CMM Review Process

The deployment of the CMM is a multi-faceted, multi-stepped and multi-stakeholder process. The goal of the deployment is to gather data about the country’s cybersecurity capacity landscape, which is used to produce an evidence-based report that is submitted to the government with recommendations to:

•    benchmark the maturity of a country’s cybersecurity capacity;
•    detail a pragmatic set of actions to contribute to the advancement of cybersecurity capacity maturity gaps; and
•    identify priorities for investment and future capacity-building.



Stage 1: Desk research and country-partner identification

Once a country has been identified for a CMM review or a government has requested a CMM review, the review team establishes a working relationship with a ‘local host’ – typically a government agency, like a ministry or a regulator – sharing relevant logistical information in preparation for the review. The review team conducts contextualising desk-research and arranges travel, while the host then stakeholders and schedules consultations in coordination with the review team. The following participants constitute several clusters of stakeholders, which are typically invited to the consultations:


cmm review process


Stage 2: The Review

In this second stage, the review team and the local host meet in country to conduct a 3three-day consultation process with the stakeholders identified from the list above. The organisation of the clusters  follows the chart below, and at least one representative from each stakeholder group attends each meeting in order to ensure successful data collection. During the review sessions each stakeholder cluster engages in open discussions and answers questions that relate to one or two Dimensions of the CMM. Any gaps that emerge during the in-country data-collection process are bridged by either subsequent desk research or remote follow-up sessions with the stakeholders.


clusters organised


Stage 3: Review Report

Once the review has been conducted, a report is produced by the researchers of the review team. This report describes the in-country cybersecurity context, summarises the findings for each factor and aspect, outlines the stages of cybersecurity capacity maturity and provides peer-reviewed recommendations that enable the country to enhance its cybersecurity capacity. The report is submitted to the government and it is at its discretion to publish it or not.



In its work, the Centre complies with the highest standards of research integrity, as set out in relevant University of Oxford policies and it also has regard to internationally recognised human rights. In its overarching research and engagement work, in particular CMM reviews, the Centre makes assessments of the potential impacts and risks of its work whenever appropriate. However, the nature of this work, e.g. information gathering, preparation of case studies and research dissemination, means that direct negative impacts on human rights are not anticipated.