security incidents as threats and vulnerabilities. It raises the importance to ensure that the attention to threats and vulnerabilities are managed. The organization also determines their tolerance for accepting the possible disruptions. For safety, similarly to security, this area establishes the organization’s safety strategy, safety approach, and safety objectives.
Example Security Relationship Details:
• The security strategy and safety strategy determine the momentum and commitment of the organization to the importance of security and safety, both internally and externally
• The security approach and likewise the safety approach determine roles and responsibilities, how the organization implements the security strategy, and safety strategy respectively
• Managing the security threats and vulnerabilities enhances the organization’s existing risk and opportunity management system with establishing threats and vulnerabilities with the critical visibility they need
• Managing threats that are in a constant evolution is a challenge and clearly goes beyond the constraints of a risk
Potential Impacts of Not Addressing:
• If security and safety are put at an auxiliary or support level versus a primary initiative, this can cause the impacts of security threats and safety hazards to be more impacting and recovery less structured. It can take longer for the organization to recover and proceed operationally.

Category: IMPROVING
Capability Area: Improving Performance (IMP)
Practice Areas: Managing Performance & Measurement (MPM); Process Asset Development (PAD); Process Management (PCM)
Description of Security Relationships: The organizational security strategy should be integrated into all operations of the organization. The process assets should include security specific policies, procedures, work instructions, while existing operational process assets should include security considerations and requirements. Improvement activities should include those specific to security, and for any improvement identified, security needs and requirements must also be addressed. Security metrics should be incorporated within the organizational measurement repository. The metrics should be at the organization as well as the product and service levels. These metrics should be collected, reviewed, analyzed, and stored.
Example Security Relationship Details:
• When recording policies and procedures, concepts associated with defense in depth, defining multiple layers of security controls, should be understood
• Policies and procedures with common approaches for security should be established
• Tailoring guidance should be available on those aspects that may be security dependent for customers and contracts
• Security metrics should include security threat and vulnerabilities, e.g., metrics on time to resolve, compliance metrics associated with audits, disruption metrics - time to return to full operability, continuity plan dry run metrics.
Potential Impacts of Not Addressing:
• Central focus on security is missing
• Repeating security approaches independently for every product and service is ineffective
• Risk of missing a security threat or vulnerability that is already known
Capability Area: Sustaining Habit & Persistence (SHP)
Practice Areas: Governance (GOV); Implementation Infrastructure (II)
Description of Security Relationships: Any process strategy needs top-down support and an organizational structure to enable and support its deployment. Senior management must ensure that the overall Business Objectives include the security strategy and approach. Business Objectives may enable derived security objectives to align the organization with its regulations and security frameworks. Also, the organization must provide the time, budget, education, tools, and people needed to accomplish security requirements, approaches, and meet security expectations.
Example Security Relationship Details:
• Business Objectives including management commitment to security are important
• Goals associated with security specific and measurable security initiatives must be included
• Security training is critical
• Universal knowledge of security and its role in the organization is key for everyone
• Top-down approach to security, e.g., policies driven and reinforced by senior management, are instrumental to laying the foundation for security within the organization
Potential Impacts of Not Addressing:
• Lack of a focused approach to security, which includes the necessary resources and budget and is driven by senior management, can be detrimental to the longevity of the organization, through a negative reputation or the inability to keep systems and services available

Appendix H: Performance Categories
Figure 18. Performance Report Measurement Categories and Related Subcategories includes
examples of security relationships and impacts. The Performance Report is an important aspect
of the CMMI® appraisal process. It places emphasis on the performance improvements that
come from adopting a CMMI-based performance improvement approach. The report enables an
appraisal team to provide valuable information to the Appraisal Sponsor and the organization
about their performance as compared to their stated objectives. The appraisal team uses the
organization’s own performance data to provide feedback to the Appraisal Sponsor and the rest
of the organization.
It is important for an organization to consider what they want to measure, why they are
measuring it, and how it will help the organization meet its Business Objectives. The
performance report summary is based on the categories and subcategories below in Figure 18.
Performance Report Measurement Categories and Related Subcategories. Consider the
categories and subcategories listed below for your improvement efforts.

Figure 18. Performance Report Measurement Categories and Related Subcategories

Definitions (columns: Category; Definition; Related Subcategories; Description)
Category: Financial Performance
Definition: Financial management, revenue, and profitability targets.
Related Subcategories:
• Budget: Related budgeting activities.
• Cost Management: Actual costs compared to estimated or budgeted costs or general cost related objective or reduction.
• Cost Variance: Difference in estimated or planned and actual costs.
• Effort Variance: Difference between a planned and actual effort for various phases within the project.
• Finance: General finance related measure that is not reflected by other subcategories.
• First Time Right: Process is followed so that resulting solution is correct the first time and every time.
• Gross Revenue Growth: Amount of money made over time.
• Margins: The degree to which a business activity makes money.
• Market Growth: Change in market share.
• Net Income Growth: How much net income has increased over a period.
• On Time Payment or Invoicing: Payments or invoices that are sent or received on time.
• Sales Growth: Increase in sales as compared to the previous period.
Category: Operational Performance
Definition: Measures how well a company performs its core business activities.
Related Subcategories:
• Contract Compliance: Monitoring and controlling the procedures and norms outlined by a contract with another entity.
• Customer Satisfaction: General customer satisfaction and expectations related measures that are not reflected by other subcategories.
• Operational Activities: General operational efficiencies and activities that are not reflected by other subcategories.
• Risk Management: Identification and management of various types of risks and opportunities.
• Service Level Agreement: Agreed to measure of service expected between a customer and a supplier.
Category: Process Performance
Definition: An indication of activities based on standard procedures.
Related Subcategories:
• Process: General process related measures that are not reflected by other subcategories.
• Process Compliance: Objective evaluation of process performance and outcomes including resolving issues, non-compliances, or to meet regulatory requirements.
• Process Cycle Time: Time taken to perform processes.
• Process Improvement: Measures of improving solutions or processes.
Category: Productivity Performance
Definition: An evaluation of resource efficiency for delivering solutions.
Related Subcategories:
• Code Coverage: Amount of all code covered by test cases including both manual and automated.
• Defect Removal Efficiency: Measure of the ability to remove defects prior to release.
• Development Productivity: Ability to efficiently write software during a specific period.
• Peer Review Efficiency: Defects detected compared to time spent.
• Productivity: General productivity related measure or objective that is not reflected by other subcategories.
• Project or Solution Productivity: Amount of work completed during a specific period.
• Resource Utilization: Measures the actual usage or consumption of resources in relation to their availability.
• Reuse Rate: Existing software, hardware, or other materials or resources that are reused for new solutions.
• Rework: Time or effort spent making changes to the prior version because of issues.
• Solution Availability: Duration of time the solution is available for use.
• Sprint Efficiency: Work completed versus work committed per sprint.
• Testing Productivity: Ability to effectively perform testing activities in a specific period.
• Velocity: Amount of work completed in a given iteration.
• Workload Variance: Difference between estimated or planned, and actual workload.
Category: Quality Performance
Definition: Delivered solution performs as expected.
Related Subcategories:
• Data Quality: General data quality related measure or objective.
• Defect Containment: Measure of the ability to minimize defects that escape to downstream activities.
• Defect Density: Measures the number of defects per unit of output.
• Defect Detection: Rate defects are discovered.
• Defect Injection: Rate defects are introduced into a solution.
• Delivered Solution Quality: Ability to design, develop, validate, and deploy solutions that effectively address requirements.
• Mean Time Between Failures: A measure of the reliability of a system or component.
• Quality: General quality related measure that is not reflected by other subcategories.
Category: Safety Management
Definition: Prevention and control of harm.
Related Subcategories:
• Lost Time Injury: An injury sustained on the job that results in the loss of productive work time.
• Safety Activities: General safety related activities that are not reflected by other subcategories.
• Safety Incidents: Number of unplanned events that can cause injury, damage, or disrupt normal operations.
• Safety Violations: Number of safety policies or procedures violated.
Category: Security Management
Definition: Systematic identification, assessment, control, and resolution of security needs and threats.
Related Subcategories:
• Devices Running Unauthorized Software: Devices running unsanctioned software.
• Mean Time to Contain (MTTC): Time to secure all compromised endpoints and attack vectors.
• Mean Time to Detect (MTTD): Average time between when an incident occurs and it is detected.
• Mean Time to Response (MTTR): Average time to neutralize a threat and regain control of compromised systems.
• Privileged Account Access: Number of users with privileged account access.
• Recovery Point Objective: Measure of how much data can be lost after a disruption before it exceeds an organization's acceptable level.
• Recovery Time Objective: Maximum amount of time a business can tolerate before resuming normal operations after a disruption.
• Security: General security related measures or controls that are not reflected by other subcategories.
• Security Incidents: Occurrence of security related events.
• Security Patch Management: Time from when the patch is available until it is deployed in production.
• Security Training Coverage: Measure of personnel compliant with current security training.
Category: Supplier Performance
Definition: Supply chain management activities.
Related Subcategories:
• Supply Chain Activities: General supply chain measures that are not reflected by other subcategories.
• Supplier Defect Containment: Measure of the ability to minimize supplier defects that escape to downstream activities.
• Supplier Defect Density: Defects delivered in a supplier solution.
• Supplier Peer Reviews: Review of a project's artifacts including documentation, requirements, code, design, test cases, etc.
• Supplier Peer Review Efficiency: Supplier defects detected compared to time spent.
• Supplier Quality: Supplier's ability to deliver goods or services that satisfy customers' needs.
• Supplier Test Coverage: Measurement used to describe the degree to which the supplier source code or requirements of a solution are tested by test cases.
• Supplier Testing Effectiveness: Supplier defects detected during a testing period.
Category: Technical Performance
Definition: Activities related to the creation, delivery, or performance of solutions.
Related Subcategories:
• On Time Delivery: Measure of target dates achieved.
• Requirements Achievement: General functionality related measure or number of requirements completed.
• Requirements Volatility: Percent requirements change from their baselined state.
• Schedule Activities: General schedule related measure or objective.
• Schedule Performance Index: An earned value measure of the conformance of actual progress to the planned progress.
• Schedule Variance: Difference in estimated or planned and actual schedule.
• Technical Activities: General technical related activities that are not reflected by other subcategories.
• Test Automation: Extent to which automated tests cover different aspects of the solution.
• Test Coverage: Measurement used to describe the degree to which the source code or requirements of a solution are tested by test cases.
• Testing Effectiveness: Defects detected during a testing period.
Category: Workforce Management
Definition: Having the right human resources with the needed knowledge and skills, and the capacity to deliver the organization’s solutions.
Related Subcategories:
• Diversity, Equity, and Inclusion: Tracking of Diversity, Equity, and Inclusion (DEI) efforts of the organization based on DEI goals, initiatives, or targets.
• Employee Attendance: Amount of time employees are absent from work.
• Employee Retention: Measures the number of employees who remain employed at an organization over a specific period.
• Employee Satisfaction: Level of contentment of an organization's employees.
• Headcount: Total number of employees.
• Key Employee Turnover: Turnover rate in key positions in the organization.
• Length of Service: Time spent in a particular position.
• Organizational Development: Organization wide activity to increase effectiveness and culture.
• Staff Development: Activities to increase workforce knowledge, skills, capacity, and readiness to deliver solutions.
• Time to Fill: Time to find and hire a new candidate into the role.
• Time to Proficiency: Time for employees to reach performance expectations once they are in a new role.
• Virtual or Hybrid Workforce: Measure of the workforce that includes use of virtual, remote, or hybrid methods to manage personnel, work efforts, communication, and collaboration.
• Workforce Activities: General workforce related activities that are not reflected by other subcategories.
• Workforce Opportunity Costs: Measure of work loss due to lack of skilled resources or their availability.
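The Security Management subcategories in Figure 18 (MTTD, MTTC, MTTR, Recovery Point Objective, Recovery Time Objective, Security Patch Management) and the time-to-resolve and disruption metrics suggested for the measurement repository in the Improving Performance row can be computed mechanically from incident records. The Python below is an added example, not code from the ISACA guidance; the incident and patch records are constructed sample data, and measuring MTTC and MTTR from the moment of detection is an assumption, since the definitions above do not fix a start point.

```python
"""Added example (not ISACA's code): computes the Figure 18 Security Management
subcategories from constructed incident and patch records.

Assumptions: MTTC and MTTR are measured from detection (the definitions do not
fix a start point); RPO and RTO are policy thresholds checked per incident."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Incident:
    """One security incident with the timestamps the metrics need."""
    name: str
    occurred: datetime          # incident actually began
    detected: datetime          # incident was detected
    contained: datetime         # all compromised endpoints and attack vectors secured
    neutralized: datetime       # threat neutralized, control of systems regained
    restored: datetime          # normal operations resumed
    last_good_backup: datetime  # newest backup usable for recovery


@dataclass(frozen=True)
class Patch:
    """A security patch and when it reached production (None = still pending)."""
    name: str
    available: datetime
    deployed: Optional[datetime]


def _mean_hours(deltas: List[timedelta]) -> Optional[float]:
    """Average of the deltas in hours; None when there is nothing to average
    (statistics.mean raises on an empty sequence)."""
    if not deltas:
        return None
    return round(mean(d.total_seconds() for d in deltas) / 3600.0, 2)


def mttd_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean Time to Detect: occurrence to detection."""
    return _mean_hours([i.detected - i.occurred for i in incidents])


def mttc_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean Time to Contain: detection to all endpoints/vectors secured (assumed start)."""
    return _mean_hours([i.contained - i.detected for i in incidents])


def mttr_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean Time to Response: detection to threat neutralized and control regained."""
    return _mean_hours([i.neutralized - i.detected for i in incidents])


def patch_latency_hours(patches: List[Patch]) -> Optional[float]:
    """Security Patch Management: patch available until deployed in production.
    Pending patches are excluded from the mean and counted separately."""
    return _mean_hours([p.deployed - p.available for p in patches if p.deployed])


def objective_breaches(incidents: List[Incident], rpo: timedelta,
                       rto: timedelta) -> Dict[str, List[str]]:
    """RPO: data lost (occurred - last_good_backup) may not exceed rpo.
    RTO: time to resume normal operations (restored - occurred) may not exceed rto."""
    return {
        "rpo": [i.name for i in incidents if i.occurred - i.last_good_backup > rpo],
        "rto": [i.name for i in incidents if i.restored - i.occurred > rto],
    }


def security_report(incidents: List[Incident], patches: List[Patch],
                    rpo: timedelta, rto: timedelta) -> Dict[str, object]:
    """Collect every subcategory into one measurement-repository style record."""
    report: Dict[str, object] = {
        "mttd_hours": mttd_hours(incidents),
        "mttc_hours": mttc_hours(incidents),
        "mttr_hours": mttr_hours(incidents),
        "security_incidents": len(incidents),
        "patch_latency_hours": patch_latency_hours(patches),
        "patches_pending": sum(1 for p in patches if p.deployed is None),
    }
    for key, names in objective_breaches(incidents, rpo, rto).items():
        report[f"{key}_breaches"] = names
    return report


# Constructed sample data (not real incidents or patches).
H = timedelta(hours=1)
T0 = datetime(2024, 3, 1, 8, 0)
T1 = datetime(2024, 3, 10, 0, 0)
SAMPLE_INCIDENTS = [
    Incident("A", T0, T0 + 2 * H, T0 + 5 * H, T0 + 8 * H, T0 + 12 * H, T0 - 2 * H),
    Incident("B", T1, T1 + 6 * H, T1 + 11 * H, T1 + 14 * H, T1 + 28 * H, T1 - 6 * H),
]
SAMPLE_PATCHES = [
    Patch("P1", datetime(2024, 2, 1), datetime(2024, 2, 8)),    # deployed after 7 days
    Patch("P2", datetime(2024, 2, 15), datetime(2024, 2, 18)),  # deployed after 3 days
    Patch("P3", datetime(2024, 3, 12), None),                   # still pending
]
RPO = 4 * H   # policy: at most 4 hours of data loss
RTO = 24 * H  # policy: normal operations resumed within 24 hours

if __name__ == "__main__":
    for key, value in security_report(SAMPLE_INCIDENTS, SAMPLE_PATCHES, RPO, RTO).items():
        print(f"{key}: {value}")
```

Incident "B" breaches both the RPO and the RTO in the sample data, which is the kind of per-incident finding a periodic audit of these metrics is meant to surface.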

Page 73
© 2024 ISACA. All rights reserved.
Appendix I: Context Specific Tags
Within CMMI, there are two types of informative material: “explanatory” and “context
specific.” The “Context Specific” section contains information that is relevant to a context and
establishes common ground for a specific industry, methodology, or discipline. The context
specific information mirrors the structure of the required and explanatory information, including
links to additional informative material. It includes the:
• Context specific identifier and description
• Context specific explanation
• Intent and value of the context specific information as it relates to the practice, as needed
• Example activities in addition to those listed in the explanatory information material, as
needed
• Context specific work product examples and definitions, attributes, or type of things to
include in the work product content in this context, as needed
• External links or information, e.g., training, templates, example assets
Examples of contexts may include:
• Agile Development
• Data
• Development
• DevSecOps
• People
• Safety
• Security
• Services
• Suppliers
Figure 19. CMMI Context Specific Tags references all locations of the context specific tags in
CMMI. Reviewing the context specific information can help adoption for organizations in
specific industries or that use specific methodologies or disciplines.

Figure 19. CMMI Context Specific Tags

Columns: Context Specific Tag; Practice Area/Practice
Agile Development • CAR PA Overview
• CM PA Overview
• DAR PA Overview
• EST PA Overview
• MPM PA Overview
• MC PA Overview
• PR PA Overview
• PLAN PA Overview
• PLAN 2.1
• PAD PA Overview
• PCM PA Overview
• PQA PA Overview

• PI PA Overview
• RDM PA Overview
• RSK PA Overview
• TS PA Overview
• VV PA Overview
Data • CM 2.5
• GOV PA Overview
• II PA Overview
• MPM PA Overview
• MPM 4.1
• MC PA Overview
• OT PA Overview
• OT 3.4
• PLAN PA Overview
• PAD PA Overview
• PQA 2.2
• PI PA Overview
• RDM PA Overview
• RDM 2.2
• TS PA Overview
• TS 3.1
Development
• CM PA Overview
• CM 2.3
• DAR PA Overview
• DAR 2.1
• MPM 4.1
• PLAN PA Overview
• PLAN 2.1
• PLAN 2.8
• PLAN 3.2
• PLAN 3.4
• RDM PA Overview
• RDM 3.1
• RDM 3.4
• SAM 3.1
• VV 2.1
DevSecOps
• CAR PA Overview
• CAR 2.1
• CM PA Overview
• CM 2.2
• ESEC PA Overview
• ESEC 3.2
• ESEC 3.3
• EVW PA Overview
• II PA Overview
• II 2.1
• II 2.2
• MPM PA Overview
• MPM 2.2
• MC PA Overview
• OT 3.4
• PR PA Overview
• PR 2.1
• PR 2.2
• PR 2.3
• PR 3.1
• PLAN PA Overview
• PAD PA Overview
• PAD 3.2
• PAD 3.3
• PI PA Overview
• PI 2.1
• PI 2.2
• PI 2.3
• PI 2.4
• PI 2.5
• PI 2.6
• PI 3.1
• PI 3.2
• PI 3.3
• TS PA Overview
People
• CM 2.1
• EST PA Overview
• GOV PA Overview
• II 3.1
• MPM 2.1
• MPM 2.2
• OT 3.2
• PLAN PA Overview
Safety
• CM 2.1
• CONT PA Overview
• GOV PA Overview
• II PA Overview
• II 3.3
• IRP PA Overview
• MPM PA Overview
• MPM 2.1
• OT 2.1
• OT 3.4
• PLAN PA Overview
• PAD PA Overview
• PAD 3.2
• PAD 3.3
• PQA 2.2
• RDM 2.1
• RDM 2.2
• RDM 2.3
• RDM 2.4
• RSK 3.2
• RSK 3.4
• SAM 2.4
• TS PA Overview
• TS 2.1
• VV PA Overview
Security
• CM 2.1
• GOV PA Overview
• II PA Overview
• II 3.3
• IRP 2.1
• MPM PA Overview
• MPM 2.1
• OT 2.1
• OT 3.4
• PLAN PA Overview
• PLAN 2.1
• PLAN 2.5
• PLAN 3.4
• PAD PA Overview
• PAD 3.2
• PAD 3.3
• PQA 2.2
• PI 2.2
• RDM PA Overview
• SAM PA Overview
• SAM 2.2
• SAM 2.3
• SAM 2.4
• TS PA Overview
• TS 2.1
• TS 3.1
• VV PA Overview
Services
• DAR 2.1
• EST 2.2
• EST 2.3
• MPM 2.2
• MPM 3.5
• MST PA Overview
• MC 2.1
• MC 2.2
• MC 2.4
• MC 3.1
• OT PA Overview
• PLAN PA Overview
• PLAN 1.1
• PLAN 2.1
• PLAN 2.2
• PLAN 2.3
• PLAN 2.4
• PLAN 3.1
• PLAN 3.2
• PLAN 3.4
• PAD 3.4
• PI PA Overview
• PI 3.1
• PI 3.2
• PI 3.3
• RDM PA Overview
• RDM 2.4
• RDM 3.6
• TS PA Overview
• VV PA Overview
• VV 2.1
Suppliers
• CAR PA Overview
• DAR PA Overview
• DAR 2.1
• DAR 2.3
• EST 2.1
• EST 2.2
• EST 2.3
• EST 3.2
• MPM PA Overview
• MPM 1.1
• MPM 2.1
• MPM 2.2
• MPM 2.3
• MPM 2.4
• MPM 2.5
• MST PA Overview
• MC PA Overview
• MC 2.1
• MC 2.3
• MC 2.4
• MC 3.1
• MC 3.2
• MC 3.4
• PLAN PA Overview
• PLAN 2.1
• PLAN 2.2
• PLAN 2.3
• PLAN 2.4
• PLAN 2.5
• PLAN 2.6
• PLAN 3.1
• PLAN 3.4
• RDM PA Overview
• RDM 2.3
• RDM 2.4
• RDM 3.3
• RDM 3.6
• RSK 3.4