IT Compliance Management Maturity Journey 2026

  • Compliance
  • Policy Management
  • Gabriel Few-Wiegratz
  • Published: 24th Mar 2026

Highlights
  • A four stage maturity model for assessing current and target IT compliance capability
  • Practical indicators across governance, evidence, risk, reporting, workflow, and assurance
  • Evidence based guidance for advancing compliance maturity in a measurable way

Abstract

Who should read this?

This guide is designed for CISOs, Heads of IT Risk & Compliance, IT audit leaders, technology risk and control owners, and stakeholders evaluating compliance operating models and supporting tooling decisions.

What this guide helps readers do

This guide helps readers assess current compliance maturity, identify the operating model constraints that are holding progress back, and prioritise the next steps most likely to improve consistency, visibility, and decision usefulness.

Practical next step

Use this guide first to identify the maturity stage that best reflects the current operating model. Then use the capability indicators, practical actions, and self assessment prompts to define the next realistic step forward.

1. Executive Summary

1.1 Why compliance maturity matters more now

IT compliance is becoming harder to manage because the environment around it has changed. According to PwC’s 2025 compliance survey, compliance functions are under growing pressure to improve visibility, reporting, and response. ⁴ NIST CSF 2.0 also reflects a broader shift away from isolated control activity and toward governance, profiles, and measurable improvement. ² NIST’s enterprise risk management quick start guide reinforces that direction by treating cybersecurity information as an input to wider enterprise risk decisions rather than a separate reporting stream. ³

1.2 The real challenge behind compliance pressure

For many organisations, the deeper challenge is not effort alone. It is the maturity of the operating model behind compliance. Controls may exist, policies may be documented, and reviews may happen on schedule, but fragmented evidence, manual workflows, and slow reporting still make compliance difficult to scale. ⁴ That is why passing an audit can still feel like success even when the wider model is under strain.

This guide treats IT compliance not as a checklist exercise, but as an organisational capability that sits across governance, risk, assurance, and operational execution. The stronger that capability becomes, the easier it is to absorb regulatory change, reduce evidence burden, and give leadership a more reliable view of risk. ³

1.3 What this maturity model is designed to do

This maturity model sets out four stages of development, defines the capabilities that distinguish them, and shows what progress looks like in practical terms. The aim is to help organisations understand where they are now, what is holding them back, and which next steps are most likely to strengthen compliance performance in a measurable way. ⁶

2. Why Compliance Maturity Matters in 2026

2.1 Regulatory and operating pressure are rising together

This conversation feels more urgent now because the regulatory landscape is broader and the pace of change is faster. NIS2 expanded cybersecurity risk management expectations across a wider range of organisations. ⁸ DORA raised the bar for ICT risk management and operational resilience in financial services. ⁹ The AI Act added another layer of governance and accountability pressure for organisations using AI systems. ¹⁰ The European Commission’s implementation timeline shows that the AI Act entered into force on 1 August 2024, is fully applicable from 2 August 2026, and includes an extended transition period for certain high risk systems until 2 August 2027. ²¹

Together, these developments reinforce a wider expectation that organisations should not only have controls in place, but also be able to show that governance is effective, responsibilities are clear, and evidence can stand up under scrutiny.

2.2 Manual and fragmented models are harder to sustain

That shift has practical consequences. Many organisations are still trying to manage modern compliance demands through fragmented processes, duplicated evidence requests, and disconnected reporting. According to PwC’s 2025 compliance survey, stronger use of technology and data improves visibility, response, and reporting in compliance functions. ⁴ That makes manual and fragmented approaches harder to justify as compliance demands continue to expand.

