ISM3 Consortium
standards that work
Home

ISM3 is a framework for Information Security Management Systems. ISM3 looks at defining levels of security that are appropriate to the business mission and render a high return on investment.

Latest ISM3 version Published April 2009

The ISM3 Consortium has published the print version of Information Security Management Maturity Model (ISM3) v2.3. The method has been updated with security management metrics proven in the field, and a new approach that defines security maturity objectively as a direct result of the metrics used to manage information security processes.

The main novelties are:

  • Capability is not subjective any more. It depends on what types of metrics are used to manage every process. ISM3 is the first method that defines capability this way.
  • Metric types are now 7 instead of 4: Activity, Unavailability, Scope, Load, Quality, Efficacy and Efficiency.
  • GP-1 Document Management is updated to GP-1 Knowledge Management.
  • TSP-6 Define environments and lifecycles is updated to TSP-6 Security Architecture
  • OSP-23 Events Detection and Analysis is updated to OSP-23 Internal Events Detection and Analysis.
  • New process OSP-28 External Events Detection and Analysis takes care of reputation, copyright violations and phishing.
  • New process TSP-14 Information Operations includes intelligence and misinformation.
  • Maturity levels have been renamed as follows: Basic Level, SME Level, eCommerce Level, Enterprise Level and Military Level.
  • Enhanced metric management guidance (Measurement-Interpretation-Investigation-Representation-Diagnosis)

 Get ISM3 v2.3 here.

ISM3 showcased at... 

  • Miguel Ángel Navarrete, Cajamadrid's CISO, recommended ISM3 during Securmática 2009.
  • II Encuentro Nacional de la Industria de la Seguridad en España 22-24 October 2008 - Antonio Gordo, CajaMadrid.
  • VIII Jornada Nacional de Seguridad Informática 18-20 June 2008 - Juan Carlos Reyes, Seltika.
  • ISACA Winnipeg November Security Management Conference 6th of November 2007 -  Anthony B. Nelson, ESTEC.
  • OWASP Security Summit 25th of October 2007 -  Mahi Dontamsetti, M3-Security.
  • Comtec, 22nd of May 2007 (Session BI – 210) - Mahi Dontamsetti, M3-Security.

Latest Articles and Links

  • Usefulness of an Information Security Management Maturity Model March 2008 Article
  • Steven McElwee's article on ISM3 Maturity Levels, July, 2007
  • ENISA Quarterly July 2007 Metrics Article
  • Hindu Business Online Article
  • ISO27001.ES Podcast (in Spanish)
  • ISSA Journal's October 2006 Article