Latest ISM3 version Published (18th of October)
The new and improved ISM3 v2.10 is now available in printed form
Improvements over v2.00:
- New risk assessment method, ISM3-RA based on ISM3 concepts;
- New Outsourcing and Service Level Agreement guidelines;
- Quarantine techniques have been added;
- New graphics;
- Updated Processes, References and Definitions.
ISM3 showcased at...
- ISACA Winnipeg November Security Management Conference 6th of November - Anthony B. Nelson, ESTEC.
- OWASP Security Summit 25th of October - Mahi Dontamsetti, M3-Security.
- Comtec, 22nd of May (Session BI – 210) - Mahi Dontamsetti, M3-Security.
- ISACA Winnipeg Security Conference, 6th of November - Anthony B. Nelson, ESTEC Security
Latest Articles and Links
- ENISA Quarterly July 2007 Metrics Article
- Hindu Business Online Article
- ISO27001.ES Podcast (in Spanish)
- ISSA Journal's October 2006 Article
Foundation Press Release
ESTEC Systems Corp. (Canada), First Legion Consulting (India), Seltika (Colombia), Global 4 Ingenieria (Spain) and M3 Security (USA); in a worldwide effort for encouraging Information Security practices, are proud to announce the creation of the ISM3 Consortium. The Consortium will work to improve information security management (ISM) system practices and standards, fostering the use and certification of ISM3 both standalone and in concert with ISO27001, ITIL and Cobit.
The publication of ISM3 v2.00 (Information Security Management Maturity Model, pronounced ISM cubed) provides an opportunity for organizations of all types and sizes to enhance their ISM systems and align them with their business needs. ISM3 can be used standalone or to enhance ISO27001 ISM systems. In organizations that already use ISO9001, ITIL or Cobit, it provides a way to extend existing management systems into information security.
ISM3 focuses on “Achievable Security” rather than “Absolute Security”. Achievable security is a trade-off between absolute security and business requirements. The traditional view that “Information Security should prevent all attacks” is not realistic for most organizations. ISM3 achieves its balance by mapping an organization’s business objectives (such as product delivery and profitability) directly against security objectives (such as ensuring data access only to authorized users).
The significant features of ISM3 are:
Metrics for Information Security – “What you can’t measure, you can’t manage, and what you can’t manage, you can’t improve” – ISM3 v2.00 is probably the first information security standard to make information security a “measurable” process by using metrics for every process. This allows continuous improvement, as the standard defines criteria to measure efficiency and performance.
Maturity Levels – ISM3 comes in five different sizes, or maturity levels. This makes it suitable for a wide range of organizations, from the very large to the very small. Each maturity level is tailored to the security objectives of the target organization. The appropriate maturity level depends on an organization’s size and business requirements.
Process Based – ISM3 v2.00 is process based, which makes it specially suited to organizations familiar with ISO9001 and those that use ITIL as the IT management model. It also works well for outsourced services as it provides a common language for collaboration between information security clients and providers.
Adopts best practices – implementation of ISM3 is assisted by extensive cross-references to other established standards. The IT governance model reflects best practice by clearly distributing responsibility for information security processes between strategic, tactical and operational levels of management.
Accreditation – ISM systems based on ISM3 are accreditable under ISO9001 or ISO27001 schemes, and ISM3 can be used as a tool to implement an ISO27001 ISM system. This should increase its attractiveness to organizations that are already quality certified or have experience with ISO9001.
Business Friendly – A key advantage of using ISM3 for Senior Managers and Stakeholders is that Information Security is seen plainly as a business investment that can be measured by ROSI (Return on Security Investment).
|