Domain-by-domain completion

CAMP is organized into 12 domains, and the assessment is built to be completed one domain at a time. That structure is not just tidy. It matches how security work is actually owned and evidenced.

The 12 domains

The domains span the full program: Identity & Access Management, Endpoint & Device Security, Network Security, Cloud Security, Application Security, Data Protection, Compliance & Risk, Security Operations, Asset & Configuration Management, AI/ML Security, Third-Party & Supply Chain Security, and Physical & Environmental Security.

Each domain holds its own set of capabilities. Each capability is assessed for maturity and criticality the same way, so scoring is consistent across the program.

Why complete one domain at a time

Different domains have different owners. The person who can answer Cloud Security questions is rarely the same person who knows Physical & Environmental Security. Tackling one domain at a time lets you route each section to the right people and gather real evidence instead of guessing.

• You get an accurate domain score sooner, since a domain score applies the Org Score formula within that single domain.

• Partial progress is still useful. A fully assessed domain gives you a trustworthy view of that area even while others are open.

What a domain score tells you

A domain score is criticality-weighted maturity across the in-scope capabilities in that domain, on a 0 to 100 scale. It shows where one area of your program is strong or thin, independent of the others.

Finish the domains tied to your most pressing risks first. You do not need the whole assessment complete to act on a domain that is done.

Assessing a domain is rarely a solo effort. See Collaborative assessment workflow for sharing the load.