Every security team faces the same question from the board: how mature are we? Until now, answering that question meant expensive consultants, proprietary tools, or spreadsheets that go stale the moment they are completed. Today we are changing that.
OSA now includes free, interactive security maturity assessments for every pattern in the library. Pick a pattern, rate your organisation against each control area on a 1-5 maturity scale, and get immediate visual feedback — radar charts, gap analysis, and industry benchmark comparisons. No registration required to try it. No data leaves your browser unless you choose to save.
How It Works
Each OSA pattern defines a set of key control areas derived from NIST 800-53 Rev 5 controls. The assessment walks you through each area and asks you to rate your organisation's maturity:
- 1 — Not Implemented: No controls in place for this area
- 2 — Initial/Ad-hoc: Some controls exist but are informal and inconsistent
- 3 — Defined/Documented: Controls are documented, repeatable, and consistently applied
- 4 — Managed/Measured: Controls are monitored, measured, and regularly reviewed
- 5 — Optimised/Continuous: Controls are continuously improved based on metrics and threat intelligence
This aligns with the NIST Cybersecurity Framework tier model, giving you a common language for maturity that maps directly to auditable controls.
What You Get
After completing an assessment you see:
- Radar chart showing your scores across all control areas, with industry average overlay
- Score breakdown with visual bars showing each area's maturity against the industry benchmark
- Gap analysis highlighting your weakest areas ranked by distance from target
- Industry benchmarks showing how your scores compare to anonymous peer data
All visualisation is rendered client-side as SVG — no external dependencies, no tracking pixels, no third-party scripts.
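The following JavaScript is an added illustration, not code from OSA's assessment engine: it shows how ratings on the 1-5 scale above can be turned into the outputs just listed, a gap analysis ranked by distance from a target level, a per-area comparison against a peer benchmark, and the point list for a client-side SVG radar chart. The control-area names, scores, peer averages and the default target level of 4 are constructed for the example; the page does not specify the engine's own area names, weighting or target.

```javascript
// Added example, not OSA's own code: scoring a 1-5 maturity assessment into a
// ranked gap analysis, a benchmark comparison and SVG radar-chart points.
// Area names, scores, peer averages and the target level are constructed.

const MATURITY_LEVELS = {
  1: 'Not Implemented',
  2: 'Initial/Ad-hoc',
  3: 'Defined/Documented',
  4: 'Managed/Measured',
  5: 'Optimised/Continuous',
};

function validateScore(score) {
  if (!Number.isInteger(score) || score < 1 || score > 5) {
    throw new RangeError(`maturity score must be an integer 1-5, got ${score}`);
  }
  return score;
}

// ratings:   { areaName: score 1-5 }           (this organisation's self-assessment)
// benchmark: { areaName: peer average score }   (anonymous industry average, may be absent)
// target:    maturity level the organisation is aiming for (assumed default: 4)
function gapAnalysis(ratings, benchmark = {}, target = 4) {
  validateScore(target);
  const rows = Object.entries(ratings).map(([area, raw]) => {
    const score = validateScore(raw);
    const peer = benchmark[area] === undefined ? null : benchmark[area];
    return {
      area,
      score,
      level: MATURITY_LEVELS[score],
      peer,
      gapToTarget: Math.max(0, target - score),
      // positive = ahead of peers, negative = behind; null when no benchmark exists
      vsBenchmark: peer === null ? null : +(score - peer).toFixed(2),
    };
  });
  // Weakest areas first: largest distance from target, then lowest raw score,
  // then alphabetical so the ordering is deterministic.
  rows.sort((a, b) =>
    b.gapToTarget - a.gapToTarget || a.score - b.score || a.area.localeCompare(b.area));
  const overall = +(rows.reduce((sum, r) => sum + r.score, 0) / rows.length).toFixed(2);
  return { overall, target, rows };
}

// Points attribute for an SVG <polygon> drawing scores as a radar chart. Each
// area gets an equal angular slice starting at 12 o'clock; the radius is
// proportional to value / 5, so a 5 touches the outer ring. Values are clamped
// to 0..5 so fractional peer averages can be drawn with the same function.
function radarPolygonPoints(values, radius = 100) {
  const n = values.length;
  return values.map((v, i) => {
    const angle = -Math.PI / 2 + (2 * Math.PI * i) / n;
    const r = (Math.min(5, Math.max(0, v)) / 5) * radius;
    const x = radius + r * Math.cos(angle);
    const y = radius + r * Math.sin(angle);
    return `${x.toFixed(1)},${y.toFixed(1)}`;
  }).join(' ');
}

// Minimal inline SVG: the organisation's polygon drawn over the peer polygon.
// No external library, no network request; the string can be injected as-is.
function radarSvg(rows, radius = 100) {
  const own = radarPolygonPoints(rows.map(r => r.score), radius);
  const peers = rows.every(r => r.peer !== null)
    ? radarPolygonPoints(rows.map(r => r.peer), radius)
    : null;
  const size = radius * 2;
  return `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 ${size} ${size}">` +
    (peers ? `<polygon points="${peers}" fill="none" stroke="grey" stroke-dasharray="4"/>` : '') +
    `<polygon points="${own}" fill="rgba(0,0,255,0.2)" stroke="blue"/></svg>`;
}

const SAMPLE_RATINGS = {        // constructed self-assessment
  'Identity & Access': 3,
  'Network Segmentation': 2,
  'Logging & Monitoring': 4,
  'Incident Response': 1,
};
const SAMPLE_BENCHMARK = {      // constructed peer averages
  'Identity & Access': 3.2,
  'Network Segmentation': 2.8,
  'Logging & Monitoring': 3.1,
  'Incident Response': 2.5,
};

const result = gapAnalysis(SAMPLE_RATINGS, SAMPLE_BENCHMARK);
console.log(`Overall maturity ${result.overall} against target ${result.target}`);
for (const r of result.rows) {
  console.log(`${r.area}: ${r.score} (${r.level}), gap to target ${r.gapToTarget}, vs peers ${r.vsBenchmark}`);
}
console.log(radarSvg(result.rows));
```

The sort order is what a practitioner actually wants from a gap analysis: the area furthest from the target comes first regardless of how it compares to peers, because the benchmark tells you whether you are unusual, not whether you are safe.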
Privacy by Design
We built the assessment engine with a simple principle: your data is yours.
All scoring happens in your browser. When you save, your assessment data is encrypted with AES-256-GCM before it leaves your browser. The encryption key is generated and stored locally — it never reaches our servers. We literally cannot read your scores or notes. Our database stores only encrypted ciphertext.
Benchmark contributions are separate, opt-in, and fully anonymised — only numeric scores with no identity or notes. We enforce a minimum sample size before showing vertical benchmarks to prevent re-identification.
For the full technical details, read Client-Side Encryption: Protecting User Data You Never See. Read our full privacy policy.
Benchmark Comparisons
The real power of the assessment engine comes from benchmarking. When you save and optionally contribute your scores to the benchmark pool, you help build an anonymous, crowd-sourced dataset of security maturity across industries and patterns.
Over time, this gives every CISO something invaluable: a data-driven answer to "how do we compare?" — without hiring a Big 4 consultancy to tell them.
Getting Started
Browse the assessment catalogue to see all available patterns. We recommend starting with SP-029 Zero Trust Architecture or SP-034 Cyber Resilience — both are timely topics with comprehensive control sets.
Your completed assessments are tracked on your personal dashboard, showing scores, dates, and freshness indicators so you know when it is time to reassess.
Our Commitment
We are building the best free security maturity assessments available — period. Not "good enough for free". Not "a starting point". The best.
That means we iterate with the community until every control area description is precise, every maturity level is actionable, and every benchmark is meaningful. If an assessment question is vague, tell us. If a maturity level description does not match reality, flag it. We will fix it.
The assessments are open source and community-driven. Your feedback makes them better for everyone. Comment on any pattern page, or raise an issue on GitHub.
The core assessment — full maturity scoring, radar charts, gap analysis, and cross-industry benchmarks — will always be free. Future premium tiers will add vertical peer benchmarks, percentile bands, and board-ready PDF exports for teams that need deeper analytics. But the assessment engine itself is not a teaser for a paid product. It is the product.
What Is Next
This is the foundation for OSA's assessment platform. Coming soon:
- Threat exposure analysis: See which threats your gaps expose you to, mapped from pattern threat models
- Board-ready reports: PDF export with radar charts, gap analysis, and compliance impact
- Programme-level views: Assess across multiple patterns for an organisation-wide maturity picture
- Email reminders: Configurable nudges when assessments go stale
We are building the platform that makes security architecture measurable, comparable, and actionable. Start your first assessment today.
The OSA Core Team