Level 5 of 5
Institutionalized
Offensive security is a managed business discipline. Board-level oversight includes offensive security as a standard input to enterprise risk governance. PDCA cycles are formalized and operating. Crisis simulations involve executive and board participation. Investment decisions are explicitly informed by resilience metrics, and the organization can demonstrate this with evidence, not assertion. The distance between G4 and G5 is measured in organizational culture as much as process.
Outcomes
- Board-level oversight of offensive security is a standing governance function, not a periodic briefing
- A formalized PDCA cycle operates with outcomes reviewed at board level and investment demonstrably adjusted
- Enterprise crisis simulations involve executive and board participation, testing governance and strategic decision-making
- Investment and resource allocation decisions are explicitly informed by resilience metrics with documented evidence
- Governance structures are adaptive, evolving in response to technology, business, and threat landscape changes
Actions
1. Establish board-level reporting as a standing governance function with documented cadence and metrics
2. Formalize the PDCA cycle at enterprise level with documented evidence of complete loops
3. Design and conduct enterprise crisis simulations with executive and board participation
4. Build explicit documented linkages between resilience metrics and investment decisions
5. Define enterprise resilience targets and report performance against them to the board on a defined cadence
Sustainment Criteria
All criteria must be met to hold this level. If any criterion is unmet at reassessment, consider yourself at the previous level.
- Board-level oversight is a standing governance function, with evidence that board feedback influences program direction
- PDCA cycle evidence is current and complete: objectives defined, validation executed, board review conducted, adjustments documented
- Enterprise crisis simulations with board participation are conducted at least semi-annually, with verified improvement actions
- Documented evidence exists that investment decisions have been explicitly informed by offensive security outcomes
- Enterprise resilience targets are defined, tracked, and reported to the board on a defined cadence
- Cross-functional teams, including legal, HR, and communications, participate in crisis simulations regularly
Practitioner note
G5 is intentionally aspirational. The evidentiary bar is deliberately higher here because G5 makes the strongest organizational claims. Organizations that claim G5 should be able to point to specific decisions that changed based on offensive security evidence. The PDCA cycle requirement demands documentation of the complete loop, not just that objectives were set and validation occurred.
Corresponding Technical Practice level
T5 Resilient
Organizations often develop these axes at different rates. Compare your position on both.