# Using BSIMM and SAMM Together — Assessments, Roadmaps, and Quarterly Reviews

> **Best practical pattern:** Use **SAMM** to define the roadmap and target maturity. Use **BSIMM** to benchmark whether your chosen capabilities resemble what mature organizations actually do.

## Why combine them?

Used together, the models cover each other’s blind spots.

| Need                                    | Best primary model                      | Why                                                                    |
| --------------------------------------- | --------------------------------------- | ---------------------------------------------------------------------- |
| Benchmark against mature organizations  | BSIMM                                   | It reflects observed practice across real initiatives                  |
| Define the target operating model       | SAMM                                    | It is purpose-built for staged improvement planning                    |
| Build a quarterly roadmap               | SAMM                                    | It provides a cleaner maturity target structure                        |
| Defend strategy to skeptical executives | BSIMM + SAMM                            | One gives outside-world realism, the other gives structured next steps |
| Decide what capability to fund next     | SAMM first, BSIMM as a confidence check | Roadmap first, benchmark second                                        |

## A practical operating model

### 1. Create a current-state view with SAMM

For each relevant practice, answer:

* what is our current maturity?
* what evidence supports that score?
* which weaknesses are creating the most delivery risk, response risk, or exposure?

### 2. Use BSIMM to sense-check your priorities

Ask:

* are we missing capabilities that mature software security initiatives commonly have?
* are we over-investing in one area while neglecting another?
* do our plans cover architecture, training, environment, and operational feedback — not just testing?

### 3. Build a roadmap by capability cluster

Good clusters:

* **governance and ownership**;
* **design and architecture**;
* **testing and release control**;
* **deployment and runtime**;
* **response and continuous improvement**.

### 4. Review progress in quarterly leadership language

Instead of presenting “we moved from 1.7 to 2.1,” present:

* which capabilities became real;
* what risk is now better controlled;
* what delivery friction was removed;
* what decision is needed next.

## Example 12-month model

### Quarter 1 — establish the truth

* run a SAMM-based current-state assessment;
* map existing controls and rituals to BSIMM practices;
* identify the three most material gaps by business risk;
* define owners and evidence expectations.

### Quarter 2 — implement foundation controls

* fix the weakest high-risk practices first;
* define secure design, build, and deployment standards;
* start evidence-based leadership reporting.

### Quarter 3 — strengthen distributed execution

* expand training and champion enablement;
* operationalize release evidence and exception review;
* improve telemetry and operational feedback into engineering.

### Quarter 4 — shift from project to program

* move guardrails into defaults and templates;
* use BSIMM framing in executive narratives;
* reset target maturity for the next year based on actual progress.

## How to use this in quarterly reviews

### What to show

| Slide                | What to include                                                                                 |
| -------------------- | ----------------------------------------------------------------------------------------------- |
| Current state        | Three to five capability gaps stated in plain English                                           |
| Target state         | Which practices are being uplifted this year and why                                            |
| Evidence of progress | New defaults, new adoption, reduced manual review, better response, improved release confidence |
| Risk translation     | What this means for customer trust, resiliency, and engineering efficiency                      |
| Decisions needed     | Headcount, platform support, policy change, sequencing, or executive sponsorship                |

### What to avoid

* a maturity heat map with no narrative;
* a benchmark score with no explanation of business meaning;
* activity lists disconnected from risk, scale, or cost.

## Where each model helps the director most

### BSIMM helps directors with:

* executive credibility;
* peer framing;
* explaining why Product Security needs to span engineering and operations;
* showing that a broader operating model is normal in mature firms.

### SAMM helps directors with:

* sequencing change;
* assigning ownership;
* making maturity measurable;
* preventing one-dimensional growth.

## A strong recommendation for Product Security programs

If your Product Security function is already beyond “just starting,” the most practical pattern is:

* **SAMM for planning**;
* **BSIMM for benchmarking**;
* **your own metrics and incidents for prioritization**.

That combination creates a program that is externally credible, internally actionable, and easier to govern.

## Cross-links

* [BSIMM and OWASP SAMM — Overview, Value, and Comparison](/metrics-audit-risk-evidence-and-compliance/index-3/bsimm-and-owasp-samm-overview-value-and-comparison.md)
* [BSIMM Deep Dive — Domains, Practices, and Manager Use](/metrics-audit-risk-evidence-and-compliance/index-3/bsimm-deep-dive-domains-practices-and-manager-use.md)
* [OWASP SAMM Deep Dive — Business Functions, Practices, and Roadmapping](/metrics-audit-risk-evidence-and-compliance/index-3/owasp-samm-deep-dive-business-functions-practices-and-roadmapping.md)
* [Director Packs, Scorecards, and Review Cadence](/metrics-audit-risk-evidence-and-compliance/index/director-packs-scorecards-and-review-cadence.md)
* [Quarterly Product Security Review — Worked Example](/metrics-audit-risk-evidence-and-compliance/index-2/quarterly-product-security-review-worked-example.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*