2.3 Compliance maturity is now part of enterprise risk capability

Compliance maturity also matters because cyber and compliance are no longer easy to separate. NIST’s enterprise risk management guidance makes clear that cybersecurity information should feed broader enterprise risk decisions rather than sit in a separate reporting stream. ³ Forrester’s 2024 reflections on European cybersecurity point to broader leadership expectations for security and risk functions, beyond technical delivery alone. ⁵

In practice, this means compliance maturity is no longer a back office concern. It is increasingly part of how organisations manage enterprise risk, absorb change, and maintain confidence in their control environment. ³

Standards Insight

NIST CSF 2.0, NIST’s enterprise risk guidance, and ISO 27005 all support a more structured, connected approach to capability development than a model built around isolated controls and periodic assurance alone. ² ³ ¹²

3. Four Stages of IT Compliance Maturity

3.1 Why maturity should be understood as progression

Most organisations do not move from reactive compliance to strategic compliance in one step. They progress in stages. ISACA’s capability and maturity guidance supports the idea that organisations move from less consistent and less repeatable activity toward more defined and managed practice. ⁷ NIST CSF 2.0 also supports a staged view of improvement through its emphasis on current state, target state, and governance driven progress. ² ISO 27005 reinforces the need for a structured approach to risk management rather than an improvised one. ¹²

In practical terms, that progression usually starts with structure. It then moves into greater consistency, lower manual effort, and better visibility. Only after that does compliance information begin to play a more strategic role in prioritisation and decision making. That matters because the goal is not to jump straight to optimisation. The goal is to identify the next credible stage of maturity and build toward it with the right operating model, the right level of standardisation, and the right degree of measurement.

3.2 At a glance: maturity summary

| Stage | Operating reality | Evidence model | Reporting quality | Main risk if stuck |
|---|---|---|---|---|
| Ad Hoc/Reactive | Work is driven by immediate pressure | Manual and fragmented | Late and incomplete | Effort is mistaken for control |
| Managed/Operational | Processes are clearer and more repeatable | More structured, but still manual | More consistent, but limited | Order is mistaken for scalability |
| Integrated & Automated | Controls, evidence, issues, and risk begin to connect | More reusable and workflow supported | Better visibility and audit readiness | Automation can reinforce weak process design if foundations are not clear enough |
| Optimised & Strategic | Compliance informs prioritisation and decision making | Stable, reliable, and embedded | Decision relevant and trend based | Polished reporting creates false confidence |

3.3 Maturity stages

Ad Hoc/Reactive

Description

At the first stage, compliance activity is largely shaped by immediate pressure. A request arrives, an audit approaches, an issue escalates, and teams respond. ISACA’s maturity guidance supports the view that this kind of inconsistent, person dependent activity reflects a low level of process capability. ⁷ NIST CSF 2.0 also makes clear that without a defined view of current and target state, improvement remains difficult to manage. ²

Work gets done, but it is difficult to do consistently and even harder to do efficiently. The organisation depends heavily on individuals, evidence is assembled manually, and there is limited confidence in how complete or current the underlying picture really is. From the outside, this can look like an organisation that is coping. From the inside, it often feels very different. The same evidence is requested multiple times, responsibilities are assumed rather than clearly defined, and reporting arrives late and says less than leadership needs.

Key capabilities

  1. Basic obligation awareness
  2. Local control activity
  3. Informal coordination

Typical behaviours

  1. Evidence chasing through email
  2. Spreadsheet led tracking
  3. Local workarounds
  4. Late escalation

Main risk if stuck

Obligations can be missed, assurance becomes disruptive, and resilience depends too much on particular people knowing where things are and what needs to happen next.

Managed/Operational

Description

The second stage is where organisations begin to create order. Ownership becomes clearer, core processes are documented, review cycles are more predictable, and control activity is easier to explain and repeat. ISACA’s capability language is useful here because it distinguishes more repeatable and managed practice from purely reactive activity. ⁷ The IIA’s risk management guidance also points to clearer governance, more systematic assessment, and more consistent oversight as markers of stronger practice. ¹³

In practical terms, this is the point where compliance starts to feel less improvised and more manageable. That said, many organisations stay in this stage for a long time because it feels like progress, and in many ways it is. Audits are less chaotic, teams know more clearly what is expected, and standard templates and recurring forums create a greater sense of control. But much of the work remains manual, reporting often relies on coordination across disconnected sources, and evidence overhead can still be high.

