Reifegrad (SPICE Maturity) Decision Criteria
Use this reference to assess the correct reifegrad for each control. Be conservative — overestimating maturity is worse than underestimating.
Maturity Levels
| Level | Name | Key Question | VisiTrans Indicators |
|---|---|---|---|
| 0 | Unvollstaendig | Is there anything in place? | No process, no documentation, no awareness |
| 1 | Durchgefuehrt | Is someone doing this informally? | Informal process exists, people follow it but it's not documented |
| 2 | Gesteuert | Is it documented and evidenced? | Written policy/procedure exists, evidence of execution (logs, records) |
| 3 | Etabliert | Is it a standard process used over time? | Integrated into daily work, reviewed at least once, team follows it consistently |
| 4 | Vorhersagbar | Is it measured with KPIs? | KPI monitoring in place, thresholds defined, management informed regularly |
| 5 | Optimierend | Is there dedicated continuous improvement? | Dedicated resources for improvement, process adapts to organizational changes |
| na | Nicht anwendbar | Does this control apply to VisiTrans? | Control genuinely doesn't apply (must justify with Abwahlgrund) |
VisiTrans-Specific Guidance
Given VisiTrans is a ~15-person SaaS company:
Typical Reifegrad Distribution
- Most controls: Reifegrad 1-2
- Well-established areas (with policies): Reifegrad 2-3
- Reifegrad 4+: Unlikely unless specific KPI monitoring exists
- Reifegrad na: Only for controls truly not applicable (e.g., physical server room for a pure-cloud company)
Evidence Sources for Reifegrad Assessment
| Reifegrad | Required Evidence |
|---|---|
| 1 | Someone can describe the informal process |
| 2 | Written policy OR documented procedure OR audit trail (Git history) |
| 3 | Policy reviewed at least once (review_date history), process used >6 months |
| 4 | KPI defined AND measured AND thresholds set AND management review includes it |
| 5 | Dedicated person/time for continuous improvement of this specific area |
Common Mistakes
- Claiming Reifegrad 3 without annual review evidence
- Claiming Reifegrad 2 without pointing to a specific document as Nachweis
- Using Reifegrad na without justification (Abwahlgrund)
- Applying a different reifegrad to the same topic across norms (ISO 27001 and VDA ISA should be consistent)