idax Identity Security Capability Maturity Assessment

Take our 7-question assessment to see where your identity and access program stands today.

Assess the maturity of your identity and access processes, identify critical gaps to set strategic priorities for accelerating your identity transformation.

✅ Receive your personalised recommendation with next steps you can act on
✅ Get your maturity level score instantly
✅ Complete in just minutes – no prep needed

Welcome to the idax CMM Assessment

Q1. Is your IGA program supported by senior leadership and/or a governance board? Do they demonstrate this by completing their own reviews and encouraging others to do so?

We have not implemented an IGA program. There are no controls in place. We are not completing access reviews.

We do not have a formal IGA program in place. Access reviews are taking place but not to a particular timetable and are inconsistent across department.

We have a formal IGA program in place. Processes are repeatable but not standardised. There is a plan to do things consistently within and across departments. We use spreadsheets for access reviews, that are controlled centrally.

We have a formal IGA program in place, which is used to carry out access reviews and the majority of systems are reviewed completely. Control over data and quality, and activities is supported at a senior level.

We have a formal IGA program in place, that is measured, tracked, and controlled with KPI's. Access Risk KRI's are used as part of management reporting.

We have optimised our IGA program through continuous improvement, automation, and innovation. The use of measurement, analytics, and AI ensures the improvement of the environment all of the time.

None

Q2. Are your identities provisioned and deprovisioned automatically from authoritative sources (e.g., HR, CRM)? Are third-party and contractor identities governed under the same policies?

None of our identities are provisioned or deprovisioned from authoritative sources. We have no evidence of any controlled process.

Our process for the provisioning and deprovisioning of identities is inconsistent and reactive.

Our process for the provisioning and deprovisioning of identities is repeatable but not standardised, with some degree of centralised control.

We have centralised systems to manage the provisioning and deprovisioning of identities with good control over data quality, and activities supported at a senior level.

We have centralised systems and activities for the provisioning and deprovisioning of identities with measurements that can be used to improve performance. Our process is measured, tracked, and controlled with KPI’s.

We are continuously improving, automating and innovating our process for the provisioning and deprovisioning of identities. The use of measurement, analytics, and AI ensures the improvement of the environment all of the time.

None

Q3. Are your joiner/mover/leaver processes standardised and enforced across the organisation, and are these identity lifecycle events logged and auditable? Is there timely revocation of access after termination or job role change, and are access requests made through a standardised, automated workflow?

We have no JML processes or controls across the organisation.

Our JML processes are reactive and inconsistent across departments without any real control.

Our JML processes are repeatable but lack standardisation. Identity events are tracked in spreadsheets with limited central control, and while some applications require manager approval, it’s not consistently enforced.

Our JML processes are standardised, documented, and enforced, using software tools and centralised systems. Control over data quality, and activities are supported at a senior level.

Our JML processes are measured, tracked, and controlled with KPIs. We have centralised systems and activities with measurements that can be used to improve performance. Access risk KRI’s are used as part of our management reporting.

Our JML processes are optimised through continuous improvement, automation, and innovation. We use analytics, and AI to improve the environment, and ensure compliance all the time.

None

Q4. Is access granted based on roles or attributes, and is access automatically revoked when attributes change? Are access roles defined based on job functions or business units, and are roles maintained regularly to reflect organisational changes?

We have no process for managing access, there are no controls in place.

Our access management processes are handled differently across departments, often relying on manual spreadsheets without standardised procedures or control mechanisms.

Our access management processes are repeatable but not standardised. Access role definition is recorded using spreadsheets with a degree of centralized control.

We have standardised processes for managing access, using centralized systems. Control over data quality, and activities are supported at a senior level, & access to the majority of systems are reviewed completely.

We have centralized systems and activities to manage access based on clearly defined roles or attributes. Our process is measured, tracked, and controlled with KPI’s.

We use an integrated system to define roles and access. We continuously monitor compliance across the organisation. Analytics and AI drive automation, enhance governance, and foster continuous improvement and innovation.

None

Q5. Are periodic access reviews conducted across applications, platforms, and roles, and do business owners actively participate in access certification and approval decisions? Are certifications automated and policy-driven (e.g., for privileged users, critical systems)? Are access review results tracked, and are remediation steps enforced?

We have no process for conducting access reviews, they are never reviewed.

Our access review process is ad hoc and inconsistent across departments. Reviews are completed without a set schedule, typically tracked in uncontrolled spreadsheets. Results aren’t monitored, and remediation actions are rarely enforced.

Our access review process is repeatable but not yet standardised. While there are plans to align procedures across departments, reviews are tracked in spreadsheets with partial central oversight.

We have a centralised IGA system governing access reviews. Our processes are standardised, documented, and enforced, with strong control over data quality and senior management support. The majority of system access reviews are completed thoroughly and on schedule.