Key capabilities

  1. Documented processes
  2. Named owners
  3. Standard templates
  4. Routine review cycles
  5. Basic management reporting

Typical behaviours

  1. Scheduled testing
  2. Structured control reviews
  3. Periodic forums
  4. Recurring evidence requests managed in a more orderly way

Main risk if stuck

Operational discipline gets mistaken for scalability.

Integrated & Automated

Description

The third stage is where maturity becomes much more visible in day to day operations. Controls, evidence, issues, and risk data begin to connect. Repeat activities are supported by clearer workflow, evidence becomes more reusable, and reporting becomes more coherent. NIST’s enterprise risk guidance supports the need to connect control information more clearly to broader risk decisions. ³ ISACA’s automated compliance guidance supports a move toward more continuous and design led compliance activity. ¹⁴ PwC’s 2025 survey also suggests that stronger technology and data use can improve visibility, response, and reporting. ⁴

This is often the point where audits and assessments become less disruptive. The practical benefit is not just efficiency, although efficiency matters. It is also confidence. Leaders get a stronger view of control performance, teams spend less time chasing information, and issues can be tracked through to remediation more consistently. What this means in practice is that compliance starts to operate as a joined capability rather than a series of parallel tasks.

Key capabilities

  1. A common compliance taxonomy
  2. Connected records
  3. More reusable evidence
  4. Structured workflow
  5. Clearer cross functional reporting

Typical behaviours

  1. Fewer duplicate evidence requests
  2. Stronger audit readiness
  3. More consistent remediation tracking
  4. Better visibility from control issues to business exposure

Main risk if stuck

Automation can reinforce weak process design if ownership, taxonomy, and workflow expectations are not clear enough. ¹⁴

Optimised & Strategic

Description

At the highest stage, compliance is no longer managed mainly as an assurance burden. It becomes part of how the organisation prioritises, decides, and adapts. Leadership reporting is shorter, clearer, and more decision relevant. Measures are used to assess progress, not just activity. Compliance teams are involved earlier in significant change, and target states are refreshed as conditions evolve. NIST SP 800 55 Volume 2 supports the need for a structured measurement programme. ⁶ McKinsey’s risk and resilience research also supports the broader move toward more strategic and decision relevant risk functions. ¹⁵

At this stage, maturity can begin to create more visible strategic value. Compliance effort is more closely aligned to business exposure, reporting helps leadership make choices, and improvement becomes more deliberate and less reactive. Strategic maturity still needs discipline. Without regular recalibration, even advanced programmes can drift into over confidence or produce polished reporting that is less useful than it appears.

Key capabilities

  1. Risk aligned metrics
  2. Stronger executive reporting
  3. Earlier compliance involvement in change
  4. More deliberate target state review

Typical behaviours

  1. Concise leadership dashboards
  2. More confident prioritisation
  3. Stronger links to enterprise risk
  4. Ongoing refinement of the model

Main risk if stuck

Polished reporting creates false confidence.

Leader Perspective

The strongest organisations do not simply automate more. They make compliance easier to run, easier to evidence, and easier to explain through a risk lens.

4. Capabilities & Indicators by Level

4.1 Why capability matters more than labels

The stage labels are useful, but they are not the most important part of the model. What matters more is the capability behind them. Two organisations can both describe themselves as operationally sound, yet one may still rely on fragmented evidence, disconnected reporting, and manual coordination, while the other operates with a more joined up model that makes compliance easier to manage and easier to trust.

NIST CSF 2.0, ISO 27005, The IIA’s risk guidance, and ICO accountability guidance all support a more capability based view of governance, risk, and compliance practice. ² ¹² ¹³ ¹⁶

4.2 Governance and leadership accountability

Governance is often where the difference between lower and higher maturity becomes most obvious. At earlier stages, responsibilities may exist on paper, but they are not always clear in day to day operation. Escalation happens late, decisions are pushed into informal conversations, and accountability depends too much on local judgement or individual effort.

