top of page
  • Petr Pospíšil

Free cyber security maturity assessment in 30 minutes.

Cybersecurity is expensive and complicated, right? That's common answer, however not today. Recently I found a great a resource, from ENISA, The European Union Agency for Cybersecurity, which allows to start just so easily. With maturity assessment and remediation plan.

Give this tool a chance, check out this introduction article and trust me you and your business, no matter size, will benefit out of it.

Let's jump into it!

What is The European Union Agency for Cybersecurity?

As per official website, ENISA is the Union's agency dedicated to achieving a high common level of cybersecurity across Europe.

ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services, and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.

Long story short, ENISA is a great portal for any cybersecurity expert as a great resource point. It's effectively an European answer towards CISA of United States of America.


What is ENISA's Cybersecurity Maturity Assessment for Small and Medium Enterprises [CMASME]?

In simple words, it just a website application, which acts as questionnaire - it asks you approximately fifty questions, assesses your answers and then shares with you a simple remediation plan.

Easy right? Let's look at each of the steps before you start.


How does CMASME work?

  1. Register with your e-mail address to CMASME.

  2. Fill the questionnaire (15-30 minutes for common computer user).

  3. Receive and execute the remediation plan relevant to your level (1,2,3).

  4. Mark the remediation plan as finished within CMASME and receive new remediation plan for next-level maturity.

  5. Sleep a bit calmer, knowing your resilience towards cyber threats is at sufficient level!


Who should be filling CMASME?

The tool is written in such a language, it should be understandable to common computer user, therefore in small companies it can be owner itself. However, for better results a person with business IT overview should be utilized.


1. Register to CMASME.

Once you fill the email, you receive a login link into yours e-mail box. That's it.


2. Fill the questionnaire.

Business profile section

The first one is your business profile. It allows the application better decide on what is relevant for your business.

It contains seven questions, less than 1 minute to fill.

Maturity level section

In this section focus is shifted to questions trying to assess what your business currently does in terms of cybersecurity and how prepared are you to possible cyber threats.

Here you find approximately thirty-eight questions, and I will take between 10-20 minutes.

3. Receive and execute remediation plan.

Once the questionnaire is finished, you are presented with downloadable remediation plan. You can also track via web application.

This is the hard part. It will take time to write, distribute and act according to policies.

Remember, being secured is not something you can reach as a goal and stop. It's continuous effort towards being resilient in cyber wild, wild west.

4. Finished? More work to do! Fill next level of the questionnaire.

5. Enjoy victory! You almost made it.

Almost? Have you managed to reach full maturity and 100% score? I doubt.

Yes, rarely something in cybersecurity is perfect. Threat actors are always step ahead.

  • There is never enough budget to be fully covered.

  • There is always a legacy system, which blocks the most important control.

  • There is always a residual risk.


  • If you achieved at least 50% [but 80% better :) ] of implementation, you are already ahead of many other SMBs.

  • Threat actors always prefer easier target. Therefore, having something right is much better than having everything wrong.

  • The Pareto principle 80/20 works in cybersecurity as well.

    • 80% of vulnerabilities are not critical enough to be a business killer.

      • Remediate the 20% critical ones.

    • 80% of phishing might be blocked by spam filter.

      • Educate end users about spotting the tricky 20%

I authored this article small and medium businesses in mind - as they rarely have dedicated cybersecurity SME available, to start without extra budget and with some real outcomes. I hope you find the article and the tool useful.

Do you need any help with it? The assessment itself? Technical implementation of given remediation? Or just a brief advice?

Let me know. I will be happy to help.

Have a wonderful day! Petr.

bottom of page