The report outlines major vulnerabilities as well as suggestions for remedying the situation.

Security overview

A quick way to get a comprehensive overview of your organisation’s security.

Change management

The report is an input for management to manage strategic changes.

Interview with the client

A 2-hour interview is conducted with the client and a report is delivered in 3 business days.


The methodology is based on generally accepted standards in the field.

Interview output

The output of the interview is a compact report that is visually easy to understand.

Comprehensive risk assessment

KPMG’s information security and cyber maturity assessment (CMA) is a quick, compact and comprehensive risk assessment of the level of protection of the client’s information assets and cyber threat response capabilities.

The CMA is a unique service on the market which, in addition to assessing technical cyber security capability, allows to provide, on the basis of a 2-hour interview, an information security assessment of the processes and physical security as well as aspects to do with the employees, in order to enable our client to understand the various security vulnerabilities that affect the company.

Visualisation of the current state and maturity level of information security and cyber security helps link the technical and business perspectives, enables the presentation of complex information in a simplified form, and provides management with good input for managing strategic changes.

Overview of major vulnerabilities

The main motivation behind creating KPMG’s CMA service was to develop a service that would help management map the overall state of information security and cyber security in the company in a short time and with limited resources, and provide an overview of major vulnerabilities. As a result of the CMA, management receives the necessary input which describes, in order of priority, how resources should be planned from the perspective of information security and cyber security. Based on this input, it is much easier for the company to decide whether additional IT checks should be carried out and in what order.

The quality of the service is ensured by the methodology used and the experience of the specialists providing the service:

  • The CMA methodology is based on generally accepted industry standards and best practices, for example ISO/IEC 27000 series standards, NIST Cybersecurity Framework, CCS CSC, COBIT 5.
  • The service is carried out by top specialists with long-term experience in cyber security. Our specialists have international engagement experience and internationally recognised professional certificates such as CISM, CISA, CRISC, CGEIT, ISO/IEC 27001 Lead Auditor, GSEC, GMOB, GCCC, GPEN, GWAPT, OSCP, CEH.

Pre-engagement communication - Forwarding interview questions to the client and discussing the client’s needs

We send the CMA questions in advance so that the client can prepare for the interview (about 140 questions). Based on these questions, the client can involve all persons with the necessary knowledge. We will then schedule a specific time for the interview.


Interview with the client (about 2 hours)

We conduct a fairly intense interview with the client and go through all the CMA interview questions.


Analysis and assessment of interview responses (about 3 business days)

KPMG specialists analyse the client’s responses and provide assessments of the relevant topics on the basis of the CMA methodology. The overall CMA score is calculated by combining the ratings for the topics.


Delivering a report and presenting the results to the client

The report outlines major vulnerabilities and, in order of priority, the actions to be taken to remedy the situation (together with an estimation of the resources needed). The results are formalised in a CMA report delivered to the client within 3 business days. The results of the report are presented to the client during a meeting.

Formation of the assessment

Each topic is rated on a percentage scale, where the highest possible rating is 100% and the lowest is 0%. In addition, the percentage scale is divided into four performance-based categories: excellent (90–100%), good (75–89%), satisfactory (60–74%), and deficient (0–59%).

Each topic is further subdivided into sub-topics (for example, the “Defence” topic uses sub-topics such as “Secure configuration of hardware and software”, “Malware prevention”, “Data protection”, and many others). In addition to the main topics, the client can also see the ratings of various sub-topics.

Further information

As a rule, the interview with the client takes place in the Microsoft Teams environment, but we are also ready to conduct the interview at the physical location chosen by the client.

Please note that the CMA is intended as the first step in mapping the information security and cyber security vulnerabilities of an organisation and it is not a substitute for a traditional IT audit, IT risk analysis or penetration testing.

CMA service output

CMA The output of the CMA service is a compact report in Estonian and in English which is visually easy to understand and includes:

  • CMA the overall CMA score (0–100%)
  • separate ratings (0–100%) for the CMA topics – planning, defence, detection, response, recovery
  • major vulnerabilities and their descriptions
  • suggested actions to improve the situation
  • estimation of the resources needed to improve the situation
  • benchmarking of the overall CMA score against industry peers

Provide a safe and sustainable business environment for your company. We help build a resilient and reliable digital landscape, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
Ahtri 4, 10151 Tallinn, Estonia
KPMG Baltics KPMG Global Privaatsuspoliitika
Email again:

HR assessment 

HR assessment focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.

Email again:

Threat assessment

Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.

Email again:

Maturity assessment

Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.

Email again: