What is O-ISM3 good for?

There are several ways to use O-ISM3:

  • For someone who is using ISO9001: Build your ISMS using the ISO9001 principles and infrastructure you already have and understand;
  • For someone who has no IS Management System: Build your ISMS in stages around your Business Goals, not some external or artificial goals;
  • For someone who wants to outsource security processes: Find out exactly what to outsource, how to link it to internal processes and how to create SLAs;
  • For someone who wants to show commitment to security: Get a meaningful certificate that is not only compliant but useful (furthers business goals);
  • For someone who is already spending loads on IS: Use Security Targets and learn at least whether the IS management system is working, or use Metrics and manage your IS management system with or without Auditors around you;
  • For someone who is experiencing pains using other approaches: Tailor your processes to your needs on an environment-by-environment basis. Stop applying Production Environment requirements to your Development Environment;
  • For a CISO: Get to tell Top Management, Middle Management and Administrators what their security responsibilities are, in a more specific way than "Security is everyone's responsibility";
  • For businesses that are going out to tender for their services;
  • For businesses that require a consistent approach by all service providers in a supply chain;
  • For service providers to benchmark their IT service management;
  • As the basis for an independent assessment;
  • For an organisation which needs to demonstrate the ability to provide services that meet customer requirements;
  • For organisations which aim to improve service through the effective application of processes to monitor and improve service quality.

Standards, standards, standards. Are they any good?

In this video we take an overall view of the information security management process, linking Goals, Situational Awareness, Resources, Priorities, Plans, etc.

Conventional wisdom seems to assume that being intelligent is about having all the answers; but I beg to disagree. An intelligent manager is one who asks the right questions, as these will make evident what he knows and what he still has to learn about the complex landscape of his company. The right questions will put a manager on the right track towards a well-thought-out security strategy.

My favourite set of questions, seasoned with my own answers, follows.

  1. How do you know where you are? Perform assessments that compare your model of the company with theoretical models, which can be standards or compliance requirements.
  2. Where are you? This is answered by the assessment results, ranging from the result of a PenTest to finding your current O-ISM3 maturity.
  3. How safe is the organisation? This depends on what the security targets are, how mature the organisation's security management is, and the context of the organisation. A risk assessment can give a rough idea of where the organisation stands.
  4. How capable is the organisation of remaining safe? The higher the O-ISM3 capability level achieved, the more capable it is.
  5. Where would you like to be? An objective answer is to state your goals explicitly, among them: business goals, legal and standards compliance goals, and technical goals.
  6. How close to your goal can you afford to be? Unless your organisation has unlimited resources, you can express this using security targets.
  7. How much should be spent on security? The minimum needed to achieve your security targets. There is normally no need to achieve invulnerability.
  8. How can you get there? Get management commitment, procure resources, and plan the implementation of the security processes you can afford, starting with knowledge management.
  9. How do you stay there when you manage it yourself? Take decisions that get you closer to your security targets and use metrics to monitor your results.
  10. How do you stay there when you get someone to manage it for you? Agree on metrics-based SLAs with your providers and use them to monitor their results.
  11. How do you improve your ISMS's effectiveness and efficiency? Enhance the capability of your security processes using metrics and control charts.
  12. How good are you at staying there? Make an assessment of the capability of your security processes.
  13. How do you prove to others where you are? Get your ISMS certified.
