Maturity model

The Maturity Model screen is your team's shared reference for the CMMI maturity scale used throughout DPMS — risk managers, DPOs, and compliance officers come here to understand exactly what each maturity level means before scoring risks, evaluating technical and organisational measures, or onboarding colleagues to the platform's risk vocabulary.

The Maturity Model screen gives every member of your compliance team a clear, consistent definition of the six CMMI maturity levels that underpin risk scoring, TOM evaluation, and reporting across DPMS. Think of it as the authoritative reference card that answers the question "what does Managed actually mean here?" before anyone fills in a risk assessment. Because the whole risk module uses this scale, it is worth spending a few minutes here early in your DPMS journey — especially when onboarding new colleagues or preparing for an audit.

How to open it

Navigate to Risk in the main left-hand sidebar, then select Risk Settings, and finally click the Maturity Model tab in the lateral settings menu that appears on the left side of the content area.

Direct URL: /risk/settings/maturity

Heads up: You need the Maturity Model read permission to view this screen. If you land on a 403 error page instead, contact your DPMS administrator and ask them to add this permission to your role.

What you see

When the screen loads you will see two distinct areas side by side. On the left, a narrow lateral settings menu lists all the sub-pages within Risk Settings — things like Asset Risk Model and Process Risk Model — with Maturity Model highlighted as your current location. This menu can be expanded or collapsed; more on that below.

The main content area on the right opens with the "Maturity Model" page heading and a breadcrumb trail showing your location within Risk Settings. Below the heading you will find the central reference card, which is divided into two columns. The narrower left column holds a small bordered card labelled CMMI Maturity Model with a green Recommended badge and a short subtitle confirming that CMMI is the organisation's chosen standard. The much wider right column carries a brief paragraph explaining what CMMI is and why it matters for privacy compliance, followed by a clean table of six maturity levels, each with its name on the left and a plain-language description on the right.

There are no form fields, no save buttons, and no editing controls anywhere on this screen — it is a read-only reference. This is intentional: the CMMI scale is a platform-wide standard, not something individual teams configure.

Working with this screen

Reading the maturity scale before scoring a risk

The most common reason to visit this screen is straightforward: you are about to assign maturity scores somewhere else in DPMS — perhaps in a risk assessment for a new processing activity — and you want to be precise. The six levels run from Incomplete (processes are partially performed or not at all; basic goals are not met) at the bottom, through Initial, Managed, Defined, and Quantitatively Managed, up to Optimized at the top (processes are stable, well-measured, and the organisation continuously improves them using quantitative data).

A common point of confusion is the distinction between levels 2 and 3. Managed means your processes are planned and tracked on a project-by-project basis. Defined means those processes have been documented as organisation-wide standards — they are understood, characterised, and described in a way that everyone follows consistently. Once you are clear on the distinction, head back to your risk assessment using the breadcrumb or the main sidebar and apply scores with confidence.

Onboarding a new colleague to the risk module

If you are introducing a new team member to DPMS's risk vocabulary, this screen is the ideal starting point. Navigate here together and walk through each level description in the right-hand column. Point out the Recommended badge on the CMMI card — it signals that this is the approved organisational standard, not a suggestion. Because the screen is purely read-only, there is nothing to accidentally change, making it a safe environment for a guided tour. After the walkthrough, you can move directly to a live risk assessment by clicking the relevant item in the lateral settings menu or by navigating to the Risk module in the main sidebar.

Collapsing the side menu for easier reading

If you find the lateral settings menu takes up too much space while you are reading through the maturity descriptions, you can hide it. Look for the small circular icon at the very left edge of the content area — when the menu is visible, the icon appears in a light colour; when the menu is collapsed, it turns blue.


Click this circle-dot toggle to hide the settings menu and give the maturity reference card the full width of your screen. DPMS remembers your choice across page refreshes and even across other screens in the Risk Settings area, so you only need to set this once per workstation. To bring the menu back, click the blue circle icon again.

Verifying the maturity framework after a platform update

After a DPMS upgrade, it is good practice to confirm that the maturity scale definitions are still intact. Open the Maturity Model screen and check that all six CMMI levels are present with their descriptions, and that the Recommended badge is still displayed next to CMMI. If anything looks different from what you expect, raise it with your DPMS administrator before proceeding with risk assessments, as any change to the reference definitions could affect the interpretation of existing scores.

Field reference

This screen contains no editable fields. The six CMMI levels and their descriptions are platform-defined reference content. For completeness, here is what each level row shows:

  • Incomplete — Level 0. Processes are not performed or are only partially performed; basic process goals are not met.
  • Initial — Level 1. Processes are unpredictable, poorly controlled, and reactive.
  • Managed — Level 2. Processes are planned, performed, measured, and controlled at the project level.
  • Defined — Level 3. Processes are characterised, well understood, and described in standards, procedures, and tools at the organisational level.
  • Quantitatively Managed — Level 4. Processes are controlled using statistical and quantitative techniques; performance is predictable.
  • Optimized — Level 5. The organisation focuses on continuous process improvement through incremental and innovative changes, guided by quantitative data.

How this connects to the rest of DPMS

The Maturity Model screen is a reference point, not a control panel — nothing you do here changes any other screen. But the vocabulary defined here flows through most of the risk module:

  • Risk assessments — when assigning maturity levels to risks or processing activities, users apply the CMMI scale defined here. Consistent use of these definitions is what makes cross-team and cross-period comparisons meaningful.
  • TOMs (Technical and Organisational Measures) — compliance officers evaluate whether a TOM achieves a particular maturity level by referring back to the definitions on this screen. Without a shared understanding, TOM ratings become subjective.
  • Risk dashboards and reports — the maturity scores that appear in charts and exported reports use CMMI vocabulary. Auditors reviewing those reports will expect the same definitions your team used when scoring, so this screen is a useful reference to share with external reviewers too.

After reviewing the maturity scale, your typical next step is to move to one of the other Risk Settings sub-screens — such as the Asset Risk Model or Process Risk Model — using the lateral settings menu. From there you can configure the thresholds and parameters that translate CMMI scores into risk ratings for your specific context.

Tips & common pitfalls

Tip: Bookmark /risk/settings/maturity or share the link directly with new team members and auditors. It is the quickest way to give anyone the full CMMI reference without exporting anything.

Heads up: The Recommended badge next to CMMI does not mean there are other models to choose from. CMMI is the only maturity framework implemented in DPMS. The badge is there to reassure you that this is the recognised standard — it is not a drop-down selector.

  • No edit button is intentional. The screen lives inside Risk Settings alongside screens that do allow editing, so it is natural to look for a form. There is none. The CMMI definitions are a platform standard and cannot be customised by individual organisations through the UI.
  • The side menu may arrive collapsed. If you or a colleague previously collapsed the lateral settings menu on another Risk Settings screen, it will still be collapsed when you land here. The blue circle-dot icon at the left edge of the content area restores it with a single click.
  • There is no built-in export. If you need to include the maturity scale in an audit pack or a compliance report, use your browser's print function (Ctrl+P / Cmd+P) or take a screenshot. The screen prints cleanly without sidebars if you select "Print to PDF" and hide headers/footers in your browser's print dialog.
  • Language matters. If your DPMS interface is set to German or another supported language, the level names and descriptions will appear in that language. Printed references or screenshots will therefore differ from those taken in English — keep this in mind when sharing materials with multilingual teams or auditors.

