STANDARD FOR INFORMATION SECURITY MANAGEMENT UPDATED
April the 2nd 2009, Madrid
Following a series of important updates to the Information Security
Management Maturity Model, the ISM3 Consortium, with members from the
US, Spain, India and Colombia, today announced the worldwide launch of
version 2.3 of this advanced information security management standard.
Today, the ISM3 Consortium published the print version of Information
Security Management Maturity Model (ISM3) v2.3. The method has been
updated with security management metrics proven in the field, and a new
approach that defines security maturity objectively as a direct result
of the metrics used to manage information security processes.
ISM3 focuses on “Achievable Security” rather than “Absolute Security”.
Achievable security is a trade-off between absolute security and
business requirements. The traditional view that “Information Security
should prevent all attacks” is not realistic for most organizations.
ISM3 achieves its balance by mapping an organization’s business
objectives (such as product delivery and profitability) directly against
security objectives (such as ensuring data access only to authorized
users).
ISM3 builds on successful principles from the field of quality
management (Six Sigma, ISO9001), and applies these ideas to the field of
information security, providing an opportunity for organizations of all
types and sizes to enhance their ISM systems and align them with their
business needs. Implementations of ISM3 are compatible with ISO27001,
which establishes control objectives for each process. Implementations
use a management responsibilities framework similar to the IT Governance
Institute's CobIT framework model, which describes best practices in the
parent field of IT service management. ITIL users can use ISM3's process
orientation to seamlessly strengthen the ITIL security process. Using
ISM3-style metrics, objectives, and targets, it is possible to create
measurable Service Level Agreements for outsourced security processes.
The significant features of ISM3 are:
* Metrics for Information Security – “What you can’t measure, you can’t
manage, and what you can’t manage, you can’t improve” – ISM3 v2.3 is
probably the first information security standard to make information
security a measurable process by using metrics for every process. This
allows continuous improvement, as the standard defines criteria to
measure efficiency and performance.
* Capability Levels – ISM3 is the first standard that defines capability
in terms of metrics, a leap that makes ISM3's orientation to continuous
improvement unique.
* Maturity Levels – ISM3 comes in five different sizes, or maturity
levels. This makes it suitable for a wide range of organizations, from
the very large to the very small. Each maturity level is tailored to
the security objectives of the target organization.
* Process Based – ISM3 v2.3 is process based, which makes it especially
suited to organizations familiar with ISO9001 and those that use ITIL
as the IT management model. It also works well for outsourced services
as it provides a common language for collaboration between information
security clients and providers.
* Adopts best practices – implementation of ISM3 is facilitated by its
extensive cross-references to other established standards. The IT
governance model reflects best practices by clearly distributing
responsibility for information security processes between strategic,
tactical and operational levels of management.
* Accreditation – ISM systems based on ISM3 can be certified under
ISO9001 or ISO27001 systems, and ISM3 can be used as a tool to
implement an ISO27001 ISM system. This should increase its
attractiveness to organizations that already hold quality
certification or have experience with ISO9001.
About the ISM3 Consortium
The ISM3 Consortium represents the ISM3 business community. The
Consortium develops ISM3 and promotes and protects the ISM3 brand.
Learn more about the Consortium at http://tinyurl.com/ism3consortium
Learn more about ISM3 at http://tinyurl.com/ism3about
Steven McElwee on ISM3 at http://tinyurl.com/ism3others
Purchase the method from http://tinyurl.com/ism3v23
###
Media Contact
ISM3 Consortium
Vicente Aceituno
C. Olimpico Francisco Fernández Ochoa 9, 28923 Alcorcón, Madrid, Spain
0034696470328 - Available 8-5 Monday to Friday, Western European Time
consortium (at) ism3.com
www.ism3.com