What It Is

Capability Maturity Model Integration (CMMI) is a performance improvement framework for process institutionalization. Primarily for software, services, and acquisition, it uses maturity and capability levels to enhance predictability and quality through structured practices.

Key Components

• 4 category areas (Doing, Managing, Enabling, Improving) with 12 capability areas and 25 practice areas in v2.0.
• Maturity levels 0-5; capability levels 0-3 per area.
• Generic goals/practices for institutionalization; specific practices per area.
• SCAMPI appraisals for certification.

Why Organizations Use It

• Improves delivery predictability, reduces rework, boosts ROI.
• Meets contractual requirements in defense, regulated sectors.
• Manages risks via measurement, governance.
• Builds competitive edge, stakeholder trust via benchmarks.

Implementation Overview

• Phased: assessment, piloting, rollout, appraisal, sustainment.
• Tailors to Agile/DevOps; pilots high-impact areas like requirements, configuration.
• Applies to mid-large orgs in IT, software, services globally.
• Requires authorized SCAMPI A for official ratings.

What It Is

APRA Prudential Standard CPS 234 (Information Security) is a binding regulation issued by the Australian Prudential Regulation Authority for regulated financial entities. Effective from 1 July 2019, it mandates maintaining information security capabilities commensurate with threats to ensure resilience against incidents impacting confidentiality, integrity, or availability of information assets, including those managed by third parties. It adopts a risk-based, assurance-driven approach focused on governance and outcomes.

Key Components

• **Governance and accountabilityBoard ultimate responsibility, defined roles.
• **Risk managementAsset classification by criticality/sensitivity, commensurate controls.
• **Third-party oversightCapability assessments, control evaluations.
• **Incident responseDetection mechanisms, annual testing of plans.
• **AssuranceSystematic testing, internal audit reviews. No fixed control count; 36 paragraphs outline requirements with APRA notifications (72 hours for incidents, 10 days for weaknesses).

Why Organizations Use It

Mandatory for APRA-regulated entities (banks, insurers, super funds) to avoid penalties, heightened supervision. Enhances cyber resilience, stakeholder trust, operational continuity; integrates with CPS 220/230 for holistic risk management.

Implementation Overview

Phased: gap analysis, policy framework, asset inventory, controls, testing program. Applies to all sizes proportionally; requires evidence-based audits, no formal certification but APRA scrutiny. (178 words)