All businesses need information security to protect our systems from the risk of threats. This Open Information Security Management Maturity Model (O-ISM3) supports information security practitioners in this fundamental task by covering the key areas required to minimise these threats:• Risk Management : identifying and estimating levels of exposure to thelikelihood of loss and how to manage those risks of loss; • Security Controls : crafting the IT Security Policy which assures operations are as secure as they need to be;• Security Management : supporting the selection, maintenance, and overallSecurity Policy for the security controls deployed in a business enterprise.The O-ISM3 standard focuses on the common processes of information security. It is technology-neutral, very practical and considers the business aspect in depth. This means that practitioners can use O-ISM3 with a wide variety of protection techniques used in the marketplace.The distinctive benefits of O-ISM3 are:•A fully process-based approachIt breaks information security management down into a comprehensive but manageable number of processes, with specifically relevant security control(s) being identified. In addition it covers the principles of continuous improvement that O-ISM3 supports.•Maturity coverageO-ISM3 defines information security management maturity in terms of theoperation of an appropriate complementary set of ISM3 information security processes. •A business approachThe coverage considers the business drivers and also the specific business challenges of outsourcing and partnering. The critical issue of how to translate key business objectives to security objectives and targets is covered in depth.•Compatibility with ISO 9000 Quality ManagementWith similarities in structure and approach to quality management methods like ISO 9000, O-ISM3 also emphasises the practical and the measurable so that ISMSs can adapt without re-engineering in the face of changes to technology and risk.•Compatibility with ISO/IEC 27000ISM3 is compatible in many ways with the ISO/IEC 27000:2009 standard, in addition provides a comprehensive framework for selecting, implementing, and managing a set of security processes to meet measurable business goals. •Compatibility with COBITO-ISM3 implementations use a management responsibilities framework consistent with the ISACA COBIT framework model. •Compatibility with ITILITIL users can use the O-ISM3 process orientation to strengthen their ITIL security processes
