LibraryDocumentsMaturity Model
DOCUMENT 04 · MODULE

Maturity Model

Adapted C2M2 v2.1 Maturity Indicator Levels (MIL 0–3) mapped to four qualitative criteria: coverage, specificity, operationalizability, adaptability. The bent instrument scores individual ISO 27002 controls, not enterprise-level capabilities.

C2M2 v2.1 adaptedMIL 0–34 criteria

Adapting C2M2 to a control-level instrument

The Cybersecurity Capability Maturity Model (C2M2) Version 2.1 is, in its native form, an organization-level framework: it evaluates capability domains such as Risk Management, Asset Management, or Threat & Vulnerability Management as integrated practices of the enterprise. This study adapts — or, more precisely, methodologically "bends" — the C2M2 Maturity Indicator Level (MIL) scale to evaluate the operational, architectural, and technical resilience of individual ISO 27002 controls against LLM risks.

The adaptation is justified by the study's deliberate isolation of control maturity from governance maturity: native C2M2 conflates the two; the bent C2M2 instrument separates them so that the analytical signal is the control itself, not the enterprise that wraps it.

The four-level MIL scale, adapted

MIL Level General description Approach characteristic Management characteristic
MIL 0
Non-existent for LLM context
The ISO 27002 control exists for legacy systems but offers no meaningful operational coverage, telemetry, or modification for LLM-specific parameters. N/A N/A
MIL 1
Ad hoc / implicit LLM coverage
The ISO 27002 control provides incidental or accidental protection against the LLM risk. The control functions against LLMs but relies on standard legacy configurations (e.g., a standard web application firewall incidentally catching a basic prompt injection script). None; success depends purely on individual operator intuition rather than specific LLM-focused operationalization.
MIL 2
Targeted / documented LLM control
The ISO 27002 control is intentionally engineered and resourced to handle LLM characteristics for high-priority assets. The technical control is customized for LLM data flows, token limits, and specific AI threat vectors. Documentation, operational telemetry, and technical resources (funding/tooling) are dedicated explicitly to maintaining this specific control's efficacy against LLMs.
MIL 3
Adaptive / comprehensive LLM control
The ISO 27002 control is dynamically adaptable and comprehensively covers all LLM deployments across the organization. The control utilizes continuous evaluation methods (e.g., automated drift monitoring, LLM-assisted red-teaming) to rapidly adapt to novel evasions and non-deterministic outputs. The operational effectiveness of the control is strictly evaluated through dynamic feedback loops, and personnel managing the control possess verified, LLM-specific technical skills and knowledge.

The four evaluation criteria

Each MIL assignment is guided by four qualitative criteria — two mapped to the C2M2 Approach progression and two mapped to the C2M2 Management progression:

Approach progression

Management progression

Adaptation rationale

The C2M2 criteria are methodologically "bent" to produce objective metrics on the localized engineering and operational resilience of the ISO 27002 control itself. This decision is the source of the framework's analytical leverage, but also of its largest methodological commitment — see the critical evaluation for an open question about whether Approach/Management is the cleanest mapping for these four criteria.

PreviousControl baseline