{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,4]],"date-time":"2026-04-04T05:24:07Z","timestamp":1775280247595,"version":"3.50.1"},"reference-count":50,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2020,6,6]],"date-time":"2020-06-06T00:00:00Z","timestamp":1591401600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2020,6,6]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to clarify the uncertainty reflected in the current state of information security maturity evaluation where it has not enough matured and converged so that a generic approach or many specific approaches become the go-to choice. In fact, in the past decade, many security maturity models are still being produced and remain unproven regardless of the existence of ISO 21827.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>The authors have used the systematic literature review to summarize existing research, help identify gaps in the existing literature and provide background for positioning new research studies.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The authors highlighted the prevalent influence of the ISO\/IEC 27001\/27002 standard but raised the necessity for an in-depth investigation of ISO 21827. The authors also made the implementation facet a central topic of our review. The authors found out that, compared to the number of proposed models, implementation experiments are lacking. 
This could be due to the arduous task of validation and it could also be the reason why specific models are dominant.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>While the research literature contains many experience reports and a few case studies on information security maturity evaluation, a systematic review and synthesis of this growing field of research is unavailable as far as the authors know. In fact, the authors only picked-up one bodywork [Maturity models in cyber security A systematic review (2017)] carrying out a literature review on security maturity models between 2012 and 2017, written in Spanish.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-03-2019-0039","type":"journal-article","created":{"date-parts":[[2020,6,8]],"date-time":"2020-06-08T07:44:58Z","timestamp":1591602298000},"page":"627-644","source":"Crossref","is-referenced-by-count":50,"title":["Information and cyber security maturity models: a systematic literature review"],"prefix":"10.1108","volume":"28","author":[{"given":"Anass","family":"Rabii","sequence":"first","affiliation":[]},{"given":"Saliha","family":"Assoul","sequence":"additional","affiliation":[]},{"given":"Khadija","family":"Ouazzani Touhami","sequence":"additional","affiliation":[]},{"given":"Ounsa","family":"Roudies","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"3","key":"key2020100112345462400_ref001","doi-asserted-by":"crossref","first-page":"265","DOI":"10.1108\/IMCS-04-2013-0025","article-title":"A cyclical evaluation model of information security maturity","volume":"22","year":"2014","journal-title":"Information Management and Computer Security"},{"key":"key2020100112345462400_ref002","doi-asserted-by":"publisher","first-page":"352","DOI":"10.1007\/978-3-030-03577-8_39","article-title":"A comparison of American and Moroccan governmental security approaches","volume-title":"Information Systems and 
Technologies to Support Learning","year":"2018"},{"key":"key2020100112345462400_ref003","unstructured":"ANSSI (2018a), \u201cPublication: guide relatif \u00e0 la maturit\u00e9 SSI\u201d, available at: www.ssi.gouv.fr\/guide\/guide-relatif-a-la-maturite-ssi\/ (accessed 30 December 2018)"},{"key":"key2020100112345462400_ref004","unstructured":"ANSSI (2018b), \u201cPublication: guide relatif \u00e0 la maturit\u00e9 SSI\u201d, available at: www.ssi.gouv.fr\/guide\/guide-relatif-a-la-maturite-ssi\/ (accessed 30 December 2018)"},{"key":"key2020100112345462400_ref04a","article-title":"Writing narrative literature reviews","year":"1997","journal-title":"Review of General Psychology"},{"key":"key2020100112345462400_ref005","article-title":"Sustainable security advantage in a changing environment: the Cybersecurity Capability Maturity Model (CM2)","volume-title":"Proceedings of the 2014 ITU kaleidoscope academic conference: Living in a converged world - Impossible without standards?","year":"2014"},{"issue":"2","key":"key2020100112345462400_ref06a","doi-asserted-by":"crossref","first-page":"172","DOI":"10.1037\/0033-2909.118.2.172","article-title":"Writing a review article for psychological bulletin","volume":"118","year":"1995","journal-title":"Psychological Bulletin"},{"key":"key2020100112345462400_ref006","doi-asserted-by":"publisher","first-page":"937","DOI":"10.4018\/978-1-4666-3990-4.ch049","article-title":"Maturity and metrics in health organizations information systems","volume-title":"Handbook of Research on ICTs and Management Systems for Improving Efficiency in Healthcare and Social Care","year":"2020"},{"key":"key2020100112345462400_ref007","article-title":"How to capture, model, and verify the knowledge of legal, security, and privacy experts","volume-title":"Proceedings of the 11th international conference on Artificial intelligence and law - ICAIL \u201807","year":"2007"},{"key":"key2020100112345462400_ref07a","volume-title":"Psychological 
