Assessment methodology
See the content, not a sales pitch.
These are real, unedited samples from the Meridant library: complete capabilities, all five maturity levels, exactly as they appear in an assessment. Read them. The point of Meridant isn't access to this text, it's that we run the whole assessment for you: multi-respondent survey, scoring, synthesis, and a structured roadmap, in an afternoon rather than weeks. The content is here in the open. The engine is what you buy.
NIST CSF 2.0 · FinOps Foundation 2024 · MMTF v1.3
NIST Cybersecurity Framework 2.0
Risk appetite and risk tolerance statements
Risk Management StrategyRisk appetite and tolerance are undefined or inconsistently understood across the organization. Risk-related decisions are made reactively without clear guidance on acceptable risk levels. There is little to no documentation of organizational risk boundaries or preferences.
Basic risk appetite and tolerance statements have been developed and documented. These statements provide general guidance for risk decision-making but may lack specificity or comprehensive coverage of all risk types. Communication of these statements is limited and may not reach all relevant stakeholders.
Comprehensive risk appetite and tolerance statements are established, regularly communicated across the organization, and integrated into business processes. These statements are specific enough to guide consistent risk decision-making and are actively used by management in strategic and operational decisions. Regular review and maintenance processes ensure statements remain current.
Risk appetite and tolerance statements are dynamically informed by advanced analytics, threat intelligence, and business performance data. The organization uses sophisticated metrics and monitoring to track adherence to risk statements and automatically alerts management when risk levels approach tolerance thresholds. Risk statements are continuously optimized based on emerging risks and business strategy evolution.
Risk appetite and tolerance statements are continuously and automatically adapted based on real-time risk intelligence, predictive modeling, and changing business conditions. The organization maintains an adaptive risk management ecosystem that self-adjusts risk parameters while maintaining alignment with strategic objectives. Risk statements evolve proactively to address emerging threats and opportunities before they fully materialize.
Supplier risk management (ongoing)
Cybersecurity Supply Chain Risk ManagementThe organization has minimal or inconsistent understanding of supplier-related cybersecurity risks. Risk identification and management activities for critical suppliers occur sporadically, often in response to incidents or when specifically requested, with little to no formal documentation or systematic approach.
The organization has established basic processes and procedures for identifying and assessing cybersecurity risks from critical suppliers. Standard risk assessment templates and criteria are defined, though implementation may be inconsistent across different supplier relationships and business units.
Supplier cybersecurity risk management is systematically integrated across procurement, vendor management, and security functions. The organization consistently applies standardized risk assessment methodologies and maintains comprehensive tracking of supplier risks throughout the relationship lifecycle.
The organization leverages advanced analytics, threat intelligence, and automated monitoring to enhance supplier risk visibility and decision-making. Risk assessments incorporate real-time threat data and predictive capabilities to proactively identify and address emerging supplier-related cybersecurity risks.
The supplier cybersecurity risk management program continuously evolves and adapts based on emerging threats, lessons learned, and changing business requirements. The organization demonstrates industry leadership through innovative approaches and actively contributes to supplier risk management best practices.
Vulnerability identification
Risk AssessmentVulnerability identification occurs sporadically and reactively, typically only when security incidents arise or during crisis situations. There is no systematic approach to discovering, validating, or documenting vulnerabilities across organizational assets. Vulnerability management activities are largely dependent on individual initiative rather than established processes.
The organization has established basic vulnerability identification processes and procedures that are documented and followed. Regular vulnerability scanning is performed using standard tools, and discovered vulnerabilities are recorded in a centralized system. However, these activities may not cover all assets consistently and validation processes are still developing.
Vulnerability identification is comprehensively integrated across all organizational assets with coordinated processes between different teams and systems. Multiple detection methods are employed including automated scanning, manual testing, and threat intelligence feeds. Vulnerabilities are consistently validated, prioritized based on risk, and tracked through their entire lifecycle with clear accountability.
The organization employs advanced analytics, machine learning, and threat intelligence to enhance vulnerability identification capabilities. Predictive analytics help identify potential vulnerabilities before they become critical, and automated correlation with threat data provides intelligent prioritization. Performance metrics and continuous monitoring provide insights that drive ongoing optimization of vulnerability identification processes.
Vulnerability identification processes continuously evolve and adapt in real-time based on changing threat landscapes, business contexts, and emerging technologies. The system learns from new attack patterns, automatically adjusts scanning techniques and validation criteria, and dynamically optimizes resource allocation. The organization proactively contributes to and leverages collective intelligence from industry partnerships and threat sharing communities.
Analysis of potentially adverse events
Adverse Event AnalysisAnalysis of potentially adverse events occurs sporadically and reactively, typically only when incidents have already caused significant impact. Event analysis is performed manually by individual staff members using basic tools and informal methods, with limited documentation or standardisation.
Formal procedures and methodologies exist for analysing potentially adverse events, with designated roles and responsibilities clearly defined. Analysis is conducted using documented processes and basic analytical tools, though execution may still be inconsistent across the organisation.
Event analysis is fully integrated into security operations workflows with automated collection and correlation capabilities. Analysis processes consistently incorporate threat intelligence, historical data, and cross-functional expertise to provide comprehensive understanding of potentially adverse events.
