ISO 27001 Control

Guest user Created:   May 15, 2020 Last commented:   May 15, 2020

1. I wanted to know how we can measure the maturity of an ISO control when trying to assess its maturity level with something like CMMI.

2. How can we measure how effective is a control and how mature? Any resources that can help?

Expert
Rhand Leal May 15, 2020

1. I wanted to know how we can measure the maturity of an ISO control when trying to assess its maturity level with something like CMMI.

First, it is important for you to understand the criteria levels adopted, so you can define how you will evidence that the control has achieved them. For example, using the model defined by ISO/IEC 15504:

  • Level 0 – Incomplete: No process implemented, or little/no evidence of any systematic achievement of the process purpose (control not implemented / control does not deliver the expected results most of the time)
  • Level 1 – Performed: The process achieves its expected purpose (control delivers the expected results most of the time)
  • Level 3 – Established: The process is implemented using a defined (standard) process that is capable of achieving the expected outcomes (control delivers the expected results most of the time and is performed in a similar way in all places where it is applied)
  • Level 4 – Predictable: The process operates within defined limits to achieve its expected outcomes (control delivers the expected results with optimized resources)

This article will provide you with a further explanation about maturity models and ISO 27001:

2. How can we measure how effective is a control and how mature? Any resources that can help?

The effectiveness and maturity of a control can be measured against business-related objectives and KPIs (e.g., reduced incidents through incident management, increased customer satisfaction) and the costs related to its operation (the lower, the better).

This article will provide you with a further explanation about ISO 27001 KPIs:
