-
What is ISM3?
ISM3 is a framework for Information Security Management systems. ISM3 looks at defining levels of security that are appropriate to the business mission and render a high return on investment.
-
Who developed ISM3?
A team of experts led by Vicente Aceituno.
-
Why was ISM3 developed? Are you reinventing the wheel?
The team felt there was room for improvement over current ISM standards. The result presents a series of advantages that can be used on its own or for enhancing other approaches.
-
Why does ISM3 have maturity levels? Won't it make everything be more complicated and confusing?
Security and invulnerability shouldn't be confused. One-size-fits-all approaches don't always suit organizations with different missions, contexts and resources. Different levels of maturity let them choose a baseline for their initial ISM, and the remaining levels serve as milestones towards higher (and more resource-consuming) ISM3 Levels as the organization evolves. Organizations that can only afford to invest 20% (achieving 80% of the results) can show that they are doing everything reasonable, the first step towards doing everything possible.
-
Do I have to drop my current ISM system to adopt ISM3?
No. The existing investment in ISM systems is protected by ISM3. ISM3 describes processes in such a way that current practices can be easily adapted to ISM3 requirements.
-
Under what license is ISM3 released?
The Creative Commons NoDerivs License. This means you can use the method and distribute it freely, as long as you do not modify it and you preserve the copyright notice.
-
Will future ISM3 versions be backwards compatible?
Yes.
-
Do you plan to push ISM3 as a formal national or international standard?
Yes. That is the mission of the ISM3 Consortium.
-
What do ISM3 metrics measure? Security? Risk?
ISM3 metrics don't measure risk or security directly. Metrics in ISM3 are process metrics that measure:
- Activity: the number of work products produced in a time period;
- Scope: the proportion of the environment or system that is protected by the process. For example, AV could be installed on only 50% of user PCs;
- Update: the time since the last update or refresh of the process work products and related information system. It also covers how up to date the information systems that perform or support the process are;
- Availability: the time since a process last performed as expected upon demand (uptime), and the frequency and duration of interruptions.
Every process in ISM3 contributes to the goals of the ISM, which are defined as:
- Prevent and mitigate incidents that could jeopardize the organization's property and the output of products and services that rely on information systems;
- Optimise the use of information, money, people, time and infrastructure.
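As an added illustration (not part of the ISM3 specification or this FAQ), the following Python computes the four process metrics described above for a hypothetical anti-virus (AV) process from constructed sample data:

```python
from datetime import datetime, timedelta

# Constructed sample data for a hypothetical "malware protection" process.
NOW = datetime(2024, 3, 1)
PERIOD = timedelta(days=30)

# Activity: one timestamp per work product (e.g. a signature-update report).
WORK_PRODUCTS = [datetime(2024, 2, 3), datetime(2024, 2, 10), datetime(2024, 2, 17),
                 datetime(2024, 2, 24), datetime(2023, 12, 1)]

# Scope: inventory of user PCs and whether the AV agent is installed.
INVENTORY = {"pc-01": True, "pc-02": True, "pc-03": False, "pc-04": False}

# Update: last refresh of the work product (signatures) and of the supporting system (agent).
LAST_SIGNATURE_REFRESH = datetime(2024, 2, 27)
LAST_AGENT_REFRESH = datetime(2023, 11, 15)

# Availability: (start, end) of interruptions of the AV service.
INTERRUPTIONS = [(datetime(2024, 2, 5, 8), datetime(2024, 2, 5, 10)),
                 (datetime(2024, 2, 20, 0), datetime(2024, 2, 20, 6))]


def activity(work_products, now=NOW, period=PERIOD):
    """Number of work products produced within the last `period`."""
    return sum(1 for t in work_products if now - period <= t <= now)


def scope(inventory):
    """Fraction of the environment covered by the process (0.0 to 1.0)."""
    if not inventory:            # an empty inventory means nothing is protected
        return 0.0
    return sum(1 for covered in inventory.values() if covered) / len(inventory)


def update_age_days(last_refresh, now=NOW):
    """Days since the last refresh of a work product or supporting system."""
    return (now - last_refresh).days


def availability(interruptions, now=NOW, period=PERIOD):
    """Uptime fraction over `period`, number of interruptions and mean duration in hours."""
    start = now - period
    # Clip interruptions to the measurement window; drop those entirely outside it.
    clipped = [(max(s, start), min(e, now)) for s, e in interruptions if e > start and s < now]
    downtime = sum((e - s for s, e in clipped), timedelta())
    uptime = 1 - downtime / period
    mean_hours = downtime.total_seconds() / 3600 / len(clipped) if clipped else 0.0
    return uptime, len(clipped), mean_hours
```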
-
Can I use Risk Analysis to choose my ISM processes and design my ISM system?
Yes, you can use your own methodology or one of the referenced ones, such as OCTAVE, MAGERIT or MEHARI.
-
Are there any advantages of using ISM3 instead of another ISMS method and a Risk Analysis?
There are several advantages of the ISM3 approach:
- Management friendly - Everyone knows incidents are a fact of life. Upon an incident it should be possible to determine whether the ISMS has been successful or not, what failed, and improve the ISMS accordingly. ISM3 is process based, which enables this kind of management.
- Process based - ISM3 is especially attractive for organizations familiar with ISO9001 or those that use ITIL as their IT management model. The PDCA model is applied process by process, not ISMS-wide: every process is planned, performed, checked and acted upon, rather than the whole ISMS.
- Outsourcing support - Using ISM3 fosters collaboration between information security clients and providers, as the outsourcing of security processes is enabled by explicit mechanisms for outsourcing. For example, work products and metrics help to define the scope of the outsourced service and the SLA.
- Maturity levels - These help organizations with limited resources to prioritise their investment, getting the maximum return from it at every step. An ISMS project can be long, so maturity levels help to show progress too.
- References - There are extensive references to established standards for every process.
- Distribution of responsibilities - There is a clear division of responsibilities between leaders, managers and technical personnel, using the concepts of Strategic, Tactical and Operational Management.
- Accreditation - ISMSs based on ISM3 are accreditable under ISO9001 or ISO27001 schemes, which means that you can use ISM3 to implement an ISO 27001 based ISMS. This will also be attractive to organizations that are already quality certified and have experience and infrastructure for ISO9001. ISM3 certification enables trust relationships among Clients, Providers, Partners and Vendors.
- Business friendly - Business Objectives and Security Objectives help Senior Managers and Stakeholders to clearly see that security is not something apart from business objectives: security is all about achieving business objectives. The success of an ISMS is formulated in business terms.
-
It looks as if you just propose a new list of controls. Are a control and a process the same thing?
Processes and controls are different. Both controls and processes can be audited by testing them. For example, a control like "No information or information systems should be removed from the premises without authorization" can be audited by trying to remove an information system from the premises without authorization.
Process results are defined (Work Products), so it is very clear what to do to implement the process, and the process can be improved using the process metrics. Controls, on the other hand, don't have a defined result, which makes them less management friendly: a malfunctioning control doesn't produce the information (result) necessary to learn what went wrong and take a management decision to fix it.
-
Does ISM3 use confidentiality, integrity, availability, authentication, non repudiation, etc?
ISM3 uses the following list of security objectives:
- Use of services and access to repositories is restricted to authorized users;
- Intellectual property is accessible to authorized users only;
- Personal information of clients and employees is accessible for a valid purpose to authorized users only and is held for no longer than required;
- Secrets are accessible to authorized users only;
- Third party services and repositories are appropriately licensed and accessible only to authorized users;
- Information repositories and systems are physically accessible only to authorized users;
- Availability of repositories, services and channels exceeds client needs;
- Reliability and performance of services and channels exceeds client needs;
- Existence of repositories and services is assured for exactly as long as client requirements;
- Expired or end of life-cycle repositories are permanently destroyed;
- Precision, relevance and consistency of repositories is assured;
- Accurate time and date is reflected in all records;
- Users are accountable for the repositories and messages they create or modify;
- Users are accountable for their use of services and acceptance of contracts and agreements;
So the answer is yes and no. The concepts are there, but ISM3 expresses them in an unambiguous way.
-
Does ISM3 compete with ISO27001 and Cobit?
No, ISM3 can be used standalone or to enhance ISO27001, ITIL and Cobit based systems.
-
I can see ISM3 doesn't follow ISO27001. Can an ISM system be both ISM3 and ISO27001 compliant?
ISM3 is a specification for creating ISM systems, so ISM3 itself doesn't need to be ISO27001 compliant. Certification is performed on specific ISM systems, so ISM3 can be used to create ISO27001 compliant ISM systems, which will have to use risk analysis/assessment and implement all applicable ISO27001 controls.
-
Why can't I choose which processes to implement to get my ISM3-based ISMS certified?
Choice is, generally speaking, good, but too much choice leads to very different ISMSs getting the same certification. As non-equivalent ISMSs shouldn't get the same certificate, choice is restricted for certification, but not, obviously, for implementation.