NIST CSF 2.0 places governance at the front of the framework and makes clear that roles, responsibilities, and oversight are central to cybersecurity outcomes. ² ICO guidance on accountability reinforces the need to assign responsibility clearly and to be able to demonstrate governance in practice. ¹⁶ The IIA’s Three Lines Model supports stronger clarity between management action, oversight, and assurance responsibilities. ¹⁷

4.3 Process standardisation

Process standardisation is what turns compliance from a collection of local habits into a more reliable operating model. At lower maturity, similar activities are handled in different ways across teams. Reviews happen, but not always on the same cadence or with the same expectations. Evidence is requested differently depending on who asks, and issue handling may depend more on custom and local judgement than on a defined process.

ISO 27005 supports a structured approach to risk related activity rather than an improvised one. ¹² As maturity improves, core compliance processes become more repeatable, more predictable, and easier to improve at scale.

4.4 Evidence automation

Evidence handling is one of the clearest practical tests of compliance maturity. At lower maturity, evidence is collected manually, stored in multiple places, and repeatedly requested under time pressure. ISACA’s guidance on automated compliance supports the move away from reactive evidence collection toward more continuous and design led approaches. ¹⁴

As maturity improves, recurring evidence becomes easier to reuse, collection points become clearer, and the organisation starts to reduce manual chasing for information that should already be available. PwC’s 2025 survey suggests that stronger use of technology and data improves visibility, response, and reporting across compliance functions. ⁴

4.5 Risk integration

One of the clearest signs of weaker maturity is that compliance and risk still live in separate conversations. Control failures, audit findings, issue status, and business exposure may all be discussed, but not in a way that creates one coherent picture.

NIST’s enterprise risk management quick start guide makes clear that cybersecurity information should inform wider enterprise risk decisions rather than sit in a separate reporting stream. ³ The IIA’s risk management guidance supports stronger linkage between governance, risk appetite, and the use of risk information in oversight. ¹³

4.6 Metrics and reporting

Reporting is another area where maturity reveals itself quickly. At lower maturity, reporting is often narrow, operational, and assembled late. It may contain a great deal of detail, but still leave leadership unsure about what is improving, what is deteriorating, and where attention is most needed.

NIST SP 800 55 Volume 2 supports a structured approach to measurement rather than reliance on isolated indicators or status updates. ⁶ At stronger maturity, reporting becomes shorter, clearer, and more decision relevant.

4.7 Tool enablement and workflow orchestration

Tooling only improves maturity when it supports a clearer operating model. At lower maturity, workflow is often held together by email, spreadsheets, local trackers, and manual follow up. That makes repeat activity harder to manage and assurance more disruptive than it needs to be.

ISACA’s automated compliance guidance reinforces that workflow and automation create more value when they sit on top of clear process design and ownership. ¹⁴

4.8 Assurance and audit readiness

Assurance readiness is one of the most visible outcomes of maturity. At lower maturity, audits and assessments create disruption because evidence is hard to find, responsibilities are unclear, and teams have to rebuild the same picture each time.

The IIA’s risk management guidance supports the value of more systematic and disciplined approaches to assessment and assurance. ¹³ ISACA’s guidance on cyber assurance supports stronger readiness through better structure, reporting, and coordination. ¹⁸

Standards Insight

Stronger maturity depends less on isolated control activity and more on repeatable governance, reliable evidence, and clearer linkage between risk, assurance, and decision making. ² ¹² ¹³

5. Practical Actions to Advance Maturity

5.1 Why practical next steps matter

A maturity model is only useful if it helps organisations decide what to do next. That is why the actions in this guide are framed around stage transitions rather than long lists of generic good practice.

