Security Body of Knowledge

O-ISM3 SECBOK is a knowledge repository based on the O-ISM3 standard. To obtain the maximum benefit from O-ISM3 SECBOK, the organisation uses O-ISM3 SECBOK's documents, templates, examples and data schemas to formalise the organisation's day-to-day management system and activity in the area of ​​information security in a model that follows a methodology of continuous improvement.

Benefits of using O-ISM3 SECBOK

  1. Reduce time spent on process maintenance.
  2. Enable continuous improvement of processes.
  3. Reduce dependence on people or providers.
  4. Optimize the delegation capacity of the GISS in companies that support them.
  5. Increases the ability to more frequently review security procedures.
  6. Obtain a more uniform level of quality in the execution of security processes.

Formalizing the management system and daily activity following the scheme marked by O-ISM3 SECBOK has the following effects on the performance of the organization:

  1. When undocumented knowledge decreases, dependence on specific individuals or companies is lower.
  2. When knowledge is documented, different people or companies can perform activities with an equivalent level of quality. This increases competition and improves the negotiating position of the organization when contracting services. It is simpler, and therefore increases the flexibility to temporarily replace people for vacations, courses or events, which improves the working environment.
  3. By documenting knowledge, external audits do not entail additional effort for the organization, and can become almost transparent.
  4. When a change or improvement is introduced in an activity, this improvement reaches the whole team, even when it is large or distributed in time or space, immediately. This facilitates continuous improvement.
  5. Between 30 and 40 percent of the working time is used in determining what activity to do or how to do it. Documenting knowledge reduces this time in half, releasing time to perform useful activity and therefore improving the performance of work teams.
  6. The management of tasks by deliverables makes the distribution of responsibilities objective, not subjective, which improves coordination and relationship with the rest of the organization.
  7. Using O-ISM3 SECBOK, an equivalence between what is reported and the activity performed is obtained. In this way, the managers have all the information necessary to identify if the changes introduced give the expected results and what changes are necessary to improve the achievement of objectives or performance.

Three roles are defined for the use of O-ISM3 SECBOK:

  1. Process Designers maintain coordination between the knowledge repository (O-ISM3 SECBOK), the Deliverables Repository, the Workflow, and the Metrics Report and File. They also generate reports for Process Managers, and control the quality of knowledge.
  2. The Process Operators, following the Task Planning, use the knowledge repository for the performance of their functions, performing in compliance with the usual activities of execution of the processes and generating and archiving the deliverables either in the Deliverables Repository, Or in the Workflow. Operators can directly edit procedures as long as this does not make changes to the archiving of deliverables. This facilitates the rapid introduction of improvements in procedures.
  3. Process Managers use the reports to evaluate process performance and suggest improvements or changes to Process Designers according to the needs of the Treasury.

Four flows are defined:

  1. Management: Process Managers, based on the Reports generated by the Process Designers, make requests for change to the Designers which, in collaboration with the Operators, implement them in O-ISM3 SECBOK. Process Managers can also modify the Planning directly.
  2. Knowledge: Process Designers in collaboration with Managers and Operators, incorporate improvements in Knowledge (Procedures, templates, etc.)
  3. Results: Process Operators based on Planning and Workflow generate and archive Results.
  4. Requests: Users make requests that are satisfied by Process Operators.

This is the management report template, that includes Compliance, Performance, Governance, Risk and Maturity aspects :


The continuous improvement cycle works as follows:

  1. Managers update the schedule.
  2. The Operators execute the planning and the tasks on demand that arrive through the Workflow (or electronic mail), and generate the deliverables according to the procedures.
  3. Designers generate reports using metrics defined for each deliverable.
  4. Managers review reports and make management or improvement decisions. Some decisions can modify the planning, other decisions can imply changes in the processes.
  5. The Designers, with the collaboration of the Operators, modify the knowledge management of the processes, as well as their metrics and coordinate with the structure of the Task Planning, with the Deliverables Repository, with the Reports and the metrics file.

Please contact com@ism3.com to start using O-ISM3 SECBOK