The Open Group's new information security management standard, the Information Security Management Maturity Model (O-ISM3), has been crafted to enable the creation of information security management (ISM) systems that are fully aligned with any organization's business mission and compliance needs, regardless of size, context and resources. Compatible with other ISM industry standards, such as the ISO 2700x series, the Information Technology Infrastructure Library (ITIL) and COBIT, O-ISM3 is a comprehensive set of guidelines and best practices that will allow organizations to prioritize and optimize investments in information security, as well as enable continuous improvement of ISM systems using defined metrics.
This standard is not about security per se, says Paul Proctor, VP, distinguished analyst and the role service director for risk management, Gartner Research. "There is no connection between the shifting threat landscape and maturing models. Are you doing the basic blocking and tackling? Rather than a framework of control, it's a measurement regime."
Maturity models are becoming a big thing that ultimately measures how well you do something, he says. "Where you are not doing something well, you have more risk, and where you are doing it well, you have less risk."
He gives security incident response as an example. Measuring the number of incidents doesn't really help: if you're good, the number doesn't matter, and if you're not good, the number also doesn't matter. The risk is attached to the ability to handle the issue, not the numbers involved.
"The reality is organizations don't have the ability to determine how good or bad they are in security ... and a maturity model is a good way to do that. This is transparency so you can make some good decisions so you can get better."