CMMI Adoption & Transition Guidance

Copyright © 2022 ISACA


THIS ISACA MATERIAL IS FURNISHED ON AN “AS-IS” BASIS.
TO THE MAXIMUM EXTENT ALLOWED BY LAW, ISACA SPECIFICALLY DISCLAIMS ALL
WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY, REGARDING OR RELATING TO THE
CAPABILITY MATURITY MODEL INTEGRATION (CMMI), AND ALL MODEL CONTENT, INCLUDING
THE CMMI PRODUCT SUITE, CMMI METHOD DEFINITION DOCUMENT, CMMI ADOPTION AND
TRANSITION GUIDANCE, CMMI MODEL, AND CMMI MODEL VIEWER (“CMMI CONTENT”),
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, NONINFRINGEMENT, USAGE OF TRADE, AND COURSE OF DEALING OR
PERFORMANCE.
ISACA owns all copyright, trademark, and all other intellectual property rights in the CMMI
Content. You may not reproduce, duplicate, copy, sell, resell, assign, transfer, create derivative
works of, incorporate in any software or tool, or commercially exploit any portion of the CMMI
Content, without express written permission by ISACA. You are solely responsible for your use
of the CMMI Content, and agree to defend, indemnify, and hold ISACA harmless from any
claims, liability, damages, costs, or expenses incurred by ISACA arising from your use of the
CMMI Content.

© 2022 ISACA.


Document Change History

Version 2.3 (12 January 2022). Updates include:
• Minor updates for general grammar/formatting and consistency with the CMMI Product Suite, e.g., capitalization, acronym usage, graphic updates, removal of V2.0 and adjustments to version references for greater accuracy
• Inclusion of additional security and safety considerations
• Addition of persona graphics within steps and Appendix D: Typical CMMI Roles
• Addition of Appendix G: CMMI Practice Area Security Adoption Examples

Version 2.2 (10 March 2021). Updates include:
• Incorporated the CMMI model content additions of Security, Safety, and Virtual Solution Delivery
• Addressed minor editorial updates for clarification and consistency with the CMMI V2.0 Product Suite, e.g., updates to CMMI Institute references, updates to graphics

Version 2.1 (4 December 2018). Updated information to reflect CMMI V2.1, including views for Development, Services, and Supplier Management.

Version 2.0 (28 March 2018). Initial baseline release.


Contents

Introduction to this Guidance ... 6
  Intended Audience ... 6
  What is Capability Maturity Model Integration (CMMI)? ... 6
  Why Use the CMMI? ... 7
  Why Use this Guidance? ... 8
How to use this Guidance ... 9
LEARN ... 13
  Step 1: Learn how CMMI will benefit the organization ... 13
ESTABLISH OBJECTIVES ... 18
  Step 2: Establish performance improvement objectives aligned to your organizational objectives ... 18
ANALYZE ... 24
  Step 3: Map current organizational processes to CMMI ... 24
DEVELOP ACTION PLAN ... 27
  Step 4: Develop and follow action plans, and keep them updated ... 27
DEPLOY IMPROVEMENTS ... 30
  Step 5: Deploy improvements and measure results ... 30
ASSESS CAPABILITY ... 34
  Step 6: Assess capability and performance ... 34
Appendix A: Additional Resources ... 38
  Additional References ... 39
Appendix B: CMMI Categories, Capability Areas, and Practice Areas ... 40
Appendix C: Problem Identification and Resolution Using the CMMI ... 41
Appendix D: Typical CMMI Adoption Roles ... 46
  Working with a CMMI Partner-Sponsored Individual ... 52
  Working with ISACA ... 55
Appendix E: Building Goals, Risks, and KPIs ... 56
Appendix F: Define Your Current Processes ... 57
Appendix G: CMMI Practice Area Security Adoption Examples ... 58

List of Figures

Figure 1. CMMI Product Suite ... 10
Figure 2. Categories and Capability Areas ... 11
Figure 3. Steps for Applying CMMI for Continuous Improvement ... 12
Figure 4. Step 1 Activities and Considerations Table ... 14
Figure 5. Critical Elements for Successful Change ... 16
Figure 6. Step 2 Activities and Considerations Table ... 19
Figure 7. Step 3 Activities and Considerations Table ... 25
Figure 8. Step 4 Activities and Considerations Table ... 28
Figure 9. Step 5 Activities and Considerations Table ... 31
Figure 10. Step 6 Activities and Considerations Table ... 35
Figure 11. Adoption and Transition Guidance Cycle ... 37
Figure 12. CMMI Adoption and Transition Resources ... 38
Figure 13. Categories, Capability Areas, and Practice Areas ... 40
Figure 14. Problem Identification and Resolution Using the CMMI ... 41
Figure 15. When and How a CMMI Partner-Sponsored Individual Can Help ... 53
Figure 16. CMMI Practice Area Security Adoption Examples ... 58


Introduction to this Guidance


Intended Audience
The audience for this guidance includes anyone who is facing business challenges and
wants to address them by using the Capability Maturity Model Integration (CMMI®). It
also includes anyone who would like to improve the performance of their business
systematically, efficiently, and effectively by adopting the CMMI.

What is Capability Maturity Model Integration (CMMI)?


CMMI is a performance improvement model for organizations and projects that want to achieve increasingly better performance and address and solve business challenges. Proven effective globally in business and government for over 25 years, CMMI is an integrated framework of best practices that can rapidly improve and sustain any organization’s performance to elevate quality, profitability, productivity, cybersecurity resilience, and competitiveness.

Capability: Anything an organization must do well that drives meaningful business results. Capabilities are what an organization needs to implement its business model or fulfill its mission. All organizations have capabilities; without them a business could not start or grow. Capabilities are typically organizational level skills, abilities, and knowledge embedded in people, processes, infrastructure, and technology.

The CMMI model is not prescriptive; rather it describes what to do to improve an organization’s capabilities, not how to do it. This makes the model very flexible to meet the unique needs of any business. In addition, CMMI complements and enhances performance improvement in conjunction with other industry models and standards. Use CMMI to establish processes that will help an organization or project meet business objectives and improve performance in ways that matter most.

The CMMI includes multiple domains and views. The organization can select the Capability Areas, Practice Areas, domains, or views that are most pertinent to its business operations. For example, organizations required to follow security regulations may select the Security domain, or the Capability Area of Managing Security and Safety. To achieve the most impactful and productive results, it is important to incorporate a domain, like Security, into a performance improvement initiative. This involves full integration with the organization’s activities, e.g., embedded within program plans and process assets; the incorporation should not be treated as an afterthought, e.g., adding an item to a checklist or adding a security representative to a meeting. The CMMI deliberately integrates each domain, like Security, into all aspects of the CMMI Categories of “Doing,” “Managing,” “Enabling,” and “Improving” processes. Refer to Figure 2. Categories and Capability Areas.


Why Use the CMMI?


CMMI helps businesses to quickly understand their current level of capability and
performance both in the context of their own objectives and as compared with other
businesses and organizations. If business needs and objectives are not being met,
CMMI practices can guide systematic and effective improvement to elevate and
optimize performance to better serve the needs of the business and ultimately the
customer.
The need for improvement can originate from internal and external sources. Customers
may demand improvements. Market forces may drive the need to improve
competitiveness. Government or industry regulations may require changes in how an
organization operates. Rather than using multiple approaches for achieving similar
performance, contractual, or regulatory compliance goals, CMMI provides a single
approach, or framework, for an organization to address these multiple needs. For
example, new security threats and vulnerabilities are continually surfacing within
industry, and in response to the increased challenges the United States Department of
Defense created the Cybersecurity Maturity Model Certification (CMMC). The CMMI
provides a solid foundation for the CMMC maturity processes required for CMMC Levels
2-5. For instance, the CMMC model is relatively silent on process design, development,
persistence, habit, and performance, whereas CMMI provides proven holistic
approaches for each of these by providing integrated best practices for policies,
processes, procedures, and planning which are the foundational elements in CMMI for
persistence and habit.
Using CMMI provides many benefits including:
• Providing a positive return on performance improvement investments
• Meeting commitments that result in:
o More timely delivery
o Fewer last-minute crunches
o Enhanced cost control
o Increased quality of solutions
• Increasing management visibility which results in:
o More rapid response to issues and risks
o Fewer surprises
o Met or exceeded customer needs and expectations
o Reduced defects and customer complaints
o Reduced rework
o Lower employee turnover
• Increasing organizational scalability, agility, and responsiveness
o Holistic view across multiple capabilities
o Performance and outcome-based approach to processes
o Flexibility to adapt processes to evolving requirements and issues such as
cybersecurity

o Project and organizational tailoring of processes to meet unique customer needs
A CMMI Performance Report Summary has been published showing tangible
performance benefits and improvements from organizations’ adoption of CMMI.
Additional benefits can be found in Appendix D: Typical CMMI Adoption Roles. This
appendix describes different roles involved in adopting the CMMI, the activities
performed by those roles, and the associated benefits from using the model.

Why Use this Guidance?


This adoption and transition guidance helps any organization use CMMI as a roadmap
for its performance improvement journey. An organization can benefit the most from
CMMI by tailoring its practices in a way that best fit its business environment. This
guidance places an organization on the right track to effectively apply CMMI practices.
Organizations transitioning from previous versions of the CMMI can benefit by getting
CMMI upgrade training (Step 1) and then picking up transition activities in Step 2.

This Guidance Is…
• An overview of activities and considerations when using CMMI to enable performance and process improvement
• Built on lessons learned and best practices derived from a broad variety of industry experiences
• A reference to assist CMMI adoption

This Guidance Is NOT…
• A detailed checklist or “how to” guide or a set of executable processes
• A set of activities and considerations for appraisal preparation
• The only approach for adopting CMMI


How to use this Guidance


This guidance describes high-level steps for adopting CMMI in an organization. Each step includes a brief description, activities to perform when implementing the step, and suggestions to consider when performing the activities. The step may include additional information such as examples, elaborations, training, tools, and techniques. This guidance is designed and intended to continually improve and be kept current with the latest techniques, content, technologies, and other trends with practical input from CMMI Partners and users.

Definitions and Tips: Throughout this guidance, these blue boxes will include definitions of CMMI terms, tips, hints, and other best practices to consider when adopting the CMMI or transitioning from a previous version.
Figure 1. CMMI Product Suite shows the parts of the CMMI Product Suite. This guidance
information is just one resource in the integrated CMMI Product Suite and will aid
organizations with the successful adoption of, or transition to, CMMI. This guidance
serves as a navigator to assist users to understand how all the product suite resources
fit together and to efficiently utilize these resources to support their business objectives.


