IT and ISec maturity assessment methodology — 2025

In an era of accelerated digitalization and the evolution of cyber threats, ensuring the maturity of information technology (IT) and information security (IS) processes is becoming strategically important for organizations of all sizes. Maturity assessment methodologies such as CMMI or COBIT have long served as benchmarks for analyzing and improving practices in these areas. In 2017, Baker Tilly introduced a methodology focused primarily on IS processes into its IT audit practice, which enabled the systematic assessment of organizations’ readiness for threats, risk management, and compliance during IT audits. This model, based on international standards, has helped raise risk awareness and develop improvement plans, proving its effectiveness in various sectors of the economy.

However, by 2025, with the rapid development of technologies — including artificial intelligence, cloud computing, and quantum threats — as well as stricter regulatory requirements (e.g., within the framework of the State Agency for Personal Data Protection of the Kyrgyz Republic, national banks in the region, GDPR, NIS2 and similar regulations), the previous methodology needed to be transformed. The updated version of the methodology expands the scope to comprehensive IT management, integrating strategic, financial, and operational aspects, and emphasizes proactive measures such as DevSecOps and knowledge management. The transition to the new methodology does not imply a reset of accumulated experience, but rather seeks to preserve the continuity of historical data for trend analysis and improvement planning.

The file is primarily intended for Baker Tilly clients in Central Asia and for IT and information security professionals: security managers, auditors, consultants, and executives of organizations that have received a maturity assessment from Baker Tilly specialists in previous periods. It will be useful for those who have already conducted assessments using the old methodology and are now adapting them to the new one, as well as for analysts developing progress reports on governance. In addition, the document can serve as a reference for educational purposes or as part of certification programs, helping readers understand the evolution of maturity models.

The information in the file should be viewed as a reference tool for maintaining continuity, rather than as an absolute standard. The formulas and transfer rules have been developed based on conservative principles (using penalty coefficients and restrictions) to avoid overestimation and to account for potential gaps in process comparison. It is recommended to use the information as a starting point for calculations, followed by verification based on the organization’s current data. In case of discrepancies or the need for clarification, it is advisable to consult with methodology experts or conduct additional audits. This approach will allow historical assessments to be integrated into the new paradigm as effectively as possible, contributing to the systematic improvement of IT and IS processes.

The White Paper on the 2025 maturity assessment methodology is available for download (RU).