Open Information Security Management Maturity Model
The Open Group Information Security Management Maturity Model (O-ISM3) is The Open Group's framework for managing information security and, more broadly, for managing information in the wider context. It aims to ensure that security processes in any organization are implemented so as to operate at a level consistent with that organization's business requirements. O-ISM3 is technology-neutral. It defines a comprehensive but manageable number of information security processes sufficient for the needs of most organizations, with the relevant security control(s) being identified within each process as an essential subset of that process. In this respect, it is fully compatible with the well-established ISO/IEC 27000:2009, COBIT®, and ITIL® standards in this field. In addition to complementing the TOGAF® framework for Enterprise Architecture, O-ISM3 defines operational metrics and their allowable variances.[1]
History
The original motivation behind O-ISM3 development was to narrow the gap between theory and practice for information security management systems, and the trigger was the idea of linking security management and maturity models. O-ISM3 strove to keep clear of a number of pitfalls with previous approaches.[2]
The "O-ISM3" website indicates that the project looked at Capability Maturity Model Integration, ISO 9000, COBIT, ITIL, ISO/IEC 27001:2013, and other standards, and found some potential for improvement in several fields, such as linking security to business needs, using a process-based approach, providing some additional details (who, what, why) for implementation, and suggesting specific metrics, while preserving compatibility with current IT and security management standards.
Availability
The Open Group provides the standard "O-ISM3 v.20" free of charge.
References
- O-ISM3 v2.0, 2018, p. 6.
- Siponen, Mikko (2002-08-24). Designing Secure Information Systems and Software: Critical evaluation of the existing approaches and a new paradigm. OULU 2002, 24 August 2002. Retrieved from http://jultika.oulu.fi/files/isbn9514267907.pdf.