By Jim Hietala, The Open Group
The Open Group yesterday announced the approval of a new standard in information security, O-ISM3. This standard, which derives its name from The Open Group Information Security Management Maturity Model, aims to help information security managers and practitioners to more effectively manage information security. Information security management is one of two focus areas for The Open Group Security Forum (security architecture being the other).
The development of the O-ISM3 standard has been in process in the Security Forum for the past 18 months. Like all Open Group standards, O-ISM3 was developed through an open, consensus-based process. The O-ISM3 standard leverages work previously done by the ISM3 consortium to produce the ISM3 version 2.3 document.
O-ISM3 brings some fresh thinking to information security management. O-ISM3:
- Provides a framework to align security objectives and security targets to overall business objectives
- Delivers a much-needed continuous improvement approach to the management of information security
- Expresses security outcomes in positive terms
O-ISM3 can be implemented as a top-down methodology to manage an entire information security program, or it can be deployed more tactically, starting with just a few information security processes. As such, it can deliver value to information security organizations of varying sizes and maturity levels, and in different industries.
The O-ISM3 standard is available free on The Open Group website (registration required), and on Kindle. The standard provides an approach which is complementary to ISO 27001/2, as well as to ITIL and COBIT.
Many thanks to the many members of The Open Group who worked hard over the past 18 months to make O-ISM3 a reality. Many had a hand in developing O-ISM3 in the Security Forum, and I thank them all; however, I would be remiss if I did not recognize the leadership of workgroup chair Vicente Aceituno, who brought this work to The Open Group, and who has continued to work tirelessly to make O-ISM3 an important standard for information security.
The working group will in the coming months be developing maturity levels for O-ISM3, and exploring certification programs. If you have interest in O-ISM3 and these future developments, please contact us at firstname.lastname@example.org and we will help you get involved.
An IT security industry veteran, Jim is Vice President of Security at The Open Group, where he is responsible for security programs and standards activities. He holds the CISSP and GSEC certifications. Jim is based in the U.S.