Our access reviews are monitored via KPI’s within a centralised IGA framework, supported by defined roles and access risk KRI’s for management oversight.

We use an integrated system to manage access reviews across applications, platforms, and roles, with business owners actively participating in certification and approval. Reviews are optimised through continuous improvement, automation, and innovation. Certifications are automated and policy-driven, with review results tracked and remediation enforced to ensure compliance.

None

Q6. Are your IGA metrics and KRI’s tracked? Are these KRI’s based on risk or do they just track process efficiency? Do they reflect all aspects of IGA from risk measurement to review effectiveness?

We have not defined any IGA metrics and KRI’s.

We have defined some IGA metrics and KRI’s but they differ across departments and exclude aspects of IGA, eg risk measurement to review effectiveness.

We have defined some IGA metrics and KRI’s but they are not standardised. They largely reflect process efficiency against SLAs and not risk.

We have standardised, documented, and enforced IGA metrics and KRI’s, supported at a senior level. They reflect all aspects of IGA including risk measurement, review effectiveness, and role based access use and effectiveness.

Our IGA program uses KPI’s to measure, track, and control all aspects, including risk measurement, review effectiveness, and role based access use and effectiveness. These metrics drive performance improvements, while access risk KRI’s are integrated into management reporting for enhanced oversight and governance. They are also mapped back to controls and standards.

We optimise our IGA metrics and KRI’s through continuous improvement, automation, and innovation. They include risk measurement, review effectiveness, and role based access use and effectiveness.

None

Q7. Are insights from analytics and Artificial Intelligence used to improve risk management, policies or trigger automated workflows? Is access risk scoring used to prioritise actions? Is role mining, modelling, or simulation used to design and optimise roles?

Our processes do not include any analytics-driven risk review or automation, nor role mining and simulation for designing efficient roles.

While we have some risk analytics and automation in place, our processes are reactive and inconsistent across teams. Role optimisation efforts, such as mining and modelling, are conducted sporadically or not at all.

Our risk management processes are repeatable but not standardised. We plan to implement access risk scoring to prioritise actions within and across departments. Role optimisation activities, including mining and modelling, are conducted under a degree of centralised control.

Our IGA system uses analytics and AI to improve risk management, policies, and automate workflows. Risk scoring prioritises actions, and role mining and modelling optimise roles. Data quality and governance are supported at a senior level.

We have a centralised IGA system that uses KPI’s to measure, track, and improve performance. Role mining, modelling, and simulation are applied to design and optimise roles. Access risk KRI’s are integrated into management reporting to support informed decision-making.

We continuously drive improvement, automation, and innovation. Analytics and AI provide actionable insights to enhance risk management. Access risk scores from our IGA system prioritise actions and support ongoing role and compliance monitoring across the organisation.

None

Full Name

Business Email

Company Name

Phone

Time's up

MATRIX:

Average Score	CMM Maturity Level	Interpretation for IGA
0 – 6	Level 0 – Not Implemented	No formal IGA processes exist. Access is unmanaged, high risk of orphaned accounts, audit failures likely.
7 – 12	Level 1 – Initial	Ad-hoc and inconsistent processes. Access handled manually, approvals informal, very reactive security posture. Lots of disconnected spreadsheets.
13 – 18	Level 2 – Managed	Repeatable processes exist. Centralised IGA tool may be in place, lifecycle events partly automated, but not standardised across organisation.
19 – 24	Level 3 – Defined	Standardised, documented IGA policies and procedures. RBAC/SoD defined, integrated with HR & ITSM. Compliance requirements systematically addressed.
25 – 30	Level 4 – Quantitatively Managed	Metrics-driven IGA. KPI’s (orphan accounts, SLA, SoD violations) measured, analytics detect anomalies, audit trails automated. IGA is predictable and measurable.
31 – 35	Level 5 – Optimising	IGA is continuously improved with AI/ML recommendations, Zero Trust, just-in-time access. Strong governance supports business agility and compliance innovation.

idax Identity Security Capability Maturity Assessment

Take our 7-question assessment to see where your identity and access program stands today.

Assess the maturity of your identity and access processes, identify critical gaps to set strategic priorities for accelerating your identity transformation.

Welcome to the idax CMM Assessment

Trusted by

Live Demo

Risk Discovery

Talk To Us

Want to understand more?
Contact us at: enquiries@idaxsoftware.com

Contact Us

Follow Us

Join Us

idax Identity Security Capability Maturity Assessment

Take our 7-question assessment to see where your identity and access program stands today.

Assess the maturity of your identity and access processes, identify critical gaps to set strategic priorities for accelerating your identity transformation.

Welcome to the idax CMM Assessment

Trusted by

Live Demo

Risk Discovery

Talk To Us

Want to understand more? Contact us at: enquiries@idaxsoftware.com

Contact Us

Follow Us

Join Us

Want to understand more?
Contact us at: enquiries@idaxsoftware.com