The main novelties are:
- Capability is no longer subjective. It depends on which types of metrics are used to manage each process. ISM3 is the first method that defines capability this way.
- There are now 7 metric types instead of 4: Activity, Unavailability, Scope, Load, Quality, Efficacy and Efficiency.
- GP-1 Document Management is updated to GP-1 Knowledge Management.
- OSP-23 Events Detection and Analysis is updated to OSP-23 Internal Events Detection and Analysis.
- TSP-6 Define environments and lifecycles is updated to TSP-6 Security Architecture.
- New process OSP-28 External Events Detection and Analysis takes care of reputation, copyright violations and phishing.
- New process TSP-14 Information Operations includes intelligence and misinformation.
- Maturity levels have been renamed as follows: Basic Level, SME Level, eCommerce Level, Enterprise Level and Military Level.
- Enhanced metric management guidance (Measurement-Interpretation-Investigation-Representation-Diagnosis).
Today, the ISM3 Consortium published the print version of Information Security Management Maturity Model (ISM3) v2.3. The method has been updated with security management metrics proven in the field, and a new approach that defines security maturity objectively as a direct result of the metrics used to manage information security processes.
ISM3 focuses on “Achievable Security” rather than “Absolute Security”. Achievable security is a trade-off between absolute security and business requirements. The traditional view that “Information Security should prevent all attacks” is not realistic for most organizations. ISM3 achieves its balance by mapping an organization’s business objectives (such as product delivery and profitability) directly against security objectives (such as ensuring data access only to authorized users).
ISM3 builds on successful principles from the field of quality management (Six Sigma, ISO9001) and applies these ideas to the field of information security, providing an opportunity for organizations of all types and sizes to enhance their ISM systems and align them with their business needs. Implementations of ISM3 are compatible with ISO27001, which establishes control objectives for each process. Implementations use a management responsibilities framework similar to the IT Governance Institute’s CobIT framework model, which describes best practices in the parent field of IT service management. ITIL users can use the ISM3 process orientation to seamlessly strengthen ITIL security processes. Using ISM3-style metrics, objectives and targets, it is possible to create measurable Service Level Agreements for outsourced security processes.
The significant features of ISM3 are:
- Metrics for Information Security – “What you can’t measure, you can’t manage, and what you can’t manage, you can’t improve” – ISM3 v2.3 is probably the first information security standard to make information security a measurable process by using metrics for every process. This allows continuous improvement, as the standard defines criteria to measure efficiency and performance.
- Capability Levels – ISM3 is the first standard that defines capability in terms of metrics, a leap that makes the ISM3 orientation to continuous improvement unique.
- Maturity Levels – ISM3 comes in five different sizes, or maturity levels. This makes it suitable for a wide range of organizations, from the very large to the very small. Each maturity level is tailored to the security objectives of the target organization.
- Process Based – ISM3 v2.3 is process based, which makes it especially suited to organizations familiar with ISO9001 and those that use ITIL as their IT management model. It also works well for outsourced services, as it provides a common language for collaboration between information security clients and providers.
- Adopts best practices – implementation of ISM3 is facilitated by its extensive cross-references to other established standards. The IT governance model reflects best practices by clearly distributing responsibility for information security processes between the strategic, tactical and operational levels of management.
- Accreditation – ISM systems based on ISM3 can be certified under ISO9001 or ISO27001 systems, and ISM3 can be used as a tool to implement an ISO27001 ISM system. This should increase its attractiveness to organizations that already hold quality certification or have experience with ISO9001.