Open Group publishes new information security management standards

The new standard, the Open Group Information Security Management Maturity Model (O-ISM3), allows organizations to prioritize and optimize investments in information security, as well as enable continuous improvement of ISM systems using defined metrics, the group said.

O-ISM3, a product of six years of work and collaboration between the Open Group's Security Forum and the ISM3 Consortium, focuses on common information security processes that most organizations share, so operational metrics can be applied to security management processes and protection techniques.

"Information security management has always lacked proper guidelines and best practices to design processes that increase security while aligning ISM with changing business goals", said Vicente Aceituno, manager at Sistemas Informaticos Abiertos and director of the ISM3 Consortium. "Our first deliverable through O-ISM3 addresses both of these pain points, while laying the foundation for better guidance within the industry."

Explained Jim Hietala, vice president of security for the Open Group: "There has long been a need for an information security management standard that permits alignment of security controls with business objectives and that enables continuous improvement of security processes. By building upon work originally done in the ISM3 consortium, the Open Group Security Forum has been able to bring forward a new international standard for information security management, O-ISM3, that delivers a process-based approach to information security management, and that enables continuous improvement through the use of key security metrics."

Among the organizations currently using O-ISM3 are CajaMadrid, a financial institution headquartered in Madrid, and the Swiss Armed Forces. Both organizations are using O-ISM3 to manage their respective information security systems through O-ISM3's process-based approach, allowing organizations to build on current ISM efforts, define maturity levels and metrics, and reference current best practices.

O-ISM3 is compatible with other ISM industry standards, such as the ISO2700x series, ITIL, and COBIT, the Open Group said.

 
