Maturity Settings
The Maturity Settings screen is your organisation's built-in reference for understanding how process maturity is measured across your data protection programme. It presents the CMMI (Capability Maturity Model Integration) framework — the internationally recognised six-level scale that Priverion uses to score every data protection process you assess. Whether you are a DPO preparing for an audit, a compliance officer onboarding a new team, or a risk manager trying to interpret a dashboard, this screen gives you the authoritative definitions you need in one place.
How to open it
Navigate to Risk in the left-hand sidebar, then select Settings, and choose Maturity Model from the settings sub-menu. The Maturity Model item will be highlighted as the active screen.
Heads up: This screen is only visible to users whose role includes the Maturity Model permission. If you or a colleague see an "Access Denied" error instead of the screen, an administrator will need to add that permission to the relevant role.
What you see
The screen is split into two side-by-side panels. On the left, a compact card identifies the active maturity framework: it shows the heading CMMI Maturity Model and a small green Recommended badge, followed by a short description of what the CMMI framework is. This card answers the question "which model is my organisation using?" at a glance.
The right side of the screen is a larger card that takes up roughly three-quarters of the width. It opens with a fuller description of the CMMI model and then presents six horizontal rows — one for each maturity level, listed from least mature to most mature. In each row, the level name appears in bold on the left (separated from the description by a vertical line), and a plain-language explanation of what that level means sits on the right. You can read straight down the list to follow the natural progression from "Incomplete" all the way to "Optimized."
There are no forms to fill in, no buttons to click, and nothing that can be accidentally changed. The screen is entirely read-only.
Working with this screen
Understanding the maturity scale before a risk assessment
If your team is about to complete a process risk assessment for the first time, the most common question is: "What exactly does each maturity level mean, and which one applies to us?" This screen answers that question directly.
Before the assessment session, open the Maturity Settings screen. Start with the left panel to confirm that your organisation's assessments are scored against the CMMI framework — the green Recommended badge reinforces that this is Priverion's endorsed choice, not an arbitrary default. Then work through the six levels in the right panel:
- Incomplete — The process is not performed or only partially performed. There are no consistent practices in place, and the process does not reliably achieve its intended purpose.
- Initial — The process is performed, but it is reactive and unpredictable. Success depends on individual effort rather than repeatable practices.
- Managed — The process is planned and executed in accordance with policy. Skilled people are involved, adequate resources are in place, and outputs are controlled.
- Defined — The process is well-characterised and understood. It is described in standards, procedures, tools, and methods, and is tailored to fit the organisation's specific context.
- Quantitatively Managed — The process is controlled using statistical and quantitative techniques. The organisation establishes measurable objectives for quality and performance.
- Optimized — The organisation continually improves the process through incremental and innovative changes. Processes are stable, flexible, and quickly adapt to changing business objectives.
Once your team has read through these definitions together, everyone shares a common reference point before making scoring decisions in the risk questionnaire. The descriptions you see here are exactly the same text that appears inline when the CMMI reference panel is shown inside a questionnaire form, so there is no discrepancy between the two.
Explaining your scoring methodology to an auditor or leadership
When an external auditor or senior leadership asks how your organisation measures process maturity, this screen is your documentation. Rather than describing your approach in abstract terms, you can open the Maturity Settings screen and show:
- That Priverion uses the internationally recognised CMMI framework (not a bespoke internal scale).
- That the system formally marks it as Recommended, indicating a deliberate and documented choice.
- The exact definition of each level, so there is no ambiguity about what a score of "Managed" or "Defined" means in practice.
This is especially useful when preparing for GDPR accountability audits or ISO 27001 assessments, where demonstrating a documented, systematic approach to process evaluation is a compliance requirement in itself.
Copying level definitions for reports and presentations
If you are writing a board presentation, a maturity heatmap report, or an internal compliance summary, you may want to quote the exact definitions used by the platform. Open the Maturity Settings screen and read from the right panel. Because the screen is entirely read-only, you can copy text freely without any risk of triggering a change or accidentally submitting anything.
