Personnel Security Maturity Model

Maturity models are used in a number of industries to allow an organisation to assess their methods and processes according to best practice.

The CPNI PerSec maturity model has been designed to specifically assess an organisation’s personnel security maturity. This is a key factor, in addition to physical and cyber security measures, in strengthening an organisation’s resilience to insider and wider external security threats. The model is based on comprehensive and robust research into insider acts, and extensive CPNI experience in personnel security mitigations (research and development programmes and close working with the CNI and overseas partners to test, refine and embed personnel security initiatives).

The benefits of using the CPNI model are:

  • A starting point for developing a measurable personnel security improvement programme using the CPNI tools and guidance which are appropriate to the organisation's current level of PerSec maturity.
  • A common and consistent benchmark for personnel security performance across the critical national infrastructure (CNI), which will enable individual organisations to compare themselves with the rest of their sector.

The maturity model is based on seven core elements of effective personnel security processes, as identified through our insider data study and research and development programme. These are:

A. Governance and Leadership

B. Insider Risk Assessment

C. Pre-Employment Screening

D. Ongoing Personnel Security

E. Monitoring and Assessment of Employees

F. Investigation and Disciplinary Practices (Response)

G. Security Culture and Behaviour Change.

These seven core elements are evaluated against the six levels of the CPNI PerSec maturity model:

0. Innocent

1. Aware

2. Developing

3. Competent

4. Effective

5. Excellent

The maturity questionnaire seeks evidence across four key areas:

1. The EXISTENCE of PerSec policies, processes and procedures?

2. The IMPLEMENTATION of the PerSec programme?

3. How CONSISTENT is PerSec?

4. How EFFECTIVE are the PerSec policies etc that are in place?


Critical national infrastructure organisations should contact their CPNI adviser for more information on how to assess their current level of personnel security maturity.