Figure 1. CMMI Product Suite

In addition to other product suite elements, ISACA provides several resources for
adoption and transition. For a detailed list of adoption and transition resources, refer to
Appendix A: Additional Resources.


The adoption and transition guidance follows the primary categories in the CMMI model
of “Doing,” “Managing,” “Enabling,” and “Improving” as part of its six-step approach.
Figure 2. Categories and Capability Areas lists these categories and their Capability
Areas. Each step in this adoption and transition guidance lists the Category that
corresponds to and supports that step. Refer to Figure 3. Steps for Applying CMMI for
Continuous Improvement.

Figure 2. Categories and Capability Areas

For a list of Categories, Capabilities, and Practice Areas, refer to Appendix B: CMMI
Categories, Capability Areas, and Practice Areas in this document, and refer to the
following sections in the CMMI Model, Part One: About CMMI and Executive Summary
and Appendix A: Predefined Model Views – Categories and Capability Areas.


Figure 3. Steps for Applying CMMI for Continuous Improvement


LEARN
Step 1: Learn how CMMI will benefit the organization

In this step, the organization:
• Gets to know CMMI
• Learns how CMMI can be applied to the organization and business
• Understands the benefits from adopting CMMI
• Determines the applicable Capability Areas, domains, and view
• Develops a business case for adoption or transition


An organization must first understand its reasons for improvement and change. Communicating with an organization’s owner or sponsor, typically a senior or executive manager, throughout the improvement journey is vital to achieve success and drive change.

To obtain the commitment necessary for a successful CMMI adoption, it is important to:
• Establish a common understanding of CMMI
• Explain how CMMI will provide value to the organization
• Secure senior management support and sponsorship

Senior Management: Senior management is a management role within an organization that:
• Sets the strategy, direction, and expectations for performance and process efforts
• Ensures that processes are aligned with business objectives and needs
• Reinforces and rewards the development and use of processes to ensure their improvement and sustainment
• Monitors the performance and achievements of the processes
• Provides adequate resources for process and performance improvement

This step establishes a foundation for understanding CMMI and how it fits into an organization’s efforts to improve performance and capability. The next step is to establish business and improvement objectives and identify the areas in CMMI that can help address the organization’s needs. Figure 4. Step 1 Activities and Considerations Table provides a summary list of the key Step 1 activities and considerations.

Figure 4. Step 1 Activities and Considerations Table

Activity: Develop a basic understanding of CMMI:
• What is CMMI?
• Who uses CMMI?
• How does it help?
• What benefits does it provide?
Considerations: Research information about CMMI. Visit the CMMI website for information about:
• CMMI
• Frequently Asked Questions (FAQs)
• The Foundations of Capability class or other CMMI-based training
• Case studies

Activity: Develop a basic understanding of how CMMI Capability Areas, domains, and views apply in the organization.
Considerations: Based on the basic understanding of the model, at a high level, determine how CMMI Capability Areas, domains, and views fit the organization. For example, identify how Planning and Managing Work relates to the management of the organization’s projects, or how Ensuring Quality can be used to improve product and service quality. Determine which domains and views are applicable to the organization by considering:
• Contractual requirements
• Applicable industry laws, regulations, and other mandates, e.g., General Data Protection Regulation (GDPR)
• Industry standards and methodologies being used within the organization
• Security requirements in products, services, and supply chain
• Security threats and vulnerabilities
• Safety considerations, e.g., social distancing requirements

Capability Areas: A group of related Practice Areas that can provide improved performance in the skills and activities of an organization or project, in a particular area. A Capability Area view may be selected to enable a concentration on skills and activities in a specific focal area.

Activity: Develop a business case.
Considerations: Based on a high-level understanding of CMMI and how it fits the organization, develop a business case and present it to senior management to secure sponsorship and commitment. Consider the following questions in preparing the business case:
• What is the current budget for the performance improvement initiative?
• What existing capabilities does the organization already have in place, and how well do they compare to industry best practices?
• Does the organization currently have experience with CMMI? If so, would the organization benefit by incorporating additional domains or views, e.g., Security, Safety, agile with Scrum?
• What factors contribute to the timeframe and resources for the initiative?
• What are the risks of not proceeding, including considerations of probability of occurrence and severity if realized, e.g., fines due to lack of compliance with regulations, risk to reputation, estimated impact of service or system downtime?
The Harvard Business Review (HBR) has published a great resource for developing a practical business case:
• “HBR Guide to Building Your Business Case,” https://hbr.org/product/hbr-guide-to-building-your-business-case/15038-PBK-ENG
• “HBR Guide to Building Your Business Case (audible),” https://www.audible.com/pd/Business/HBR-Guide-to-Building-Your-Business-Case-Audiobook/B012T1YEQ8

Additional Information
With any improvement effort, change is inevitable. For improvement efforts to be
successful, change must be expected, planned for, and managed. Organizations that
have successfully managed change know how to overcome the natural resistance that
results from it. Resistance to change comes in many forms and often starts early in the
improvement process. As part of looking at CMMI for its performance and improvement
efforts, the organization must also address how it will manage change and any potential
resulting resistance. Most notably, many organizations have previously taken a
compliance-only approach with process improvement, which frequently results in
additional overhead and cost versus clear capability enhancement and performance
gains. Making a shift from a compliance mentality to a continuous performance
improvement mentality and culture needs to be actively and consistently addressed as
part of adoption and implementation. There are several critical elements needed to
make change successful. Figure 5. Critical Elements for Successful Change shows the
elements needed for successful change and what can happen if those elements are not
addressed.

Figure 5. Critical Elements for Successful Change


At the beginning of implementing any change, an organization must communicate:
• The reason for the change
• The expected benefits
• The support and guidance needed to incorporate the change into work efforts
• How individuals will be affected
• The need to involve everyone in the change

An integral tenet of CMMI is learning about the organization and the people working in it. By learning more about the organization, it becomes easier to:
• Understand its culture and norms
• Identify and manage possible areas of resistance
• Learn the key issues driving behavior

Transition Tip: Even if your management, projects, and teams are familiar with historical versions of CMMI, it is important to understand and frequently communicate the improvements and differences in the latest version of the CMMI to obtain commitment and support for making the change to the new version. ISACA has information and materials to explain the benefits from adopting CMMI. For example, the Performance Summary Report contains C-suite appropriate information on expected performance benchmarks. This information can be used to justify the CMMI Return on Investment (ROI).

Learning about and applying CMMI are often the easiest aspects of performance improvement. Understanding the organizational culture and dealing with resistance are typically the most difficult parts of any change effort. The existing organizational culture may either enhance or slow down the adoption of CMMI.

It is important to know the issues that matter to each group in the organization. For example, senior managers and executives typically focus on financial concerns and overall impact on the organization. They will ask questions such as:
• How much is this going to cost?
• How much time is this going to take away from work efforts?
• How much revenue will this create?
• How much profit will this add to the bottom line?
• What is the anticipated return on investment?
• How does this affect my people?
• What will it take to implement the change?

Expect these questions to start early in the improvement effort and continue throughout. To manage change successfully, plan to address the issues and questions that are raised by each group in the organization. Be prepared to answer questions like these without using CMMI terminology or technical jargon. Communicate in terms that are understood and used within the organization whenever possible.

Adoption and Transition Tip: Developing a communication and stakeholder management plan can help to keep the channels open when resistance is encountered. Recording Frequently Asked Questions (FAQs) can help to ensure consistency in messaging and understanding.

Obtaining senior management support is often the most critical element of successful change. Senior management should demonstrate active commitment, support, and behavior in championing the improvement changes.

ESTABLISH OBJECTIVES
Step 2: Establish performance improvement objectives aligned to your
organizational objectives

In this step, the Sponsor works with the organization to:
• Identify the most critical objectives to business success
• Establish performance improvement objectives based on the organization’s business objectives
• Understand which parts of CMMI relate to these performance improvement objectives
• Identify infrastructure needs to support improvement efforts
• Identify measures of success for meeting objectives
• Develop an improvement plan and keep it updated
• Communicate continually with stakeholders


The Sponsor may decide to obtain assistance from a CMMI Consultant or CMMI Lead
Appraiser while working to complete the activities of this step.
All organizations typically have some idea of their business objectives. Identify and
prioritize the business challenges and issues that are putting the most important
objectives at risk or preventing them from being met. Keeping each of these elements
aligned is important to ensure that the right improvements are being addressed. Figure
6. Step 2 Activities and Considerations Table provides a summary list of the key Step 2
activities and considerations.

Figure 6. Step 2 Activities and Considerations Table


Activities Considerations
Record business needs List business goals, risks, and Key Performance Indicator
and objectives. (KPI) measures. Refer to Appendix E: Building Goals, Risks,
and KPIs Appendix E: Building Goals, Risks, and KPIs.
This step corresponds to and
Adoption and Transition
can be supported by the
Tip: A key feature of the
Practice Areas and Capability CMMI Product Suite is the
Areas contained in the CMMI Performance Report. This
Model Category of “Doing.” simple, but powerful
template provides a
Start by identifying any straightforward means to
existing business goals, identify and track key
objectives, and strategic plans. business and performance
Work with managers and measures. The report is a
affected stakeholders to define required artifact in the
appraisal method and
organizational needs and available through an ISACA
objectives. Affected Certified CMMI Lead
stakeholders should include Appraiser.
the people performing the
work, as they have the most insight into issues and
challenges. Include both short-term and long-term
objectives. Evaluate the importance of security and safety
requirements, and any integration and interface
dependencies between them, to the organization. Ensure the
set of business needs and objectives appropriately reflect
the performance needs of the business.
A Certified CMMI Lead Appraiser can use the CMMI
Performance Report as a template for recording this
information and ensuring your CMMI journey focuses on the
most important aspects of your business.
Record performance Performance improvement objectives:
improvement • Are derived from organizational business needs and
objectives. objectives
© 2022 ISACA.

