- What is ISM3?
- Who developed ISM3?
- Why was ISM3 developed? Are you reinventing the wheel?
- SSE-CMM (ISO21287) is a maturity standard for security. What need is there for another one?
- Why does ISM3 have maturity levels? Won't that make everything more complicated and confusing?
- Do I have to drop my current ISM system to adopt ISM3?
No. The existing investment in ISM systems is protected by ISM3. ISM3 describes processes in such a way that current practices can be easily adapted to ISM3 requirements.
- Under what license is ISM3 released?
The Creative Commons Attribution-NoDerivs License. This means you can use and distribute the method freely, without modifications and preserving the copyright notice.
- Will future ISM3 versions be backwards compatible?
Yes.
- Do you plan to push ISM3 as a formal national or international standard?
Yes. That is the mission of the ISM3 Consortium.
- What do ISM3 metrics measure? Security? Risk?
- Can I use Risk Analysis to choose my ISM processes and design my ISM system?
- Are there any advantages to using ISM3 instead of another ISMS method and a Risk Analysis?
- It looks as if you are just proposing a new list of controls. Are a control and a process the same thing?
- Does ISM3 use confidentiality, integrity, availability, authentication, non-repudiation, etc.?
- Does ISM3 compete with ISO27001 and Cobit?
- I see ISM3 doesn't follow ISO27001. Can an ISM system be both ISM3 and ISO27001 compliant?
- Why can't I choose which processes to implement to get my ISM3-based ISMS system certified?