Skip to main content
Komplyo

Methodology

Last updated: June 11, 2026

Komplyo measures cybersecurity maturity on the NIST CSF 2.0 Implementation Tier scale: T1 Partial (informal, reactive practices), T2 Risk-informed (management-approved but unevenly applied practices), T3 Repeatable (formalized, applied, and reviewed practices), and T4 Adaptive (anticipatory, continuously improving practices). Each subcategory receives a current tier from your answers; the target profile sets the tier to reach — T2 by default on the best-practices track, T3 on the certification track, raised for critical items or items required by an active certification, and adjustable per function by the account owner. A gap is a current tier below the target tier: it feeds the roadmap and the generated policies. Tiers are not a compliance grade — they describe the rigor and integration of practices, per NIST CSF 2.0.

The Tier scale (NIST CSF 2.0)

T1 Partial: practices exist but remain informal and reactive. T2 Risk-informed: practices are management-approved but unevenly applied. T3 Repeatable: practices are formalized, applied, and regularly reviewed. T4 Adaptive: practices continuously improve and anticipate threats.

Each questionnaire answer corresponds to a tier; scores roll up by subcategory, category, then CSF function (average over answered items). A critical item below Tier 3 caps its function at Tier 2.

Current vs target profile

The current profile is the measured state; the target profile is the intended state, following NIST CSF 2.0's Organizational Profile concept. The default target is T2 (best practices) or T3 (certification), raised for critical items or items covered by an active certification lens (ISO 27001, SOC 2). The owner can adjust the target per CSF function within T2–T4 bounds, never lowering a critical floor.

Any item below its target is a gap: it is prioritized in the roadmap (Risk ×0.4 + Urgency ×0.3 + Ease ×0.3) and carried into generated policies as a remediation commitment.

Framework projections

Answers are captured once in CSF 2.0 language, then projected onto ISO 27001, SOC 2 (TSC), and GDPR Article 32 through a versioned mapping table. The framework version is pinned per assessment so scores stay reproducible.

GDPR is shown as compliance (compliant / partial / missing), never as maturity: data protection is an obligation, not a progression scale.