19
CMMI Adoption & Transition Guidance

Activities Considerations
• Focus on addressing challenges or issues affecting the
current projects
• Drive the critical measurements for improvement
• Incorporate applicable security and safety requirements
Prioritize business and Prioritize objectives based on the value to the organization,
performance risks, and constraints.
improvement
objectives.
Develop measurable Measurable targets:
targets for • Are meaningful to the organization
performance • Address effectiveness of the improvements
improvement • Assess progress towards achieving objectives
objectives.
Targets should be:
• Specific – also simple, sensible, and significant and
answers the questions: "What is to be done?" and "How
will you know it is done?" and describes the results
(product) of the work to be done. The description is
written in such a way that anyone reading the objective
will most likely observe and interpret it the same way
operationally. Observable means that somebody can see or
hear (physically observe) someone doing something.
• Measurable – also meaningful and motivating and answers
the question: "How will you know it meets expectations?"
and defines the objectives and their related measurements
using assessable terms (quantity, quality, frequency, costs,
deadlines, productivity, etc.). It refers to the extent to
which something can be evaluated against some standard.
An objective with a quantity measurement uses operational
terms for such things as amount, percentages, etc. A
frequency measurement could be daily, weekly, 1 in 3. An
objective with a quality measurement would describe a
requirement in terms of accuracy, format, and
completeness.
• Achievable – also attainable and agreed upon and answers
the questions: "Can the organization, project or person
reasonably accomplish the objective given?" It also
includes the answer to: "Do they have the experience,
skills, knowledge, capability and capacity for fulfilling the
expectation?" and "Can it be done given the timeframe,
opportunity, and available resources?"

© 2022 ISACA.

20
CMMI Adoption & Transition Guidance

Activities Considerations
• Relevant – also reasonable, realistic, and resourced, and
answers the questions: "Should it be done?" "Why are we
doing this?" and "What will be the impact?" Does the
objective and measure align well with the organizational
strategic and tactical needs, plans, and approach?
• Time-bound – also time-based, time limited, time/cost
limited, timely, time-sensitive and answers the questions:
"When will it be done?" Sometimes a task has several
milestones or checkpoints to help assess how well
something is going before it is finished so that corrections
or modifications can be made to make sure the result
meets expectations.
Activity: Target Practice Areas that relate to the prioritized performance improvement objectives.
Considerations: Based on a high-level understanding of the Capability Areas identified in Step 1, review the Practice Areas in each that address the objectives and improvement challenges directly.
There are many approaches that may work in an organization; the challenge is to couple this deep understanding of CMMI with knowledge about the unique aspects of the business and organization.
An ISACA CMMI Partner-Sponsored Individual can help an organization perform this task.
• These professionals bring deep knowledge of CMMI and how to apply it in a variety of organizational contexts.
• Refer to the CMMI Partner Directory for CMMI Partner-Sponsored Individuals that meet your business needs.
Activity: Establish the infrastructure to support and implement improvements.
Considerations: To ensure long-term success, performance improvement efforts require an infrastructure that is sustainable over time. Organizations need to identify who is involved in improvement activities and define their roles and responsibilities. Typical roles include:
• Senior management
• Improvement sponsor
• Management steering group
• Process group
• Process action teams
Additional infrastructure resources may include:
• Budget
• Time
• Tools
• Training
• Repository for process assets
• Measurement system and repository
For more details on infrastructure and sustainment, refer to
content in the following CMMI Practice Areas:
• Implementation Infrastructure (II): Ensures that the
processes important to an organization are persistently and
habitually used and improved.
• Governance (GOV): Provides guidance to senior
management on their role in the sponsorship and
governance of process activities.
• Process Asset Development (PAD): Develops and keeps
updated the process assets necessary to perform the work.
For more details on performance and performance
objectives, review the content in the following CMMI Practice
Area:
• Managing Performance and Measurement (MPM):
Manages performance using measurement and analysis to
achieve business objectives.
Activity: Record all the above in an improvement plan, keep it updated, and communicate with stakeholders.
Considerations: The improvement plan for either transition or adoption may include a set of requirements, a budget, a schedule, risks, dependencies, stakeholders, etc.
For more details on what to include in an improvement plan, review the content in the following CMMI Practice Area:
• Process Management (PCM): Manages and implements the continuous improvement of processes and infrastructure to support accomplishing business objectives. Identifies and implements the most beneficial process improvements and makes performance results visible, accessible, and sustainable.

Additional Information
Refer to the appendices in this document for more information on:
• Typical CMMI Adoption Roles and benefits (Appendix D: Typical CMMI Adoption
Roles)
• Problem Identification and Resolution using CMMI (Appendix C: Problem
Identification and Resolution Using the CMMI)

The following sources can be used when identifying business challenges and related opportunities for improvement:
• Stakeholder input
• Customer feedback
• Improvement proposals
• Risks and opportunities
• Lessons learned
• Results from appraisals
• Results from root cause analysis
• Measurement results
• Quality evaluations or audits

Transition Tip: In the CMMI Product Suite, the term “High Maturity” involves the use of statistical and other quantitative techniques on selected processes to predict improved business results. High Maturity represents a fundamental shift in how processes are understood, managed, and improved. As organizations move up in process maturity, they gain in-depth understanding of how processes are used and interact, which gives them a clear competitive advantage. Based on actual Performance Report data, High Maturity organizations have demonstrated clear and outstanding improvements in achieving operational goals.

When establishing measurable targets, an organization may want to consider using the following resources:
• American Society for Quality (ASQ) - What are Performance Metrics?
• International Organization for Standardization (ISO) 10012:2001 – Measurement management systems – Requirements for measurement processes and measuring equipment
• Society of Automotive Engineers (SAE) J2944 Operational Definitions of Driving Performance Measures and Statistics
• Goal-Question-Metric approach to derive meaningful measures from objectives
• Goal-Driven Software Measurement designed to help you identify, select, define, and implement measures to support your business goals
Some items to consider as part of performance improvement efforts include:
• Communication and collaboration with the improvement sponsor and senior
management when building the case for performance and process improvement
• Records of previous improvement activities, including issues, decisions, and
action items
• Use of terminology that is familiar to the audience by avoiding technical jargon
or CMMI terminology
• Determination of the type and frequency of written communication and updates
(verbal or written)
The objectives must be clearly communicated to the entire organization. If people
understand the reasons for the change and the desired outcome along with their role in
making the change, the amount of potential resistance can be reduced.

ANALYZE
Step 3: Map current organizational processes to CMMI

In this step, the organization, on their own, or with the help of a CMMI Consultant:
• Maps current business processes to
CMMI components and practices
• Identifies any gaps between the
business processes and the CMMI
components and practices identified
for improvement
• Recommends improvements to
address the gaps

This step corresponds to and can be supported by the Practice Areas and Capability Areas contained in the CMMI Model Category of “Enabling.”
It is important to understand the processes currently used in the organization and the extent to which they meet the intent, value, and any additional required information of the CMMI Practice Areas and Practices. This is an important step as it forms the basis of future improvement activities. Figure 7. Step 3 Activities and Considerations Table provides a summary list of the key Step 3 activities and considerations.

Transition Tip: Organizations who have previously adopted CMMI V1.3 can leverage the CMMI V1.3 to CMMI V2.2 Practice Mapping to aid in reflecting the correct alignment of CMMI requirements with their improvement efforts.

Figure 7. Step 3 Activities and Considerations Table


Activities Considerations
Activity: Perform gap analysis of current processes against the CMMI Practice Areas identified for improvement.
Considerations: The gap analysis may use a formal appraisal method such as a CMMI Evaluation Appraisal. Refer to the CMMI Appraisal Method Definition Document (MDD) for more information on conducting CMMI-based appraisals.
Alternatively, the gap analysis may be performed informally by doing a simple comparison of selected processes to CMMI Practice Areas and other model components, e.g., domains, context specific information.
When security is an important domain for the organization, consider the relationships of security with Practice Areas throughout the CMMI. Refer to Appendix G: CMMI Practice Area Security Adoption Examples, which provides example relationships of security to Practice Areas.
This analysis does more than just identify gaps in the processes being used. It also involves determining if the processes are utilized, persistent, and habitual. A well-crafted business process is of little value if it is not used. Appraisal information can be referenced within the MDD.
A CMMI Partner-Sponsored Individual can help an organization perform this task. Refer to the CMMI Partner Directory for CMMI Partner-Sponsored Individuals to meet your business needs.
Activity: Record the results of the gap analysis.
Considerations: Use a consistent method to record and document the gaps. This activity should be connected to the one below to aid in tracking each gap to activities in the action plan.

Activity: Develop and record recommended improvement activities in the action plan to close all identified actions and gaps.
Considerations: Recommendations form the basis for improvement action plans. For more details, review the content in the following CMMI Practice Area:
• Process Management (PCM): Manages and implements the continuous improvement of processes and infrastructure to support accomplishing business objectives. Identifies and implements the most beneficial process improvements and makes performance results visible, accessible, and sustainable.

Additional Information
Gap analysis information provides a reference for people in the organization to
understand how their processes relate to CMMI components and practices. This
information also forms the basis for developing action plans for performance
improvement in the next step.
The CMMI Practice Mapping is an additional resource that can provide insights to assist
with adoption or transition activities. Appendix A: Additional Resources lists other
resources.

DEVELOP ACTION PLAN


Step 4: Develop and follow action plans, and keep them updated

In this step, the organization:


• Develops an improvement strategy
• Develops action plans to address
performance and process gaps identified
in the previous step
• Makes changes or improvements
• Defines or updates processes

The Sponsor, on behalf of the organization, may appoint a Process Group to support action plan development, or solicit support from a CMMI Consultant.
This step corresponds to and can be supported by the Practice Areas and Capability Areas contained in the CMMI Model Category of “Managing.”
The step begins by developing the organizational improvement strategy and obtaining commitment from all stakeholders. The strategy includes identifying the benefits of capability and performance improvement and the impact to organizational business objectives.

Adoption and Transition Tip: Action plans should contain clear and measurable information on when and how actions are considered closed. By prioritizing those actions that have the greatest impact on the business and performance rather than compliance, it is easier to convince senior management and stakeholders because the improvements are of value and need to be sustained over time.
The improvement strategy requires a firm commitment from the improvement sponsor.
Active sponsorship is critical to ensure that the plan and the required resources are
available throughout the improvement effort.
This step also includes the development of improvement action plans to address the
gaps identified in the previous step and to move the organization towards achieving its
objectives. Performing these activities may result in defining or updating processes and
making other changes needed to address process gaps. As with any plan, it is important
to keep the action plans updated as activities are added, modified, or removed.
As the organization progresses through the action plans, monitor performance to
ensure that the desired results are achieved. Performance and results should tie back to
the organizational business improvement goals defined in the strategy. Figure 8. Step 4
Activities and Considerations Table provides a summary list of the key Step 4 activities
and considerations.

