by Vicente Aceituno Canal
Optimizing ISO/IEC 27001 using O-ISM3
The Open Group has published a guide entitled Optimizing ISO/IEC 27001:2013 using O-ISM3 that will be of interest to organizations looking to take an ISO27001:2013 ISMS to higher maturity levels.
O-ISM3 brings continuous improvement to information security management, and it provides a framework for security decision-making that is top down in nature, where security controls, security objectives, and spending decisions are driven by (and aligned with) business objectives. We have for some time now heard from information security managers that they would like a resource aimed at showing how the O-ISM3 standard could be used in managing information security alongside ISO27001/27002.
This new guide provides specific guidance on this topic. We view this as an important resource, for the following reasons:
- O-ISM3 complements ISO27001/2 by adding the "how" dimension to information security management.
- O-ISM3 uses a process-oriented approach, defining inputs and outputs, and allowing for evaluation by process-specific metrics.
- O-ISM3 provides a framework for continuous improvement of information security processes.
Some of the specific guidance found in the guide includes these items:
- Maps O-ISM3 and ISO27001 security objectives.
- Maps ISO27001/27002 controls and documents to O-ISM3 security processes, documents, and outputs.
- Provides a critical linkage between the controls-based approach found in ISO27001 and the process-based approach found in O-ISM3.
If you are interested in information security management, we encourage you to have a look at Optimizing ISO/IEC 27001:2013 using O-ISM3.