This paper aims to study maturity models and how they can benefit organisations by developing a maturity model framework for IT security. The first part of the paper includes a discussion of maturity models and how they are applicable to the IT Security process and sets out the benefits of a maturity model approach to an organisation. The second part discusses examples of different maturity levels for different processes involved in the IT Security process. The paper concludes by comparing different maturity models in IT Security/Governance.