Figure 8. Step 4 Activities and Considerations Table


Activities Considerations
Activity: Develop and follow an improvement strategy and keep it updated.
Considerations: An improvement strategy typically includes:
• Business considerations
• Objectives and constraints
• Possible approaches to meeting the objectives and constraints
• Requirements
• Needed resources, e.g., skills, environment, tools, new technologies
• Security requirements and considerations
• Safety requirements and considerations
• Risks and how they will be mitigated
Activity: Establish priorities for improvement actions.
Considerations: Prioritize improvement actions based on the value to the organization, resource constraints, and the impact on achieving performance objectives. This helps gauge how much work is ahead and the order in which items should be addressed.
Activity: Develop action plans to address all actions and gaps.
Considerations: The action plans define all aspects of the effort, tying together the following in a logical manner:
• Tasks
• Roles and responsibilities
• Budgets
• Schedules and milestones
• Risks
• Resources and skills
• Stakeholder involvement
For more details, review the content in the following CMMI Practice Areas:
• Estimating (EST): Estimates the size, effort, duration, and cost of the work and resources needed to develop, acquire, or deliver the solution.
• Planning (PLAN): Develops plans to describe what is needed to accomplish the work within the standards and constraints of the organization.
• Implementation Infrastructure (II): Ensures that the processes important to an organization are persistently and habitually used and improved.
• Governance (GOV): Provides guidance to senior management on their role in the sponsorship and governance of process activities.
Activity: Review plans with the improvement sponsor to obtain commitment and approval.
Considerations: Verify and confirm continued visible senior management’s active engagement, sponsorship, and support for the improvement efforts.
Activity: Make changes or improvements based on the action plans.
Considerations: Remember, even though some changes may be easy to implement, they may take a long time to roll out and to become persistent and habitual.
Activity: Define or update processes where appropriate.
Considerations:
• Record the processes the way they are performed.
• Refer to Appendix F: Define Your Current Processes for more information on recording processes.
• A CMMI Partner-Sponsored Individual can help an organization perform this task; refer to the CMMI Partner Directory to find a CMMI Partner-Sponsored Individual.

Additional Information
It is important to involve the people affected by the changes in making the
improvements. This increases buy-in and reduces resistance to the changes.

DEPLOY IMPROVEMENTS
Step 5: Deploy improvements and measure results

In this step, the organization:


• Pilots new and changed processes
• Deploys new and changed organizational
processes and assets
• Measures the performance of newly deployed
organizational processes and assets against
the business and performance improvement
objectives

This step corresponds to and can be supported by the Practice Areas and Capability
Areas contained in the CMMI Model Category of “Improving.”
This step involves piloting and deploying the performance and process improvements identified in action plans from the previous step, typically an iterative process. Improvements are often rolled out gradually to assess performance. Piloting improvements enables an organization to evaluate the impact of performance improvements to ensure they are successful before wider deployment. Deployment involves managing the implementation of new or updated processes in a consistent and sustainable way. There may be multiple improvement initiatives, concurrent improvements, and deployments in an organization. Coordinate the deployment of processes to avoid confusion, waste, contradictory results, and adverse effects.

Adoption and Transition Tip: Not every improvement may scale as it is deployed on a broader basis. Piloting improvements helps to understand which improvements have the greatest impact and benefit for the entire organization.
As performance improvements are deployed, care should be taken to ensure that
processes are built, followed, and made persistent and habitual. Figure 9. Step 5
Activities and Considerations Table provides a summary list of the key Step 5 activities
and considerations.

Figure 9. Step 5 Activities and Considerations Table


Activities Considerations
Activity: Measure performance of existing processes and their targeted improvements.
Considerations: As the organization accumulates historical data, process performance can be measured. Historical data may be used to identify performance differences between current and improved processes.
Activity: Develop, keep updated, and follow a process deployment plan.
Considerations: The deployment plan typically includes the following:
• Deployment strategy
• Improvement requirements
• Estimated budget, schedule, risks, etc.
• Updated and new process information
• Communication methods
• List of affected stakeholders
• Training
• Implementation expectations
Activity: Pilot new or changed processes.
Considerations: Define and use criteria for selecting which improvements to pilot. Typical criteria include:
• Risk
• Impact of change
• Number of work efforts affected
• Cost
• Expected results
Activity: Analyze results of pilots.
Considerations: Use results from pilots to:
• Compare performance results of the pilot to existing performance measures
• Determine if the pilot is sufficiently successful to deploy the process to other parts of the organization
• Make changes to the piloted process
• Update the deployment plan as needed

Activity: Deploy processes as appropriate.
Considerations: Establish the necessary infrastructure to ensure that processes are built, followed, sustained, and improved over time. The term “infrastructure” refers to everything needed to implement, perform, and sustain the organization’s set of processes. The infrastructure includes:
• Recorded processes
• Resources, e.g., people, tools, consumables, facilities
• Funding to perform the processes
• Training to perform the processes
• Objective evaluations to ensure that work is performed as intended
Activity: Monitor adoption of recently deployed improvements.
Considerations: Continue to monitor the process over time by reviewing:
• Organization’s performance measures
• Organization’s applicable security activities, steps, and measures
• Organization’s applicable safety activities, steps, and measures
• Comparison of historical performance to the performance of new or updated processes
• Persistence and habit in the use of and continuous improvement of the processes and assets
By monitoring improvement adoption and performance against organizational business objectives, an organization can verify and quantify the benefits of the improvements.
This activity may also result in new opportunities for improvement and updates to action plans.
For more details on deploying improvements and measuring results, review the following CMMI Practice Areas:
• Process Management (PCM): Manages and implements the continuous improvement of processes and infrastructure to support accomplishing business objectives. Identifies and implements the most beneficial process improvements and makes performance results visible, accessible, and sustainable.
• Managing Performance and Measurement (MPM): Manages performance using measurement and analysis to achieve business objectives.

Additional Information
To avoid overwhelming stakeholders, it may be necessary to select and deploy different
improvements to different parts of the organization at different times. The selection of
improvements to deploy should be based on the criteria described above and should
also be sensitive to the needs of the various parts of the organization.

Monitoring implementation ensures that the improvements are effectively deployed. It also helps to understand:
• What assets are being used
• Why they are being used
• Where they are being used
• How they are being used
As processes become persistent and habitual, they become an integral part of the
organization’s norms and culture. Persistent and habitual processes endure after the
people who defined them are gone.
Review the measures collected to understand performance over time to determine if the
collected performance data is relevant and critical to the work and to the business or if
it needs to be changed. An organization may not get it right the first time, so it should
review the data and adjust plans accordingly.

ASSESS CAPABILITY
Step 6: Assess capability and performance

In this step, the Sponsor works with the organization and may work with a CMMI Lead Appraiser to:
• Assess processes and assets
• Measure and assess performance
• Update improvement plans as
needed
• Continue the improvement
journey

Organizations typically conduct a combination of both informal and formal assessments, to maintain an appropriate level of momentum for performance improvement initiatives. As such, the Sponsor works with various roles to define an approach for periodic assessments of capability, including the CMMI Lead Appraiser, CMMI Consultant, and Process Group Members.

Adoption and Transition Tip: Conducting CMMI appraisals is a proven best practice to ensure the most efficient and effective improvement results. CMMI-based appraisals provide reliable, clear, consistent, and actionable focus on performance improvements that have the most impact on the business and help build and improve capability.
This step corresponds to and can be supported
by the Practice Areas and Capability Areas contained in the CMMI Model Category of
“Improving.”
This step involves appraising processes and the improvements made to them, and then
brings the CMMI adoption cycle full circle and back to assessing the impacts of those
improvements on performance.
There are multiple ways to assess capabilities and performance including:
• Conducting internal appraisals or process reviews against CMMI
• Partnering with a CMMI Partner-Sponsored Individual to conduct appraisals,
e.g., CMMI Evaluation Appraisal, CMMI Benchmark Appraisal, CMMI Sustainment
Appraisal
It is important that organizations validate that their processes and performance are in
alignment with business and performance improvement objectives. CMMI appraisals
assist in:
• Demonstrating the value of improvements to the business
• Motivating stakeholders for continued buy-in
• Driving continuous improvement
• Determining competitive position in the market
Figure 10. Step 6 Activities and Considerations Table provides a summary list of the key
Step 6 activities and considerations.

Figure 10. Step 6 Activities and Considerations Table


Activities Considerations
Activity: Assess processes and assets.
Considerations: Assess progress against the improvement plan at an appropriate frequency.
Activity: Assess performance results against performance and business objectives.
Considerations: The results from this assessment should help to inform and drive the next iteration of improvement.

Activity: Update improvement and action plans and continue the improvement journey.
Considerations: Improvement is not a one-time effort. As organizations complete activities, they should plan for the next iteration in a continuous improvement journey.

Additional Information
An organization may want to achieve formal recognition of the effectiveness of their
processes. This can serve as both an internal validation of the value and benefits gained
from continual improvement efforts and an external acknowledgement of the
organization’s commitment to quality and continuous performance improvement.
Formal recognition can be gained through conducting a CMMI Benchmark Appraisal. If
the organization plans to conduct a CMMI Appraisal, an ISACA Certified CMMI Lead
Appraiser must lead the appraisal. The results of a CMMI Benchmark Appraisal can be
used to compare the organization to other organizations in their industry.
The continuous improvement journey may involve:
• Evolution of the organization’s business objectives
• The need for improved performance
• New areas for improvement
Once this step is completed, repeat the cycle by going back to Step 1 to learn about
any new updates made to the CMMI Product Suite. Refer to Figure 11. Adoption and
Transition Guidance Cycle.

Figure 11. Adoption and Transition Guidance Cycle

Appendix A: Additional Resources


This Appendix contains a list of resources that are part of the integrated CMMI Product
Suite to aid organizations with successful adoption or transition. Figure 12. CMMI
Adoption and Transition Resources provides a summary of the complete set of adoption
and transition resources available.

