How ARVANIS assesses IT maturity

The model combines assessment, appropriateness, and prioritization based on established framework logic for midmarket organisations.

  • 7 dimensions with direct operational relevance
  • 4 maturity levels instead of a black-and-white audit
  • A versioned model built for midmarket reality

Why a dedicated maturity model?

ARVANIS translates established framework logic into a model that stays steerable and decision-ready for midmarket companies.

Inspired by established frameworks – built for the mid-market

COBIT, ITIL, and CMMI provide valuable orientation. ARVANIS translates their core ideas into a model that stays steerable and practical for midmarket companies.

Appropriate, not maximal

The goal is not to push every dimension to Level 4, but to reach Level 3 as the appropriate target corridor and use Level 4 only where it makes sense.

Steerable, not just documented

The model is designed for prioritization, management readiness, and concrete next decisions instead of a slide deck that gets archived after the assessment.

The 7 dimensions

ARVANIS evaluates IT as one connected picture across seven dimensions with direct business relevance.

ITS

IT Strategy

Strategic alignment, prioritisation, and management readiness of IT.

Typical focus: target state, priorities, decision paths, roadmap steering.

SEC

Cybersecurity

Protection, response, crisis readiness, and security posture.

Typical focus: detection, incident response, backup, and recovery capability.

CLO

Cloud & Infrastructure

Technical foundation, cloud landscape, and operational stability.

Typical focus: standardization, lifecycle, platform operations, operational stability.

DAT

Data Management

Data flows, data ownership, and steerable data usage.

Typical focus: data ownership, transparency, quality level, usage in operations.

AI

Artificial Intelligence

Use of artificial intelligence with accountability and value.

Typical focus: use cases, guardrails, ownership, measurable value.

INN

Innovation Capability

Execution capability for digitalisation, change, and new initiatives.

Typical focus: roadmap execution, prioritisation, change readiness, scaling.

ORG

IT Organization

Roles, know-how, supplier dependencies, and person dependencies.

Typical focus: key-person risk, vendor dependency, operational ownership.

The 4 maturity levels

The levels describe a practical development path from reactive & person-dependent to highly automated - with Level 3 as the common target corridor and Level 4 only where it is useful.

Level 1

Reactive & person-dependent

Basic capabilities are missing or depend on individuals.

Example: access is removed manually and only reviewed after incidents.

Level 2

Partially structured

Approaches exist, but are not established consistently.

Example: backup, role model, or asset list exist, but are not maintained reliably.

Level 3

Common target corridor

Appropriate (target)

Formalized, documented, and reviewed regularly - aligned with company size, risk, and industry.

Example: critical decisions follow fixed criteria and are documented in a traceable way.

Level 4

Only where useful

Highly automated (advanced)

Can make sense when scope, pace, and automation depth justify it.

Example: high automation in security or cloud & infrastructure because scope and risk economically justify it.

Not every dimension needs Level 4. The goal is an appropriate maturity level (Level 3) that fits company size, risk profile, and pressure to change. Level 4 is advanced, not mandatory.

How the assessment works

The methodology follows a clear flow from structured questions through weighted scoring to a prioritized management view.

01

Questions

Structured questions capture the current state, process maturity, risks, and operational resilience.

02

Scoring

Answers are weighted by dimension and checked for consistency as well as steering relevance.

03

Dimension profile

Strengths, tensions, and gaps become visible across all seven dimensions as one connected picture.

04

Prioritization

Actions arise from risk, impact, dependencies, and the appropriate target corridor.

Example questions from the assessment

  • How is privileged access granted, reviewed, and withdrawn again?
  • Which systems or people are operationally critical and how visible are those dependencies?
  • Do core applications have documented data flows and clear ownership?
  • How are IT priorities decided between executive leadership, CIO, and IT management?
  • What recovery time is realistic and how often has it been tested?

Example dimension profile

The profile does not only show isolated scores. It also highlights tensions between governance, security, infrastructure, and execution capability.

[Figure: Example of an ARVANIS dimension profile with maturity evaluation]

How prioritization is created

ARVANIS does not prioritize by pushing everything to Level 4. It prioritizes by appropriate steering need.

Do not drive everything to Level 4

A midmarket company does not need Level 4 in every dimension. Oversteering costs focus, budget, and buy-in.

Company size and risk matter

The target level is judged by how critical systems, data, regulation, and change pressure actually are.

Dependencies change the order

Weak data management or a fragile IT organization can slow down a roadmap more than an isolated tool issue.

Management readiness instead of an action dump

Prioritization creates a dependable order for decisions instead of just a long list of open topics.

What ARVANIS deliberately does NOT do

No audit

ARVANIS does not replace a formal audit or certification review by auditors and assurance bodies.

No certification promise

The model prepares maturity development and decision-making, but does not claim automatic ISO or compliance readiness.

No completeness guarantee

Even 140 questions do not replace every deep-dive analysis. Critical special topics may still require additional depth.

No framework compulsion

ARVANIS does not force companies into rigid reference models when those create more operational burden than value.

Interoperability with COBIT, ISO 27001, and ITIL

ARVANIS is not positioned against established frameworks. It translates their logic into an operating model that midmarket companies can actually steer.

Standards and frameworks remain reference points. ARVANIS condenses them into an assessment and prioritization logic that stays usable for management, IT leadership, and transformation teams.

Methodological orientation to:

  • COBIT
  • ISO 27001
  • ITIL
  • NIS2
  • BSI-Grundschutz
  • CIS Controls

The methodology keeps evolving

The model is versioned. New insights from projects, product usage, and regulatory requirements feed into the methodology in a controlled way without losing the traceability of earlier assessments.
