A published, versioned, auditable scoring methodology.
Nothing affecting the score is hardcoded. Every factor, weight, gate, maturity descriptor, and calculation rule lives in a versioned database template. The scoring engine is a pure function that reads configuration — it has no opinions of its own.
Start with a free benchmarkFour properties that make scores defensible.
Auditability
When a GLC board or BNM examiner asks 'why did the score change?' the answer is always one of two things: the organisation's IT posture changed, evidenced by a specific signal, or the methodology template was updated with a published version number and effective date. There is no third answer.
Portability
Adding a new country requires creating one Country Template row in the database. No code changes. No deployment. The methodology is the same — only the jurisdictional context changes.
Credibility
Axceed publishes its methodology as a versioned document. This is what rating agencies do. It transforms the score from a consultant's opinion into a published, versioned, auditable methodology.
Legal defensibility
If a client disputes their score or uses it in a regulatory context, the template version that produced the score is recorded alongside it. The score is the output of a published methodology applied to documented evidence — not Axceed's subjective opinion.
Exactly four maturity levels. Always.
Aligned to COBIT 2019 and CMMI equivalents. No template can add a Level 5 or remove a level. The scale is permanent.
Unplanned, reactive. No documented process. Outcomes unpredictable.
Basic process exists. Outcomes somewhat predictable within projects.
Documented, standardised processes. Consistent outcomes across the organisation.
Continuous improvement. Quantitative management. Evidence-driven decisions.
Every weight traces to a published standard.
Axceed does not invent scoring criteria. Every dimension maps precisely to an internationally recognised framework.
| Standard | Scope | Layer(s) |
|---|---|---|
| COBIT 2019 | IT governance & management | L1 |
| NIST CSF 2.0 | Cybersecurity framework | L3 |
| ISO 27001:2022 | Information security management | L3 |
| ITIL 4 | IT service management | L5 |
| CIS Controls v8 | Security best practices | L3 |
| NACSA CSA 2024 | Malaysian cybersecurity | L3 |
| Bursa ESRF | ESG reporting framework | ESG |
| PDPA 2024 | Personal data protection | ESG-G |
| BNM RMiT | Risk management in technology | L1–L4 |
| ISO 38500 | IT governance for organisations | L1 |
| TOGAF | Enterprise architecture | L1, L4 |
| Prosci ADKAR | Change management | L0 |
Who can change what.
Template governance is commensurate with the responsibility of scores used by boards, regulators, and banks.
The methodology owner approves. No automated system can activate changes.
The methodology owner approves each change individually. Policy Ingestion may propose.
The methodology owner approves. SI partners with relevant expertise may propose.
Client-configurable on Professional+. No approval required.
30-day notice required for changes affecting 10%+ of clients or 5+ composite points.
Immutable. Cannot be deleted or retroactively changed.
See the methodology in action.
Run a free benchmark and get an indicative BOS score across all six layers in 15 minutes.