5.2 Transition 1: Ad Hoc/Reactive to Managed/Operational

At this stage, the organisation usually does not need a large transformation programme. It needs structure. The first priority is to make accountability visible. Major obligations and controls need clear ownership, escalation routes need to be defined, and core compliance activity needs to be repeatable rather than dependent on local memory or individual workarounds.

NIST CSF 2.0 supports the importance of defined governance, roles, and current state understanding as foundations for improvement. ² ISO 27005 supports structured risk related processes. ¹² The IIA’s risk management guidance supports more systematic oversight and clearer governance responsibilities. ¹³

5.3 Transition 2: Managed/Operational to Integrated & Automated

Once the basics are in place, the main constraint is usually not a lack of discipline. It is the friction created by duplication, disconnected records, and manual coordination.

A common compliance taxonomy helps teams speak the same language. Rationalising duplicate records improves trust. Better workflow reduces the effort required to manage repeat activity. According to PwC’s 2025 compliance survey, stronger use of technology and data can improve visibility, response, and reporting in compliance functions. ⁴ ISACA’s automated compliance guidance supports the move toward more continuous and design led compliance activity rather than periodic manual effort. ¹⁴

5.4 Transition 3: Integrated & Automated to Optimised & Strategic

At the more advanced stages, the challenge is no longer just to reduce manual work. It is to make compliance more useful to the business. That means building a more deliberate measurement model, aligning priorities more clearly to business exposure, and improving the decision value of executive reporting.

NIST SP 800 55 Volume 2 supports the need for a structured measurement programme that links measures to organisational objectives. ⁶ McKinsey’s risk and resilience research supports the broader shift toward more strategic and decision relevant risk functions. ¹⁵

6. Measurement & Outcomes – What Success Looks Like

6.1 What a stronger measurement model should show

A stronger compliance model should produce visible operating benefits. It should reduce the effort needed to produce evidence, shorten the path to audit readiness, give leadership a clearer view of what matters, and make it easier to connect compliance activity to business exposure and follow through to action.

NIST SP 800 55 Volume 2 is especially useful here because it treats measurement as a structured programme rather than a loose collection of metrics. ⁶

6.2 Four groups of useful indicators

The most useful indicators usually fall into four groups:

  1. Efficiency, such as reduction in manual evidence production and time needed to assemble evidence for a defined audit scope
  2. Execution quality, such as remediation timeliness, control review completion, and overdue actions
  3. Visibility and integration, such as quality of integrated risk reporting and the ability to view issues, controls, and exposure together
  4. Decision value, such as the clarity and usefulness of executive reporting

6.3 Benchmark context and measurement discipline

Public cross industry benchmarks remain uneven in this area. That makes internal baselines and trend measurement more reliable for most organisations than trying to force universal target numbers.

PwC’s 2025 compliance survey is useful for directional context because it shows where organisations are seeing value from stronger technology and data use in compliance, including visibility, response, and reporting improvements. ⁴ Deloitte’s 2024 Future of Controls benchmarking survey, drawing on more than 500 organisations, identifies common governance, operating model, technology, and monitoring patterns associated with stronger controls maturity. ²²

Standards Insight

A stronger measurement model does not start with dashboards. It starts with clarity on which indicators show whether the operating model is becoming easier to run, easier to assure, and more useful to leadership.

7. Case Scenarios

7.1 Why composite scenarios are useful

Composite scenarios are useful because they show how maturity works in practice without turning the whitepaper into a product story. The examples below combine common patterns seen in compliance functions that are trying to move from reactive effort to a more structured and strategic operating model.

7.2 Case Scenario 1: Moving from Managed/Operational to Integrated & Automated

A global manufacturing group has grown through acquisition. It has named control owners, standard policies, and a routine review cycle. On paper, it looks reasonably mature. In practice, evidence still sits in different places, audit requests trigger repeated manual effort, and reporting takes too long to assemble.