Figure 12. CMMI Adoption and Transition Resources


Resource Purpose
Resource: CMMI Website
Purpose: The CMMI website provides resources and information about ISACA’s offerings to support capability and performance improvement.
Resource: ISACA’s Customer Support Center
Purpose: The ISACA Customer Support Center provides individuals and organizations with proactive support and speedy solutions to questions. You can review the Frequently Asked Questions (FAQs) or submit a support request at https://support.isaca.org.
Resource: CMMI Partner Directory
Purpose: The CMMI Partner Directory is a searchable database of highly trained individuals in organizations trusted to deliver quality, leading-edge CMMI services and technologies throughout the global business community. Organizations looking to get an appraisal, obtain training, or receive consulting on implementing CMMI processes in their organization can find a Partner to help.
Resource: CMMI Resource Center
Purpose: The CMMI Resource Center is a collection of every CMMI digital resource in one place. Browse through the collection of presentations, webinars, articles, case studies, whitepapers, and more.
Resource: CMMI Appraisal Method Definition Document (MDD)
Purpose: The MDD defines requirements, activities, and guidance for conducting effective and reliable appraisals against CMMI. The MDD is available for purchase or is available to some CMMI certified individuals based on role.
Resource: CMMI Account Dashboard
Purpose: Register for an account on the CMMI website or log in to an existing account to find materials that you have purchased or to which you have access based on your certified role. Based on your access, you will find links to the CMMI Model Viewer, MDD, and course materials on the dashboard.

Resource: CMMI Training Resources
Purpose: Find CMMI and Partner training resources, class schedules, and information about training and certification options on the CMMI Training Resources page.
Resource: CMMI Policies
Purpose: The CMMI Policies page provides access to appraisal, certification, partner, quality, and training policies.

Additional References
The CMMI Adoption and Transition Guide contains references to a few external
resources. These resources are cited below.
• Park, Robert E., Wolfhart B. Goethert, and William A. Florac. Goal-Driven
Software Measurement: A Guidebook. Pittsburgh, PA: Carnegie Mellon
University, Software Engineering Institute, 1996.
• Gray, Douglass. Applying the Goal-Question-Indicator-Metric (GQIM) Method to
Perform Military Situational Analysis. Pittsburgh, PA: Carnegie Mellon University,
Software Engineering Institute, 2016.
• Sheen, Raymond, and Amy Gallo. HBR Guide to Building Your Business Case.
Boston, MA: Harvard Business Review Press, 2015.
• Solingen, Rini Van, Vic Basili, Gianluigi Caldiera, and H. Dieter Rombach. "Goal
Question Metric (GQM) Approach." Encyclopedia of Software Engineering, 2002.
doi:10.1002/0471028959.sof142.

Appendix B: CMMI Categories, Capability Areas, and Practice Areas
Figure 13. Categories, Capability Areas, and Practice Areas lists the Categories,
Capability Areas, and Practice Areas that are part of CMMI.

Figure 13. Categories, Capability Areas, and Practice Areas

Appendix C: Problem Identification and Resolution Using the CMMI
Figure 14. Problem Identification and Resolution Using the CMMI lists common business
problems, their possible underlying causes, and the CMMI Practice Areas that could
help. For a list of CMMI Practice Areas, refer to Figure 13. Categories, Capability Areas,
and Practice Areas in Appendix B: CMMI Categories, Capability Areas, and Practice
Areas.

Figure 14. Problem Identification and Resolution Using the CMMI


Common Business Problem – Potential Underlying Causes – CMMI Solutions (by Practice Area)
Problem: Delivered solution does not meet customer needs
Causes:
• Wrong solution delivered
• Bad requirements
• Poor testing
• No stakeholder feedback
• Lack of customer involvement
CMMI Solutions (by Practice Area): PLAN, PR, RDM, PQA, SDM, STSM, VV
Problem: Customer complaints
Causes:
• Inconsistent delivery
• Rude personnel
• Always have an excuse
• Quality issues
• Service levels not met
CMMI Solutions (by Practice Area): EST, PQA, RDM, SDM
Problem: Late delivery
Causes:
• Poor/no estimating or planning
• Poor progress tracking
• Lack of critical resources
• Excessive overtime
• Too much rework
• Constantly changing requirements
• Unexpected external incidents or other disruptions
CMMI Solutions (by Practice Area): EST, IRP, MC, PLAN, RDM, RSK
Problem: Disruptions to operations caused by global events or environmental impacts
Causes:
• Worldwide events, e.g., COVID-19 causes fundamental shift in business operations
• Entire workforce must shift to virtual or remote delivery
• Vulnerabilities in virtual delivery expose organizations to new security disruptions
• Lack of adequate planning and preparation for virtual delivery
CMMI Solutions (by Practice Area): CONT, ESAF, ESEC, EVSD, IRP, MST, PLAN, RSK

Problem: Costly solutions
Causes:
• Poor estimating/planning
• Gold plating
• Too much rework
• Acceptance of too many changes/too much work without understanding impact
• Lack of understanding customer needs
CMMI Solutions (by Practice Area): CM, DAR, EST, MC, PLAN, RDM, RSK
Problem: Poor quality
Causes:
• Badly defined requirements
• Attempts to “test quality” into services or products
• Lack of time to test
• Poor design
• Inexperienced technical personnel
• Lack of defined processes and procedures
CMMI Solutions (by Practice Area): PLAN, PQA, PR, RDM, VV
Problem: Vulnerabilities
Causes:
• Lack of awareness or appropriate prioritization of security needs and requirements
• Lack of an approach and infrastructure to address threats, vulnerabilities, and mitigations
• No assigned resources, roles, or responsibilities to address security
• Lack of continuous monitoring and improvements
CMMI Solutions (by Practice Area): ESEC, GOV, II, MST
Problem: Constantly stretched resources
Causes:
• Poor/no estimating or planning
• Excessive overtime
• Wrong resources
• Acceptance of too many changes/too much work without understanding impact
• Poor management
• Lack of commitment
CMMI Solutions (by Practice Area): CM, DAR, EST, MC, PLAN, RDM, RSK
Problem: Problems are always a surprise
Causes:
• Lack of problem anticipation
• Poor planning
• Short-term organizational “memory”
• Sugarcoating
• Problem avoidance (“burying head in the sand”)
• Lack of corrective or preventative action
• No viable responses to problem
CMMI Solutions (by Practice Area): CM, CONT, PAD, PLAN, RSK, IRP

Problem: Safety mishaps and events interrupt operations
Causes:
• Lack of a safety approach and infrastructure
• Lack of awareness or appropriate prioritization of safety needs and requirements
• No assigned resources, roles, or responsibilities to address safety
CMMI Solutions (by Practice Area): ESAF
Problem: Constant firefighting
Causes:
• Poor/no estimating or planning
• Inexperienced technical personnel
• Dependency on heroes for success
• Acceptance of too many changes or work without understanding impact
• Poor management
• Lack of commitment
CMMI Solutions (by Practice Area): CM, EST, GOV, II, OT, MST, PCM, PLAN, RSK
Problem: Poor retention of personnel
Causes:
• Over reliance on heroes
• Poor/no estimating or planning
• Excessive overtime
• Wrong resources
• Acceptance of too many changes/too much work without understanding impact
• Poor management
• Poor morale
• Corporate “brain drain” (loss of key personnel and experience)
CMMI Solutions (by Practice Area): CM, EST, OT, PAD, PCM, PLAN
Problem: Everything is priority 1
Causes:
• Poor planning
• Poor morale
• Excessive overtime
• Poor quality
• Lack of focus on what is important to the business and performance
CMMI Solutions (by Practice Area): DAR, PLAN, RDM
Problem: Too much rework
Causes:
• Poor planning
• Excess or unnecessary cost
• Poor morale
• Excessive overtime
• Poor quality
CMMI Solutions (by Practice Area): MC, PLAN, PQA, PR, VV
Problem: Constantly reinventing the wheel
Causes:
• No sustainable infrastructure
• Lack of clear repeatable process
• Sporadic or no training/learning
• Lack of focused training for business needs
• No organizational memory
CMMI Solutions (by Practice Area): DAR, II, PAD, PCM, TS

Business Problem: Supply chain issues
Underlying Causes:
• Lack of clear requirements
• Ambiguous or no agreements
• Limited selection of solutions
• Risks in the supply chain
• Lack of clear and consistent responsibilities
• Delivery delays
• Poor quality
Potential CMMI Solutions (by Practice Area): PLAN, PQA, RSK, SAM, SSS

Business Problem: Inexperienced personnel and management
Underlying Causes:
• Lack of clear governance
• Lack of clear repeatable process
• Lack of clear and consistent responsibilities
• Sporadic or no training/learning
• Lack of focused training for business needs
• No organizational memory
• Poor resource, skills, and knowledge planning
• Poor quality
Potential CMMI Solutions (by Practice Area): GOV, MC, OT, PLAN, PQA

Business Problem: Low productivity
Underlying Causes:
• Lack of clear, repeatable processes
• Lack of training
• Poor morale
• Poor accountability
• Lack of infrastructure
Potential CMMI Solutions (by Practice Area): EST, GOV, II, OT, PLAN

Business Problem: Inconsistent service delivery
Underlying Causes:
• Lack of a collaborative approach between the service provider and customer
• Lack of an approved service agreement and lack of adherence to it
• Inability to deliver services due to any of the following factors: failure of service components, failure to check readiness of the service system, absence of clear service delivery procedures or lack of awareness about such procedures (if they exist)
• Dependency on heroes to deliver services rather than on established practices and procedures
Potential CMMI Solutions (by Practice Area): CONT, IRP, PQA, SAM, SDM, STSM

Business Problem: Never finishing
Underlying Causes:
• Incorrect scoping
• Incorrect estimation methods
• Failure to revise plans and schedules based on changing customer demands
• Inadequate resources/incorrect resource estimation and planning
• Lack of obtaining commitments from relevant stakeholders
Potential CMMI Solutions (by Practice Area): EST, II, MC, PLAN, RSK

Business Problem: Never enough time/budget
Underlying Causes:
• Poor planning
• Lack of resources
• Excess or unnecessary cost
• Poor monitoring
• Excessive overtime
Potential CMMI Solutions (by Practice Area): EST, GOV, MC, PLAN, RSK

Business Problem: Constant requirements changes
Underlying Causes:
• Incorrect and/or incomplete change management process
• Lack of clearly understood requirements process
• Weak or inadequate validation, verification, and peer review processes
Potential CMMI Solutions (by Practice Area): CM, MC, PLAN, PR, RDM, VV

Business Problem: Poor decision making
Underlying Causes:
• Not sure of the exact “problem” (and so not able to define the problem statement)
• Lack of relevant and adequate skill sets to use decision-making techniques and to determine the risks and impacts of decisions
• Not involving affected stakeholders during problem definition and/or decision-making process
• Taking decisions based on “assumptions” rather than on actual (measurable and verifiable) data
• Inability to identify criteria for evaluation of alternatives
• Inability to identify alternatives for particular problem
• Inability to define a problem from a state of confusion
Potential CMMI Solutions (by Practice Area): DAR, II, OT, PLAN, SAM, TS

Business Problem: Incorrect version released to customer
Underlying Causes:
• Insufficient configuration management processes and infrastructure to support version management
• Lack of version control
• Unclear authoritative source
• Unclear integration and interface requirements
Potential CMMI Solutions (by Practice Area): CM, PI

Appendix D: Typical CMMI Adoption Roles


This section contains information and perspectives on the people who use and commonly
benefit from CMMI. Each role is described along with its unique perspective,
approach, and the benefits it realizes by leveraging the CMMI model. These are roles,
not individuals or positions, and they may be combined, split, or fulfilled differently in
each organization.

