Wednesday, July 25, 2007

What is ISM3?

The Information Security Management Maturity Model (ISM3, or ISM-cubed) extends ISO9001 quality management principles to information security management (ISM) systems. Rather than focussing on controls, it focusses on the common processes of information security, which are shared to some extent by all organisations.

Under ISM3, the common processes of information security are formally described, given performance targets and metrics, and used to build a quality-assured process framework. Performance targets are unique to each implementation and depend upon the business requirements and the resources available. Taken together, the performance targets for security become the Information Security Policy. The emphasis on the practical and the measurable is what makes ISM3 unusual, and the approach ensures that ISM systems adapt, without re-engineering, to changes in technology and risk.

Implementations of ISM3 are compatible with ISO27001 (Information Security Management Systems – Requirements), which establishes control objectives for each process. Implementations use a management responsibilities framework akin to the IT Governance Institute's CobIT framework model, which describes best practice in the parent field of IT service management. ITIL users can employ ISM3's process orientation to strengthen ITIL security processes seamlessly. Using ISM3-style metrics, objectives and targets, it is possible to create measurable Service Level Agreements for outsourced security processes.

ISM3 describes five basic ISM system configurations, equivalent to maturity levels, which are used to help organisations choose the scale of ISM system most appropriate to their needs. The maturity spectrum relates cost, risk and threat reduction, and enables incremental improvement, benchmarking and long-term targets.

ISM3 systems and products can be accredited through the ISM3 Consortium, and it is the intention of the ISM3 Consortium to strengthen linkages and compatibility with existing ISO standards, so that existing investment in ISM systems is protected as those systems are improved.

In summary, ISM3 aims to:

  • Enable the creation of ISM systems that are fully aligned with the business mission and compliance needs.
  • Be applicable to any organization regardless of size, context and resources.
  • Enable organisations to prioritize and optimize their investment in information security.
  • Enable continuous improvement of ISM systems using metrics.
  • Support the outsourcing of security processes.
