

Wednesday, July 25, 2007

Are there any advantages of using ISM3 instead of other ISMS methods and a Risk Analysis?

There are several advantages of the ISM3 approach:

Management friendly - Everyone knows incidents are a fact of life. After an incident, it should be possible to determine whether the ISMS has been successful or not, identify what failed, and improve the ISMS accordingly. ISM3 is process based, which enables this kind of management.

Process Based – ISM3 is especially attractive for organizations familiar with ISO9001 or those that use ITIL as the IT management model. The PDCA model is applied process by process, not ISMS wide. Every process is planned, performed, checked and acted upon, not the whole ISMS.

Outsourcing support - Using ISM3 fosters the collaboration between information security clients and providers, as the outsourcing of security processes is enabled by explicit mechanisms for outsourcing. For example, work products and metrics help to define the scope of the outsourced service and the definition of SLA.

Maturity Levels - This helps organizations with limited resources to prioritise their investment, getting the maximum reduction of investment at every step. An ISMS project can be long, so maturity levels help to show progress too.

References – There is an extensive reference to established standards for every process.

Distribution of responsibilities – There is a clear division of responsibilities between leaders, managers and technical personnel using the concepts of Strategic, Tactical and Operational Management.

Accreditation - ISMSs based on ISM3 are accreditable under ISO9001 or ISO27001 schemes, which means that you can use ISM3 to implement an ISO 27001 based ISMS. This will also be attractive to organizations that are already quality certified and have experience and infrastructure for ISO9001. ISM3 certification enables trust relationships among Clients, Providers, Partners and Vendors.

Business Friendly – Business Objectives and Security Objectives help Senior Managers and Stakeholders to clearly see that Security is not just related to business objectives; it is all about achieving business objectives. The success of ISMS systems is formulated in business terms.

