CRA Maturity Model v1.0

A practical framework for assessing and improving cyber recovery readiness against CRA Architecture and the CRA Body of Knowledge (CRABoK), with clear levels, domains, and evidence.

What it’s for

The CRA Maturity Model is designed for institutions, regulators, and independent assessors who need a shared language for how recovery-ready an organisation really is, beyond traditional DR metrics.

1. Purpose and scope

CRA Architecture defines the target state for a cyber-recovery-ready environment. The CRA Maturity Model v1.0 defines how to measure progress towards that state, using clear levels, domains, and evidence drawn from CRABoK.

1.1 Objectives

  • Provide a common reference for recovery readiness between firms, regulators, and vendors.
  • Help institutions prioritise investment by identifying high-impact gaps.
  • Link day-to-day practices (CRABoK) back to the structural requirements of CRA Architecture.

1.2 Intended use

  • Internal self-assessment and roadmap planning.
  • Independent assessment and benchmarking.
  • Supporting evidence for regulatory dialogue and, in time, CRA-aligned certification.

2. Maturity levels

The CRA Maturity Model defines four levels. Each level describes how consistently CRA principles are applied, exercised, and evidenced across the organisation.

Level 1 – Initial

  • Ad hoc recovery activities
  • Traditional DR only
  • No CRA-aligned design

Level 2 – Developing

  • Early CRA-aligned designs
  • Pilots or limited scope
  • Some runbooks and exercises

Level 3 – Established

  • CRA Architecture applied to critical services
  • Regular exercises into a clean site
  • Evidence routinely captured and reviewed

Level 4 – Exemplar

  • CRA principles embedded across the enterprise
  • Continuous improvement based on exercises and incidents
  • Contributes to sector-wide good practice

Narrative descriptions

  • Initial: Recovery planning is largely traditional DR-focused. There may be some awareness of systemic cyber threats, but no coherent design for a sterile recovery environment or forensic airlock. Exercises, if any, assume a trusted DR site.
  • Developing: The organisation has acknowledged the need for cyber-recovery-ready capabilities and has produced early CRA-aligned designs or pilots (often for a subset of critical services). Some CRABoK patterns and runbooks exist, but coverage is patchy and evidence is inconsistent.
  • Established: CRA Architecture is applied across all critical services, with a defined sterile recovery site, vaulting, and forensic airlock processes. CRABoK practices are embedded into BAU, and structured exercises produce evidence that is reviewed at risk and governance forums.
  • Exemplar: CRA principles are part of the organisation’s broader resilience culture. Recovery design and operation are continuously improved, informed by exercises, threat intelligence, and sector developments. The organisation can demonstrate repeatable, evidence-backed recovery capabilities to stakeholders and may help shape emerging standards.

3. Assessment domains

Maturity is assessed across a set of domains that mirror CRA Architecture and CRABoK: governance, design, identity and platforms, data and applications, and operations and assurance.

3.1 Governance & risk

  • Board and senior management oversight of recovery posture
  • Clear ownership for recovery readiness
  • Integration with operational resilience, risk, and crisis management frameworks

3.2 Architecture & design

  • Application of CRA Architecture (three-plane separation, sterile site, vaulting, airlock)
  • Coverage of critical services and key dependencies
  • Use of reference patterns and design standards (from CRABoK)

3.3 Identity & platforms

  • Ability to rebuild core identity platforms in a clean environment
  • Segregation of administration for production vs. recovery
  • Minimum viable platform patterns to support critical services

3.4 Data & applications

  • Immutable backup and vaulting for critical data and workloads
  • Forensic airlock processes and tooling to promote “known-good” data
  • Application-level recovery patterns and reconciliation approaches

3.5 Operations & exercises

  • Existence and quality of runbooks and playbooks (CRABoK-aligned)
  • Frequency, realism, and scope of recovery exercises
  • Evidence capture, lessons learned, and follow-through on improvements

3.6 Third parties & ecosystem

  • Treatment of critical third parties in recovery plans (cloud, telecoms, market infrastructures)
  • Alignment of contracts and SLAs with CRA principles
  • Participation in sector-wide exercises or simulations

4. Using the maturity model

The model is designed to be usable in different contexts: internal self-assessment, independent review, and supervisory dialogue.

4.1 Self-assessment

  • Start with a high-level assessment across all domains to identify obvious gaps.
  • Use CRABoK patterns and artefacts as concrete evidence for claimed levels.
  • Prioritise improvements that unlock multiple domains (e.g. establishing a sterile recovery site).

4.2 Independent or supervisory assessment

  • Apply the same level definitions and domains, but require independent evidence for each rating.
  • Use CRA Architecture and CRABoK references to structure requests for information and walkthroughs.
  • Focus on the ability to demonstrate repeatable recovery, not just the existence of documentation.

Evidence, not claims

A CRA maturity level is only meaningful if it is backed by evidence: designs, configurations, runbooks, exercise results, and lessons learned. The model assumes that evidence, not self-declared labels, is what matters.

5. Relationship to Architecture, CRABoK, and certification

The CRA Maturity Model sits between the structural requirements of CRA Architecture, the practical patterns in CRABoK, and (in time) CRA-aligned certification schemes.

Architecture

  • Levels reflect how comprehensively CRA Architecture has been applied to critical services.
  • Each domain can be traced back to specific architectural elements (planes, zones, trust boundaries).

CRABoK

  • Evidence for maturity levels is drawn from CRABoK patterns, playbooks, and artefacts.
  • As CRABoK evolves, maturity criteria will be refined to reference new or updated patterns.

Certification (future)

  • CRA-aligned certification schemes will use maturity levels and domains as a core reference.
  • Individual curricula can be mapped to domains; organisational certification can use target maturity profiles.
  • This ensures that certification reflects real recovery readiness, not just completion of training.

6. Versioning and evolution

CRA Maturity Model v1.0 is intended as a stable starting point, with a clear link to CRA Architecture v1.0. It will evolve as practice, regulation, and CRABoK develop.

Planned evolution

  • Sector profiles to reflect different regulatory regimes and criticality (e.g. FMIs vs. retail banking).
  • Additional guidance on scoring, aggregation, and visualisation of maturity across large portfolios.
  • Alignment with CRA certification schemes once they are defined.