Download ISM3 here




1. What is ISM3?
ISM3 is a framework for Information Security Management systems. ISM3 has a strong conceptual background, has a gentle learning curve and helps private and public organizations to improve their governance and information assurance processes.

2. Who developed ISM3?
A team of experts leaded by Vicente Aceituno

3. Why was ISM3 developed? Are you reinventing the wheel?
We felt there was room for improvement over current ISM standards. The result presents a series of advantages that can be used on its own or for enhancing other approaches.

4. Why does ISM3 have maturity levels? Won't it make everything be more complicated and confusing?
All organizations have different mission, context and resources. Different levels let them choose a baseline for their initial ISM, and the rest of the levels serve as milestones to higher (and more resource-consuming) ISM3 Levels as the organization evolves. Avoiding a binary posture on compliance makes the model more useful.

5. Do I have to drop my current ISM system to adopt ISM3?
No. The existing investment in ISM systems is protected by ISM3. ISM3 describes processes in such a way that current practices can be easily adapted to ISM3 requirements.

6. Under what license is ISM3 released?
The Creative-Commons NonDerivs License. This means you can use the method and distribute the method freely without modifications and preserving the copyright notice.

7. Will future ISM3 versions be backwards compatible?

8. Do you plan to push ISM3 as a formal national of international


9. What do ISM3 metrics measure? Security? Risk?
ISM3 metrics don't measure risk or security directly. Metrics in ISM3
are process metrics that measure:

  • Activity: The number of work products produced in a time period;
  • Scope: The proportion of the environment or system that is protected by the process. For example, AV could be installed in only 50% of user PCs;
  • Update: The time since the last update or refresh of process work products and related information system. It refers as well to how updated are the information systems that perform or support the process;
  • Availability: The time since a process has performed as expected upon demand (uptime), the frequency and duration of interruptions.

Every process in ISM3 contributes to the goals of the ISM, which are
defined as:

  • Prevent and mitigate incidents that could jeopardize the organization's property and the output of products and services that rely on information systems;
  • Optimise the use of information, money, people, time and infrastructure.

10. Can I use Risk Analysis to choose my ISM processes and design my ISM system?
Yes, you can use your own methodology or one of the referenced ones
like OCTAVE, MAGERIT o MEHARI for example.

11. Are there any advantages of using ISM3 instead of other ISMS
method and a Risk Analysis?

There are several advantages of the ISM3 approach:

  • Management friendly - Everyone knows incidents are a fact of life. Upon an incident it should be possible to determine if ISMS has been successful or not, what failed, and improve the ISMS accordingly. ISM3 is process based, which enables this kind of management.
  • Process Based – ISM3 is especially attractive for organizations familiar with ISO9001 or those that use ITIL for as the IT management model. The PDCA model is used in a process by process manner, not ISMS wide. Every process is planned, performed, checked and acted upon, not the whole ISMS.
  • Outsourcing support - Using ISM3 fosters the collaboration between information security clients and providers, as the outsourcing of security processes is enabled by explicit mechanisms for outsourcing. For example, work products and metrics help to define the scope of the outsourced service and the definition of SLA.
  • Maturity Levels - This helps organizations with limited resources to prioritise their investment getting the maximum reduction of investment at every step. An ISMS project can be long, so maturity levels help to show progress too.
  • References –There is a extensive reference to established standards for every process.
  • Distribution of responsibilities – There is a clear division of responsibilities between leaders, managers and technical personnel using the concepts of Strategic, Tactical and Operational Management.
  • Accreditation - ISMS based in ISM3 are Accreditable under ISO9001 or ISO27001 schemes, which means that you can use ISM3 to implement an ISO 27001 based ISMS. This will be attractive as well to organizations that are already quality certified and have experience and infrastructure for ISO9001.
  • Business Friendly –Business Objectives and Security Objectives help Senior Managers and Stake Holders to clearly see and understand the linkage between business and information Security.

12. It looks like if you just propose a new list of controls. Are a
control and a process the same thing?

Processes and controls are different. Both controls and processes can be audited testing them. For example a control like "No information or information systems should be removed from the premises without authorization" can be audited by trying to remove an information system from the premises without authorization. Processes results are defined (Work Products), so it is very clear what to do to implement the process and the process can be improved using the process metrics. On the other hand, controls don't have a defined result, which makes them less management friendly.

13 Does ISM3 use confidentiality, integrity, availability, authentication, non repudiation, etc?
ISM3 uses the following list of security objectives:

  • Use of services and access to repositories is restricted to
    authorized users;
    • Intellectual property is accessible to authorized users only;
    • Personal information of clients and employees is accessible for a valid purpose to authorized users only and is held for no longer than required;
    • Secrets are accessible to authorized users only;
    • Third party services and repositories are appropriately licensed and accessible only to authorized users;
    • Information repositories and systems are physically accessible only to authorized users.
    • Availability of repositories, services and channels exceeds client
  • Reliability and performance of services and channels exceeds client
  • Existence of repositories and services is assured for exactly as
    long as client requirements;
  • Expired or end of life-cycle repositories are permanently destroyed;
  • Precision, relevance and consistency of repositories is assured;
  • Accurate time and date is reflected in all records;
  • Users are accountable for the repositories and messages they create or modify;
  • Users are accountable for their use of services and acceptance of
    contracts and agreements.

So the answer is yes and no. The concepts are there, but ISM3 expresses them in a unambiguous way.

14. Does ISM3 compete with ISO27001 and Cobit?
No, ISM3 can be use standalone or to enhance ISO27001, ITIL and Cobit based systems.

15. I can ISM3 doesn't follow ISO27001. Can a ISM system be ISM3 and ISO27001 compliant?
ISM3 is a specification for creating ISM systems, so ISM3 itself doesn't need to be ISO27001 compliant. Certification is performed on specific ISM systems, so ISM3 can be used to create ISO27001 compliant ISM systems, that will have to use risk analysis and implement all applicable ISO27001 controls.