According to the ISACA’s Information Security Governance Guidance for Boards of Directors and Executive Management, the highest level of maturity of an information security program is Level 5: Optimized, which means that the program is aligned with the business objectives and strategy, and continuously monitors and improves its performance and effectiveness. A framework is in place to measure risks and track effectiveness, and the program is proactive, adaptive, and innovative.
The other options represent lower levels of maturity:
A training program is in place to promote information security awareness. This is Level 2: Repeatable, which means that the program has some basic policies and procedures, and provides awareness training to employees.
Information security policies and procedures are established. This is Level 3: Defined, which means that the program has formalized policies and procedures, and assigns roles and responsibilities for information security.
The program meets regulatory and compliance requirements. This is Level 4: Managed, which means that the program has established metrics and reporting mechanisms, and complies with relevant laws and regulations.
[References: : ISACA. (2001). Information Security Governance Guidance for B, , , , , ]
Submit