Adapting C2M2 to a control-level instrument
The Cybersecurity Capability Maturity Model (C2M2) Version 2.1 is, in its native form, an organization-level framework: it evaluates capability domains such as Risk Management, Asset Management, or Threat & Vulnerability Management as integrated practices of the enterprise. This study adapts — or, more precisely, methodologically "bends" — the C2M2 Maturity Indicator Level (MIL) scale to evaluate the operational, architectural, and technical resilience of individual ISO 27002 controls against LLM risks.
The adaptation is justified by the study's deliberate isolation of control maturity from governance maturity: native C2M2 conflates the two; the bent C2M2 instrument separates them so that the analytical signal is the control itself, not the enterprise that wraps it.
The four-level MIL scale, adapted
| MIL Level | General description | Approach characteristic | Management characteristic |
|---|---|---|---|
| MIL 0 Non-existent for LLM context |
The ISO 27002 control exists for legacy systems but offers no meaningful operational coverage, telemetry, or modification for LLM-specific parameters. | N/A | N/A |
| MIL 1 Ad hoc / implicit LLM coverage |
The ISO 27002 control provides incidental or accidental protection against the LLM risk. | The control functions against LLMs but relies on standard legacy configurations (e.g., a standard web application firewall incidentally catching a basic prompt injection script). | None; success depends purely on individual operator intuition rather than specific LLM-focused operationalization. |
| MIL 2 Targeted / documented LLM control |
The ISO 27002 control is intentionally engineered and resourced to handle LLM characteristics for high-priority assets. | The technical control is customized for LLM data flows, token limits, and specific AI threat vectors. | Documentation, operational telemetry, and technical resources (funding/tooling) are dedicated explicitly to maintaining this specific control's efficacy against LLMs. |
| MIL 3 Adaptive / comprehensive LLM control |
The ISO 27002 control is dynamically adaptable and comprehensively covers all LLM deployments across the organization. | The control utilizes continuous evaluation methods (e.g., automated drift monitoring, LLM-assisted red-teaming) to rapidly adapt to novel evasions and non-deterministic outputs. | The operational effectiveness of the control is strictly evaluated through dynamic feedback loops, and personnel managing the control possess verified, LLM-specific technical skills and knowledge. |
The four evaluation criteria
Each MIL assignment is guided by four qualitative criteria — two mapped to the C2M2 Approach progression and two mapped to the C2M2 Management progression:
Approach progression
- Coverage — does the control address the actual pathway of harm? Does it cover the real source of exposure, the pathway by which harm occurs, and the organizational effect that follows?
- Specificity — is the control explicit enough for an LLM context rather than remaining so generic that implementation depends on ad hoc interpretation?
Management progression
- Operationalizability — can the control be turned into concrete responsibilities, workflow steps, evidence artifacts, review triggers, and technical settings?
- Adaptability — can the control remain effective despite model updates, changing prompts, new use cases, shifting supplier conditions, and rapid product releases?
The C2M2 criteria are methodologically "bent" to produce objective metrics on the localized engineering and operational resilience of the ISO 27002 control itself. This decision is the source of the framework's analytical leverage, but also of its largest methodological commitment — see the critical evaluation for an open question about whether Approach/Management is the cleanest mapping for these four criteria.