Press Release of V1.20

The publication of ISM3 v1.20 (Information Security Management Maturity Model, pronounced ISM cubed) offers many advantages for information security management systems. ISM3 can be used standalone or to enhance systems based on ITIL, ISO 27001 or COBIT.

The principal approach of ISM3 is based on “Achievable Security” rather than “Absolute Security”. By achievable security, ISM3 means that the objective of information security should be to ensure the realization of business objectives. The traditional view that “Information Security is to prevent attacks” is not realistic. ISM3 achieves this by mapping the business objectives of an organization (for example, deliver products on time) directly to security objectives (for example, ensure database access only to authorized users).

The significant features of ISM3 are:

Metrics for Information Security - “What you can't measure, you can't manage, and what you can't manage, you can't improve” - ISM3 v1.20 makes information security a “measurable” process by using metrics for every process, making it probably the first information security standard to do so. This allows for continuous improvement of the processes, as there are criteria to measure the efficiency and performance of the information security management system.

Maturity Levels - With this standard it is possible to create an ISMS (Information Security Management System) for small and large organizations alike. ISM3 has 5 maturity levels, each level tailored to the security objectives of the organization and the resources available to it. This makes it a standard suitable for organizations ranging from small businesses to behemoths.

Process Based - ISM3 v1.20 is process based, which makes it especially attractive for organizations familiar with ISO 9001 or those that use ITIL as their IT management model. Using ISM3 fosters collaboration between information security clients and providers, as the outsourcing of security processes is enabled by explicit mechanisms for outsourcing.

Adopts best practices - An ISM3 implementation enjoys advantages such as extensive references to established standards for every process, and the explicit distribution of responsibilities in the organization between leaders, managers and technical personnel using the concept of “Strategic, Tactical and Operational Management” for information security.

Accreditation - An ISMS based on ISM3 is accreditable under ISO 9001 or ISO 27001 schemes, which means that you can use ISM3 to implement an ISO 27001 based ISMS. This is also attractive to organizations that are already quality certified and have experience and infrastructure for ISO 9001.

Business Friendly - A key advantage of using ISM3 for an ISMS is that senior managers and stakeholders are able to clearly see information security as a business investment and measure ROSI (Return on Security Investment).