Performing an INFOSEC provides an organization with a clear view of the maturity of its entire security program, which can then be confidently communicate to clients and vendors in industry-recognized terms.

SecureState’s Information Security (INFOSEC) Assessment methodology utilizes Carnegie Mellon’s Capability Maturity Model Integration (CMMI) to assess the current maturity level of an organization’s security program across 16 security domains.


Annual assessments provide an organization with a clear view of the current state of its entire security program, as well as how it has changed over time. Recommendations provide essential and useful information, and ultimately add value to the business in terms of increased security, without sacrificing staff’s ability to operate efficiently and effectively.

This approach specifically reviews the design of controls through a qualitative, interview based methodology while identifying missing or broken controls. Coupled with an iRisk assessment which is used to identify and assess risks that could impact the achievement of business objectives, the organization gets a useful, holistic foundation for its security program.


Over the past decade, SecureState has performed hundreds of assessments using the INFOSEC methodology for clients ranging from small, private organizations of fewer than 100 employees, to Fortune 500 corporations with thousands of employees, across numerous verticals including healthcare, manufacturing, financial, government, and service providers. INFOSEC assessments are executed by experienced SecureState staff including ISO 27001 Auditors, PCI Qualified Security Assessors (QSA), Certified Information Privacy Professionals (CIPP/US), and Certified Information Systems Security Professionals (CISSP), among others.


Approach and Methodology

Prior to arriving onsite, SecureState will engage in several activities to prepare for the engagement, including scheduling an engagement kick-off call, providing interview scheduling guidance, and gathering initial client documentation.

While onsite, SecureState will interview personnel responsible for each of the 16 security domains within your organization. This will cross multiple boundaries, including such areas as IT, IT Security, Human Resources, Finance, and Operations. Once the onsite portion of the assessment is completed, SecureState will analyze the gathered information and begin to evaluate each control within the 16 security domains. Where applicable, SecureState may contact the client to request further documentation or schedule follow-up phone interviews to clarify findings.

Finally, SecureState will deliver the INFOSEC report which provides maturity ratings for each of the 16 security domains, an overall maturity rating, and a breakdown of controls which should be implemented to reach each domain’s next maturity level. SecureState will also benchmark your organization to help you identify where your security program compares to your peers.

Get Started!