Role Description
• This role includes senior management and those who control the budget, select,
and manage solution suppliers, and hold approval authority for buying solutions
for an organization. This role appreciates the business value that suppliers and
vendors leveraging CMMI demonstrate through high quality delivery of products
and services.
Role Activities
• Uses practices for supplier selection and management
• Understands the risk of doing business using suppliers and the risks each may
bring
• Mitigates supplier risks
• Requires suppliers to adopt the CMMI and understand what a supplier’s CMMI
capability, or maturity, means
• Uses the CMMI practices to understand and address risk in the supply chain
• Evaluates risk and determines the quality required to rank incoming proposals to
eliminate unsuitable bidders and select the supplier with the lowest risk
• Manages technical interactions
• Manages contractual issues on both sides
• Manages acceptance of deliverables
• Manages transitions of deliverables and solutions to operations
• Identifies and manages approaches to addressing security requirements
• Identifies and manages approaches to addressing safety requirements
• Establishes policy, and provides budget and resources for remote workforce and
virtual delivery
Benefits to Role
• Effectively and efficiently reduces risk to the buying organization
• Ensures that the highest quality suppliers, those that meet knowledge, skills, and
experience requirements, are identified and selected
• Suppliers are managed throughout the solution period of performance
• Results in clear and unambiguous agreements
• Improves the interactions between suppliers and the buying organization
• Minimizes disputes
• Minimizes supply chain disruptions associated with safety and security issues

Role Description
• This role includes senior management, including the “C-Suite,” e.g., Chief
Executive Officer (CEO), Chief Operating Officer (COO), Chief Financial Officer
(CFO), Chief Information Officer (CIO), but these roles are specific to those
organizations adopting the CMMI and conducting appraisals and other forms of
assessments to determine their capability.
Role Activities
• Funds and oversees performance improvement initiatives
• Articulates the strategy and business objectives, including security and safety
objectives
• Ensures alignment of strategy and business objectives
• Sets priorities for improvements, and ensures alignment with performance
objectives
• Provides explicit requirements for senior management activities in supporting
and sustaining improvement efforts
• Ensures that resources are available to implement the improvement efforts
• Approves appraisal objectives
Benefits to Role
• Enables process consistency across the organization
• Ensures the improvement effort supports achieving objectives
• Promotes a common understanding of the performance improvement objectives
• Fosters better coordination and communication among work groups
• Increases customer satisfaction
• Emphasizes and actively supports the importance of addressing security needs
and requirements in the solution
• Reduces cost
• Monitors alignment and achievement of objectives
• Gains competitive advantage
• Attracts and retains top talent
• Positions organization for growth
• Reduces overhead cost
• Improves time to market
• Keeps current with market trends
• Uses integrated model to strengthen position in the market
• Increases growth and expands marketability
• Gets assurance of improvements
• Emphasizes and actively supports the importance of addressing safety needs
and requirements in the solution
• Uses flexibility in model to meet organizational needs and reduce process
overhead
• Improves workforce management
• Provides career path for developing the workforce
• Changes organizational behavior to better achieve strategy and business
objectives
• Addresses and sells a wider set of capabilities because of the integrated model
• Provides a basis for tangible performance improvements, including safety and
security considerations

Role Description
• This role includes people in an organization who are following the processes and
who get the most direct benefit from using and improving processes. It is crucial
that these people are involved with the improvement activities, as they are the
ones who must live with them every day.
Role Activities
• Follows the processes, and adheres to policies
• Provides feedback, inputs, and ideas for improving process and performance
• Participates in process groups, action teams, etc.
Benefits to Role
• Reduces rework
• Understands what is being done and why
• Provides structure for how work is done
• Stops reinventing the wheel
• Does the job better
• Minimizes overtime
• Shares best practices
• Reduces chaos and stress
• Gives a voice to practitioners in determining and making commitments
• Provides structure for defining explicit roles and responsibilities
• Ensures they have the skills and expertise needed to perform their roles and
responsibilities
• Provides an environment conducive to increased performance
• Provides guidance for working together effectively and efficiently
• Provides guidance for navigating multiple priorities and reporting relationships
• Sustains existing expertise across the organization
• Increases individual competency growth
• Improves individual performance
• Participates in specific security awareness training
• Participates in specific safety awareness training

Role Description
• This role includes the people assigned responsibility for improving and sustaining
process and performance in the organization. The assignments can be full-time
or part-time.

Role Activities
• Ensures improvement priorities and activities are aligned with improving
performance and meeting business strategy and objectives
• Provides performance improvement guidance to promote understanding
throughout the organization
• Coordinates and communicates improvement activities and benefits with
stakeholders
• Solves organizational process and performance problems
• Assesses process capabilities and performance
• Identifies and provides needed improvements and training
• Identifies and addresses gaps in process implementation
• Uses source model disciplines in an integrated way
• Verifies process and performance integration, infrastructure, and alignment of
results to business objectives
Benefits to Role
• Plans improvement efforts using a clear evolutionary path within Practice Areas
• Supports process persistence and sustainment with explicit infrastructure and
governance
• Changes organizational behavior to better achieve strategy and business
objectives
• Reduces the impact of process changes
• Establishes common process roles

Role Description
• This role includes individuals or groups whose main responsibility is for ensuring
end-to-end holistic quality in the processes, their execution, and resulting
solutions. This includes quality control, quality assurance, peer reviews, testing,
verification and validation, and related activities.
Role Activities
• Identifies potential performance and process improvements
• Identifies security related quality issues
• Identifies safety related quality issues
• Provides guidance for determining if processes are being followed
• Helps identify if current processes support the existing work
• Supports providing management and stakeholders insight into process adoption
and effectiveness
• Identifies non-compliance issues in process implementation
• Analyzes quality data to:
o Identify patterns and trends
o Anticipate problems and issues
Benefits to Role
• Maximizes quality of solutions
• Increases customer experience and satisfaction
• Enhances brand reputation
• Improves performance by avoiding non-valued-added activities
• Ensures processes work more effectively for practitioners and the organization
• Reduces rework
• Improves practitioner satisfaction and morale

Role Description
• This role includes managers who are responsible for managing the day-to-day
activities for producing and delivering solutions. This can include task, project,
and program-level management roles. It also includes activities required to
develop and sustain the skills and experience of the project team members to
meet the current and future needs of the organization.
Role Activities
• Supports the performance improvement activities
• Negotiates and confirms commitments
• Organizes teams and projects
• Reviews project and improvements
• Keeps senior management informed
• Enables communications throughout the organization
• Leverages the skills and experience of employees

• Provides guidance for effective career development, with alignment to needs of
project and organization
• Encourages and enables active participation in improvement efforts
• Revises plans, schedules, budget, and resources as needed
• Integrates security and safety needs and approaches into plans
• Enables consistent employee evaluations, aligning compensation, rewards, and
recognition with performance
• Enables empowerment of project team members
• Provides a framework for:
o Establishing a productive work environment
o Providing effective training and mentoring
o Communication and coordination, including virtual considerations when
appropriate
Benefits to Role
• Manages project to ensure solutions are on-time and within budget
• Provides oversight to ensure solutions meet identified requirements and meet or
exceed performance expectations, including security and safety
• Enables effective allocation of resources, to support business strategies and
objectives
• Reduces employee turnover and supports positive employee morale
• Increases clarity of assignments
• Minimizes non-value-added activities
• Ensures delivered solutions satisfy customer needs and expectations
• Ensures practitioners maintain their skillsets to support project and organization

Working with a CMMI Partner-Sponsored Individual

What is a CMMI Partner-Sponsored Individual?


ISACA certifies individuals as CMMI Lead Appraisers to lead CMMI appraisals and
certifies individuals as CMMI Instructors to teach official CMMI courses. These CMMI
Instructors and CMMI Lead Appraisers may provide consulting services for organizations
wanting to adopt the CMMI. When working with one of these individuals, make sure
that they work under the sponsorship of a CMMI Partner organization.
When acting as technical advisors, these experienced professionals work with clients to
help them adopt CMMI to best meet their business needs and objectives. In some
cases, this involves conducting a CMMI appraisal. Based on their experience in the
industry and their quality record, these experts have been certified by ISACA to deliver
official training courses and appraisal services.

How to find a CMMI Partner-Sponsored Individual


ISACA works with a network of licensed Partner organizations that employ certified
individuals who are qualified to provide official courses and appraisals services. CMMI
Partner-Sponsored Individuals can be found in the CMMI Partner Directory. Additionally,
ISACA can provide services directly to your organization.
The CMMI Partner Network and certified individuals provide a vast, global reach to help
to connect CMMI with users, managers, and executives who can benefit from CMMI
solutions. ISACA and CMMI Partners are the only source for authentic CMMI
services. Consider needs and expectations when searching for and hiring a CMMI
Partner. The Partner should be familiar with items such as:
• The type or domain of work performed by the organization, e.g., supplier
management, development, services
• The requirements of the methodologies used by the organization, e.g., Scrum,
DevOps, security, safety
• The scope of the implementation, e.g., large organization, small organization
• The industry, e.g., standards, best practices
• The applicable constraints, e.g., laws, regulations
An organization should ask the certified individual for references and examples of work
that are similar to its needs, goals, and circumstances. Figure 15. When and How a
CMMI Partner-Sponsored Individual Can Help provides a list of adoption steps and
considerations for getting help from a CMMI Partner-Sponsored Individual.

