SOC-CMM scores a security operations function across five domains: Business, People, Process, Technology and Services. Each is scored 0-5, where 0 is "not performed" and 5 is "optimized and continuously improving".
Business asks whether the SOC's mandate, budget and reporting lines are formally defined. People covers staffing levels, skills and shift coverage. Process covers documented, repeatable procedures for triage, escalation and reporting. Technology covers tooling — SIEM, SOAR, threat intelligence — and how well it is tuned rather than simply purchased. Services covers what the SOC actually delivers day to day: monitoring, threat hunting, vulnerability management, incident response.
A board does not need the full questionnaire. It needs five numbers, a trend line, and one paragraph on what the lowest-scoring domain will cost to move up a level.