Privacy Maturity Model (PMM), by AICPA/CICA

The AICPA/CICA has produced the Privacy Maturity Model (PMM).

CICA: The Canadian Institute of Chartered Accountants (CICA) represents Canada’s CA profession both nationally and internationally. The CICA is a founding member of the International Federation of Accountants (IFAC) and the Global Accounting Alliance (GAA).

AICPA: The American Institute of Certified Public Accountants, founded in 1887, is the world’s largest association representing the accounting profession, with nearly 377,000 members in 128 countries. The AICPA sets ethical standards for the profession and U.S. auditing standards for audits of private companies, non-profit organizations and federal, state and local governments.

The PMM uses five maturity levels as follows:

  • Ad hoc – procedures or processes are generally informal, incomplete, and inconsistently applied.
  • Repeatable – procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects.
  • Defined – procedures and processes are fully documented and implemented, and cover all relevant aspects.
  • Managed – reviews are conducted to assess the effectiveness of the controls in place.
  • Optimized – regular review and feedback are used to ensure continuous improvement towards optimization of the given process.

The figure below is from a presentation given at a symposium.


PMM is based on Generally Accepted Privacy Principles (GAPP) and the Capability Maturity Model (CMM).



  • CMMI: Capability Maturity Model Integration (CMMI) is a process improvement approach whose goal is to help organizations improve their performance. CMMI can be used to guide process improvement across a project, a division, or an entire organization.
  • CICA Privacy pages: