National capacity review

What is the aim?

The aim of a national cyber security capacity review is to help a country understand its current state of cybersecurity capacity at the national policy and capabilities level. A review is not a technical or operational study. It is also different from a comparative international survey, which typically results in a ranking table and not a report.

Why do it?

You can only plan effectively if you know your current strengths and weaknesses. Furthermore, repeating a review every few years –for example at the start and end of a strategy –will help measure progress.

What are typical outputs?

A report including maturity stages for various factors of cybersecurity capacity and recommendations for capacity-building activities and investment.

How is it delivered?

Typically, international experts work with the government to run a few days of focus group workshops with clusters of people who understand the national cybersecurity landscape (e.g. policy makers; companies; police and judiciary; academics; civil society etc.). The experts then work with government officials to write and/or edit a review report, using the findings from the focus groups and desk research.

How easily can a country do it themselves?

Some governments, especially more advanced ones, run the review process without international assistance using international models or their own design.

What good practice guidance is available?

The GFCE’s Cybil Portal has both a range of models that can be used, as well as links to published reviews.

  • A country can conduct a review at any time, but there are a few popular options: before or during the initiation phase of a strategy to build interest; during the stocktaking and analysis phase to improve understanding; or during the monitoring and evaluation phase to measure progress.
  • Many governments have chosen to publish their reports, because it helps to engage people in the national strategy process, it is an international confidence-building measure, and it helps to attract and coordinate international capacity building.
  • Repeat the assessment after 3-5 years to track progress and to assess areas for further capacity building.


The cost to a project is typically $65k -$130k USD depending upon the approach used. If funding is provided by a donor, the cost to the beneficiary country is almost zero: they often provide a venue for the workshops and handle invitations.


Once a government has formally agreed with the organization which conducts the review it takes about 6 months until the review is conducted and the report is submitted to the government.

In 2014, the Ministry for Economic Development of Kosovo, facilitated by the World Bank, asked the Global Cyber Security Capacity Centre (GCSCC) for assistance with a national capacity review based on the Centre’s Cybersecurity Capacity Maturity Model for Nations (CMM). Through funding from several donors, the GCSCC was able to respond to this request, and prepared the CMM review process.

During February 2015, the GCSCC experts conducted ten focus group discussions over three days focusing on the five CMM dimensions:

  1. Cybersecurity policy and strategy;
  2. Cyber culture and society;
  3. Cybersecurity education, training and skills;
  4. Legal and regulatory frameworks;
  5. Standards, organizations, and technologies.

Each workshop brought together cybersecurity experts, such as critical infrastructure owners, policy makers, academia, civil society, representatives of the justice sector, as well as experts from the private sector.

Based on the information collected during the focus groups and follow-up desktop research to look for supporting evidence, the GCSCC drafted a report including recommendations for next steps that was reviewed by the subject matter experts the GCSCC for quality control before it was sent to the Kosovo government for feedback.

After approval it was published on the ministry website.

Kosovo used the CMM review as part of their strategy planning process. Many of the recommendations in the review made it into official plans. Within a year of receiving the report the government had:

  • Appointed a coordinating ministry for cybersecurity: Ministry of Internal Affairs.
  • Run a multi-stakeholder strategy drafting process, using the capacity review as an input.
  • Adopted its National Cybersecurity Strategy and Action Plan 2016-2019.
  • Established a national CSIRT (KOS-CERT).
  • Developed a concept document for critical information infrastructure and draft standards regulation.

Read more about what followed the CMM review here.

Four years later, in July 2019, the GCSCC returned to Kosovo for a CMM re-assessment. This was again facilitated by the World Bank as part of its Global Cybersecurity Capacity Program II. The report provided insights on where the country had improved capacity since the first review but also identified areas for further capacity building and support in adapting current efforts to new developments.