

Wednesday, July 25, 2007


- What is ISM3?

- Who developed ISM3?

- Why was ISM3 developed? Are you reinventing the wheel?

- SSE-CMM (ISO21287) is a maturity standard for security. What need is there for another one?

- Why does ISM3 have maturity levels? Won't it make everything more complicated and confusing?

- Do I have to drop my current ISM system to adopt ISM3?

No. The existing investment in ISM systems is protected by ISM3. ISM3 describes processes in such a way that current practices can be easily adapted to ISM3 requirements.

- Under what license is ISM3 released?

The Creative-Commons Attribs-NonDerivs License. This means you can use and distribute the method freely, provided it is unmodified and the copyright notice is preserved.

- Will future ISM3 versions be backwards compatible?


- Do you plan to push ISM3 as a formal national or international standard?

Yes. That is the mission of the ISM3 Consortium.

- What do ISM3 metrics measure? Security? Risk?

- Can I use Risk Analysis to choose my ISM processes and design my ISM system?

- Are there any advantages of using ISM3 instead of another ISMS method and a Risk Analysis?

- It looks as if you just propose a new list of controls. Are a control and a process the same thing?

- Does ISM3 use confidentiality, integrity, availability, authentication, non-repudiation, etc.?

- Does ISM3 compete with ISO27001 and Cobit?

- I see ISM3 doesn't follow ISO27001. Can an ISM system be ISM3 and ISO27001 compliant?

- Why can’t I choose which processes to implement to get my ISM3-based ISMS system certified?
