Business processes are supported by information technologies, although many processes and information systems were not designed to be secure. The lack of a security evaluation method might expose organizations to several risky situations. This work presents an information security maturity management process which uses a measurement method and a set of controls which treat information security on a comprehensive way. The results indicate that the method is efficient for evaluating the current state of information security, to support information security management, risks identification, the improvement of business processes and internal control processes.

segurança; maturidade; riscos