Figure 15. When and How a CMMI Partner-Sponsored Individual Can Help

Adoption Step: LEARN: Learn how CMMI will benefit the organization.
Considerations: A CMMI Partner-Sponsored Individual may help with:
• Providing an overview of CMMI to the organization
• Facilitating management buy-in. (Consider an external sponsored individual if management is more likely to listen to external expertise rather than internal.)
• Answering questions about CMMI
• Providing advice for starting improvement efforts
• Assisting with proposal efforts

Adoption Step: ESTABLISH OBJECTIVES: Develop and communicate business, performance, and improvement objectives.
Considerations: An expert perspective may provide insights and valuable input for:
• Identification of issues and needs
• Definition of business, performance, and improvement objectives
• Alignment of improvement efforts with needs and objectives

Adoption Step: ANALYZE: Map current organizational processes to the CMMI.
Considerations: A CMMI Partner-Sponsored Individual may compare the organization’s current processes to the CMMI by:
• Performing an independent gap analysis
• Leading the organization’s personnel in conducting a gap analysis or evaluation
An external expert can add credibility to the delivery and acceptance of the analysis results.

Adoption Step: DEVELOP ACTION PLAN: Develop, keep updated, and implement an improvement plan to get from the current state to the desired state.
Considerations: A CMMI Partner-Sponsored Individual may be able to give management a better idea of what is needed for an improvement effort, including:
• Resources
• Activities
• Schedule
• Cost
An expert may be able to assist in identifying appropriate measurements for addressing business, performance, and improvement objectives.

Adoption Step: DEPLOY IMPROVEMENTS: Deploy improvements.
Considerations: The continued assistance of a CMMI Partner-Sponsored Individual can help provide knowledge and expertise to help an organization efficiently deploy improvements and monitor adoption.

Adoption Step: ASSESS CAPABILITY: Assess organizational capabilities.
Considerations: A CMMI Partner-Sponsored Individual may help an organization:
• Monitor improvement efforts and performance targets
• Help adjust the improvement plan
• Plan for formal CMMI Appraisals, if needed
To be formally appraised, the organization will need to choose a Certified CMMI Lead Appraiser working under the sponsorship of a CMMI Partner. The Lead Appraiser will help with:
• Identifying the organizational and model scope
• Selecting and training Appraisal Team Members
• Planning the appraisal activities

Working with ISACA

The Role of ISACA


ISACA is the owner and steward of the CMMI Product Suite: including the model,
appraisal method, courses, certifications, systems, and associated intellectual property.

When to use ISACA


An organization can contact ISACA by visiting Customer Support, which provides
general help information and the ability to submit a support request. ISACA can assist
through its customer success team as an organization adopts CMMI. When new
methods, approaches, or other content are identified for potential inclusion in future
model updates, ISACA maintains the requirements, updates, and release plans and
schedule for the CMMI Product Suite.
Generally, ISACA will point you to experienced CMMI Partner-Sponsored Individuals
available through the CMMI Partner network. However, in limited situations, ISACA may
work directly with organizations to provide support to:
• Corporate programs for large organizations looking to develop an enterprise-
wide improvement program
• Organizations wanting to build internal CMMI subject matter expertise and
consulting
• Industry programs for trade associations or government agencies that want to
build a strategy for improving performance across an industry
• Organizations interested in piloting new content, methods, or approaches for
CMMI
If this describes your organization’s goals, contact ISACA at https://support.isaca.org.

How to use ISACA


If you have any questions about how to engage ISACA directly, contact ISACA at
https://support.isaca.org.

Appendix E: Building Goals, Risks, and KPIs


To improve your organization’s performance, you must first understand your business
goals along with your ability to meet those goals. This information can also be recorded
using the MDD-required Performance Report template that a Certified CMMI Lead
Appraiser uses as a part of appraisal activities.
• List the top 3-5 business goals for your organization:

1.
2.
3.
4.
5.

• List the top 3-5 Key Performance Indicators (KPIs) for your organization:

1.
2.
3.
4.
5.

• Quantify your current performance (list your current KPIs):

1.
2.
3.
4.
5.

• List the issues or risks impacting your ability to meet your business goals:

1.
2.
3.
4.
5.

Appendix F: Define Your Current Processes


WHY (What, How, Your CMMI)
What do you do today? List the tasks associated with current activities.
• Work, program, project, and task management
o Identify the activities, e.g., planning, staffing, scheduling, estimating
• Designing, developing, building, and delivering a service or product
o Identify the activities, e.g., documenting what the customer wants
(identifying the “requirements”), elaborating these requirements to
determine how the customer’s needs are met, designing the service or
product, building the service or product, testing the service or product to
determine if it meets the needs of the customers, and delivering the service or
product
• Collateral activities associated with service or production
o Identify the activities, e.g., ensure consistent delivery of service or
product (configuration management), ensure consistent and repeatable
performance of building service or product (quality), measure activities
associated with the production and delivery of service or product, identify
risks associated with service or product production
• Organizational support and infrastructure
o Identify the activities the organization performs to enable quality and
consistent services and products, e.g., document practices and processes
to be used across all services and products, and training associated with
enabling the workforce to perform their tasks
How do you perform these tasks? After the required activities have been identified,
elaborate each activity with “how” you perform the activities – the “how” can be bullets,
checklists, or documents. The formality of the “how” can be determined by your
organization.
Your CMMI: Use this list of activities and their associated elaborations and map
them to the activities your organization will perform within the context of the CMMI,
using the view of the CMMI that most applies to your organization and its capability and
performance goals.

Appendix G: CMMI Practice Area Security Adoption Examples


Figure 16. CMMI Practice Area Security Adoption Examples includes examples of
security relationships and impacts. This should not be considered a
comprehensive list of all possibilities.

Figure 16. CMMI Practice Area Security Adoption Examples


Description of Security Potential
Practice
Example Security Relationship Impacts of Not
Area
Relationships Details Addressing
Category: DOING
Capability Area: Delivery & Managing Services (DMS)
Service Delivery In planning for services • Data under • Service
Management to be offered by an consideration may organization
(SDM) organization, the ability include: personnel reputation could
to ensure customer information, be harmed
Strategic
security is essential. financial • Personnel data
Service
Often services involve information, leaks could
Management
the collection of competition result in identity
(STSM)
customer data. This sensitive theft
data is provided information, and • Proprietary or
assuming the data is proprietary data. competition
only shared through These are just a sensitive data
authorized access few data types and leaks could
anchored in principles content that can be cause loss of
of least privilege and considered a threat business
need to know. Security if compromised.
requirements, including • Work should be
physical security performed offline to
requirements, the extent possible
associated with the to avoid internet
service delivery should compromises
be an integral part of • Access controls and
the service objectives, multi-factor
approach, and authentication
incorporated within the parameters should
service system. The be defined and
organization's security implemented
approach and security • Physical security
controls are critical to parameters should

© 2022 ISACA.

58
CMMI Adoption & Transition Guidance

Description of Security Potential


Practice
Example Security Relationship Impacts of Not
Area
Relationships Details Addressing
the organization's be established to
reputation within the ensure secure
industry and with their service delivery
customers.
Capability Area: Engineering & Developing Products (EDP)
Product While developing • New threats are • System could
Integration (PI) functional solutions for continually being be disabled
products, security identified and • Unplanned
Technical
threats and product design reduced
Solution (TS) should focus on
vulnerabilities must be capabilities
anticipated. The results anticipating new might occur
of these occurring threats before they • Total crashing
should be analyzed to become an issue. It of the system,
ensure that the product is recommended to preventing
design minimizes or designate a specific business
avoids their occurrence. individual or group operations
In order to account for in charge of might happen
the security tracking the various • Revenue could
requirements and government be lost
vulnerabilities that are security related
not known, the use of regulations,
exception handling is standards, and
utilized to respond to laws, and
the occurrence of researching the
exceptions – anomalous latest
or exceptional vulnerabilities.
conditions requiring • Periodically remind
special processing – individuals, e.g.,
during the execution of requirements
a program. If they do analysts and
occur, disruptions testers, to watch
should be minimized for abnormalities
and analyzed to • Ensure the design
determine what the incorporates
tolerance of acceptance consideration of
is for the product. known security
When integrating the threats
system components, • Concepts
security threats should associated with
be tested for their defense in depth

© 2022 ISACA.

59
CMMI Adoption & Transition Guidance

Description of Security Potential


Practice
Example Security Relationship Impacts of Not
Area
Relationships Details Addressing
disruption and effect, in should be
addition to testing for considered
security requirements. • Have backup plans,
e.g., shut down
when a new threat
is recognized,
revert to alternative
code
• Establish
mechanisms for
frequent system
backups, including
when data should
be stored off site
Capability Area: Ensuring Quality (ENQ)
Peer Reviews Security is NOT an • Security and access • System or data
(PR) afterthought. It is rights may affect breach could
critical that it is who can review happen
Process Quality
included in all activities documents, audit • Data could be
Assurance
associated with the processes, or test lost or
(PQA)
development of a functionality. compromised
Requirements product or service. Ensure all • Sensitive data
Development & Security requirements personnel involved could be
Management should be integrated with these activities disclosed
(RDM) into the functional have relevant • Jobs could be
requirements for both clearances or lost because of
Verification &
products and services. access rights. a violation of
Validation (VV)
Their prioritization and • Requirements the regulations
assignment to should include • Fines could be
components is strong imposed due to
coordinated with other authentication violations of
requirements. Security requirements, e.g., regulations
requirements, multi-factor • Plant could be
attributes, and controls authentication shut down
should be included in • Requirements when
peer reviews during the should also include regulations
planning and any external result in
development of the regulatory security remediation
product or service. Peer requirements that • Work may be
review checklists should have been imposed delayed or

© 2022 ISACA.

