Continuous Improvement and Audit Programme Maturity

Audit programmes do not stand still: they evolve through structured lessons-learned reviews, maturity model assessments, and tighter integration with enterprise risk management. This topic explains how organisations measure audit programme effectiveness, apply maturity frameworks such as CMMC tiers, and build a culture of continuous security improvement.

Audit programme maturity is the degree to which an organisation's audit activities are systematically planned, executed, measured, and improved over time. A low-maturity programme runs audits reactively, uses inconsistent methods, and rarely revisits whether last year's findings were genuinely closed. A high-maturity programme operates on a risk-driven schedule, applies repeatable testing procedures, tracks remediation to verified closure, and feeds lessons from every cycle back into the next plan. Most maturity frameworks describe this progression in three to five discrete levels, each requiring the capabilities of lower levels plus defined additional practices. The Cybersecurity Maturity Model Certification (CMMC) used by the United States Department of Defense, the Capability Maturity Model Integration (CMMI), and the Internal Audit Capability Model (IA-CM) from the Institute of Internal Auditors are the most widely referenced frameworks. Each frames maturity as a journey, not a destination.

The continuous improvement dimension of audit maturity comes from the Plan-Do-Check-Act (PDCA) cycle embedded in ISO/IEC 27001 and reflected in most governance frameworks. After each audit cycle, the programme reviews what it found, how efficiently it found it, and what it missed. That review produces changes to the next audit plan: different scope, different testing methods, rebalanced resource allocation, or updated risk ratings. Over successive cycles, these adjustments compound. The programme gets better at finding real risks and faster at seeing remediation through to completion.

Enterprise risk management (ERM) integration is the third pillar. An audit programme that operates in isolation from the organisation's risk register will audit the wrong things: it will spend time on stable, low-risk controls while higher risks in adjacent areas go unexamined. When audit planning is driven by the ERM risk register, audit coverage tracks the organisation's actual risk profile. Changes in the threat environment or in business operations that update the risk register automatically create pressure to update the audit plan. This alignment is what regulators such as the UK's Financial Reporting Council and the US Securities and Exchange Commission mean when they describe audit as a risk assurance function rather than a compliance checklist exercise.

By the end of this topic you will be able to:

  • Describe the levels in a maturity model and explain how CMMC tiers translate those levels into contractual requirements for defence contractors.
  • Explain how a lessons-learned review is structured and identify the output that feeds back into the next audit cycle.
  • Select and define the key metrics used to measure audit programme effectiveness, including finding rate, repeat-finding rate, and mean time to close.
  • Explain how integration with an enterprise risk management framework changes audit planning and coverage decisions.
  • Describe the role of internal audit in building a culture of continuous security improvement, including its relationship with the board and senior management.

Key terms
Audit programme maturity
The degree to which an organisation's audit activities are systematically planned, resourced, executed, measured, and improved. Maturity is usually described on a scale of three to five levels, from ad hoc at the low end to optimising or continuous improvement at the high end.
CMMC (Cybersecurity Maturity Model Certification)
A United States Department of Defense framework that certifies defence contractors at one of five tiers of cybersecurity capability. Each tier requires the practices of lower tiers plus additional controls. The required tier is specified in the contract and must be achieved before bid award.
Lessons-learned review
A structured post-cycle review that identifies what worked, what failed, and what should change in the next audit cycle. The output is a set of concrete changes to scope, methodology, resource allocation, or risk ratings.
Mean time to close (MTTC)
The average elapsed time between the date a finding is formally reported and the date remediation is verified as complete. MTTC is one of the primary metrics for measuring audit programme effectiveness and the health of the remediation process.
Enterprise risk management (ERM) integration
The practice of aligning audit planning with the organisation's ERM risk register so that audit coverage tracks actual risk. When the risk register changes, the audit plan changes accordingly, keeping the programme risk-driven rather than compliance-driven.
Repeat finding rate
The percentage of findings in the current audit cycle that were also identified in the prior cycle. A high repeat finding rate signals that remediation is not being completed or verified, and that the programme is cycling through the same weaknesses without improvement.

Maturity models: structure and levels

A maturity model defines a progression of capability levels, each more systematic and effective than the last. The underlying logic is the same across frameworks: organisations at low levels do things informally and inconsistently; organisations at high levels have documented processes, measure outcomes, and improve based on evidence. Maturity models are useful because they give an organisation a concrete picture of where it stands and a defined set of practices it must adopt to advance.

Most models converge on five levels. Level 1 is initial or ad hoc: processes exist but are not documented, results depend on individual effort, and the organisation does not measure what it does. Level 2 is managed: processes are documented and repeatable, but they are siloed and not consistently integrated across the organisation. Level 3 is defined: processes are standardised across the organisation, and staff follow them consistently. Level 4 is quantitatively managed: the organisation measures process performance and uses data to control variation. Level 5 is optimising: the organisation uses measurement data to drive continuous improvement and adapts processes when the environment changes. These level descriptions come from the CMMI framework, but clause 10 of ISO/IEC 27001 (the ISMS improvement clause), the Internal Audit Capability Model, and most risk frameworks use a structurally identical progression.

| Level | Label | Key characteristic | Audit programme behaviour |
|---|---|---|---|
| 1 | Initial / Ad hoc | No documented process | Audits triggered by incidents or compliance deadlines only |
| 2 | Managed | Documented but siloed | Annual audit plan exists; scope is fixed rather than risk-driven |
| 3 | Defined | Standardised across the organisation | Risk-driven scheduling; consistent methodology; findings tracked |
| 4 | Quantitatively managed | Measured and controlled | Metrics used to monitor coverage, MTTC, and finding rates |
| 5 | Optimising | Data-driven continuous improvement | Lessons-learned drives each cycle; ERM integration is real-time |

Most organisations that have not deliberately invested in audit programme development operate somewhere between Level 1 and Level 2. The gap between Level 2 and Level 3 is the transition most organisations need to make to satisfy modern regulatory expectations: ISO 27001 certification, for instance, requires the audit programme to be risk-driven and to include a management review process, which corresponds to at least Level 3 behaviour.

CMMC tiers and contractual maturity requirements

The Cybersecurity Maturity Model Certification (CMMC) translates maturity levels into contractual requirements for organisations that handle US Department of Defense (DoD) data. Unlike frameworks that are adopted voluntarily, CMMC makes a specific tier a condition for contract award. An organisation that does not hold the required CMMC tier cannot bid on the relevant contract.

CMMC 2.0, released in 2021 and codified in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, defines three active tiers. Level 1 (Foundational) requires 17 practices drawn from FAR 52.204-21, covering basic cyber hygiene such as access control, identification and authentication, and media protection. Level 1 organisations self-assess annually. Level 2 (Advanced) requires 110 practices aligned to NIST SP 800-171, addressing the full range of controls for protecting Controlled Unclassified Information (CUI). Most Level 2 organisations must obtain a third-party assessment from a CMMC Third-Party Assessor Organisation (C3PAO); some may self-assess for contracts with lower CUI sensitivity. Level 3 (Expert) requires at least 110 practices from NIST SP 800-171 plus additional practices from NIST SP 800-172, and requires a government-led assessment. The three-tier structure of CMMC 2.0 maps roughly to Levels 1, 3, and 5 of the five-level maturity model, compressing the full range into the tiers that are practically achievable and contractually enforceable.

For internal audit, CMMC creates a clear mandate: the audit programme must be capable of assessing all 110 NIST SP 800-171 practices (or the relevant subset) and must do so with sufficient rigour to support a third-party assessment. Organisations preparing for CMMC Level 2 assessment typically run a gap assessment first, map findings to specific practice requirements, remediate gaps, and then run a pre-assessment internal audit before inviting the C3PAO. This sequence mirrors the ISO 27001 internal audit cycle that precedes a certification audit, and the same lessons about programme maturity apply: a low-maturity internal audit programme that misses gaps before the external assessment creates certification risk and remediation cost.

Lessons-learned reviews and the improvement cycle

A lessons-learned review is a structured session held after each audit cycle closes. Its purpose is to identify what the programme did well, what it missed, and what it should do differently next time. The review is not a performance appraisal of the audit team; it is an analysis of the programme's processes, outputs, and outcomes.

A well-run lessons-learned review addresses four questions. First, coverage: did the audit plan reach all high-risk areas, or were some skipped because of resource constraints or outdated risk ratings? Second, accuracy: did the findings correctly identify genuine control weaknesses, or were there significant false positives that consumed remediation effort without improving security? Third, efficiency: how long did each audit take relative to the risk addressed, and where did delays occur? Fourth, remediation: how many findings from this cycle were repeat findings from the prior cycle, and what does that say about the remediation process?

The output of the review is a set of documented changes to the next audit plan. These might include adding coverage of a newly identified risk area, retiring an audit that consistently finds no issues in a stable, low-risk process, revising testing procedures that have produced high false-positive rates, or escalating findings with persistently high repeat rates to senior management or the board. The key discipline is that every change must trace to evidence from the completed cycle, not to opinion or preference.

Metrics for measuring audit programme effectiveness

You cannot improve what you do not measure. Audit programmes at maturity Level 4 and above define a metrics set, collect data consistently across cycles, and use the data to drive decisions. The metrics fall into three categories: coverage metrics, quality metrics, and remediation metrics.

Coverage metrics measure whether the programme is examining the right things. The audit coverage ratio is the percentage of in-scope assets, processes, or control domains audited within the defined cycle period. Risk-weighted coverage refines this by checking whether the audit time spent correlates with the risk ratings in the risk register. An audit programme that spends 40 percent of its time on low-risk administrative processes while several high-risk technical domains go unaudited has poor risk-weighted coverage regardless of what the raw coverage ratio shows.

Quality metrics measure whether the programme is finding what is there to find. The finding rate is the number of significant control weaknesses identified per audit, normalised by scope size. A programme that consistently finds no significant issues in complex, high-risk environments is either auditing excellently controlled environments or missing weaknesses. The false-positive rate measures how often reported findings are disputed and found, on review, not to represent genuine control failures. High false-positive rates waste remediation effort and erode stakeholder trust in audit conclusions.

Remediation metrics measure whether the programme is producing improvement, not just reports. Mean time to close (MTTC) is the average elapsed time between finding report date and verified closure date, broken down by severity. Repeat finding rate measures the percentage of findings that recurred from the prior cycle. Overdue finding rate tracks the percentage of open findings past their agreed remediation deadline. These three metrics together give a clear picture of remediation health. If MTTC is long, overdue rates are high, and repeat rates are rising, the problem is not in the audit; it is in the remediation governance structure, and the audit function should surface that to the board.
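The metrics above, and the coverage and remediation questions of the lessons-learned review, can be computed directly from the finding register. The following is an added example, not code from the original page: it builds a constructed set of findings and per-domain audit hours (all values are invented) and derives MTTC by severity, repeat finding rate, overdue finding rate, false-positive rate, and raw versus risk-weighted coverage. Disputed findings are excluded from MTTC so that false positives do not distort remediation timing.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Constructed sample data (not from the original page): one record per reported finding.
@dataclass
class Finding:
    fid: str
    severity: str
    control_id: str            # control the finding was raised against (e.g. NIST SP 800-171 id)
    reported: date             # date the finding was formally reported
    due: date                  # agreed remediation deadline
    closed: Optional[date]     # date remediation was VERIFIED closed; None if still open
    disputed: bool = False     # reviewed and upheld as not a genuine control failure

TODAY = date(2024, 6, 30)
PRIOR_CYCLE_CONTROLS = {"AC-2", "IA-5", "MP-6"}   # constructed: controls with findings last cycle

CURRENT_CYCLE = [
    Finding("F-01", "high",   "AC-2", date(2024, 1, 15), date(2024, 3, 15), date(2024, 3, 1)),
    Finding("F-02", "high",   "SC-7", date(2024, 2, 1),  date(2024, 4, 1),  None),
    Finding("F-03", "medium", "IA-5", date(2024, 2, 10), date(2024, 5, 10), date(2024, 4, 20)),
    Finding("F-04", "low",    "CM-6", date(2024, 3, 5),  date(2024, 6, 5),  date(2024, 3, 20), True),
    Finding("F-05", "medium", "AU-6", date(2024, 4, 1),  date(2024, 7, 1),  None),
]

# Constructed: audit hours spent per control domain this cycle, and each domain's ERM risk rating.
HOURS_BY_DOMAIN = {"AC": 40, "IA": 20, "CM": 60, "SC": 0}
RISK_BY_DOMAIN = {"AC": "high", "IA": "high", "CM": "low", "SC": "high"}


def mttc_by_severity(findings):
    """Mean days from report to verified closure per severity (genuine, closed findings only)."""
    out = {}
    for sev in sorted({f.severity for f in findings}):
        days = [(f.closed - f.reported).days
                for f in findings if f.severity == sev and f.closed and not f.disputed]
        out[sev] = mean(days) if days else None   # None: nothing closed yet at this severity
    return out

def repeat_finding_rate(findings, prior_controls):
    """Percent of this cycle's findings raised against a control that also had a finding last cycle."""
    return 100.0 * sum(f.control_id in prior_controls for f in findings) / len(findings)

def overdue_finding_rate(findings, today):
    """Percent of still-open findings whose agreed deadline has already passed."""
    open_findings = [f for f in findings if f.closed is None]
    if not open_findings:
        return 0.0
    return 100.0 * sum(f.due < today for f in open_findings) / len(open_findings)

def false_positive_rate(findings):
    """Percent of reported findings that were disputed and upheld as not genuine."""
    return 100.0 * sum(f.disputed for f in findings) / len(findings)

def coverage(hours, risk):
    """Raw coverage ratio, share of hours on high-risk domains, and high-risk domains left unaudited."""
    audited = [d for d, h in hours.items() if h > 0]
    total = sum(hours.values())
    high_hours = sum(h for d, h in hours.items() if risk[d] == "high")
    return {
        "coverage_ratio_pct": 100.0 * len(audited) / len(hours),
        "high_risk_hours_pct": 100.0 * high_hours / total if total else 0.0,
        "unaudited_high_risk": sorted(d for d in hours if risk[d] == "high" and d not in audited),
    }
```

On the constructed data the raw coverage ratio is 75 percent, yet only half the hours went to high-risk domains and one high-risk domain was never audited, which is exactly the gap the risk-weighted view is meant to expose.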

Integration with enterprise risk management

An audit programme that operates independently of the organisation's risk register will systematically audit the wrong things. Risk profiles change: a process that was low-risk two years ago may now be high-risk because of a new technology, a new business line, or a change in the threat environment. An audit plan built on the prior year's scope will miss these changes. ERM integration is the mechanism that keeps the audit plan current.

In practice, ERM integration means that the audit planning process starts with the risk register, not with the prior year's audit schedule. The chief audit executive (CAE) or audit programme manager reviews the ERM risk register at the start of each planning cycle, identifies the highest-rated risks, and builds the audit plan to provide assurance on the controls that mitigate those risks. When the risk register is updated during the year because of a new threat or a control failure, the audit plan is adjusted accordingly.

The three lines of defence model, widely used in financial services and increasingly in other sectors, describes how ERM and audit interlock. The first line is operational management, which owns and operates controls. The second line is risk management and compliance functions, which set the risk framework and monitor compliance. The third line is internal audit, which provides independent assurance on the effectiveness of the first two lines. This model is referenced in the Institute of Internal Auditors (IIA) guidance and in regulatory frameworks from the UK's Prudential Regulation Authority (PRA), the European Banking Authority (EBA), and the US Federal Financial Institutions Examination Council (FFIEC). Under this model, audit that does not read from the ERM risk register is third-line assurance that is not aligned to what the first and second lines are managing, which is a governance gap.

Internal audit and the culture of security improvement

A culture of security improvement exists when control weaknesses are treated as information to act on, not as inconveniences to minimise or conceal. Internal audit is one of the primary mechanisms through which organisations build and sustain that culture. Its role is not only to find weaknesses but to ensure that findings reach the people with the authority and budget to correct them, and to verify that correction has actually occurred.

The reporting line of internal audit matters for culture. An internal audit function that reports to the Chief Information Security Officer (CISO) or to the IT department it is auditing does not have the independence needed to escalate uncomfortable findings without institutional pressure. The IIA standards require internal audit to have organisational independence: functionally, it should report to the audit committee of the board (or equivalent governance body), not to the management it audits. This structure gives internal audit the standing to escalate repeat findings, overdue remediation, or systematic control failures to the board without management filtering the message. The UK Corporate Governance Code, the US Sarbanes-Oxley Act (SOX) requirements for audit committees, and India's Companies Act 2013 (Section 177) all require audit committees with independent directors to oversee the internal audit function for this reason.

The PDCA cycle in ISO 27001 clause 10 provides the structural backbone for embedding continuous improvement in the ISMS. Clause 10.1 requires the organisation to react to nonconformities, take corrective action, and evaluate the effectiveness of that action. Clause 10.2 requires continual improvement of the ISMS. Internal audit produces the evidence that feeds both clauses: findings are the nonconformities, remediation verification confirms corrective action, and the trend in finding rates and MTTC across cycles is the evidence of continual improvement. Organisations that treat audit as a one-time compliance exercise rather than a recurring improvement mechanism cannot satisfy the continual improvement requirement and will not sustain ISO 27001 certification through surveillance audits.

Practical steps for building improvement culture include: publishing audit finding trend data to senior management (not just individual audit reports), tying security control remediation to management performance objectives, celebrating genuine improvements when metrics improve rather than only reporting failures, and making the lessons-learned review a standing agenda item in the annual ISMS management review. These steps move audit from a compliance function to a strategic one: the programme provides the data leadership needs to make informed security investment decisions.

Check your understanding

An organisation runs annual audits, documents findings in a consistent format, and tracks remediation in a spreadsheet. It does not collect programme-level metrics and does not adjust scope based on the risk register. Which maturity level does this describe?

Key Takeaways

  • Audit programme maturity progresses from ad hoc (Level 1) through managed, defined, quantitatively managed, to optimising (Level 5). Most organisations operate between Level 1 and Level 2; advancing to Level 3 requires risk-driven scheduling, consistent methodology, and systematic lessons-learned reviews.
  • CMMC 2.0 translates maturity levels into contractual requirements for DoD contractors: Level 1 (17 basic practices, self-assessed), Level 2 (110 NIST SP 800-171 practices, third-party assessed for most), and Level 3 (additional NIST SP 800-172 practices, government-led assessment).
  • The core metrics for audit programme effectiveness are audit coverage ratio, finding rate, false-positive rate, repeat finding rate, mean time to close (MTTC), and overdue finding rate. Tracking these across cycles makes improvement visible and identifies where the programme is failing.
  • ERM integration keeps the audit plan aligned to actual risk: the plan starts from the risk register, adjusts when the register changes, and allocates coverage in proportion to risk ratings rather than to historical convention.
  • Internal audit builds a culture of security improvement by reporting findings and trends to the board, verifying remediation to genuine closure, and escalating repeat finding patterns as a governance signal rather than re-reporting them as if they were new.

What is audit programme maturity and why does it matter?
Audit programme maturity describes how systematically and effectively an organisation plans, executes, measures, and improves its audit activities over time. A mature programme moves beyond ad-hoc audits toward risk-driven scheduling, repeatable processes, and evidence-based improvement. Maturity matters because organisations with higher-maturity programmes find more control weaknesses before incidents occur, close findings faster, and demonstrate credible governance to regulators and business partners.
What is a maturity model and how does CMMC use tiers?
A maturity model defines progressively more capable levels of a process, allowing an organisation to assess where it stands and what it must do to advance. The Cybersecurity Maturity Model Certification (CMMC) uses five tiers: Level 1 (basic cyber hygiene), Level 2 (advanced practices aligned to NIST SP 800-171), Level 3 (expert practices), Level 4, and Level 5. Each tier requires the practices of all lower tiers plus additional controls. Defence contractors in the United States must achieve the CMMC tier specified in their contract before bid award.
How does a lessons-learned review improve an audit programme?
A lessons-learned review conducted after each audit cycle identifies what worked, what failed, and what should change. Reviewers examine audit coverage gaps, findings that were missed or identified late, time overruns, and stakeholder feedback. The output is a set of concrete changes to the audit plan, methodology, or resource allocation for the next cycle. Without this feedback loop, programmes repeat the same inefficiencies and miss the same categories of risk year after year.
What metrics are used to measure audit programme effectiveness?
Common metrics include: finding rate (number of control weaknesses per audit), repeat finding rate (percentage of findings that recurred from the prior cycle), mean time to close findings (MTTC), audit coverage ratio (percentage of in-scope assets or processes audited within the cycle), and stakeholder satisfaction scores. Organisations also track false-positive rates and the percentage of high-risk areas audited versus low-risk areas to check whether the programme is genuinely risk-driven.
How does internal audit support a culture of security improvement?
Internal audit creates the conditions for a security improvement culture by making findings visible to senior management, tracking remediation systematically, and demonstrating that control gaps are corrected rather than repeated. When audit reports reach the board and findings are tied to business risk, security improvement becomes a leadership priority rather than a technical afterthought. Internal audit also validates that remediation actions have actually changed control behaviour, not just updated documentation.
