
BSIMM Assessment - Benchmarking Your Software Security Initiative Against Industry Peers

A complete guide to BSIMM (Building Security In Maturity Model) — how it works, the 121 activities across 12 practices, how a BSIMM assessment is conducted, and how to use BSIMM data to prioritise your software security programme.


BSIMM: Benchmarking Your Software Security Initiative Against Real-World Peers

While OWASP SAMM provides a prescriptive model of what good software security looks like, BSIMM (Building Security In Maturity Model) takes a different approach: it describes what organisations actually do. Based on data collected from over 130 real software security initiatives at leading organisations across financial services, technology, healthcare, and other sectors, BSIMM provides an empirical benchmark of real-world software security practice — allowing organisations to compare their programme against actual peer practice rather than an ideal model.


How BSIMM is Different from OWASP SAMM

BSIMM and OWASP SAMM are complementary but distinct:

Descriptive vs. Prescriptive: BSIMM describes what organisations are actually doing. SAMM prescribes what organisations should do. BSIMM tells you where you stand relative to peers; SAMM tells you where you should aim.

Data-driven: BSIMM activities are derived from and validated against real programme data from assessed organisations. Activities that few organisations actually perform are noted as such.

Industry benchmarking: BSIMM data is segmented by industry, enabling comparison against financial services peers, healthcare peers, or technology company peers rather than a generic benchmark.

Frequency data: BSIMM reports what percentage of assessed organisations perform each activity, making it easy to identify whether an activity is a common practice (>50% of organisations) or an advanced practice (<25%).

Using both SAMM and BSIMM together gives a complete picture: SAMM shows where you should be going, and BSIMM shows where you stand relative to what others are actually doing today.

The 121 BSIMM Activities Across 12 Practices

BSIMM organises 121 activities into 12 practices grouped into four domains:

Governance domain:

  • Strategy and Metrics (SM): Defining and measuring the SSI
  • Compliance and Policy (CP): Managing compliance obligations and security policy
  • Training (T): Security education and awareness

Intelligence domain:

  • Attack Models (AM): Building and using threat models and attack patterns
  • Security Features and Design (SFD): Developing reusable security features and standards
  • Standards and Requirements (SR): Defining security standards and requirements

SSDL Touchpoints domain:

  • Architecture Analysis (AA): Reviewing designs for security issues
  • Code Review (CR): Identifying security defects in code
  • Security Testing (ST): Finding defects through security testing

Deployment domain:

  • Penetration Testing (PT): Simulating attacks to find vulnerabilities
  • Software Environment (SE): Securing the software deployment environment
  • Configuration Management and Vulnerability Management (CMVM): Managing defects and vulnerabilities in production

Using BSIMM Results to Build Your SSI Roadmap

BSIMM assessment results show which of the 121 activities your organisation currently performs — and how that compares to the BSIMM benchmark pool. Use this data to build your programme roadmap as follows:

Quick wins: Activities performed by most BSIMM organisations that you don't currently do represent high-value, proven practices to adopt. If 80% of peer organisations conduct architecture risk analysis and you don't, that's a clear gap to close.

Advanced practices: Activities performed by only a small percentage of BSIMM organisations may represent aspirational targets for a maturing programme, not immediate priorities.

Industry alignment: Comparing against your industry's BSIMM data identifies gaps that matter most in your sector — financial services BSIMM data emphasises compliance and policy activities; technology sector data emphasises automation and tooling.
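As an added illustration (not Savadub's or the BSIMM project's own tooling), the following Python buckets the activities an organisation does not perform using the quick-win and advanced-practice thresholds above, and flags gaps the organisation's own sector adopts more heavily than the general pool. The benchmark table, activity identifiers, frequencies, the 25-50% "mid" bucket and the sector-emphasis margin are constructed assumptions for the example, not real BSIMM figures.

```python
from dataclasses import dataclass

# Constructed benchmark rows for illustration only (NOT real BSIMM figures):
# (activity id, practice, share of all assessed firms, share of chosen industry).
BENCHMARK = [
    ("SM1.1", "SM", 0.78, 0.85),
    ("CP1.2", "CP", 0.70, 0.92),
    ("AA1.1", "AA", 0.80, 0.76),
    ("CR1.4", "CR", 0.72, 0.60),
    ("ST2.6", "ST", 0.20, 0.18),
    ("PT3.2", "PT", 0.12, 0.10),
    ("CMVM1.1", "CMVM", 0.90, 0.95),
]

@dataclass
class Gap:
    activity: str
    practice: str
    overall: float          # peer adoption across the whole benchmark pool
    industry: float         # peer adoption within the organisation's sector
    bucket: str             # "quick_win", "advanced" or "mid"
    sector_emphasis: bool   # sector adopts it noticeably more than the pool

def classify_gaps(performed, benchmark=BENCHMARK, common=0.50, advanced=0.25,
                  emphasis_margin=0.15):
    """Bucket activities the organisation does not perform by peer frequency.

    Thresholds follow the page: >50% of peers = common practice (quick win),
    <25% = advanced practice.  The 25-50% "mid" bucket and the sector-emphasis
    margin are assumptions added here.  Industry frequency drives the bucket so
    the roadmap reflects the organisation's own sector, not the generic pool.
    """
    gaps = []
    for activity, practice, overall, industry in benchmark:
        if activity in performed:
            continue
        if industry > common:
            bucket = "quick_win"
        elif industry < advanced:
            bucket = "advanced"
        else:
            bucket = "mid"
        gaps.append(Gap(activity, practice, overall, industry, bucket,
                        industry - overall >= emphasis_margin))
    # Most widely adopted missing activities first: proven practices you lack.
    gaps.sort(key=lambda g: (-g.industry, g.activity))
    return gaps

if __name__ == "__main__":
    for g in classify_gaps({"SM1.1", "CMVM1.1"}):
        flag = " (sector-emphasised)" if g.sector_emphasis else ""
        print(f"{g.bucket:9s} {g.activity:8s} peers={g.industry:.0%}{flag}")
```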

Why Organisations Choose Savadub

Deep GRC Expertise

Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.

Engineers, Not Just Consultants

We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.

Global and African Regulatory Coverage

We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.

Internal and External Audit Capability

We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.

End-to-End Engagement

From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.

Industries We Serve

Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage

Deliverables You Receive

Working with Savadub, every engagement delivers a concrete set of outputs:

  • Gap Assessment Report — prioritised findings with effort estimates and risk ratings
  • Compliance Roadmap — milestone-based plan from current state to certification or attestation
  • Risk Register — organisational risk register with treatment plans
  • Policy Pack — all required policies authored, reviewed, and approved
  • Technical Control Implementation Evidence — configurations, screenshots, and audit trails
  • Internal Audit Report — independent assessment of control effectiveness
  • Audit Evidence Repository — organised, auditor-ready evidence collection
  • Executive Summary Presentation — board and leadership-ready compliance status
  • Remediation Tracker — structured tracking of open findings and closure evidence
  • Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance

Get Started with Savadub

Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance programme from the ground up.

Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.

Contact us:

  • Email: grc@savadub.com
  • Phone: +234 816 734 2201
  • WhatsApp: +234 903 234 8435
  • Website: www.savadub.com
