[ISN] STANDARD FOR INFORMATION SECURITY MANAGEMENT UPDATED

From: InfoSec News <alerts_at_private>
Date: Thu, 2 Apr 2009 05:02:00 -0600 (CST)
Forwarded from: <consortium (at) ism3.com>

STANDARD FOR INFORMATION SECURITY MANAGEMENT UPDATED

April the 2nd 2009, Madrid

Following a series of important updates to the Information Security 
Management Maturity Model, the ISM3 Consortium, with members from the 
US, Spain, India and Colombia, today announced the worldwide launch of 
version 2.3 of this advanced information security management standard.

Today, the ISM3 Consortium published the print version of Information 
Security Management Maturity Model (ISM3) v2.3. The method has been 
updated with security management metrics proven in the field, and a new 
approach that defines security maturity objectively as a direct result 
of the metrics used to manage information security processes.

ISM3 focuses on “Achievable Security” rather than “Absolute Security”. 
Achievable security is a trade-off between absolute security and 
business requirements. The traditional view that “Information Security 
should prevent all attacks” is not realistic for most organizations. 
ISM3 achieves its balance by mapping an organization’s business 
objectives (such as product delivery and profitability) directly against 
security objectives (such as ensuring data access only to authorized 
users).

ISM3 builds on successful principles from the field of quality 
management (Six Sigma, ISO9001), and applies these ideas to the field of 
information security, providing an opportunity for organizations of all 
types and sizes to enhance their ISM systems and align them with their 
business needs. Implementations of ISM3 are compatible with ISO27001, 
which establishes control objectives for each process.  Implementations 
use management responsibilities framework similar to the IT Governance 
Institute's CobIT framework model, which describes best practices in the 
parent field of IT service management. ITIL users can use ISM3 process 
orientation to seamlessly strengthen ITIL security process. Using ISM3 
style metrics, objectives, and targets it is possible to create 
measurable Service Level Agreements for outsourced security processes.

The significant features of ISM3 are:

* Metrics for Information Security – “What you can’t measure, you can’t 
  manage, and what you can’t manage, you can’t improve” – ISM3 v2.3 is 
  probably the first information security standard to make information 
  security a measurable process by using metrics for every process. This 
  allows continuous improvement, as the standard defines criteria to 
  measure efficiency and performance.

* Capability Levels – ISM3 is the first standard that defines capability 
  in terms of metrics, a leap that makes ISM3 orientation to continuous 
  improvement unique.

* Maturity Levels – ISM3 comes in five different sizes, or maturity 
  levels. This makes it suitable for a wide range of organizations, from 
  the very large to the very small. Each maturity level is tailored to 
  the security objectives of the target organization.

* Process Based – ISM3 v2.3 is process based, which makes it specially 
  suited to organizations familiar with ISO9001 and those that use ITIL 
  as the IT management model. It also works well for outsourced services 
  as it provides a common language for collaboration between information 
  security clients and providers.

* Adopts best practices – implementation of ISM3 is facilitated by its 
  extensive cross-references to other established standards. The IT 
  governance model reflects best practices by clearly distributing 
  responsibility for information security processes between strategic, 
  tactical and operational levels of management.

* Accreditation – ISM systems based on ISM3 can be certified under 
  ISO9001 or ISO27001 systems, and ISM3 can be used as a tool to 
  implement an ISO27001 ISM system. This should increase its 
  attractiveness to organizations that already hold quality 
  certification or have experience with ISO9001.


About the ISM3 Consortium
The ISM3 Consortium represents the ISM3 business community. The 
Consortium develops ISM3 and promotes and protects the ISM3 brand.

Learn more about the Consortium at http://tinyurl.com/ism3consortium
Learn more about ISM3 at http://tinyurl.com/ism3about
Steven McElwee on ISM3 at http://tinyurl.com/ism3others
Purchase the method from http://tinyurl.com/ism3v23

###

Media Contact
ISM3 Consortium
Vicente Aceituno
C. Olimpico Francisco Fernández Ochoa 9, 28923 Alcorcón, Madrid, Spain
0034696470328 - Available 8-5 Monday to Friday, Western European Time
consortium (at) ism3.com
www.ism3.com


_______________________________________________      
Best Selling Security Books and More!
http://www.shopinfosecnews.org/
Received on Thu Apr 02 2009 - 04:02:00 PDT

This archive was generated by hypermail 2.2.0 : Thu Apr 02 2009 - 04:10:56 PDT