PwC’s 2025 compliance survey helps explain why that matters. It suggests that stronger use of technology and data improves visibility, response, and reporting in compliance functions. ⁴ The group responds by simplifying before scaling. It defines a common taxonomy, reduces duplicate records, focuses first on automating repeat evidence in the control areas that create the most recurring effort, and introduces clearer workflow for remediation and attestation. ISACA’s automated compliance guidance supports this kind of move toward more continuous and design led compliance activity. ¹⁴

7.3 Case Scenario 2: Moving from Integrated & Automated to Optimised & Strategic

A financial services firm has already done much of the hard work of operational improvement. Workflow is more structured, evidence is easier to locate, and most reviews can be supported without major disruption. Even so, leadership remains dissatisfied with reporting.

The firm responds by reshaping reporting around business exposure, resilience priorities, and executive decision needs. It also brings compliance into important supplier and technology decisions earlier. DORA reinforces the need for stronger linkage between ICT risk management, resilience, and oversight in financial services. ⁹ NIST SP 800 55 Volume 2 supports the need for structured measurement that links indicators to organisational objectives and decision making. ⁶ McKinsey’s risk and resilience research supports the broader move toward more strategic and decision relevant risk functions. ¹⁵

7.4 What these scenarios show

Both scenarios point to the same underlying lesson. Maturity is not defined by how much activity exists. It is defined by how well the operating model supports control, evidence, visibility, and decision making.

8. Common Pitfalls at Each Maturity Stage

8.1 Why maturity progress often stalls

Every maturity stage has its own traps. Many organisations stay longer than they need to because visible activity can look like progress even when the underlying operating model remains weak.

8.2 Ad Hoc/Reactive

At the earliest stage, the main pitfall is normalising fire fighting. Teams become very good at responding under pressure. Requests get answered, audits are survived, and issues are handled as they arise. But that responsiveness can hide the fact that the underlying model is still fragile.

ISACA’s maturity guidance helps explain this problem because it distinguishes reactive effort from more consistent and repeatable capability. ⁷ NIST CSF 2.0 reinforces the need for defined governance, clear roles, and a clearer view of current state. ²

8.3 Managed/Operational

At the managed stage, the most common pitfall is assuming that documentation equals maturity. Processes are clearer, templates exist, and review cycles are more predictable. That is real progress. But it does not automatically solve duplication, fragmentation, or weak visibility.

The IIA’s risk management guidance supports the idea that stronger practice depends not only on formal structure, but also on how consistently risk information is used and acted on. ¹³ PwC’s 2025 survey also suggests that stronger use of technology and data improves visibility and reporting, which implies that manually coordinated models still carry significant limits. ⁴

8.4 Integrated & Automated

At the integrated stage, the biggest risk is over relying on tooling before the operating model is fully aligned. Automation, workflow, and shared systems are all valuable. But they only improve maturity when ownership, process, and data logic are already clear enough to support them.

ISACA’s automated compliance guidance makes a similar point. Technology does not solve weak process design on its own. ¹⁴

8.5 Optimised & Strategic

At the most advanced stage, the danger shifts again. Reporting can become polished without becoming more useful. Dashboards can look mature while still doing too little to support prioritisation or resource allocation.

NIST SP 800 55 Volume 2 is a useful guardrail here because it emphasises measurement discipline, relevance, and alignment to organisational objectives. ⁶

8.6 Cross stage pitfalls

Some blockers show up at every stage. One is leadership sponsorship. McKinsey’s risk and resilience research supports the broader point that risk related functions become more effective when leadership engagement is stronger and more strategic. ¹⁵

Another is fragmented records and inconsistent data. Gartner’s public material on data quality reinforces the importance of shared responsibility, trusted datasets, and disciplined data management. ¹¹

Tool sprawl is another recurring problem. ISACA’s 2025 guidance on tool sprawl highlights how too many disconnected tools can make security and compliance environments harder to manage rather than easier. ¹⁹

9. Conclusion and Next Steps

9.1 Why maturity matters

The case for stronger compliance maturity in 2026 is clear. Regulatory expectations are broader, cyber and operational risks are more closely connected, and assurance pressure continues to rise. NIS2, DORA, and the AI Act all reinforce the need for stronger governance, clearer accountability, and more reliable evidence. ⁸ ⁹ ¹⁰

What matters now is whether the organisation can respond with an operating model that is structured, repeatable, and decision useful. That is why maturity matters. It helps organisations move the conversation away from pressure, backlog, and fragmented activity. It shifts the focus toward capability, progression, and measurable improvement.

