The Information Security Management Maturity Model (ISM³ or ISM-cubed)
The Information Security Management Maturity Model (ISM³ or ISM-cubed) extends ISO9001 quality management principles to information security management (ISM) systems. Rather than focusing on controls, it focuses on the common processes of information security, which are shared to some extent by all organizations.
Under ISM³, the common processes of information security are formally described, given performance targets and metrics, and used to build a quality-assured process framework. Performance targets are unique to each implementation and depend upon business requirements and the resources available. Taken together, the performance targets for security become the Information Security Policy. The emphasis on the practical and the measurable is what makes ISM³ unusual, and the approach ensures that ISM systems adapt to changes in technology and risk without re-engineering.
Implementations of ISM³ are compatible with ISO27001 (Information Security Management Systems – Requirements), which establishes control objectives for each process. Implementations use a management responsibilities framework akin to the IT Governance Institute's COBIT framework model, which describes best practice in the parent field of IT service management. ITIL users can employ the ISM³ process orientation to strengthen ITIL security processes seamlessly. Using ISM³-style metrics, objectives and targets, it is possible to create measurable Service Level Agreements for security processes.
ISM³ describes five basic ISM system configurations, equivalent to maturity levels, which are used to help organizations choose the scale of ISM system most appropriate to their needs. The maturity spectrum relates cost, risk and threat reduction, and enables incremental improvement, benchmarking and long-term targets.
ISM³ systems and products are accreditable through the ISM³ Consortium, and it is the intention of the ISM³ Consortium to strengthen linkages and compatibility with existing ISO standards, so that existing investment in ISM systems is protected as those systems are improved.
In summary, ISM³ aims to:
Enable the creation of ISM systems that are fully aligned with the business mission and compliance needs.
Be applicable to any organization regardless of size, context and resources.
Enable organizations to prioritize and optimize their investment in information security.
Enable continuous improvement of ISM systems using metrics.
Support the outsourcing of security processes.
ISM³ uses the following list of security objectives:
Use of services and access to repositories is restricted to authorized users;
Intellectual property is accessible to authorized users only;
Personal information of clients and employees is accessible for a valid purpose to authorized users only and is held for no longer than required;
Secrets are accessible to authorized users only;
Third-party services and repositories are appropriately licensed and accessible only to authorized users;
Information repositories and systems are physically accessible only to authorized users;
Availability of repositories, services and channels exceeds client needs;
Reliability and performance of services and channels exceed client needs;
Existence of repositories and services is assured for exactly as long as clients require;
Expired or end-of-life-cycle repositories are permanently destroyed;
Precision, relevance and consistency of repositories are assured;
Accurate time and date are reflected in all records;
Users are accountable for the repositories and messages they create or modify;
Users are accountable for their use of services and acceptance of contracts and agreements.
ISM³ is a specification for creating ISM systems; certification is performed on specific ISM systems. ISM³ can therefore be used to create ISO27001-compliant ISM systems, which will then have to use risk analysis/assessment and implement all applicable ISO27001 controls.