Research Article

A Maturity Model Proposal for Mapping Türkiye’s Information and Communication Security Guide Maturity Landscape

Year 2025, Volume: 1 Issue: 2, 102 - 110, 16.12.2025

Abstract

This study proposes a maturity model based on the Information and Communication Security Guide (ICSG), which is mandatory for public institutions and critical infrastructure businesses in Türkiye. The study developed a model consisting of 16 parameters to assess institutions' cybersecurity capacities, make their current status visible, and identify areas for improvement. The model considers criteria such as the scope of the guide's implementation, compliance with the Information Security Management System (ISMS), the correlation between asset inventories and countermeasures, the status of compensating controls, and maturity roadmaps. The scores obtained from the parameters are converted into a five-level maturity scale, which can be used to map the institutions' cybersecurity maturity. The proposed model provides a framework that can be used not only for internal institutional assessments but also for shaping nationwide cybersecurity strategies and the effective allocation of resources. This aims to strengthen national cybersecurity resilience by translating abstract security objectives into concrete and measurable steps.

Ethical Statement

This article does not contain any studies involving human or animal subjects. Scientific and ethical principles were adhered to during the preparation of this study, and all referenced studies are listed in the references.

Thanks

The authors would like to thank Mr. Yusuf Tancan (Vice President), Mr. Osman Turan (Expert), and Dr. Tolga Ozbilge (Expert) from the abolished Digital Transformation Office of Türkiye for their valuable comments and implementation efforts on the maturity model proposal. The authors would also like to thank Dr. Ahmet Albayrak from Düzce University for his valuable comments and editorial effort.

References

  • Brezavscek, A., & Baggia, A. (2025). Recent trends in information and cyber security maturity assessment: A systematic literature review. Systems, 13(1), Article 52. https://doi.org/10.3390/systems13010052
  • Caralli, R. A., Stevens, J. F., Young, L. R., & Wilson, W. R. (2010). Introducing OCTAVE Allegro: Improving the information security risk assessment process. Carnegie Mellon University, Software Engineering Institute.
  • Chrissis, M. B., Konrad, M., & Shrum, S. (2011). CMMI for development: Guidelines for process integration and product improvement (3rd ed.). Addison-Wesley.
  • Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO/IEC 27001 information security management standard: Literature review and theory-based research agenda. Computers & Security, 106, Article 102289.
  • Dutton, W. H., Creese, S., & Shillair, R. (2018). The cybersecurity capacity maturity model for nations (CMM). Global Cyber Security Capacity Centre, University of Oxford.
  • Holloway, D. (2022). ISO 27002:2022 — Security controls: Complete overview. IT Governance Publishing.
  • ISACA. (2019). COBIT 2019 framework: Governance and management objectives. ISACA.
  • Mataracioglu, T. (2022). Understanding the importance of the Turkish Information and Communication Security Guide on cybersecurity. ISACA Journal Online, 2.
  • National Institute of Standards and Technology (NIST). (2018). Framework for improving critical infrastructure cybersecurity (Version 1.1). NIST.
  • U.S. Department of Energy. (2014). Cybersecurity Capability Maturity Model (C2M2). Washington, U.S. Department of Energy.

There are 10 citations in total.

Details

Primary Language English
Subjects Information Security Management
Journal Section Research Article
Authors

Tolga Mataracıoğlu 0009-0008-6233-706X

Duygu Fidancıoğlu 0009-0005-5362-8736

Submission Date September 23, 2025
Acceptance Date November 13, 2025
Publication Date December 16, 2025
Published in Issue Year 2025 Volume: 1 Issue: 2

Cite

APA Mataracıoğlu, T., & Fidancıoğlu, D. (2025). A Maturity Model Proposal for Mapping Türkiye’s Information and Communication Security Guide Maturity Landscape. Siber Güvenlik Ve Dijital Ekonomi, 1(2), 102-110. https://izlik.org/JA55BN49YZ