Intelligent support for assessing the level of maturity of information security
BRICEAG, Briceag. Intelligent support for assessing the level of maturity of information security. In: Mathematics and Information Technologies: Research and Education, Ed. 2021, 1-3 July 2021, Chişinău. Chișinău, Republic of Moldova: 2021, p. 94.
Mathematics and Information Technologies: Research and Education 2021
Conference "Mathematics and Information Technologies: Research and Education"
2021, Chişinău, Moldova, 1-3 July 2021
Pages 94-94

Briceag Briceag
Moldova State University
Available in IBN: 1 July 2021


Abstract

Determining the level of maturity of information security (IS) is a mandatory requirement and/or good practice for modern Internet and Web-based e-businesses.

Product architecture and used tools. During the doctoral research, a Web application was developed to identify the maturity level of the IS and the gaps in the IS controls, and to generate the risk report automatically; the report is then used to plan the actions needed to improve the IS. The backend uses PHP and MySQL, and the front end uses HTML, CSS and JavaScript, without any frameworks or dependencies on external libraries, with multi-criteria authentication (user + password + token). The application is based on a Flexible and Extendable Maturity Metamodel, which meets the best-known IS practices at the moment (e.g. the ISO 27k family, NIST SP 800, PCI DSS), the most widely accepted vulnerability dictionaries, and the solutions and products recommended by IS, and is intended for the subsequent intelligent generation of particular models.

Application domains. The application is built and approved for commercial banks, but it can be used for any other institution.

Application scenario. In the first stage, the supervisor, auditor or regulator (SAR) configures the assessment areas and their content. After that, the institution approves and completes the questionnaire, divided by areas, and self-evaluates its maturity level according to the descriptors, attaching evidence. In the second stage, the SAR verifies the self-assessment report against reality, confirming or refuting the maturity level on each descriptor, commenting on the detected divergences/gaps and proposing recommended and/or mandatory areas for improvement. In the third stage, the institution analyzes the proposals and draws up an improvement plan in accordance with a scale (e.g. if the obtained maturity level is lower than required).
In the fourth stage, the application automatically generates a report with the risk and maturity levels (by area), also presented as dynamic radar graphics, on the levels of descriptors, risks and controls: e.g. 0-19%, not effective or missing = 1; 20-39%, needs improvement = 2; 40-59%, effective on average = 3; 60-79%, efficient = 4; 80-100%, strong/high = 5. All this provides the necessary support for the continuous monitoring and improvement of information security.
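As an added example, not the application's own code (the abstract says its backend is PHP/MySQL with a plain-JavaScript front end), the scoring logic behind stages 1-4 in JavaScript: the percentage-to-level scale quoted above, the SAR's confirm/refute pass that turns a self-assessment into verified descriptors plus divergences, and the comparison with a required level that decides whether an improvement plan is needed. The field names, the per-area "required level" and the sample descriptors are assumptions.

```javascript
// Maturity scale from the abstract: share of an area's descriptors that are in
// place, mapped to a level 1..5 (labels as the abstract gives them).
const MATURITY_SCALE = [
  { min: 0, max: 19, level: 1, label: "not effective or missing" },
  { min: 20, max: 39, level: 2, label: "needs improvement" },
  { min: 40, max: 59, level: 3, label: "effective on average" },
  { min: 60, max: 79, level: 4, label: "efficient" },
  { min: 80, max: 100, level: 5, label: "strong/high" },
];

function maturityLevel(percent) {
  // Clamp and round so every input (including NaN) lands in exactly one band.
  const p = Number.isFinite(percent) ? Math.round(Math.max(0, Math.min(100, percent))) : 0;
  return MATURITY_SCALE.find((b) => p >= b.min && p <= b.max);
}

// Stages 1-3 for one area: the institution's self-assessment per descriptor, the
// SAR's confirm/refute verdict with a comment, and an assumed per-area required level.
function assessArea(area) {
  const ds = area.descriptors;
  const pct = (count) => (ds.length === 0 ? 0 : (100 * count) / ds.length);
  const selfMet = ds.filter((d) => d.selfAssessed).length;
  const verifiedMet = ds.filter((d) => d.selfAssessed && d.sarConfirmed).length;
  const verified = maturityLevel(pct(verifiedMet));
  return {
    area: area.name,
    selfLevel: maturityLevel(pct(selfMet)).level,
    verifiedLevel: verified.level,
    label: verified.label,
    // Divergences: claimed by the institution, refuted by the SAR (stage 2).
    divergences: ds
      .filter((d) => d.selfAssessed && !d.sarConfirmed)
      .map((d) => ({ id: d.id, comment: d.sarComment || "" })),
    // Gaps: every descriptor not verified as in place; input to the plan (stage 3).
    gaps: ds.filter((d) => !(d.selfAssessed && d.sarConfirmed)).map((d) => d.id),
    improvementRequired: verified.level < area.requiredLevel,
  };
}
// Stage 4: the per-area report the radar chart would be drawn from.
const generateReport = (areas) => areas.map(assessArea);

// Constructed sample input (not from the paper).
const desc = (id, self, sar, comment) => ({ id, selfAssessed: self, sarConfirmed: sar, sarComment: comment });
const SAMPLE_AREAS = [
  { name: "Access control", requiredLevel: 4, descriptors: [
    desc("a1", true, true), desc("a2", true, true), desc("a3", true, false, "no evidence of periodic access review"),
    desc("a4", false, false), desc("a5", true, true) ] },
  { name: "Incident management", requiredLevel: 3, descriptors: [
    desc("b1", true, true), desc("b2", false, false), desc("b3", false, false), desc("b4", true, false, "playbook not tested") ] },
];
```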