bulletin","year":"2003"},{"key":"key2020100112345462400_ref008","first-page":"256","article-title":"Developing a maturity model for information system security management within small and medium size enterprises","year":"2006"},{"key":"key2020100112345462400_ref009","article-title":"Modelling cyber security governance maturity","volume-title":"2015 IEEE International Symposium on Technology and Society (ISTAS)","year":"2015"},{"key":"key2020100112345462400_ref010","unstructured":"Department of Homeland Security (2019), \u201cPresidential policy directive 8: national preparedness\u201d, available at: www.dhs.gov\/presidential-policy-directive-8-national-preparedness (accessed 9 July 2019)."},{"issue":"1","key":"key2020100112345462400_ref011","article-title":"Presenting a model for ranking organizations based on the level of the information security maturity","volume":"4","year":"2011","journal-title":"Computer and Information Science"},{"key":"key2020100112345462400_ref012","article-title":"Personal data protection maturity model for the micro financial sector in Peru","volume-title":"2018 4th International Conference on Computer and Technology Applications (ICCTA)","year":"2018"},{"issue":"2","key":"key2020100112345462400_ref013","doi-asserted-by":"crossref","first-page":"73","DOI":"10.1109\/52.2014","article-title":"Characterizing the software process: a maturity framework","volume":"5","year":"1988","journal-title":"IEEE Software"},{"key":"key2020100112345462400_ref014","unstructured":"International Organization for Standardization (2013), \u201cInformation technology \u2013 security techniques \u2013 code of practice for information security controls (ISO\/IEC Standard No. 
27002)\u201d, available at: www.iso.org\/standard\/54533.html"},{"key":"key2020100112345462400_ref015","unstructured":"International Organization for Standardization (2018), \u201cInformation technology \u2013 security techniques \u2013 information Security Management Systems \u2013 overview and Vocabulary (ISO\/IEC Standard No. 27000)\u201d, available at: www.iso.org\/obp\/ui\/#iso:std:iso-iec:27000:ed-5:v1:en"},{"key":"key2020100112345462400_ref016","unstructured":"Itu.int (2019), \u201cCybersecurity\u201d, available at: www.itu.int\/en\/ITU-T\/studygroups\/com17\/Pages\/cybersecurity.aspx (accessed 5 November 2019)."},{"key":"key2020100112345462400_ref017","article-title":"Developing a cyber counterintelligence maturity model for developing countries","volume-title":"2017 IST-Africa Week Conference (IST-Africa)","year":"2017"},{"key":"key2020100112345462400_ref018","first-page":"81","volume-title":"Discussing E-Government Maturity Models for the Developing World - Security View","year":"2009"},{"key":"key2020100112345462400_ref019","article-title":"Secure e-government services: towards a framework for integrating it security services into e-government maturity models","volume-title":"2011 Information Security for South Africa","year":"2011"},{"key":"key2020100112345462400_ref020","first-page":"58","volume-title":"Towards an information security maturity model for secure e-Government services: A stakeholders view","year":"2011"},{"key":"key2020100112345462400_ref021","doi-asserted-by":"crossref","first-page":"47","DOI":"10.1016\/j.ijcip.2016.10.001","article-title":"A vulnerability-driven cyber security maturity model for measuring national critical infrastructure protection preparedness","volume":"15","year":"2016","journal-title":"International Journal of Critical Infrastructure Protection"},{"key":"key2020100112345462400_ref022","article-title":"SOASMM: a novel service oriented architecture security maturity model","volume-title":"2012 International Conference 
on Multimedia Computing and Systems","year":"2012"},{"key":"key2020100112345462400_ref023","article-title":"Cyber security quantification model","volume-title":"Proceedings of the 3rd international conference on Security of information and networks \u2013 SIN \u201810","year":"2010"},{"key":"key2020100112345462400_ref024","unstructured":"Kitchenham, A.B. (2007), Kitchenham, B.: Guidelines for performing systematic Literature Reviews in software engineering, EBSE Technical Report EBSE-2007-01"},{"key":"key2020100112345462400_ref025","article-title":"Can maturity models support cyber security?","volume-title":"2016 IEEE 35th International Performance Computing and Communications Conference (IPCCC)","year":"2016"},{"issue":"4","key":"key2020100112345462400_ref026","article-title":"Capability maturity model and metrics framework for cyber cloud security","volume":"18","year":"2017","journal-title":"Scalable Computing: Practice and Experience"},{"key":"key2020100112345462400_ref027","article-title":"A multi-perspective methodology for evaluating the security maturity of data centers","volume-title":"2017 IEEE International Conference on Systems, Man, and Cybernetics (SMC)","year":"2017"},{"key":"key2020100112345462400_ref028","article-title":"A model to assess the maturity level of the risk management process in information security","volume-title":"2009 IFIP\/IEEE International Symposium on Integrated Network Management-Workshops","year":"2009"},{"key":"key2020100112345462400_ref029","unstructured":"McKinsey and Company (2019), \u201cDeployment models: how mature are your operational practices?\u201d, available at: www.mckinsey.com\/business-functions\/operations\/our-insights\/deployment-models-how-mature-are-your-operational-practices (accessed 9 July 2019)."},{"issue":"1\/2","key":"key2020100112345462400_ref030","doi-asserted-by":"crossref","first-page":"81","DOI":"10.1504\/IJSSS.2011.038934","article-title":"Maturity assessment models: a design science research 
