A method for assessing an information security policy and practice of an
organization, including determining a risk associated with the
information security policy and practice, collecting information about
the information security policy and practice, generating a rating using a
security maturity assessment matrix, the collected information, and the
risk associated with the information security policy and practice,
generating a list of corrective actions using the rating, executing the
list of corrective actions to create a new information security policy
and practice, and monitoring the new information security policy and
practice.