New standard helps to align security investments with business priorities

Businesses will be able to tailor their IT security investments more closely to their business priorities, following the creation of an industry-backed information management security standard

The Information Security Management Maturity Model (O-ISM3), the first of its type, aims to help security professionals focus their resources on systems that are most critical to the business.

Early adopters of the standard have reported significant reductions in the number of security vulnerabilities affecting their IT systems.

The model, created by the Open Group, an independent industry consortium, will help businesses to make continuous improvements to the way they manage security, according to Jim Hietala, VP of security for the group.

"There was not sufficient guidance on how you manage a process that makes up an information systems programme. A continuous improvement approach was lacking in IS security," he said. "It really fills a gap in how you manage your information security programme."

The Spanish financial group Caja Madrid, one of the first organisations to take up the model, says the standard has helped its ethical hacking team to increase the number of vulnerabilities it fixes by a factor of five.

"With O-ISM3, the security team's productivity doubled during the first year of usage," said CISO Miguel Angel Navarrete.

Caja Madrid began the project in early 2008 with a team of four people. It set security targets to match the company's business objectives and created a simple knowledge management system to monitor the security team's progress.

Vicente Aceituno, director of the ISM3 consortium, which developed O-ISM3, was a consultant on the project.

"The key lessons were, first, you have to have priorities and understand what systems are worth more attention. Second, you need to understand you are there to help others fix vulnerabilities. You can't stay in your castle and complain to others that there are problems," he said.

The Open Group plans to develop the model by creating an accreditation programme for individuals and organisations. It also plans a range of industry-specific maturity models, covering, for example, e-commerce and small and medium-sized companies.