Optimizing ISO/IEC 27001 using O-ISM3


The Open Group published a guide entitled Optimizing ISO/IEC 27001:2013 using O-ISM3 that will be of interest to organizations looking to take their ISO27001:2013 ISMS to higher maturity levels.

O-ISM3 brings continuous improvement to information security management, and it provides a framework for security decision-making that is top down in nature, where security controls, security objectives, and spending decisions are driven by (and aligned with) business objectives. We have for some time now heard from information security managers that they would like a resource aimed at showing how the O-ISM3 standard could be used in managing information security alongside ISO27001/27002.

This new guide provides specific guidance on this topic. We view this as an important resource, for the following reasons:

  • O-ISM3 complements ISO27001/2 by adding the "how" dimension to information security management.
  • O-ISM3 uses a process-oriented approach, defining inputs and outputs, and allowing for evaluation by process-specific metrics.
  • O-ISM3 provides a framework for continuous improvement of information security processes.

Some of the specific guidance to be found in the guide includes these items:

  • Maps O-ISM3 and ISO27001 security objectives.
  • Maps ISO27001/27002 controls and documents to O-ISM3 security processes, documents, and outputs.
  • Provides a critical linkage between the controls-based approach found in ISO27001 and the process-based approach found in O-ISM3.

If you have an interest in information security management, we encourage you to have a look at Optimizing ISO/IEC 27001:2013 using O-ISM3.

and: