ISM3 Logo
Home arrow About the Consortium
Tuesday, 24 March 2009
About the Consortium

Current Member Companies

ESTEC Security First Legion Global 4 M3 Security Valiant TechnologiesSeltika

Current Executive Council

ISM3 Consortium Chief Executive

Vicente Aceituno, ISM3 Consortium Chief ExecutiveVicente Aceituno Canal

ISM3 Consortium President

Anthony Nelson, ISM3 Consortium PresidentA. B. Nelson

ISM3 Editor

Edward Stanfeld, ISM3 EditorEdward Stansfeld

Other members

  • Mahi Dontamsetti, M3-Security
  • Juan Carlos Reyes, Seltika
  • Jose Luis Tallón, Global4
  • Anup Narayanan, First Legion Consulting
  • Daniel Cabrera, Global4


The ISM3 Consortium has been formed to represent the ISM3 business community.

The consortium mission is:

  • Conduct all activities that will make ISM3 a successful ISMS standard.
  • Promote and protect the ISM3 brand
  • Make ISM3 so successful it becomes a national and international standard.
  • Reward ISM3 developers and supporters for their efforts.
  • Help members to win more business.

 The consortium will be dissolved when ISM3 is handed over to ISO by the Consortium, and published by ISO.


The activities of the consortium will be directed to fulfilling its mission.

  • Edit and publish ISM3 and related material.
  • Creation of the "ISM3 approved" logo.
  • Protection of the "ISM3 approved" brand and ISM3 trademark.

Promotional activities will be undertaken by members and by the Consortium. The founding members will act as coordinators in each country, with the backend support of the Consortium, which will give the credibility for those efforts, for example:

  • Articles.
  • Comparisons with other standards.
  • Presentations.
  • Podcasts.
  • Speaking in conferences and events.
  • Contacts with professional associations and official certification and accreditation bodies.
  • Contact with IT analyst companies.
  • Carry the registry of ISM3 certified companies.
  • Carry the registry of ISM3 consultants, auditors, managers and trainers.

Members benefits

  • Members will gain an image of being a company that innovates.
  • Members will have a say on the future development of ISM3.
  • Members will have a say on the accreditation policies of the consortium.
  • The Consortium will provide accreditation services with a strong discount for members.

About the consortium Members

ESTEC Systems Corp

ESTec Systems Corp is an Information Security Consulting firm headquartered in Edmonton, Alberta, Canada. ESTec provides ISM3 and ISO 27001 audit services and Information Security Management System implementation guidance, as well as general Information Security consulting and training services. For further information on our services please visit ESTec is a public listed company on the TSX Venture exchange.

First Legion Consulting

First Legion Consulting is an Indo-European Information Security Management headquartered in Bangalore, India. First Legion focuses on two principal areas in information security, HIM-IS (Human Impact Management – Information Security) & Aligning information security to business processes using metrics (using ISM3). First Legion also provides training in these before-mentioned domains.

Global 4

Global4 focuses on technology from a professional, engineering point of view. With a high quality and a “no-nonsense” approach to IT, we effectively adopt our customer’s interests and goals as our own during each project’s lifetime. Systems Architecture, Engineering and Administration, Storage, Networking and Internet/Communication Services are our main work fields, with a “Do It Right” philosophy which encompasses Security as an integral part. For further information  please visit

M3 Security

M3 Security bridges security gaps. Using a Defense-in-Breadth philosophy, we help companies take a holistic approach to their security posture with our A.I.M (assessment, implementation and monitoring) suite of services. A.I.M provides lifecycle security management solutions and has been specifically developed as a response to today’s increasingly complex security challenges. M3 Security is based in the US and for further information, please visit


Colombian Consulting company focused in Information Security Services. Seltika have been helping its clients in the adoption of ISMS standards, Information Security Governance, Risk Analisys, Cyber-crime Prevention, Incident Response and Computer Forensics among other services. For further reference, please visit

Valiant Technologies

 Valiant Technologies is in the business of information security consulting and education across South Asia, Middle East and Far East.  The primary focus areas are information security management, technology, assurance, cyber crime investigation and digital forensics.  Valiant is a pure-play consulting organization that has helped clients in eleven countries to assess, interpret, position, learn, implement and sustain information security solutions during the past six years.  Built on a carefully developed and validated methodology combining best of breed technology, processes and people, Valiant solutions are designed to meet specific client requirements.


ISM3 Consortium Foundation Press Release 

ESTEC Systems Corp. (Canada), First Legion Consulting (India), Seltika (Colombia), Global 4 Ingenieria (Spain) and M3 Security (USA); in a worldwide effort for encouraging Information Security practices, are proud to announce the creation of the ISM3 Consortium. The Consortium will work to improve information security management (ISM) system practices and standards, fostering the use and certification of ISM3 both standalone and in concert with ISO27001, ITIL and Cobit.

The publication of ISM3 v2.00 (Information Security Management Maturity Model, pronounced ISM cubed) provides an opportunity for organizations of all types and sizes to enhance their ISM systems and align them with their business needs. ISM3 can be used standalone or to enhance ISO27001 ISM systems. In organizations that already use ISO9001, ITIL or Cobit, it provides a way to extend existing management systems into information security.

ISM3 focuses on “Achievable Security” rather than “Absolute Security”. Achievable security is a trade-off between absolute security and business requirements. The traditional view that “Information Security should prevent all attacks” is not realistic for most organizations. ISM3 achieves its balance by mapping an organization’s business objectives (such as product delivery and profitability) directly against security objectives (such as ensuring data access only to authorized users).

The significant features of ISM3 are:

Metrics for Information Security – “What you can’t measure, you can’t manage, and what you can’t manage, you can’t improve” – ISM3 v2.00 is probably the first information security standard to make information security a “measurable” process by using metrics for every process. This allows continuous improvement, as the standard defines criteria to measure efficiency and performance.

Maturity LevelsISM3 comes in five different sizes, or maturity levels. This makes it suitable for a wide range of organizations, from the very large to the very small. Each maturity level is tailored to the security objectives of the target organization. The appropriate maturity level depends on an organization’s size and business requirements.

Process BasedISM3 v2.00 is process based, which makes it specially suited to organizations familiar with ISO9001 and those that use ITIL as the IT management model. It also works well for outsourced services as it provides a common language for collaboration between information security clients and providers.

Adopts best practices – implementation of ISM3 is assisted by extensive cross-references to other established standards. The IT governance model reflects best practice by clearly distributing responsibility for information security processes between strategic, tactical and operational levels of management.

AccreditationISM systems based on ISM3 are accreditable under ISO9001 or ISO27001 schemes, and ISM3 can be used as a tool to implement an ISO27001 ISM system. This should increase its attractiveness to organizations that are already quality certified or have experience with ISO9001.

Business Friendly – A key advantage of using ISM3 for Senior Managers and Stakeholders is that Information Security is seen plainly as a business investment that can be measured by ROSI (Return on Security Investment).