CGAP

Governance maturity, measured from real evidence instead of a slide deck.

"Governance maturity" is usually a slide deck, not a measurement. Self-assessment questionnaires drift toward whatever the organization wants its board to see. Different frameworks reuse the same controls under different names, so nobody has a consolidated picture. Boards want a single number; auditors want full lineage; most tools deliver one or the other. CGAP is built to deliver both, from evidence, not from opinion.

CGAP is a governance-maturity scoring engine. It draws from the security telemetry an organization already produces (scanner output, SIEM data, the real operational record) and computes a compliance posture from what is actually true, not from a questionnaire someone filled in the way they wished things looked. Self-assessment is the input of last resort, and it's flagged as such wherever it's used.

It maps that evidence against four current-revision governance frameworks at once (NIST CSF 2.0, ISO 27001:2022, CMMC 2.0, and PCI DSS v4), with a cross-framework crosswalk so a single piece of evidence is cited everywhere it applies. One control, four citations, no duplicate data entry, no auditor confusion when one policy answers requirements in three regimes.

The output is a single executive-facing score with full drill-down to the control-level evidence underneath it. Analysts get the detail; executives get the number and the delta. And every score is a versioned snapshot: timestamped, evidence-linked, reproducible, so the question "what did we look like last quarter, and can you prove it" takes one click instead of a reconstruction project.
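A toy model of that pipeline, added here as an illustration and not CGAP's own code: one evidence record per control, a crosswalk that cites it in all four frameworks, a self-assessment flag, and a content-hashed snapshot that a rerun reproduces. The crosswalk, control IDs, evidence records and the plain-average scoring rule are constructed assumptions for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Illustrative crosswalk (an assumption, not CGAP's real mapping): one canonical
# control keyed to its citation in each of the four frameworks the page names.
CROSSWALK = {
    "vuln-mgmt":     {"NIST CSF 2.0": "ID.RA-01", "ISO 27001:2022": "A.8.8",
                      "CMMC 2.0": "RA.L2-3.11.2", "PCI DSS v4": "11.3.1"},
    "access-review": {"NIST CSF 2.0": "PR.AA-05", "ISO 27001:2022": "A.5.18",
                      "CMMC 2.0": "AC.L2-3.1.1", "PCI DSS v4": "7.2.4"},
}
# Constructed evidence: one record per control, carrying its provenance.
EVIDENCE = [
    {"control": "vuln-mgmt", "source": "scanner", "ref": "scan-2024q3.json", "pass": 0.8},
    {"control": "access-review", "source": "self_assessment", "ref": "q3-questionnaire", "pass": 1.0},
]
TELEMETRY_SOURCES = {"scanner", "siem"}  # anything else is self-assessment

def score(evidence, crosswalk):
    """Score each control once, cite it in every framework, flag self-assessment."""
    controls = {}
    for e in evidence:
        controls[e["control"]] = {
            "score": e["pass"],
            "citations": crosswalk[e["control"]],   # same evidence, four citations
            "evidence_ref": e["ref"],
            "source": e["source"],
            "self_assessed": e["source"] not in TELEMETRY_SOURCES,
        }
    overall = sum(c["score"] for c in controls.values()) / len(controls)
    frameworks = next(iter(crosswalk.values())).keys()
    per_framework = {fw: {c["citations"][fw]: c["score"] for c in controls.values()}
                     for fw in frameworks}
    return {"overall": round(overall, 3), "controls": controls,
            "frameworks": per_framework,
            "self_assessed_controls": sorted(k for k, c in controls.items() if c["self_assessed"])}

def snapshot(result, when=None):
    """Versioned snapshot: hash canonical JSON so the same evidence yields the same digest."""
    body = json.dumps(result, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(body.encode()).hexdigest()
    when = when or datetime.now(timezone.utc)
    return {"timestamp": when.isoformat(), "sha256": digest, "result": result}

if __name__ == "__main__":
    snap = snapshot(score(EVIDENCE, CROSSWALK))
    print(snap["timestamp"], snap["sha256"], snap["result"]["overall"])
```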