Maturity model for information security management
The Open Group announced a new information security management standard, The Open Group Information Security Management Maturity Model (O-ISM3), which enables the creation of Information Security Management (ISM) systems that are fully aligned with any organization’s business mission and compliance needs regardless of size, context and resources.
The new standard allows organizations to prioritize and optimize investments in information security, and enables continuous improvement of ISM systems using defined metrics. O-ISM3 is compatible with other ISM industry standards, such as the ISO 2700x series, ITIL and COBIT.
Intended to be a practical guide on security management for information security practitioners, O-ISM3 is the culmination of more than six years of work and collaboration by the ISM3 Consortium and The Open Group’s Security Forum.
With an increased need for organizations to protect their systems from security threats, information security management procedures help organizations ensure their security policies, measures and controls are effective.
O-ISM3 focuses on common information security processes that the majority of organizations share so operational metrics can be applied to security management processes and protection techniques. Using the standard, organizations can make more informed decisions about security investments through better alignment of security controls with key business objectives.
“Information security management has always lacked proper guidelines and best practices to design processes that increase security while aligning ISM with changing business goals,” stated Vicente Aceituno, Director of the ISM3 Consortium. “Our first deliverable through O-ISM3 addresses both of these pain points, while laying the foundation for better guidance within the industry.”
“There has long been a need for an information security management standard that permits alignment of security controls with business objectives and that enables continuous improvement of security processes,” said Jim Hietala, VP of Security for The Open Group. “By building upon work originally done in the ISM3 consortium, The Open Group Security Forum has been able to bring forward a new international standard for information security management, O-ISM3, that delivers a process-based approach to information security management, and that enables continuous improvement through the use of key security metrics.”
Among the organizations currently using O-ISM3 are CajaMadrid and the Swiss Armed Forces. CajaMadrid is a major financial institution headquartered in Madrid, Spain, and the Swiss Armed Forces is the primary defense force of Switzerland. Both organizations are using O-ISM3 to better manage their respective information security systems through O-ISM3's process-based approach, which allows organizations to build on current ISM efforts, define maturity levels and metrics, and easily reference current best practices.
Information security management is one of The Open Group Security Forum’s primary focuses, and the O-ISM3 standard is the first formal deliverable in its information security management work program. The Security Forum is also currently building maturity models for O-ISM3 and expects to extend the program by developing certification programs for the standard.
O-ISM3 is available for complimentary download here.