approach","volume":"3","year":"2011","journal-title":"International Journal of Society Systems Science"},{"key":"key2020100112345462400_ref031","article-title":"Security metrics maturity model for operational security","volume-title":"2016 IEEE Symposium on Computer Applications and Industrial Electronics (ISCAIE)","year":"2016"},{"key":"key2020100112345462400_ref032","article-title":"Chief information security officer at bank Al Maghrib","year":"2018"},{"key":"key2020100112345462400_ref033","first-page":"102","article-title":"Information security management systems \u2013 a maturity model based on ISO\/IEC 27001","volume-title":"Business Information Systems","year":"2018"},{"key":"key2020100112345462400_ref034","first-page":"100","article-title":"Comparative study of cybersecurity capability maturity models","volume-title":"Communications in Computer and Information Science","year":"2017"},{"key":"key2020100112345462400_ref035","article-title":"A Security engineering capability maturity model","volume-title":"2010 International Conference on Educational and Information Technology","year":"2010"},{"key":"key2020100112345462400_ref036","first-page":"1","article-title":"The assessment of information security management process capability using ISO\/IEC 33072:2016 (Case study in Statistics Indonesia)","volume-title":"2016 International Conference on Information Technology Systems and Innovation (ICITSI) (2016)","year":"2016"},{"key":"key2020100112345462400_ref037a","first-page":"233","volume-title":"MMISS-SME Practical Development: Maturity Model for Information Systems Security Management in SMEs","year":"2007"},{"key":"key2020100112345462400_ref037","volume-title":"Practical Application of a Security Management Maturity Model for SMEs based on Predefined Schemas","year":"2008"},{"key":"key2020100112345462400_ref038","unstructured":"Shively, H. 
(2018), \u201cCybercrime expected to hit $6 trillion in damage annually by 2021\u201d, Daytondailynews, Staff Writer, www.daytondailynews.com\/news\/cybercrime-expected-hit-trillion-damage-annually-2021\/kRqdC1cmlS1HKDXQKv8EzN\/ (accessed 31 August 2018)."},{"key":"key2020100112345462400_ref039","article-title":"e-government and security evaluation tools comparison for indonesian e-government system","volume-title":"Proceedings of the 4th International Conference on Information and Network Security - ICINS \u201816","year":"2016"},{"key":"key2020100112345462400_ref040","article-title":"Assessment of network security policy based on security capability","volume-title":"2008 International Conference on Computer Science and Software Engineering","year":"2008"},{"issue":"2","key":"key2020100112345462400_ref041","doi-asserted-by":"publisher","first-page":"17","DOI":"10.5815\/ijmecs.2019.02.03","article-title":"Meta-analysis of systematic literature review methods","volume":"11","year":"2019","journal-title":"International Journal of Modern Education and Computer Science"},{"key":"key2020100112345462400_ref042","article-title":"A maturity model for part of the African Union convention on cyber security","volume-title":"2015 Science and Information Conference (SAI)","year":"2015"},{"key":"key2020100112345462400_ref043","first-page":"45","article-title":"IT security incidents escalation in the Swedish financial sector: a maturity model study","volume-title":"Proceedings of the Tenth International Symposium on Human Aspects of Information Security and Assurance (HAISA 2016)","year":"2016"},{"key":"key2020100112345462400_ref044","article-title":"An ISMS (Im)-maturity capability model","volume-title":"2008 IEEE 8th International Conference on Computer and Information Technology Workshops","year":"2008"},{"key":"key2020100112345462400_ref045","article-title":"Information security maturity model: a best practice driven approach to PCI DSS compliance","volume-title":"2016 IEEE 
Region 10 Symposium (TENSYMP)","year":"2016"},{"key":"key2020100112345462400_ref046","first-page":"233","volume-title":"MMISS-SME Practical Development: Maturity Model for Information Systems Security Management in SMEs","year":"2007"}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-03-2019-0039\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-03-2019-0039\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:47Z","timestamp":1753406567000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/4\/627-644\/112415"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,6,6]]},"references-count":50,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,6,6]]}},"alternative-id":["10.1108\/ICS-03-2019-0039"],"URL":"https:\/\/doi.org\/10.1108\/ics-03-2019-0039","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2020,6,6]]}}}