Effective CISSP Questions

You started a software house two years ago that builds and implements custom software solutions for clients. As there was no organizational project management standard or unified process, your company relied on senior project managers capable of managing projects and delivering software to clients based on their own approaches and experience. Which of the following maturity levels best describes your company in terms of CMMI?
A. Initial
B. Repeatable
C. Managed
D. Defined

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Initial.

Your company still relies on senior project managers, or heroes. That is a characteristic of Level 1. If your company implements basic project management processes for project managers to follow, that is a good indicator of Level 2. Level 3 implements comprehensive standard processes that cover both management and engineering activities.

At Level 1, the initial level, the software process is characterized as ad hoc, and occasionally even chaotic. Few processes are defined, and success depends on individual effort and heroics. “Ad hoc” is sometimes used pejoratively, but ad hoc simply means “special.”

Source: A History of the Capability Maturity Model for Software

CMM and CMMI Maturity Levels Comparison

Software Engineering Institute (SEI), 1984

The Software Engineering Institute (SEI) was established in 1984 at Carnegie Mellon University as a federally funded research and development center (FFRDC) dedicated to advancing the practice of software engineering and improving the quality of systems that depend on software. (JUNE 21, 2000 • SEI PRESS RELEASE)

Capability Maturity Model (CMM), 1986~1995

The Capability Maturity Model (CMM) is a development model created in 1986 after a study of data collected from organizations that contracted with the U.S. Department of Defense, who funded the research.

Active development of the model by the US Department of Defense Software Engineering Institute (SEI) began in 1986 when Humphrey joined the Software Engineering Institute located at Carnegie Mellon University in Pittsburgh, Pennsylvania after retiring from IBM. At the request of the U.S. Air Force he began formalizing his Process Maturity Framework to aid the U.S. Department of Defense in evaluating the capability of software contractors as part of awarding contracts.

Watts Humphrey’s Capability Maturity Model (CMM) was published in 1988 and as a book in 1989, in Managing the Software Process. The full representation of the Capability Maturity Model as a set of defined process areas and practices at each of the five maturity levels was initiated in 1991, with Version 1.1 being completed in January 1993. The CMM was published as a book in 1995 by its primary authors, Mark C. Paulk, Charles V. Weber, Bill Curtis, and Mary Beth Chrissis.

Source: CMM, Wikipedia

The Five Maturity Levels

The following summary is an excerpt from the article, A History of the Capability Maturity Model for Software:

  • At Level 1, the initial level, the software process is characterized as ad hoc, and occasionally even chaotic. Few processes are defined, and success depends on individual effort and heroics. “Ad hoc” is sometimes used pejoratively, but ad hoc simply means “special.”
  • At Level 2, the repeatable level, basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
  • At Level 3, the defined level, the software process for both management and engineering activities is documented, standardized, and integrated into a set of standard software processes for the organization.
  • At Level 4, the managed level, detailed measures of the software process and product quality are collected. Both the software process and products are quantitatively understood and controlled.
  • At Level 5, the optimizing level, continuous process improvement is enabled by feedback from the process and from piloting innovative ideas and technologies.

Capability Maturity Model Integration (CMMI)

Capability Maturity Model Integration (CMMI) is a process-level improvement training and appraisal program. CMMI is the successor of the Capability Maturity Model (CMM), also known as Software CMM. It was developed at Carnegie Mellon University (CMU) and is administered by the CMMI Institute, which was acquired by ISACA and made its subsidiary on 1 March 2016.


  • 1988: Software CMM
  • 1991: CMM for Software Version 1.0
  • 1993: CMM for Software Version 1.1
  • 2002: CMMI Version 1.1
  • 2006: CMMI Version 1.2
  • 2010: CMMI Version 1.3
  • 2016: CMMI Institute was acquired by ISACA
  • 2018: CMMI Version 2.0
    CMMI Version 2.0 merged CMMI-DEV, CMMI-ACQ, and CMMI-SVC into a single model where each process area potentially has a specific reference to one or more of these three aspects.
CMMI History (Image credit: MTarnowski)

Originally, CMMI addressed three areas of interest:

  • CMMI-DEV: CMMI for Development (Product and service development)
  • CMMI-SVC: CMMI for Services (Service establishment, management)
  • CMMI-ACQ: CMMI for Acquisition (Product and service acquisition)
CMMI Constellations (Image credit: MTarnowski)


CMMI V1.3 Maturity Levels
How Is CMMI V2.0 Different From V1.3?



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

You founded a software company just two years ago that develops and implements custom software solutions for clients. Because there is no organization-level project management standard or unified process, you rely on senior project managers to manage projects and deliver software to clients based on their own methods and experience. From the CMMI perspective, which of the following describes your company's maturity level?
A. Initial
B. Repeatable
C. Managed
D. Defined

