There are several ways to use O-ISM3:

• For someone who is using ISO9001: Build your ISMS using ISO9001 principles and infrastructure you already have and understand;
• For someone who has no IS Management System: Build your ISMS in stages around your Business Goals, not some external or artificial goals;
• For someone who wants to outsource security processes: Find out exactly what to outsource, who to link it to internal processes and how to create SLAs;
• For someone who want to show commitment with security: Get a meaningful certificate that is not only compliant but useful (further business goals);
• For someone who is already spending loads in IS: Use Security Targets and learn at least if the IS management system is working, or use Metrics and manage your IS management system with or without Auditors around you;
• For someone who is experiencing pains using other approaches: Suit you processes to your needs in an environment by environment basis. Stop using Production Environment requirement for your Development Environment;
• For a CISO: Get to tell Top Management, Middle Management and Administrators what are their responsibilities on security, in a more specific way than "Security is everyone's responsibility";
• For businesses that are going out to tender for their services; For businesses that require a consistent approach by all service providers in a supply chain;
• For  service providers to benchmark their IT service management; As the basis for an independent assessment;
• For an organisation which needs to demonstrate the ability to provide services that meet customer requirements;
• For  organizations which aims to improve service through the effective application of processes to monitor and improve service quality.