Open Information Security Management Maturity Model
The Open Group Information Security Management Maturity Model (O-ISM3) is a maturity model for managing information security. It aims to ensure that security processes in any organization are implemented so as to operate at a level consistent with that organization’s business requirements. O-ISM3 defines a comprehensive but manageable number of information security processes sufficient for the needs of most organizations, with the relevant security control(s) being identified within each process as an essential subset of that process.[1]
History
The original motivation behind the development of O-ISM3 was to narrow the gap between theory and practice for information security management systems, and the trigger was the idea of linking security management and maturity models. O-ISM3 strove to keep clear of a number of pitfalls with previous approaches.[2]
The Open Group, a global consortium concerned with "the achievement of business objectives through technology standards",[3] looked at Capability Maturity Model Integration, using ISO 9000, COBIT, ITIL, ISO/IEC 27001:2013, and other standards,[4] and found some potential for improvement in several fields, such as linking security to business needs, using a process-based approach, providing some additional details (who, what, why) for implementation, and suggesting specific metrics, while preserving compatibility with the most popular IT and security management standards.[citation needed]
Availability
The Open Group provides a standard model, which is available free of charge.[5]
References
1. O-ISM3 v2.0 2018 p6
2. Siponen, Mikko (2002-08-24). Designing Secure Information Systems and Software: Critical evaluation of the existing approaches and a new paradigm. OULU 2002, 24 August 2002. Retrieved from http://jultika.oulu.fi/files/isbn9514267907.pdf
3. The Open Group, Who We Are, accessed on 6 March 2026
4. The Open Group. "Information Security Management".
5. "Open Information Security Management Maturity Model (O-ISM3), Version 2.0". Retrieved 6 March 2026.