Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:18 PM
Dark Reading
Dark Reading
Products and Releases

The Open Group Releases Maturity Model For Information Security Management

O-ISM3 is compatible with other ISM industry standards, such as the ISO2700x series

SAN FRANCISCO, April 11, 2011 /PRNewswire/ -- The Open Group today announced a new information security management standard, The Open Group Information Security Management Maturity Model (O-ISM3), which enables the creation of Information Security Management (ISM) systems that are fully aligned with any organization's business mission and compliance needs regardless of size, context and resources. The new standard allows organizations to prioritize and optimize investments in information security, as well as enable continuous improvement of ISM systems using defined metrics. O-ISM3 is compatible with other ISM industry standards, such as the ISO2700x series, ITIL and COBIT.

Intended to be a practical guide on security management for information security practitioners, O-ISM3 is the culmination of more than six years of work and collaboration by the ISM3 Consortium and The Open Group's Security Forum. With an increased need for organizations to protect their systems from security threats, information security management procedures help organizations ensure their security policies, measures and controls are effective. O-ISM3 focuses on common information security processes that the majority of organizations share so operational metrics can be applied to security management processes and protection techniques. Using the standard, organizations can make more informed decisions about security investments through better alignment of security controls with key business objectives.

"Information security management has always lacked proper guidelines and best practices to design processes that increase security while aligning ISM with changing business goals," stated Vicente Aceituno, Manager at Sistemas Informaticos Abiertos and Director of the ISM3 Consortium. "Our first deliverable through O-ISM3 addresses both of these pain points, while laying the foundation for better guidance within the industry."

"There has long been a need for an information security management standard that permits alignment of security controls with business objectives and that enables continuous improvement of security processes," said Jim Hietala, VP of Security for The Open Group. "By building upon work originally done in the ISM3 consortium, The Open Group Security Forum has been able to bring forward a new international standard for information security management, O-ISM3, that delivers a process-based approach to information security management, and that enables continuous improvement through the use of key security metrics."

Among the organizations currently using O-ISM3 are CajaMadrid and the Swiss Armed Forces. CajaMadrid is a major financial institution headquartered in Madrid, Spain, and the Swiss Armed Forces is the primary defense force of the Switzerland. Both organizations are using O-ISM3 to better manage their respective information security systems through O-ISM3's process-based approach allowing organizations to build on current ISM efforts, define maturity levels and metrics and easily reference current best practices.

"CajaMadrid implemented O-ISM3 to focus on the ethical hacking of systems and applications and to measure the metrics of this process," said Miguel Ange Navarrete, CISO of CajaMadrid. "With O-ISM3, the security team's productivity doubled during the first year of usage. In addition, follow-up reports we received after the initial information systems classification emphasized metrics that helped increase collaboration between developers, systems administrators and security personnel and doubled the team's productivity."

"O-ISM3 has helped us improve security governance and comply with regulations for the ISO 2700x series within a highly decentralized organization that demands an intelligent security infrastructure," said Lars Minth, XYZ of the Swiss Armed Forces. "However, the biggest advantage of implementing the standard has been its straightforward approach to making security frameworks accessible to the business world and our ability to measure the return on our security investments - something that we have struggled to do until now."

Information security management is one of The Open Group Security Forum's primary focuses, and the O-ISM3 standard is the first formal deliverable in its information security management work program. The Security Forum is also currently building maturity models for O-ISM3 and expects to extend the program by developing certification programs for the standard.

O-ISM3 is available for complimentary download online: https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12238.

The Open Group will host a series of informative webcasts on the new O-ISM standard. Registration details may be found here:


About The Security Forum

The Security Forum works to raise industry confidence levels by defining technical standards and guidelines to counter the whole range of security risks and vulnerabilities, and also addresses business and technology perspectives. Covering all aspects of information security in open systems environments, including risk management, governance (including audit and compliance), confidentiality, integrity, accountability, non-repudiation, copy-protection, availability, privacy, policy, best practice and frameworks for legal and regulatory issues at global as well as national levels. Further information on The Security Forum can be found at http://www.opengroup.org/security/.

About The Open Group

The Open Group is a vendor-neutral and technology-neutral consortium, which drives the creation of Boundaryless Information Flow(TM) that will enable access to integrated information within and between enterprises based on open standards and global interoperability. The Open Group works with customers, suppliers, consortia and other standard bodies. Its role is to capture, understand and address current and emerging requirements, establish policies and share best practices; to facilitate interoperability, develop consensus, and evolve and integrate specifications and open source technologies; to offer a comprehensive set of services to enhance the operational efficiency of consortia; and to operate the industry's premier certification service. Further information on The Open Group can be found at http://www.opengroup.org.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-24
Cross-site request forgery (CSRF) vulnerability in GS108Ev3 firmware version 2.06.10 and earlier allows remote attackers to hijack the authentication of administrators and the product's settings may be changed without the user's intention or consent via unspecified vectors.
PUBLISHED: 2020-11-24
Untrusted search path vulnerability in the installers of multiple SEIKO EPSON products allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
PUBLISHED: 2020-11-24
includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator.
PUBLISHED: 2020-11-24
The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll.
PUBLISHED: 2020-11-24
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into the r...