Forwarded from: <consortium (at) ism3.com> STANDARD FOR INFORMATION SECURITY MANAGEMENT UPDATED April the 2nd 2009, Madrid Following a series of important updates to the Information Security Management Maturity Model, the ISM3 Consortium, with members from the US, Spain, India and Colombia, today announced the worldwide launch of version 2.3 of this advanced information security management standard. Today, the ISM3 Consortium published the print version of Information Security Management Maturity Model (ISM3) v2.3. The method has been updated with security management metrics proven in the field, and a new approach that defines security maturity objectively as a direct result of the metrics used to manage information security processes. ISM3 focuses on “Achievable Security” rather than “Absolute Security”. Achievable security is a trade-off between absolute security and business requirements. The traditional view that “Information Security should prevent all attacks” is not realistic for most organizations. ISM3 achieves its balance by mapping an organization’s business objectives (such as product delivery and profitability) directly against security objectives (such as ensuring data access only to authorized users). ISM3 builds on successful principles from the field of quality management (Six Sigma, ISO9001), and applies these ideas to the field of information security, providing an opportunity for organizations of all types and sizes to enhance their ISM systems and align them with their business needs. Implementations of ISM3 are compatible with ISO27001, which establishes control objectives for each process. Implementations use management responsibilities framework similar to the IT Governance Institute's CobIT framework model, which describes best practices in the parent field of IT service management. ITIL users can use ISM3 process orientation to seamlessly strengthen ITIL security process. Using ISM3 style metrics, objectives, and targets it is possible to create measurable Service Level Agreements for outsourced security processes. The significant features of ISM3 are: * Metrics for Information Security – “What you can’t measure, you can’t manage, and what you can’t manage, you can’t improve” – ISM3 v2.3 is probably the first information security standard to make information security a measurable process by using metrics for every process. This allows continuous improvement, as the standard defines criteria to measure efficiency and performance. * Capability Levels – ISM3 is the first standard that defines capability in terms of metrics, a leap that makes ISM3 orientation to continuous improvement unique. * Maturity Levels – ISM3 comes in five different sizes, or maturity levels. This makes it suitable for a wide range of organizations, from the very large to the very small. Each maturity level is tailored to the security objectives of the target organization. * Process Based – ISM3 v2.3 is process based, which makes it specially suited to organizations familiar with ISO9001 and those that use ITIL as the IT management model. It also works well for outsourced services as it provides a common language for collaboration between information security clients and providers. * Adopts best practices – implementation of ISM3 is facilitated by its extensive cross-references to other established standards. The IT governance model reflects best practices by clearly distributing responsibility for information security processes between strategic, tactical and operational levels of management. * Accreditation – ISM systems based on ISM3 can be certified under ISO9001 or ISO27001 systems, and ISM3 can be used as a tool to implement an ISO27001 ISM system. This should increase its attractiveness to organizations that already hold quality certification or have experience with ISO9001. About the ISM3 Consortium The ISM3 Consortium represents the ISM3 business community. The Consortium develops ISM3 and promotes and protects the ISM3 brand. Learn more about the Consortium at http://tinyurl.com/ism3consortium Learn more about ISM3 at http://tinyurl.com/ism3about Steven McElwee on ISM3 at http://tinyurl.com/ism3others Purchase the method from http://tinyurl.com/ism3v23 ### Media Contact ISM3 Consortium Vicente Aceituno C. Olimpico Francisco Fernández Ochoa 9, 28923 Alcorcón, Madrid, Spain 0034696470328 - Available 8-5 Monday to Friday, Western European Time consortium (at) ism3.com www.ism3.com _______________________________________________ Best Selling Security Books and More! http://www.shopinfosecnews.org/Received on Thu Apr 02 2009 - 04:02:00 PDT
This archive was generated by hypermail 2.2.0 : Thu Apr 02 2009 - 04:10:56 PDT