60
CMMI Adoption & Transition Guidance

Description of Security Potential


Practice
Example Security Relationship Impacts of Not
Area
Relationships Details Addressing
include security as part by the country or prevented if
of the normal customer clearances or
verification activity. The • Quality should also access rights
security attributes and audit for regulatory are not in place
controls should be compliance
verified and validated throughout the
throughout the lifecycle of the
lifecycle. Quality product or service.
activities that are Audits should be
prescribed during the periodic and event
lifecycle should include driven.
security not as an
extension but as a vital
part of the functionality
of the product or
service. Quality
checklists should
include security within
the normal audits.
Capability Area: Selecting & Managing Suppliers (SMS)
Practice Area: Supplier Agreement Management (SAM); Supplier Source Selection (SSS)
Description of Security Relationships: When suppliers are selected and supplier agreements are made, security should be a factor. Security requirements should be allocated as appropriate to all suppliers. Security controls within the functional solution are often further projected into functional security components, and these are often out of the direct control of the provider. The requirements are allocated to components and likewise to the organizations responsible for the production of individual components or the organization responsible for the service. The supplier must assume responsibility for supplier-associated security responsibilities.
Example Security Relationship Details:
• Suppliers should be assigned end item responsibilities for security compliance for each delivered product or service
• Suppliers should be required to demonstrate compliance with any product or service regulation
• Before the organization accepts a supplier deliverable, it should ensure regulatory compliance, error and exception handling, operational continuity after a threat or vulnerability is detected, and backup capabilities (if needed)
Potential Impacts of Not Addressing:
• Organization's reputation could be damaged since the supplier is working under the organization's direction
• System shutdown or service stoppage could occur
• Loss of revenue
Category: MANAGING
Capability Area: Managing Business Resilience (MBR)
Practice Area: Continuity (CONT); Incident Resolution & Prevention (IRP); Risk & Opportunity Management (RSK)
Description of Security Relationships: It is important to consider that regardless of how robust the system is, security threats and vulnerabilities may still occur. Many threats and vulnerabilities are unknown and will continue to evolve throughout the lifespan of the system or service. Monitoring the system for vulnerabilities is a never-ending activity. When vulnerabilities are first identified, they are considered as risks. They are prioritized and analyzed for probability of occurrence. Plans for acceptance or mitigation can be put in place. Part of that plan should be planning for an actual threat or vulnerability disrupting business. A full business continuity plan addressing the business operations after a disruption should be developed, and this plan should be dry-run to ensure all responsibilities are covered and business is restored. Incidents such as threats and vulnerabilities should be resolved, and it is important to prioritize and prevent these occurrences from recurring. Prevention activities also include preparing for and avoiding possible future unknown incidents.
Example Security Relationship Details:
• Comprehensive continuity planning is necessary to manage all possible disruptions to the business
• Threats and vulnerabilities are continuously evolving. New ones continue to be identified. It is important to predict as much as possible the incidents and risks that can occur and how they can be handled.
• Hacking into your system might happen; it is important to know when to shut down
• Phishing emails could be sent to you; educating the operators is critical
• Additionally, part of this handling can be the determination of the results from realizing the threat and what the system/service can tolerate, and when to shut down
• Incident response teams are often defined and trained, so they can react and manage incidents that affect the system when they occur
Potential Impacts of Not Addressing:
• Sudden unpredicted system/service shutdown might occur
• There could be a long period of time without recovery. Customers left without system or service for an undetermined amount of time.
Capability Area: Managing the Workforce (MWF)
Practice Area: Organizational Training (OT); Enabling Virtual Solution Delivery (EVSD)
Description of Security Relationships: Training associated with security should include internal and external security approaches, objectives, and controls. The organization itself will have a significant amount of data that cannot risk being compromised. This data includes personnel data, competition-sensitive data, and customer-specific data. All personnel should be trained in the protection of this data and their individual responsibilities in the protection of that data. Security attributes should also be included in the product and service development lifecycle. As for virtual delivery, since this assumes communication over lines that are very often non-secure, personnel should understand what can be shared across these lines, how to handle conversations on these lines, and other restrictions.
Example Security Relationship Details:
• Security training is varied and dependent on the individual roles and responsibilities
• The entire organization should take security awareness and education training. This should include how to address suspicious emails, customer/supplier access to company data, password protection, visitor logs, badge entry, company-sensitive versus public information, implications of regulatory requirements, etc.
• Product and service developers should be trained in how to incorporate security into functional solutions
• Business objectives should incorporate security goals. These should be communicated throughout the organization.
• Virtual training should include access to virtual meetings, e.g., passwords are typical for access to virtual lobbies
Potential Impacts of Not Addressing:
• Inappropriate access to sensitive information from outside (hackers)
• Lack of trained personnel may lead to unintentional vulnerabilities
• Personnel not aware of or not properly following physical security protocols can lead to unauthorized visitor access, which can result in theft of physical or intellectual property
• Inappropriate access to virtual meetings enables outsiders to gain access to competitive or internally sensitive information
Capability Area: Planning & Managing Work (PMW)
Practice Area: Estimating (EST); Planning (PLAN); Monitor & Control (MC)
Description of Security Relationships: Planning for product development and service delivery includes the incorporation of security in all aspects of the lifecycle. Estimating security assumes the same diligence as all other requirements. They should be planned for at the inception of the job and monitored through the production cycle. Data on the planning should be kept so that future security estimates are based on real organizational experience.
Example Security Relationship Details:
• Quality estimates on additional security regulatory audits must be considered and incorporated
• Estimates for product and service tests associated with security requirements and the associated planning must also be considered and incorporated
• Security requirements should also be estimated and planned when accepting supplier components
• The size, frequency, timing, and nature of specific security activities should be estimated and planned to ensure that personnel with the necessary clearances, access rights, knowledge and skills are in position to perform their duties at the appropriate time. This may include service delivery tasks or product development tasks that necessitate access to sensitive or security-restricted information.
Potential Impacts of Not Addressing:
• If security is not planned for the product or service, security issues may be discovered too late and therefore be more costly to fix
Category: ENABLING
Capability Area: Supporting Implementation (SI)
Practice Area: Causal Analysis & Resolution (CAR); Configuration Management (CM); Decision Analysis & Resolution (DAR)
Description of Security Relationships:
CAR: Security issues will occur. These will be disruptive and may impact more than initially anticipated. Those outcomes which should never be repeated should be analyzed using traditional root cause analysis to avoid their recurrence. Likewise, if a security outcome is particularly effective, it should be analyzed to promote further use.
CM: Work products associated with security (e.g., requirements, objectives, approaches) should be identified for configuration management. The same rigor associated with development and service work products should be applied.
DAR: As the security requirements are finalized and the lifecycle progresses to determining a viable security approach and system, alternative solutions may be identified. These alternative solutions are prioritized and categorized to make the best selection. In product or service system development, security considerations should be a high priority in the determination of the appropriate technical solution.
Example Security Relationship Details:
• When a security event causes system or service disruption, it is critical that an appropriate analysis be performed to avoid recurrence
• Other security outcomes like data breaches and physical theft may also warrant further analysis to ensure that the occurrence will not recur
• Work products like security event root cause analysis, security training, security strategies, security approaches for products and services, and security plans should be included in the organization's configuration management data
• When determining a security solution for functional solutions, alternatives like multi-factor authentication, varying levels of security for data, and system privileges should be considered
Potential Impacts of Not Addressing:
• Threats may continue if root causes of vulnerabilities are not addressed
• New product or service development will not have the opportunity for good estimating and planning without insights from previous initiatives
• Without alternative solutions, a determination of the right solution is hampered. If there are issues with the solution, it would be difficult and often costly to restart with an evaluation of alternatives.
Capability Area: Managing Security & Safety (MSS)
Practice Area: Enabling Security (ESEC); Enabling Safety (ESAF); Managing Security Threats & Vulnerabilities (MST)
Description of Security Relationships: This Capability Area is dedicated to Safety and Security. For security, this establishes the organizational security strategy, security approach, and security objectives. It is important to note that this security approach incorporates any security framework or security regulations that may be required for the organization. This area also ensures that security threats and vulnerabilities are given additional focus beyond risks or incidents. It specifically looks at security risks and security incidents as threats and vulnerabilities. It raises the importance of ensuring that attention to threats and vulnerabilities is managed. The organization also determines its tolerance for accepting the possible disruptions. For safety, similarly to security, this area establishes the organization's safety strategy, safety approach, and safety objectives.
Example Security Relationship Details:
• The security strategy and safety strategy determine the momentum and commitment of the organization to the importance of security and safety, both internally and externally
• The security approach and likewise the safety approach determine roles and responsibilities, and how the organization implements the security strategy and safety strategy respectively
• Managing the security threats and vulnerabilities enhances the organization's existing risk management system by giving threats and vulnerabilities the critical visibility they need
• Managing threats that are in constant evolution is a challenge and clearly goes beyond the constraints of a risk
Potential Impacts of Not Addressing:
• If security and safety are put at an auxiliary or support level versus a primary initiative, this can cause the impacts of security threats and safety hazards to be more severe and recovery less structured. It can take longer for the organization to recover and proceed operationally.
Category: IMPROVING
Capability Area: Improving Performance (IMP)
Practice Area: Managing Performance & Measurement (MPM); Process Asset Development (PAD); Process Management (PCM)
Description of Security Relationships: The organizational security strategy should be integrated into all operations of the organization. The process assets should include security-specific policies, procedures, and work instructions, while existing operational process assets should include security considerations and requirements. Improvement activities should include those specific to security, and for any improvement identified, security needs and requirements must also be addressed. Security metrics should be incorporated within the organizational measurement repository. The metrics should be at the organization level as well as the product and service levels. These metrics should be collected, reviewed, analyzed, and stored.
Example Security Relationship Details:
• When documenting policies and procedures, concepts associated with defense in depth, i.e., defining multiple layers of security controls, should be understood
• Policies and procedures with common approaches for security should be established
• Tailoring guidance should be available on those aspects that may be security dependent for customers and contracts
• Security metrics should include security threats and vulnerabilities, e.g., metrics on time to resolve, compliance metrics associated with audits, disruption metrics (time to return to full operability), and continuity plan dry-run metrics
Potential Impacts of Not Addressing:
• Central focus on security is missing
• Repeating security approaches independently for every product and service is ineffective
• Risk of missing a threat or vulnerability that is already known
Capability Area: Sustaining Habit & Persistence (SHP)
Practice Area: Governance (GOV); Implementation Infrastructure (II)
Description of Security Relationships: Any process strategy needs top-down support and an organizational structure to enable and support its deployment. Senior management must ensure that the overall business objectives include the security strategy and approach. Business objectives may enable derived security objectives to align the organization with its regulations and security frameworks. Also, the organization must provide the time, budget, education, tools, and people needed to accomplish security requirements and approaches, and to meet security expectations.
Example Security Relationship Details:
• Business objectives including management commitment to security are important
• Goals associated with specific and measurable security initiatives must be included
• Security training is critical
• Universal knowledge of security and its role in the organization is key for everyone
• A top-down approach to security, e.g., policies driven and reinforced by senior management, is instrumental to laying the foundation for security within the organization
Potential Impacts of Not Addressing:
• Lack of a focused approach to security, which includes the necessary resources and budget and is driven by senior management, can be detrimental to the longevity of the organization, through a negative reputation or the inability to keep systems and services available