Laying the groundwork: Building security foundations at the partial stage

Every mature security program starts somewhere. For many organizations—especially startups and early-stage companies—this is what the NIST Cybersecurity Framework (CSF) calls the partial stage.

‍

At this level, security is often reactive. Teams operate with minimal resources and ad-hoc processes, working hard to meet customer or compliance demands but without the structure or long-term strategy needed to scale. While this stage can feel daunting, it represents an important first step when building a security program: laying the foundation for trust.

‍

What does the partial stage look like?

Based on Vanta’s first-party data from more than 12,000 customers, Partial organizations share common characteristics:

• SOC 2 is the most common certification (71%), followed by ISO 27001 (38%), HIPAA (17%), and GDPR (16%)
• 43% have started risk assessments, though many are still basic or ad-hoc
• 56% have incident response plans, but most remain untested—and 12% have no plan at all
• The median company has 15 security policies, but common gaps include GDPR compliance, GDPR incident response, and operations security
• On average, companies at this stage pass 62 out of 104 Vanta tests, with a 60% median control test pass rate

‍

Together, these stats show that partial-stage companies are laying important groundwork, but often are working toward growing consistency and repeatability.

‍

The biggest challenge: Resources

Moving beyond the partial stage requires commitment, but the data is clear: 48% of organizations cite limited budget and resources as their primary barrier. For early-stage teams, every dollar and headcount decision counts—which means security can feel like something to “get by” on rather than invest in.

‍

How to progress from partial to risk-informed

Security maturity doesn’t happen all at once—but it does begin with intention. Even small, deliberate steps can create meaningful momentum, helping your program move from partial to risk-informed. Here’s where to start:

• Hire your first dedicated security professional: Headcount is tight, especially for early-stage teams—but advancing your program requires clear ownership. Whether it’s a full-time lead or a consultant, having someone accountable lays the groundwork for stronger governance and long-term maturity.
• Develop a formal risk register: Move beyond one-off assessments. A documented register helps you identify vulnerabilities, prioritize remediation, and track progress over time.
• Use automation to save time: Automating evidence collection, policy management, and control testing helps overstretched teams build consistency without adding manual lift.

‍

With Vanta, partially mature organizations can accelerate faster—without the manual lift: 

• Get started fast with Vanta’s Compliance Roadmap and out-of-the-box frameworks like SOC 2 and ISO 27001 
• Right-size your controls and policies using built-in templates, tests, and documents
• Save time with automation through 375+ integrations that auto-collect audit evidence 
• Showcase early trust signals with a public-facing
• Trust Center and AI-powered chatbot 
• Lean on Vanta AI Agent to auto-map imported policies and detect SLA gaps

‍

Reaching the next tier—risk-informed—means embedding risk management into strategy, not just compliance. The right tools and guidance make that transition faster and easier.

‍

Download our 2025 Trust Maturity Report to see what security programs look like across the maturity curve and how you can up-level your program. If you’re not sure where you stand on the maturity curve, use our Cybersecurity Maturity Assessment Template to start tracking your progress.