Toolkit documentation

Understanding the CR-CMM toolkit.

The CR-CMM toolkit helps organizations enhance their ability to anticipate, withstand, recover from, and adapt to adverse cyber events. Its primary goal is to provide a structured approach for assessing an organization's current cyber resilience maturity and identifying priority areas for improvement.

CR-CMM practice and enabling-domain framework overview
What is CR-CMM?

The Cyber Resilience Capability Maturity Model (CR-CMM) was developed through comprehensive research in cybersecurity maturity assessment methodologies. Our research team analyzed existing maturity models, industry best practices, and real-world implementation challenges to create a practical, evidence-based framework for cybersecurity capability assessment.

Unlike traditional compliance-focused approaches, CR-CMM emphasizes research-backed, sustainable processes that evolve with organizational needs and the changing threat landscape.

CR-CMM is the community-driven cyber resilience capability maturity model, guided by an Advisory Board for technical integrity and strategic input. CR-CMM is sponsored and owned by High Value Target, a boutique cyber resilience firm.

Toolkit architecture

10 Practices

CR-CMM is structured into ten practices, each containing three practice areas. This structure helps accelerate the completion of the assessment questionnaire and supports the effective identification and prioritization of improvement opportunities.

Criticality Analysis

Asset prioritization and business impact assessment.

3 Practice Areas
Business-Impact and Dependency Mapping
Asset Classification and Ownership
Risk Prioritization and Validation

Situational Awareness

Threat landscape monitoring and intelligence.

3 Practice Areas
External Threat Intelligence and Sharing
Internal Telemetry and Detection Engineering
Regulatory and Business Horizon Scanning

Threat Informed Defense

Intelligence-driven security controls.

3 Practice Areas
Adversary Mapping and Threat Modelling
Detection and Response Engineering
Validation (Purple Team / BAS)

Defensible Architecture

Security-by-design system architecture.

3 Practice Areas
Network Segmentation and Zero Trust
Secure Configuration and Hardening
Resilience-by-Design

Crisis Management

Incident response and crisis coordination.

3 Practice Areas
Governance and Decision Framework
Communications and Stakeholder Engagement
Resource Coordination and Resumption Operations

Scenario Simulation

Realistic cyber attack simulations.

3 Practice Areas
Table-Top Exercises (TTX)
Technical Attack Simulations
Business Continuity and Executive Simulations

Contingency Testing

Backup and recovery validation.

3 Practice Areas
Backup Integrity and Immutability
Fail-over / Resumption Drills
Third-Party Continuity Assurance

System Testing

Security control validation.

3 Practice Areas
Security Regression and CI/CD
Vulnerability Discovery and Remediation
Performance and Chaos Engineering

Offensive Testing

Red team and penetration testing.

3 Practice Areas
Penetration-Testing Programme
Continuous Attack-Surface Management
Social Engineering and Human Factors

Cyber Recovery

Post-incident recovery operations.

3 Practice Areas
Recovery Plan Engineering
Recovery Validation and Data Vault
Post-Incident Improvement

Founder's note

A note from Francesco Chiarini, Founder, High Value Target

The Challenge

Achieving true cyber resilience requires a structured, measurable approach and accountable leadership to continuously drive the awareness and improvement of a cyber-resilient posture. Like Zero Trust, cyber resilience is an overused term that means different things to different players - whether in industry or among regulators. This lack of clarity makes it harder to define what true cyber resilience capabilities are, and to choose the right set and scale of capabilities for an organization.

The Mission

An organization's cyber resilience efforts primarily aim to implement strategies and tactics that ensure the survivability of mission-critical functions before, during, or after a coordinated, destructive cyber-attack. Such cyber resilience strategies and tactics require capabilities to address the continuously evolving risks from advanced and unpredictable adversaries.

The Solution

The Cyber Resilience Capability Maturity Model (CR-CMM) helps organizations measure, benchmark, and enhance their resilience across ten key domains. The CR-CMM is a community-driven practical tool inspired by the famous SOC-CMM and aligned with NIST SP 800-160, the MITRE Cyber Resiliency Engineering Framework, and other best-in-class frameworks (such as ORF, Sheltered Harbor, CTI-CMM). While being sector- and size-agnostic, the CR-CMM aligns with industry best practices and draws from widely recognized frameworks maintained by organizations such as NIST and MITRE.

The Approach

The maturity levels range from initial (where resilience practices are reactive and uncoordinated) to optimized (where resilience is proactive, integrated into all aspects of system design, and supported by continuous improvement). It's important to note that the CR-CMM is not yet another "standard" or "framework". It's a toolkit. It consolidates that spectrum by leveraging world-class best practice and shows how to achieve cyber resilience with 150+ evidence-based questions and their related maturity scoring. The model is structured around four key enabling domains that mirror those used in the SOC-CMM: Technology, Process, People, and Business, but adapted to emphasize cyber resilience Services. There are ten core Practices that are leveraged to build capabilities, which are visible in the slide below. These sit at the heart of the CR-CMM.

Executive Insights

CR-CMM Executive FAQ

Essential insights for leadership teams evaluating cyber resilience capabilities.

01 What strategic problem does CR-CMM solve?

02 Why introduce CR-CMM when NIST CSF 2.0, ISO 27001, ISO 22301 and similar frameworks already exist?

03 What validates the model's credibility?

04 What does “community-driven” mean?