
InfoTech conference

2024 International Conference on Information Technologies

Organisational Information Security Maturity Assessment Based on ISO 27001 and ISO 27002

Veselin Monev
New Bulgarian University
Bulgaria, Switzerland
Abstract:

This article proposes a practical methodology for performing information security maturity assessments in organisations which operate an Information Security Management System (ISMS) based on the ISO 27001:2013 standard. The methodology uses a COBIT 5-comparable method to evaluate the maturity level of the security controls and clauses in ISO 27001:2013 and leverages the guidelines in ISO 27002:2013. It was successfully used in an undisclosed company. Information security professionals can benefit from applying the same methodology, or a similar one, in organisations of various sizes and natures. The final product of the assessment consists of metrics and recommendations for improving the ISMS, which can be used for tactical and strategic decision-making, as well as input for organisational information security risk management.

Key words:
ISO 27001
Maturity
Assessment
ISO 27002
Evaluation