Dark Reading
Products and Releases

The Open Group Releases Maturity Model For Information Security Management

O-ISM3 is compatible with other ISM industry standards, such as the ISO2700x series

SAN FRANCISCO, April 11, 2011 /PRNewswire/ -- The Open Group today announced a new information security management standard, The Open Group Information Security Management Maturity Model (O-ISM3), which enables the creation of Information Security Management (ISM) systems that are fully aligned with any organization's business mission and compliance needs regardless of size, context and resources. The new standard allows organizations to prioritize and optimize investments in information security, as well as enable continuous improvement of ISM systems using defined metrics. O-ISM3 is compatible with other ISM industry standards, such as the ISO2700x series, ITIL and COBIT.

Intended to be a practical guide on security management for information security practitioners, O-ISM3 is the culmination of more than six years of work and collaboration by the ISM3 Consortium and The Open Group's Security Forum. With an increased need for organizations to protect their systems from security threats, information security management procedures help organizations ensure their security policies, measures and controls are effective. O-ISM3 focuses on common information security processes that the majority of organizations share so operational metrics can be applied to security management processes and protection techniques. Using the standard, organizations can make more informed decisions about security investments through better alignment of security controls with key business objectives.

"Information security management has always lacked proper guidelines and best practices to design processes that increase security while aligning ISM with changing business goals," stated Vicente Aceituno, Manager at Sistemas Informaticos Abiertos and Director of the ISM3 Consortium. "Our first deliverable through O-ISM3 addresses both of these pain points, while laying the foundation for better guidance within the industry."

"There has long been a need for an information security management standard that permits alignment of security controls with business objectives and that enables continuous improvement of security processes," said Jim Hietala, VP of Security for The Open Group. "By building upon work originally done in the ISM3 consortium, The Open Group Security Forum has been able to bring forward a new international standard for information security management, O-ISM3, that delivers a process-based approach to information security management, and that enables continuous improvement through the use of key security metrics."

Among the organizations currently using O-ISM3 are CajaMadrid and the Swiss Armed Forces. CajaMadrid is a major financial institution headquartered in Madrid, Spain, and the Swiss Armed Forces is the primary defense force of Switzerland. Both organizations are using O-ISM3 to better manage their respective information security systems through O-ISM3's process-based approach, which allows organizations to build on current ISM efforts, define maturity levels and metrics, and easily reference current best practices.

"CajaMadrid implemented O-ISM3 to focus on the ethical hacking of systems and applications and to measure the metrics of this process," said Miguel Ange Navarrete, CISO of CajaMadrid. "With O-ISM3, the security team's productivity doubled during the first year of usage. In addition, follow-up reports we received after the initial information systems classification emphasized metrics that helped increase collaboration between developers, systems administrators and security personnel and doubled the team's productivity."

"O-ISM3 has helped us improve security governance and comply with regulations for the ISO 2700x series within a highly decentralized organization that demands an intelligent security infrastructure," said Lars Minth, XYZ of the Swiss Armed Forces. "However, the biggest advantage of implementing the standard has been its straightforward approach to making security frameworks accessible to the business world and our ability to measure the return on our security investments - something that we have struggled to do until now."

Information security management is one of The Open Group Security Forum's primary focuses, and the O-ISM3 standard is the first formal deliverable in its information security management work program. The Security Forum is also currently building maturity models for O-ISM3 and expects to extend the program by developing certification programs for the standard.

O-ISM3 is available for complimentary download online: https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12238.

The Open Group will host a series of informative webcasts on the new O-ISM standard. Registration details may be found here:


About The Security Forum

The Security Forum works to raise industry confidence levels by defining technical standards and guidelines to counter the whole range of security risks and vulnerabilities, and also addresses business and technology perspectives. It covers all aspects of information security in open systems environments, including risk management, governance (including audit and compliance), confidentiality, integrity, accountability, non-repudiation, copy-protection, availability, privacy, policy, best practice and frameworks for legal and regulatory issues at global as well as national levels. Further information on The Security Forum can be found at http://www.opengroup.org/security/.

About The Open Group

The Open Group is a vendor-neutral and technology-neutral consortium, which drives the creation of Boundaryless Information Flow(TM) that will enable access to integrated information within and between enterprises based on open standards and global interoperability. The Open Group works with customers, suppliers, consortia and other standard bodies. Its role is to capture, understand and address current and emerging requirements, establish policies and share best practices; to facilitate interoperability, develop consensus, and evolve and integrate specifications and open source technologies; to offer a comprehensive set of services to enhance the operational efficiency of consortia; and to operate the industry's premier certification service. Further information on The Open Group can be found at http://www.opengroup.org.