9.2 How to self assess

A practical self assessment does not need to be complicated. It should begin with a small number of questions that reveal whether the operating model is strong enough to support compliance at scale.

  1. Can the organisation describe its current compliance state in a way that is consistent across teams?
  2. Are ownership, evidence, and review responsibilities clear enough to hold up under pressure?
  3. Can audits and assessments be supported without repeated disruption?
  4. Is reporting good enough to support prioritisation rather than just status tracking?
  5. Are compliance activities linked clearly enough to business exposure and enterprise risk?

9.3 What to do next

The most useful next step is to identify the stage the organisation is in today and focus on the next realistic move forward. For some, that means creating clearer ownership and more repeatable processes. For others, it means reducing evidence friction, improving workflow, and connecting compliance activity more clearly to risk. For more advanced organisations, it means strengthening measurement and making reporting more useful to leadership.

The point is not to make compliance look more mature. The point is to make it work better.

9.4 Neutral next steps

  • Download our self assessment template.
  • Contact SureCloud for a maturity workshop.

References (22)

  1. Gartner. Survey Shows Unsettled Regulatory and Legal Environment Tops Emerging Risks for First Quarter of 2025.
  2. National Institute of Standards and Technology. The NIST Cybersecurity Framework (CSF) 2.0.
  3. National Institute of Standards and Technology. NIST Cybersecurity Framework 2.0: Enterprise Risk Management Quick Start Guide.
  4. PwC. PwC’s Global Compliance Survey 2025.
  5. Forrester. European Cybersecurity Reflections, 2024.
  6. National Institute of Standards and Technology. NIST SP 800 55 Volume 2: Measurement Guide for Information Security.
  7. ISACA. Effective Capability and Maturity Assessment Using COBIT 2019.
  8. EUR Lex. Cybersecurity of Network and Information Systems. Summary of Directive (EU) 2022/2555.
  9. EUR Lex. Digital Operational Resilience for the Financial Sector.
  10. European Union. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence.
  11. Gartner. Data Quality: Why It Matters and How to Achieve It.
  12. ISO. ISO/IEC 27005:2022 Information Security, Cybersecurity and Privacy Protection — Guidance on Managing Information Security Risks.
  13. The Institute of Internal Auditors. Assessing the Risk Management Process, Second Edition.
  14. ISACA. A Proactive, Continuous Approach to Automated Compliance.
  15. McKinsey & Company. McKinsey on Risk & Resilience, Number 17.
  16. Information Commissioner’s Office. What Are the Accountability and Governance Implications of AI?
  17. The Institute of Internal Auditors. The IIA’s Three Lines Model: An Update of the Three Lines of Defense.
  18. ISACA. Proven Strategies to Boost the Effectiveness of Your Cyber Assurance Function.
  19. ISACA. Tool Sprawl: Why More Cyber Tools Make You Less Secure.
  20. Forrester. Build Your Foundation First: The Hard Truth About Successful AI Deployments.
  21. European Commission. AI Act.
  22. Deloitte. Becoming control intelligent through the future of controls.

Assess Your Compliance Maturity & Define Your Next Step

Assess where your compliance model stands today—and define what better looks like. Use this guide to identify your maturity stage, prioritise practical improvements, and build a roadmap that delivers measurable progress. If you need support turning insight into execution, start with a focused maturity workshop to align your operating model, tooling, and next steps.