The Open Group Releases Maturity Model For Information Security Management

O-ISM3 is compatible with other ISM industry standards, such as the ISO2700x series

April 12, 2011

4 Min Read


SAN FRANCISCO, April 11, 2011 /PRNewswire/ -- The Open Group today announced a new information security management standard, The Open Group Information Security Management Maturity Model (O-ISM3), which enables the creation of Information Security Management (ISM) systems that are fully aligned with any organization's business mission and compliance needs regardless of size, context and resources. The new standard allows organizations to prioritize and optimize investments in information security, as well as enable continuous improvement of ISM systems using defined metrics. O-ISM3 is compatible with other ISM industry standards, such as the ISO2700x series, ITIL and COBIT.

Intended to be a practical guide on security management for information security practitioners, O-ISM3 is the culmination of more than six years of work and collaboration by the ISM3 Consortium and The Open Group's Security Forum. With an increased need for organizations to protect their systems from security threats, information security management procedures help organizations ensure their security policies, measures and controls are effective. O-ISM3 focuses on common information security processes that the majority of organizations share so operational metrics can be applied to security management processes and protection techniques. Using the standard, organizations can make more informed decisions about security investments through better alignment of security controls with key business objectives.

"Information security management has always lacked proper guidelines and best practices to design processes that increase security while aligning ISM with changing business goals," stated Vicente Aceituno, Manager at Sistemas Informaticos Abiertos and Director of the ISM3 Consortium. "Our first deliverable through O-ISM3 addresses both of these pain points, while laying the foundation for better guidance within the industry."

"There has long been a need for an information security management standard that permits alignment of security controls with business objectives and that enables continuous improvement of security processes," said Jim Hietala, VP of Security for The Open Group. "By building upon work originally done in the ISM3 consortium, The Open Group Security Forum has been able to bring forward a new international standard for information security management, O-ISM3, that delivers a process-based approach to information security management, and that enables continuous improvement through the use of key security metrics."

Among the organizations currently using O-ISM3 are CajaMadrid and the Swiss Armed Forces. CajaMadrid is a major financial institution headquartered in Madrid, Spain, and the Swiss Armed Forces is the primary defense force of the Switzerland. Both organizations are using O-ISM3 to better manage their respective information security systems through O-ISM3's process-based approach allowing organizations to build on current ISM efforts, define maturity levels and metrics and easily reference current best practices.

"CajaMadrid implemented O-ISM3 to focus on the ethical hacking of systems and applications and to measure the metrics of this process," said Miguel Ange Navarrete, CISO of CajaMadrid. "With O-ISM3, the security team's productivity doubled during the first year of usage. In addition, follow-up reports we received after the initial information systems classification emphasized metrics that helped increase collaboration between developers, systems administrators and security personnel and doubled the team's productivity."

"O-ISM3 has helped us improve security governance and comply with regulations for the ISO 2700x series within a highly decentralized organization that demands an intelligent security infrastructure," said Lars Minth, XYZ of the Swiss Armed Forces. "However, the biggest advantage of implementing the standard has been its straightforward approach to making security frameworks accessible to the business world and our ability to measure the return on our security investments - something that we have struggled to do until now."

Information security management is one of The Open Group Security Forum's primary focuses, and the O-ISM3 standard is the first formal deliverable in its information security management work program. The Security Forum is also currently building maturity models for O-ISM3 and expects to extend the program by developing certification programs for the standard.

O-ISM3 is available for complimentary download online:

The Open Group will host a series of informative webcasts on the new O-ISM standard. Registration details may be found here:

About The Security Forum

The Security Forum works to raise industry confidence levels by defining technical standards and guidelines to counter the whole range of security risks and vulnerabilities, and also addresses business and technology perspectives. Covering all aspects of information security in open systems environments, including risk management, governance (including audit and compliance), confidentiality, integrity, accountability, non-repudiation, copy-protection, availability, privacy, policy, best practice and frameworks for legal and regulatory issues at global as well as national levels. Further information on The Security Forum can be found at

About The Open Group

The Open Group is a vendor-neutral and technology-neutral consortium, which drives the creation of Boundaryless Information Flow(TM) that will enable access to integrated information within and between enterprises based on open standards and global interoperability. The Open Group works with customers, suppliers, consortia and other standard bodies. Its role is to capture, understand and address current and emerging requirements, establish policies and share best practices; to facilitate interoperability, develop consensus, and evolve and integrate specifications and open source technologies; to offer a comprehensive set of services to enhance the operational efficiency of consortia; and to operate the industry's premier certification service. Further information on The Open Group can be found at

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights