CRMM Specification
Version 1.0

The official evidence-based framework for assessing recoverability from destructive "Loss-of-Trust" cyber events.

// RISK_POSTURE

> LEVEL 1: HIGH SYSTEMIC RISK
> LEVEL 2: BELOW BASELINE
> LEVEL 3: MOSTLY COMPLIANT
> LEVEL 4: EXEMPLARY RESILIENCE

Assessment requires evidence artefacts, not just policy assertions.

The 4 Maturity Levels

Progression from ad-hoc recovery to automated resilience.

LEVEL 1: INITIAL / AD HOC

Recovery is unreliable. Processes are undocumented or dependent on specific individuals. No isolation from production.

  • Risk: High Systemic Risk
  • Characteristics: Production dependencies, manual rebuilds, no integrity checks.

LEVEL 2: DEFINED & BASIC

Capabilities exist but lack assurance. A basic vault may exist, but identity systems are shared with production.

  • Risk: Significant / Below Expectations
  • Characteristics: Documented but manual, partial immutability, weak air-gap.

LEVEL 3: ASSURED & REPEATABLE

Recovery is reliable and independent. Controls enforce "Three Planes of Separation" (Network, Data, Identity).

  • Risk: Controlled / Compliant
  • Characteristics: Isolated Identity, Pull-mode replication (the vault pulls from production, so no production credential can write to the vault), Scenario testing.

LEVEL 4: RESILIENT & AUTOMATED

Recovery is predictable and automated. Zero-trust principles applied to all recovery artefacts.

  • Risk: Minimal / Exemplary
  • Characteristics: Automated forensics, Ephemeral compute, Continuous validation.

Assessment Domains

CRMM evaluates capability across six critical dimensions.

01. ARCHITECTURE

Structural separation of the Recovery Environment (RE) from production.

> CRITERIA: Isolation, Clean Zones, Platform Rebuild.

02. DATA INTEGRITY

Immutability controls and validation of all storage artefacts.

> CRITERIA: Air-gaps, Retention Locks, CDC Coverage.

03. IDENTITY

Independence from production Active Directory and IAM systems.

> CRITERIA: Break-glass, Separate Forests, Ephemeral Admin.

04. ORCHESTRATION

Automation of the recovery pipeline to reduce manual error.

> CRITERIA: Tooling Isolation, Signed Artefacts, Pipelines.
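As an added worked example (not code from the CRMM specification or from any assessor or vendor tooling), the following Python shows the integrity check that domains 02 and 04 call for: a hash manifest over every recovery artefact, authenticated before any restore proceeds, with tampered, missing and unexpected files reported. It assumes artefacts are plain files under one directory and authenticates the manifest with HMAC-SHA256 under a key held only in the Recovery Environment; a production pipeline would normally use an asymmetric signature so the RE holds only the public key. The file names, contents and key are constructed for the demo.

```python
"""Added example: hash manifest plus keyed authentication for recovery artefacts.

Illustrative code written for this page, not part of the CRMM specification.
Assumptions: artefacts are plain files; the manifest is authenticated with
HMAC-SHA256 under a key that lives only in the Recovery Environment (a real
pipeline would use an asymmetric signature such as Ed25519 so the RE needs
only the public key). Sample artefacts in demo() are constructed inline.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import tempfile

ALGO = "sha256"


def hash_file(path: str) -> str:
    """Stream a file through the digest so large backups do not load into RAM."""
    h = hashlib.new(ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Record a digest for every file under root, keyed by sorted relative path."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = hash_file(full)
    return {"algo": ALGO, "files": dict(sorted(entries.items()))}


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding: the tag must cover exactly the bytes verified later."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), ALGO).hexdigest()


def verify_tree(root: str, manifest: dict, tag: str, key: bytes) -> list[str]:
    """Return findings; an empty list means the tree may be restored."""
    # Check the manifest's own authenticity first; an unauthenticated manifest
    # tells us nothing about the files, so stop immediately.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest signature invalid"]
    current = build_manifest(root)["files"]
    expected = manifest["files"]
    findings = []
    for rel, digest in expected.items():
        if rel not in current:
            findings.append(f"missing: {rel}")
        elif current[rel] != digest:
            findings.append(f"modified: {rel}")
    for rel in current:
        if rel not in expected:
            findings.append(f"unexpected: {rel}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: sign a clean tree, then tamper with one artefact."""
    key = b"re-only-signing-key-example"  # hypothetical; held only in the RE
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "db.bak"), "wb") as f:
            f.write(b"backup bytes v1")
        with open(os.path.join(root, "rebuild.yaml"), "wb") as f:
            f.write(b"steps: [restore, validate]")
        manifest = build_manifest(root)
        tag = sign_manifest(manifest, key)
        clean = verify_tree(root, manifest, tag, key)
        with open(os.path.join(root, "db.bak"), "wb") as f:
            f.write(b"backup bytes TAMPERED")
        tampered = verify_tree(root, manifest, tag, key)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest and its tag should be generated inside the isolated Recovery Environment (tooling isolation) and stored under the same retention lock as the artefacts, so that an attacker who can rewrite a backup in production still cannot produce a manifest the RE will accept.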

05. TESTING

Validation of capability against destructive cyber scenarios.

> CRITERIA: Full-scope Exercises, Evidence Capture.

06. GOVERNANCE

Ownership, oversight, and risk management structures.

> CRITERIA: Board Oversight, Separation of Duties.

>> ASSESSMENT METHOD

CRMM assessments are strict and evidence-based. Self-attestation is not accepted for Levels 3 and 4.

  • Stage 1: Scope Definition & Plan
  • Stage 2: Evidence Collection (Logs, Configs, Screenshots)
  • Stage 3: Domain Scoring (lowest common denominator: the overall level is the lowest level achieved in any single domain)
  • Stage 4: Validation & Reporting
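The scoring rules above, as an added example in Python (not the Annex C scorecard and not assessor tooling): each domain is scored 1 to 4, a claim of Level 3 or 4 with no evidence artefacts is capped at Level 2 because self-attestation is not accepted there, and the overall level is the minimum across domains, reported together with the domains that hold it down. The domain identifiers, the evidence kinds (taken from Stage 2) and the sample claims are assumptions made for the demo.

```python
"""Added example: CRMM-style scorecard evaluation.

Illustrative code written for this page; the data model (domain identifiers,
evidence kinds, the DomainClaim record) is assumed, not taken from Annex C.
Rules implemented from the text: levels run 1 to 4, Levels 3 and 4 require
evidence artefacts rather than self-attestation, and the overall level is
the lowest domain level.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DOMAINS = ("architecture", "data_integrity", "identity",
           "orchestration", "testing", "governance")
EVIDENCE_KINDS = {"log", "config", "screenshot"}  # Stage 2 artefact types
SELF_ATTEST_CAP = 2  # highest level that may rest on assertion alone


@dataclass
class DomainClaim:
    claimed_level: int
    evidence: list[str] = field(default_factory=list)  # artefact kinds supplied


def score_domain(claim: DomainClaim) -> tuple[int, str]:
    """Return (awarded level, reason) for one domain."""
    if not 1 <= claim.claimed_level <= 4:
        raise ValueError("maturity levels are 1 to 4")
    bad = [e for e in claim.evidence if e not in EVIDENCE_KINDS]
    if bad:
        raise ValueError(f"unrecognised evidence kind(s): {bad}")
    if claim.claimed_level > SELF_ATTEST_CAP and not claim.evidence:
        return SELF_ATTEST_CAP, "capped: no evidence artefacts for claimed level"
    return claim.claimed_level, "accepted"


def score_assessment(claims: dict[str, DomainClaim]) -> dict:
    """Score every domain; overall = min, with the limiting domains named."""
    missing = [d for d in DOMAINS if d not in claims]
    if missing:
        raise ValueError(f"scorecard incomplete, missing domains: {missing}")
    per_domain = {d: score_domain(claims[d]) for d in DOMAINS}
    overall = min(level for level, _ in per_domain.values())
    limiting = [d for d, (lvl, _) in per_domain.items() if lvl == overall]
    return {"domains": per_domain, "overall": overall, "limiting": limiting}


def demo() -> dict:
    """Constructed sample: five domains evidenced, identity self-attested only."""
    claims = {
        "architecture": DomainClaim(3, ["config", "screenshot"]),
        "data_integrity": DomainClaim(4, ["config", "log"]),
        "identity": DomainClaim(3, []),  # assertion only, no artefacts
        "orchestration": DomainClaim(3, ["log"]),
        "testing": DomainClaim(3, ["log", "screenshot"]),
        "governance": DomainClaim(4, ["screenshot"]),
    }
    return score_assessment(claims)


if __name__ == "__main__":
    print(demo())
```

In the sample the unevidenced Identity claim is capped at Level 2 and drags the whole assessment to Level 2, which is the practical effect of lowest-common-denominator scoring: a single weak domain, not the average, sets the organisation's level.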

Start Your Assessment

Download the CRMM v1.0 Scorecard Template (Annex C) or request an accredited assessor.
