Most programmes find out where they sit when an auditor names the gap. This model lets you find out first. A per-Pillar maturity assessment across the Five Pillars, reactive, defined, measured, and optimised, grounded in observable security outcomes, not process documentation. The weakest Pillar sets the effective maturity level for the whole programme.