When you've done A LOT – but it doesn't quite add up
Not everything exists. A lot exists – but nothing feels really good (yet).
Policies are there. Strategies, news on the intranet, support documentation. The technology is there. Maybe even a short nano-training. Still, it's messy. In reality, not everyone uses Microsoft 365 for storage, materials are scattered and many "think right" in theory but are unsure of the tools. We don't dare turn on features - because it's unclear how the business would use or receive them. Do you recognize yourself?
It is difficult to pinpoint where you are – and even more difficult to agree on the next step. If you lift a rock, you will find that there is too much that needs to be fixed. And it apparently has to happen all at once. It is too much. The issue is important and risky, but the path forward feels murky.
Pancom – when reality catches up
Pancom, a fictional company, had some things in place but was too far from a comfortable place.
The IT manager saw few reported incidents but suspected a hidden number. Sales felt safe – “we have a way of working where we know things”, but in practice they were most careful about who they emailed. HR was worried and stored sensitive files in personal OneDrive. Cleanup took place – but it was extremely person-dependent. Legal and IT concluded: this is not enough. Everyone ducked responsibility, because it is too big for one person to run. And that is true.
Pancom gathered the right people from the business, even those who were “hardworking” and didn’t work with IT or security. They conducted a Quick Assessment with a focus on regulatory compliance and IT security from the outside The Microsoft 365 maturity model.
From fog to consensus
After the workshop there was a common picture.
- Current status: just over 100.
- The goal: 200 for operations, 300 for IT, HR and VIP sales.
- The setting: no prestige – just consensus and three clear first steps.
No one went home completely satisfied. But everyone went home in agreement. And it's the difference that makes the difference.
Compliance & IT security – current status and goals
| Level | What it means | Marking |
|---|---|---|
| 100 | Ad hoc. Unclear roles and manual routines. Weak traceability. | Current status |
| 200 | Basic policies are followed on a daily basis. MFA, labels and standardized access. | Objectives (activities) |
| 300 | Established and measurable. Role-based access, training requirements per role, regular follow-up. | Target (IT/HR/VIP sales) |
| 400 | Continuous improvements and auditing. Automated controls, eDiscovery, KPIs in scorecards. | |
| 500 | Predictive and data-driven governance. Advanced protection, integrated risk management (GRC). |
What is the Microsoft 365 Maturity Model?
The maturity model is a common language to translate messy discussions into clear steps. It shows current status, goals and gaps per competency area – so everyone prioritizes the same next steps.
- The scale goes from 100–500.
- Used internationally, as a de facto standard.
- Independent of specific products.
- Business-related: the skills apply even when technology changes.
- An organization can be at different levels in different parts – and that's okay.
The point is not perfection. The point is a sober picture and one reasonable roadmap.
Levels explained (100–500)
The levels are indications on maturity – not grades. No business will reach 500 everywhere; that would be like being the best at everything, all the time. Reserve 500 ambitions for what is unique and business-critical to you. Guest Wi-Fi doesn’t need the same perfection as smoke alarms – that’s just how it is. The point is to know where What level should you be at, and in what order do you get there?.
100 – Ad hoc
Working methods are person-dependent. Files are scattered. Policies exist but are used unevenly. Risks are difficult to see and follow up on. This is pretty much just “on” – default settings that have been in place since the start. You barely know about incidents.
200 – Basic order
There is a minimum common level: base policy, MFA, labels and “this is where it belongs” rules. You start doing the right thing – not always, but often. Much is manual and frameworks are followed unevenly in the organization. We work with firefighting here.
300 – Established and measurable
Roles and responsibilities are clear. Training per role is available. Follow-up shows that working methods are actually used and work. We have systematized and there is order. This is a good place.
400 – Improvement as a routine
Metrics, audits and automated controls provide a steady pace of improvement. Deviations are caught and corrected without disrupting operations. Most things are automated and the business uses security features and processes as intended.
500 – Foresight and integrated
Optimized mode. Decisions are driven by data. Risks are managed proactively. Work methods are scalable, automated and provide a clear advantage. We have clear dashboards and incidents are handled automatically with AI and self-healing.
Competencies explained
The maturity model doesn't just measure IT. It reflects operational capabilities – how you collaborate, communicate, manage content, and learn. When one skill improves, it is often reflected in several others.
- Business process expertise
How well your most important flows – from customer needs to delivery – are described, standardized and supported by Microsoft 365. This is where you can see if the work is flowing and the quality is maintained. - Cognitive business process (AI)
To what extent does AI actually help the processes: summarize, suggest next steps, analyze and relieve – in a way that is secure and traceable. - Collaboration skills
The ability to work in shared spaces, documents and channels with clear rules for where things belong and how work moves forward. - Communication skills
Reaching the right target group, in the right channel, with the right message – with clarity and timing so that everyone understands and can act. - Adaptation and development skills
The capacity to incorporate new functionality, test, learn and improve without losing pace in delivery. - Employee experience
How easy it is to get the job done: find, navigate, understand what matters and see the next step. Here you can see the whole picture – every day. - Governance and compliance
Policies, roles and controls that ensure internal requirements and regulations are followed – with traceability, accountability and predictability. - Infrastructure expertise
Stable, secure and up-to-date foundation: identities, devices, networks, storage and performance on which everything else rests. - Content management
Structures for the information lifecycle – ownership, metadata, versions, retention and archives – so that content lasts over time. - People and communities
The ability to enable knowledge sharing and social learning through communities and dialogue that binds together silos and roles. - Search competence
Making information discoverable and using search tools effectively – from good metadata and naming standards to user habits. - Personnel and training competence
Clear skill requirements per role and a plan for developing them – so everyone knows what they should be able to do and how to get there.
- Business process expertise
Learn more – The Maturity Model & Quick Assessment
Are you curious about how you can take a team from “we think differently” to consensus in under two hours? Watch the film How to run a maturity model workshop – it shows how to concretely assess the current situation, set goals and find a realistic path forward.
FAQ – frequently asked questions about the Maturity Model
Do we have to aim for level 500 everywhere?
No. Level 500 is like Formula 1 – it is only needed where it is business critical. Most organizations are fine with being in the 200–300 range in most areas and 400 in a select few.
How long does it take to raise our maturity?
It depends on the current situation and the level of ambition. The most important thing is not the pace, but that the journey is sustainable and anchored.
Is this just for IT?
No. The model spans the entire Microsoft 365 experience: collaboration, communication, HR, security and compliance. IT cannot do it alone – it requires a common vision.
How do we measure our level?
Through a Quick Assessment or self-assessment that shows the current status, goals and gaps within each competency.
What do we do if different departments are at different levels?
That's normal. The point is not that everyone should be the same – but that you know why the difference exists and decide which areas are most important to raise first.
Can we use the model even if we don't run all Microsoft 365 apps?
Yes. It is business-oriented and independent of specific apps. The focus is on working methods and competencies, not technology lists.
