All businesses need information security to protect our systems from the risk of threats. This Open Information Security Management Maturity Model (O-ISM3) supports information security practitioners in this fundamental task by covering the key areas required to minimise these threats:
Risk Management : identifying and estimating levels of exposure to the
likelihood of loss and how to manage those risks of loss;
Security Controls : crafting the IT Security Policy which assures operations are as secure as they need to be;
Security Management : supporting the selection, maintenance, and overall
Security Policy for the security controls deployed in a business enterprise.
The O-ISM3 standard focuses on the common processes of information security. It is technology-neutral, very practical and considers the business aspect in depth. This means that practitioners can use O-ISM3 with a wide variety of protection techniques used in the marketplace.
The distinctive benefits of O-ISM3 are:
A fully process-based approach
It breaks information security management down into a comprehensive but manageable number of processes, with specifically relevant security control(s) being identified. In addition it covers the principles of continuous improvement that O-ISM3 supports.
Maturity coverage
O-ISM3 defines information security management maturity in terms of the
operation of an appropriate complementary set of ISM3 information security
processes.
A business approach
The coverage considers the business drivers and also the specific business challenges of outsourcing and partnering. The critical issue of how to translate key business objectives to security objectives and targets is covered in depth.
Compatibility with ISO 9000 Quality Management
With similarities in structure and approach to quality management methods like ISO 9000, O-ISM3 also emphasises the practical and the measurable so that ISMSs can adapt without re-engineering in the face of changes to technology and risk.
Compatibility with ISO/IEC 27000
ISM3 is compatible in many ways with the ISO/IEC 27000:2009 standard, in addition provides a comprehensive framework for selecting, implementing, and managing a set of security processes to meet measurable business goals.
Compatibility with COBIT
O-ISM3 implementations use a management responsibilities framework consistent with the ISACA COBIT framework model.
Compatibility with ITIL
ITIL users can use the O-ISM3 process orientation to strengthen their ITIL security processes