Security Basics mailing list archives

ISM3 v1.20 published, a standard for advanced information security management


From: aceituno () yahoo com
Date: 4 Apr 2006 11:23:03 -0000

The publication of ISM3 v1.20 (Information Security Management Maturity
Model, pronounced ISM cubed) offers many advantages for information
security management systems. ISM3 can be used standalone or enhance
systems based on ITIL, ISO27001 or Cobit.

The principal approach of ISM3 is based on “Achievable Security” rather
than “Absolute Security”. By achievable security, ISM3 intends that the
objective of Information Security should ensure the realization of
business objectives. The traditional view that “Information Security is to
prevent attacks” is not realistic. ISM3 achieves this by mapping the
business objectives (e.g. deliver products on time) of an organization
directly to security objectives (e.g. ensure database access only to
authorized users).

The significant features of ISM3 are:

*Metrics for Information Security - “What you can't measure, you can't
manage, and what you can't manage, you can't improve” - ISM3 v1.20 makes
information security a “measurable” process by using metrics for every
process, making it probably the first information security standard to do
so. This allows for a continuous improvement of the processes, as there
are criteria to measure the efficiency and performance of the information
security management system.

*Maturity Levels - With this standard it is possible to create ISMS
(Information Security Management Systems) for small and big organizations.
ISM3 has 5 maturity levels, each level tailored to the security
objectives of the organization and available resources. This makes it a
standard for everything from small organizations to behemoths.

*Process Based - ISM3 v1.20 is process based, which makes it especially
attractive for organizations familiar with ISO9001 or those that use ITIL
as the IT management model. Using ISM3 fosters the collaboration
between information security clients and providers, as the outsourcing of
security processes is enabled by explicit mechanisms for outsourcing.

*Adopts best practices - ISM3 implementation enjoys advantages like the
extensive reference to established standards for every process, and the
explicit distribution of responsibilities in the organization between
leaders, managers and technical personnel using the concept of “Strategic,
Tactical and Operational Management” for Information Security.

*Accreditation - ISMS based on ISM3 are accreditable under ISO9001 or
ISO27001 schemes, which means that you can use ISM3 to implement an ISO
27001 based ISMS. This will be attractive as well to organizations that
are already quality certified and have experience and infrastructure for
ISO9001.

*Business Friendly – A key advantage of using ISM3 for ISMS is that Senior
Managers and Stakeholders are able to clearly see Information Security as
a business investment and measure ROSI (Return on Security Investment).

ISM3 v1.20 is freely downloadable from www.ism3.com.
