NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > InfoSec News> 2009-q2

[ISN] STANDARD FOR INFORMATION SECURITY MANAGEMENT UPDATED

From: InfoSec News (alertsinfosecnews.org)
Date: Thu Apr 02 2009 - 06:02:00 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: <consortium (at) ism3.com>

STANDARD FOR INFORMATION SECURITY MANAGEMENT UPDATED

April the 2nd 2009, Madrid

Following a series of important updates to the Information Security
Management Maturity Model, the ISM3 Consortium, with members from the
US, Spain, India and Colombia, today announced the worldwide launch of
version 2.3 of this advanced information security management standard.

Today, the ISM3 Consortium published the print version of Information
Security Management Maturity Model (ISM3) v2.3. The method has been
updated with security management metrics proven in the field, and a new
approach that defines security maturity objectively as a direct result
of the metrics used to manage information security processes.

ISM3 focuses on “Achievable Security” rather than “Absolute Security”.
Achievable security is a trade-off between absolute security and
business requirements. The traditional view that “Information Security
should prevent all attacks” is not realistic for most organizations.
ISM3 achieves its balance by mapping an organization’s business
objectives (such as product delivery and profitability) directly against
security objectives (such as ensuring data access only to authorized
users).

ISM3 builds on successful principles from the field of quality
management (Six Sigma, ISO9001), and applies these ideas to the field of
information security, providing an opportunity for organizations of all
types and sizes to enhance their ISM systems and align them with their
business needs. Implementations of ISM3 are compatible with ISO27001,
which establishes control objectives for each process. Implementations
use management responsibilities framework similar to the IT Governance
Institute's CobIT framework model, which describes best practices in the
parent field of IT service management. ITIL users can use ISM3 process
orientation to seamlessly strengthen ITIL security process. Using ISM3
style metrics, objectives, and targets it is possible to create
measurable Service Level Agreements for outsourced security processes.

The significant features of ISM3 are:

* Metrics for Information Security – “What you can’t measure, you can’t
  manage, and what you can’t manage, you can’t improve” – ISM3 v2.3 is
  probably the first information security standard to make information
  security a measurable process by using metrics for every process. This
  allows continuous improvement, as the standard defines criteria to
  measure efficiency and performance.

* Capability Levels – ISM3 is the first standard that defines capability
in terms of metrics, a leap that makes ISM3 orientation to continuous
improvement unique.

* Maturity Levels – ISM3 comes in five different sizes, or maturity
  levels. This makes it suitable for a wide range of organizations, from
  the very large to the very small. Each maturity level is tailored to
  the security objectives of the target organization.

* Process Based – ISM3 v2.3 is process based, which makes it specially
  suited to organizations familiar with ISO9001 and those that use ITIL
  as the IT management model. It also works well for outsourced services
  as it provides a common language for collaboration between information
  security clients and providers.

* Adopts best practices – implementation of ISM3 is facilitated by its
  extensive cross-references to other established standards. The IT
  governance model reflects best practices by clearly distributing
  responsibility for information security processes between strategic,
  tactical and operational levels of management.

* Accreditation – ISM systems based on ISM3 can be certified under
  ISO9001 or ISO27001 systems, and ISM3 can be used as a tool to
  implement an ISO27001 ISM system. This should increase its
  attractiveness to organizations that already hold quality
  certification or have experience with ISO9001.

About the ISM3 Consortium
The ISM3 Consortium represents the ISM3 business community. The
Consortium develops ISM3 and promotes and protects the ISM3 brand.

Learn more about the Consortium at http://tinyurl.com/ism3consortium
Learn more about ISM3 at http://tinyurl.com/ism3about
Steven McElwee on ISM3 at http://tinyurl.com/ism3others
Purchase the method from http://tinyurl.com/ism3v23

###

Media Contact
ISM3 Consortium
Vicente Aceituno
C. Olimpico Francisco Fernández Ochoa 9, 28923 Alcorcón, Madrid, Spain
0034696470328 - Available 8-5 Monday to Friday, Western European Time
consortium (at) ism3.com
www.ism3.com

_______________________________________________
Best Selling Security Books and More!
http://www.shopinfosecnews.org/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]