The Vulnerability Management Maturity Model: Five Pillars, Four Levels
Most programmes find out where they sit when an auditor names the gap. This model lets you find out first. It is a per-Pillar maturity assessment across the Five Pillars, scored on four levels (reactive, defined, measured, and optimised) and grounded in observable security outcomes rather than process documentation. The weakest Pillar sets the effective maturity level for the whole programme.
Christopher Clarkson
May 6 · 7 min read
Compliance as a Side Effect: How a Well-Run VM Programme Satisfies PCI-DSS, ISO 27001, NIS2, DORA, and the UK CSRB
The organisations that fail compliance audits for vulnerability management rarely have bad security intentions. They have compliance-designed programmes, built to satisfy a framework rather than to manage risk. Episode 10 walks through PCI-DSS v4.0.1, ISO 27001 A.8.8, DORA, NIS2, and the UK Cyber Security and Resilience Bill, showing how a Five Pillars programme produces the evidence each framework asks for as a natural by-product of operating well.
Christopher Clarkson
Apr 28 · 12 min read
