1.- What is ISM3?
The Information Security Management Maturity Model (ISM3, or ISM-cubed) extends ISO9001 quality management principles to information security management (ISM) systems. Rather than focussing on controls, it focusses on the common processes of information security, which are shared to some extent by all organisations.
Under ISM3, the common processes of information security are formally described, given performance targets and metrics, and used to build a quality assured process framework. Performance targets are unique to each implementation and depend upon business requirements and resources available. Altogether, the performance targets for security become the Information Security Policy. The emphasis on the practical and the measurable is what makes ISM3 unusual, and the approach ensures that ISM systems adapt without re-engineering in the face of changes to technology and risk.
Implementations of ISM3 are compatible with ISO27001 (Information Security Management Systems – Requirements), which establishes control objectives for each process. Implementations use a management responsibilities framework akin to the IT Governance Institute's CobIT framework model, which describes best practice in the parent field of IT service management. ITIL users can employ ISM3 process orientation to strengthen ITIL security processes seamlessly. Using ISM3-style metrics, objectives and targets, it is possible to create measurable Service Level Agreements for outsourced security processes.
ISM3 describes five basic ISM system configurations, equivalent to maturity levels, and these are used to help organisations choose the scale of ISM system most appropriate to their needs. The maturity spectrum relates cost, risk and threat reduction and enables incremental improvement, benchmarking and long term targets.
ISM3 systems and products are accreditable through the ISM3 Consortium, and it is the intention of the ISM3 Consortium to strengthen linkages and compatibility with existing ISO standards, so that existing investment in ISM systems is protected as ISM systems are improved.
In summary, ISM3 aims to:
- Enable the creation of ISM systems that are fully aligned with the business mission and compliance needs.
- Be applicable to any organization regardless of size, context and resources.
- Enable organisations to prioritize and optimize their investment in information security.
- Enable continuous improvement of ISM systems using metrics.
- Support the outsourcing of security processes.
2.- Who developed ISM3?
A team of experts led by Vicente Aceituno.
3.- Why was ISM3 developed? Are you reinventing the wheel?
The team felt there was room for improvement over current ISM standards. The result presents a series of advantages that can be used on its own or for enhancing other approaches.
4.- SSE-CMM (ISO21287) is a maturity standard for security. What need is there for another one?
In SSE-CMM's own words, SSE-CMM is "A tool for engineering organizations to evaluate their security engineering practices, a method by which security engineering evaluation organizations can establish confidence in the organizational capability; A standard mechanism for customers to evaluate a provider's security engineering capability", while ISM3 is a standard for security management (how to achieve the organization's mission despite errors, attacks and accidents with a given budget). They do not have the same subject matter.
5.- Why does ISM3 have maturity levels? Won't it make everything be more complicated and confusing?
Security and invulnerability shouldn't be mistaken for one another. One-size-fits-all approaches don't always suit organizations with different missions, contexts and resources. Different levels of maturity let them choose a baseline for their initial ISM, and the rest of the levels serve as milestones to higher (and more resource-consuming) ISM3 Levels as the organization evolves. Organizations that can only afford to invest 20% (achieving 80% of results) can show that they are doing everything reasonable, the first step to doing everything possible.
6.- Do I have to drop my current ISM system to adopt ISM3?
No. The existing investment in ISM systems is protected by ISM3. ISM3 describes processes in such a way that current practices can be easily adapted to ISM3 requirements.
7.- Under what license is ISM3 released?
The Creative Commons Attribution-NoDerivs License. This means you can use the method and distribute the method freely without modifications and preserving the copyright notice.
8.- Will future ISM3 versions be backwards compatible?
Yes.
9.- Do you plan to push ISM3 as a formal national or international standard?
Yes. That is the mission of the ISM3 Consortium.
10.- What do ISM3 metrics measure? Security? Risk?
ISM3 metrics do not measure risk or security directly. Metrics in ISM3 are process metrics that measure:
- Activity: The number of outputs produced, their mean age, the mean time between output submissions, the mean time to produce an output following input, and the worst-case time to produce an output following input.
- Scope: The proportion of the environment or system that is protected by the process and the percentage of the scope sampled.
- Unavailability: The time since a process has performed as expected upon demand (uptime), the frequency and duration of interruptions.
- Effectiveness: Number of inputs, mean time between inputs, and percentage of inputs that produce an output.
- Efficiency: Ratio between the number of outputs submitted and the available resources for this process in actual use.
- Load: Percentage of resources in actual use.
- Quality: Accuracy, precision, or other measurements of fitness for purpose of the output, when applicable.
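The metric families above are easier to reason about when computed from an actual process log. The following is an added example (not part of the ISM3 specification or of this FAQ): a small Python module that derives the Activity, Scope, Unavailability, Effectiveness, Efficiency and Load figures for one process from constructed records. The record format, the helper names and the sample patch-deployment data are assumptions made for this illustration; Quality is omitted because its measurement depends on the output type.

```python
"""ISM3-style process metrics computed from a process log.

Added illustration, not code from the ISM3 specification. The record layout
(one input, optionally paired with the time its work product was submitted),
the function names and the sample data are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcessRecord:
    """One input to the process and, if the process produced its work product,
    the time that output was submitted (None while the input is still open)."""
    received: datetime
    output_at: Optional[datetime] = None


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def _mean_gap_hours(times: List[datetime]) -> Optional[float]:
    """Mean spacing between consecutive timestamps; None if fewer than two."""
    times = sorted(times)
    if len(times) < 2:
        return None
    return mean(_hours(b - a) for a, b in zip(times, times[1:]))


def activity_metrics(records: List[ProcessRecord], now: datetime) -> Dict[str, Optional[float]]:
    """Activity: outputs produced, their mean age, mean time between
    submissions, and mean / worst-case time from input to output."""
    done = [r for r in records if r.output_at is not None]
    lead_times = [_hours(r.output_at - r.received) for r in done]
    return {
        "outputs": len(done),
        "mean_output_age_h": mean(_hours(now - r.output_at) for r in done) if done else None,
        "mean_time_between_outputs_h": _mean_gap_hours([r.output_at for r in done]),
        "mean_time_to_output_h": mean(lead_times) if lead_times else None,
        "worst_time_to_output_h": max(lead_times) if lead_times else None,
    }


def effectiveness_metrics(records: List[ProcessRecord]) -> Dict[str, Optional[float]]:
    """Effectiveness: inputs received, mean time between inputs, and the
    percentage of inputs that actually produced an output."""
    produced = sum(1 for r in records if r.output_at is not None)
    return {
        "inputs": len(records),
        "mean_time_between_inputs_h": _mean_gap_hours([r.received for r in records]),
        "pct_inputs_with_output": 100.0 * produced / len(records) if records else None,
    }


def scope_metrics(protected: int, total: int, sampled: int) -> Dict[str, Optional[float]]:
    """Scope: share of the environment the process protects, and the share of
    that scope that was sampled when the other metrics were measured."""
    return {
        "pct_protected": 100.0 * protected / total if total else None,
        "pct_sampled": 100.0 * sampled / protected if protected else None,
    }


def unavailability_metrics(interruptions: List[Tuple[datetime, datetime]],
                           period_start: datetime, period_end: datetime) -> Dict[str, Optional[float]]:
    """Unavailability: frequency and duration of interruptions, plus uptime
    as the share of the period in which the process was available on demand."""
    durations = [_hours(end - start) for start, end in interruptions]
    downtime = sum(durations)
    return {
        "interruptions": len(durations),
        "total_downtime_h": downtime,
        "mean_interruption_h": mean(durations) if durations else None,
        "uptime_pct": 100.0 * (1.0 - downtime / _hours(period_end - period_start)),
    }


def resource_metrics(outputs: int, resources_in_use: float,
                     resources_available: float) -> Dict[str, Optional[float]]:
    """Load (share of available resources actually used) and Efficiency
    (outputs submitted per unit of resource in actual use)."""
    return {
        "load_pct": 100.0 * resources_in_use / resources_available if resources_available else None,
        "efficiency_outputs_per_unit": outputs / resources_in_use if resources_in_use else None,
    }


# Constructed sample: a patch-deployment process over four days. Each input is
# an advisory received; the output is the deployment report for it.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_RECORDS = [
    ProcessRecord(T0, T0 + timedelta(hours=4)),
    ProcessRecord(T0 + timedelta(hours=24), T0 + timedelta(hours=36)),
    ProcessRecord(T0 + timedelta(hours=48), T0 + timedelta(hours=56)),
    ProcessRecord(T0 + timedelta(hours=72), None),  # still open: no output yet
]
NOW = T0 + timedelta(hours=96)
SAMPLE_INTERRUPTIONS = [(T0 + timedelta(hours=10), T0 + timedelta(hours=12)),
                        (T0 + timedelta(hours=60), T0 + timedelta(hours=64))]

if __name__ == "__main__":
    print(activity_metrics(SAMPLE_RECORDS, NOW))
    print(effectiveness_metrics(SAMPLE_RECORDS))
    print(scope_metrics(protected=180, total=200, sampled=45))
    print(unavailability_metrics(SAMPLE_INTERRUPTIONS, T0, NOW))
    print(resource_metrics(outputs=3, resources_in_use=1.5, resources_available=2.0))
```

Note that none of these figures says anything about risk directly, which is the point of the FAQ answer: an open input with no output after a day, or a worst-case lead time far above the mean, is information about the process that management can act on, whatever the control behind it.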
Every process in ISM3 contributes to the goals of the ISM, which are defined as:
- Prevent and mitigate incidents that could jeopardize the organization's property and the output of products and services that rely on information systems.
- Optimise the use of information, money, people, time and infrastructure.
11.- Can I use Risk Analysis to choose my ISM processes and design my ISM system?
Yes, you can use ISM3-RA (a risk assessment method based on ISM3 concepts), one of the referenced ones such as OCTAVE, MAGERIT or MEHARI, or your own methodology.
12.- Are there any advantages of using ISM3 instead of other ISMS method and a Risk Analysis?
There are several advantages of the ISM3 approach:
Management friendly - Everyone knows incidents are a fact of life. Upon an incident it should be possible to determine whether the ISMS has been successful or not, what failed, and improve the ISMS accordingly. ISM3 is process based, which enables this kind of management.
Process Based – ISM3 is especially attractive for organizations familiar with ISO9001 or those that use ITIL as the IT management model. The PDCA model is used in a process-by-process manner, not ISMS-wide. Every process is planned, performed, checked and acted upon, not the whole ISMS.
Outsourcing support - Using ISM3 fosters the collaboration between information security clients and providers, as the outsourcing of security processes is enabled by explicit mechanisms for outsourcing. For example, work products and metrics help to define the scope of the outsourced service and the definition of SLA.
Maturity Levels - This helps organizations with limited resources to prioritise their investment getting the maximum reduction of investment at every step. An ISMS project can be long, so maturity levels help to show progress too.
References – There are extensive references to established standards for every process.
Distribution of responsibilities – There is a clear division of responsibilities between leaders, managers and technical personnel using the concepts of Strategic, Tactical and Operational Management.
Accreditation - ISMSs based on ISM3 are accreditable under ISO9001 or ISO27001 schemes, which means that you can use ISM3 to implement an ISO 27001 based ISMS. This will be attractive as well to organizations that are already quality certified and have experience and infrastructure for ISO9001. ISM3 certification enables trust relationships among clients, providers, partners and vendors.
Business Friendly – Business Objectives and Security Objectives help senior managers and stakeholders to clearly see that security is not just related to business objectives; it is all about achieving business objectives. The success of ISMS systems is formulated in business terms.
13.- It looks like you just propose a new list of controls. Are a control and a process the same thing?
Processes and controls are different. Both controls and processes can be audited by testing them. For example, a control like "No information or information systems should be removed from the premises without authorization" can be audited by trying to remove an information system from the premises without authorization.
Process results are defined (Work Products), so it is very clear what to do to implement the process, and the process can be improved using the process metrics. On the other hand, controls don't have a defined result, which makes them less management friendly, as a malfunctioning control doesn't produce the information (result) necessary to learn what went wrong and take a management decision to fix it.
14.- Does ISM3 use confidentiality, integrity, availability, authentication, non repudiation, etc?
ISM3 uses the following list of security objectives:
- Use of services and access to repositories is restricted to authorized users;
- Intellectual property is accessible to authorized users only;
- Personal information of clients and employees is accessible for a valid purpose to authorized users only and is held for no longer than required;
- Secrets are accessible to authorized users only;
- Third party services and repositories are appropriately licensed and accessible only to authorized users;
- Information repositories and systems are physically accessible only to authorized users;
- Availability of repositories, services and channels exceeds client needs;
- Reliability and performance of services and channels exceeds client needs;
- Existence of repositories and services is assured for exactly as long as client requirements;
- Expired or end of life-cycle repositories are permanently destroyed;
- Precision, relevance and consistency of repositories is assured;
- Accurate time and date is reflected in all records;
- Users are accountable for the repositories and messages they create or modify;
- Users are accountable for their use of services and acceptance of contracts and agreements.
So the answer is yes and no. The concepts are there, but ISM3 expresses them in an unambiguous way.
15.- Does ISM3 compete with ISO27001, ITIL or Cobit?
No, ISM3 can be used standalone or to enhance ISO27001, ITIL and Cobit based systems.
16.- I see ISM3 doesn't follow ISO27001. Can an ISM system be ISM3 and ISO27001 compliant?
ISM3 is a specification for creating ISM systems, so ISM3 itself doesn't need to be ISO27001 compliant. Certification is performed on specific ISM systems, so ISM3 can be used to create ISO27001 compliant ISM systems, which will have to use risk analysis/assessment and implement all applicable ISO27001 controls.
17.- Why can’t I choose what processes to implement to get my ISM3 based ISMS system certified?
Choice is generally speaking good, but too much choice leads to very different ISMS getting the same certification. As non-equivalent ISMS shouldn’t get the same certificate, choice is restricted for certification, but not, obviously, for implementation.
18.- How are ISECOM SOMA and ISM3 related? Is ISM3 an ISECOM project?
ISM3 v1.0 was an ISECOM project, later versions are not. SOMA is an ISECOM project that started in 2006. We will publish a comparison between ISM3 and SOMA as soon as any deliverables are published. None have been so far.