For example, a DPO preparing a board slide on the organisation's process maturity profile might copy the definitions of Defined and Quantitatively Managed to ensure the descriptions presented to the board are word-for-word consistent with what the platform is actually measuring.
Orienting a new team member
A new risk manager or compliance officer who has just joined the organisation and needs to understand the DPMS before interpreting dashboards or reports can use this screen as a self-service orientation resource. Because there are no interactive elements, they can explore it freely, read at their own pace, and move on when they feel ready — with no risk of accidentally changing any configuration.
Field reference
The right-hand panel contains the following six maturity level entries. Each entry has a level name and a description. These are read-only reference definitions and cannot be edited from this screen.
- Incomplete — The process is not performed or is only partially performed. No consistent practices exist, and the process does not reliably achieve its intended purpose. Use this level when a process simply does not exist or functions only by exception.
- Initial — Processes are performed but are unpredictable, poorly controlled, and reactive. Success depends on individual effort rather than consistent, repeatable practices. This level is common in organisations that are beginning their compliance journey.
- Managed — Processes are planned and executed in accordance with policy. Projects employ skilled people with adequate resources to produce controlled outputs and involve relevant stakeholders. This is often the first target level when moving away from ad-hoc practices.
- Defined — Processes are well-characterised and understood, described in standards, procedures, tools, and methods, and tailored to fit specific project or organisational characteristics. This level signals a shift from project-by-project management to organisation-wide process standards.
- Quantitatively Managed — Processes are controlled using statistical and other quantitative techniques. The organisation establishes quantitative objectives for quality and process performance. This level reflects a data-driven approach and is often targeted for critical data-handling processes in ISO or CMMI-based certification programmes.
- Optimized — The organisation focuses on continually improving process performance through incremental and innovative technological changes. Processes are stable and flexible, and the organisation quickly adapts to changes in business objectives. This is the aspirational top level for a mature compliance programme.
How this connects to the rest of DPMS
The maturity levels displayed here are the foundation for every maturity-level selector that appears in risk questionnaires and process assessments elsewhere in DPMS. When a team member selects a level such as Managed or Defined on a process risk form, they are recording a value on the six-level CMMI scale defined on this screen. Those scores then feed directly into risk calculations, maturity heatmaps, and the dashboards and reports that aggregate results across your organisation.
After familiarising yourself with this screen, your next steps will typically be in the risk questionnaire or process assessment screens, where you or your team will use these definitions to score individual processes. You may also want to explore the adjacent settings screens — such as General risk settings and Process Risk Model settings — which control other parameters of the risk calculation engine that works alongside maturity scoring.
Tip: Bookmark this screen and share the URL with your team before any risk assessment exercise. It takes the guesswork out of maturity scoring and ensures everyone is working from the same definitions.
Tips & common pitfalls
Heads up: There is no Edit button on this screen, and this is intentional. If you are used to other settings screens in DPMS where you can modify values, you might expect to find one here. The ability to switch maturity models or customise level definitions is not yet available as a self-service feature. If your organisation needs to discuss alternative maturity frameworks, contact your system administrator or Priverion support.
Tip: The green Recommended badge on the CMMI card does not mean you are locked in to CMMI for all purposes outside the system. It means CMMI is the scale used for all maturity-related scoring within DPMS. If your organisation applies other frameworks in other contexts, this screen reflects only what DPMS measures.
- The definitions here match what you see in questionnaires. When you open a risk assessment form and see a maturity-level dropdown, the descriptions shown there come from the same source as this screen. There is no hidden difference between the two views.
- Not everyone can view this screen. If a colleague reports seeing an "Access Denied" page when trying to reach /risk/settings/maturity, their user role does not include the required permission. An administrator can grant access through the role and permissions configuration.
- Nothing can be saved or submitted here. There are no interactive controls beyond the sidebar navigation. You cannot break anything by spending time on this screen.
- If the text appears in the wrong language, this is most likely a localisation gap in your DPMS installation rather than a data problem. The level names and descriptions are localised through the platform's translation system. Contact your administrator if a translation appears missing or incorrect.