Advanced analytics, machine learning, and artificial intelligence capabilities enhance event analysis to identify subtle patterns and predict potential threats. The organisation leverages behavioural analytics and advanced correlation techniques to proactively identify and analyse events before they escalate.
Event analysis capabilities continuously evolve and adapt based on emerging threats, lessons learned, and changing business context. The system self-optimises analysis techniques and automatically adjusts detection parameters based on effectiveness metrics and environmental changes.
FinOps Foundation Framework
Cloud cost forecasting
Quantify Business ValueForecasting is based on prior-year spend with a flat percentage uplift. No statistical modelling or trend analysis is performed. Engineering roadmap changes are not reflected in forecasts. Forecast accuracy is not measured.
Forecasts use trend analysis and known planned changes from engineering roadmaps. Multiple scenarios are modelled. Forecast accuracy is tracked monthly and reviewed with finance and engineering teams. Variance explanations are documented.
Automated forecasting uses ML models incorporating usage trends, seasonal patterns, and committed usage. Forecasts are refreshed continuously and served to stakeholders via self-service. Accuracy is a tracked KPI with continuous model improvement. Forecast data feeds directly into budget and commitment decisions.
Cloud efficiency and rightsizing
Optimize Usage & CostNo systematic rightsizing or waste reduction occurs. Resources are provisioned at peak capacity and left running regardless of demand. Idle and underutilised resources accumulate. Optimisation is reactive and driven by cost spike incidents.
Rightsizing recommendations are generated and reviewed regularly. Idle resource policies are defined and enforced for key environments. Dev and test environments are scheduled to shut down out of hours. Engineering teams action recommendations within defined SLAs.
Workload optimisation is continuous and largely automated. Auto-scaling and dynamic rightsizing are standard across the estate. Utilisation targets are defined at team level and tracked. Zero-waste engineering practices are embedded in deployment pipelines. Sustainability is a co-equal optimisation goal.
Cost allocation and tagging
Understand Usage & CostCost allocation is limited to broad account-level groupings. Tagging is inconsistent and largely unenforced. Shared costs are not distributed and significant spending is unallocated.
A tagging policy is defined and enforced for primary workloads. Shared costs are distributed using documented allocation rules. Most spending is attributable to a cost centre or team. Compliance is monitored and reported.
Near-complete cost allocation is achieved across all technology sources. Tagging compliance is automated and enforced at provisioning. Shared cost allocation is granular, fair, and agreed by all stakeholders. Allocation enables product-level unit economics reporting.
Meridant Matrix Transformation Framework
Generative AI and LLM operations
GenAI tools used ad hoc by individuals without governance. No enterprise LLM deployment. No prompt standards or output validation. Data privacy in LLM interactions uncontrolled.
Enterprise LLM platform selected and piloted. Prompt engineering guidelines published. Basic PII filtering and output review process defined. Token cost monitoring initiated.
GenAI platform operational for approved use cases. RAG pipelines integrated with enterprise knowledge sources. Hallucination monitoring and output quality scoring active. Prompt versioning and A/B testing in place. Cost per use case tracked.
Continuous evaluation of model performance, retrieval quality, and output accuracy. Automated model switching based on performance and cost signals. Fine-tuned models operational for domain-specific use cases. GenAI ROI measured and reported.
GenAI capabilities are embedded across the enterprise value chain and continuously evolve with model advances. Organisation contributes to responsible GenAI standards. Full alignment to EU AI Act and NIST AI RMF for GenAI-specific obligations.
Organizational change strategy and planning
Key stakeholders understand current changes and plan activities supporting the change when required. They focus on the most important aspects, considering only the people directly involved. Change tasks are assigned on an ad-hoc basis and are taken on by people on top of their day jobs.
The organization builds an understanding of the nature and extent of the change. It establishes a sense of urgency and actively identifies potential resistance and risks. A basic OCM strategy is created and a plan is put in place, resulting in OCM communications to relevant audiences. Core change roles are identified and dedicated people are selected to take care of change activities. Change agents are implemented and recognized within silos.
The organization fully understands current changes and extensively assesses their impact. Based on that assessment it builds a comprehensive OCM strategy and puts a detailed action plan in place. A communications and change management program is established addressing all target audiences. Alignment is ensured between key stakeholders and executive leadership regarding the scope and scale of the transformation. Key roles driving and supporting the change are identified and implemented, with change role owners fully committed and change agents recognized across the entire organization.
The organization fully understands current changes and proactively anticipates future ones. Multiple changes in a variety of stages are managed in parallel, with leadership fully aware of dependencies and potential interferences between different change initiatives. A well-established OCM strategy and plan is in place, regularly reviewed and updated. Comprehensive communication and change management programs are deployed with a constant feedback loop across all employees.
Change is treated as an ongoing phenomenon with directions taking different turns continuously. Multiple change programs are in place, fully anticipated by leadership and change program owners. All change programs are frequently reviewed for alignment and adjusted swiftly when needed. Every employee is always fully aware of the role they play in the transformation and proactively supports and drives the changes.
The AI Threat Readiness Assessment applies this methodology across 24 capabilities — survey, scoring, synthesis, and a structured roadmap delivered in days.