O-ISM3 Online Training

Reach new heights!

Many of you asked, and it is finally here: O-ISM3 training online via Udemy.

In this course you will master the design and operation of information security processes with metrics, and you will be able to present these metrics in compact and engaging dashboards or reports. You will learn what a measurement is, how your choice of model influences what gets measured, what the relationship is between security activity and business goals, and how to use reports in a way that leads to an understanding of the organisation's security posture and drives the right decisions.

Don't be fooled by the 1.5-hour duration of the course. It is a highly condensed rendition of the full 24-hour course, and therefore it requires you to pause, think, spend time doing the exercises, and hopefully ask questions.

O-ISM3 Security Body of Knowledge

O-ISM3 SECBOK is an Information Security Management System implementation template based on the O-ISM3 standard. It assists the creation of an ISMS for organisations of any size, in any environment, and with any availability of resources. Buy your copy of O-ISM3 SECBOK now and take your ISMS to new heights!

Process Flow

Can you pass the O-ISM3 Test?

Do you dare?

The current state of affairs is that most information security professionals use the concepts of Confidentiality, Integrity and Availability for audits, consulting projects, risk assessment and management, and the development of new standards. These concepts present a series of problems that have yet to be solved. The use of ambiguous, incomplete, non-operational concepts without units of measurement has created a number of problems for information security management. Communication between specialists and non-specialists in information security is difficult. Demonstrating the value of information security is difficult. Generally speaking, the use of these proxy concepts that don't add value makes information security management more difficult than it needs to be. Time is wasted, security projects that need funding don't get it, and trendy projects with little return get the green light. Luckily, change is possible.

The O-ISM3 Test pits the CIA triad against O-ISM3 security objectives. In order to pass the O-ISM3 Test you have to solve the Use Case. You have two options: use traditional concepts like Confidentiality, Integrity and Availability (CIA triad option), or use new concepts like O-ISM3's security objectives (O-ISM3 option). The options are mutually exclusive.

The O-ISM3 Test presents you with a Use Case scenario. The Use Case is a fictional travel agency in Madrid, Spain. Your role is to act as an information security consultant who is preparing for a meeting in which you have to determine what the information security needs of the Travel Agency are.

Determining the security needs of the Use Case will enable you (the consultant) to determine the reasonable security measures to be applied, which are likely to be different from, and cheaper than, all the security measures that could be taken. In order to prove that you can successfully determine the security needs, you have to create a meeting Agenda with a list of Questions to ask the managers or employees of the client company. This should, in principle, be easy, since ALL THE ANSWERS THAT ARE PART OF THE USE CASE ARE AVAILABLE.

You have a choice to make:

  • CIA Option: Questions can ONLY ask about Confidentiality, Integrity and Availability. NOT using at least one of these terms (or Confidential, Integer, Available) in any question results in a FAIL.
  • O-ISM3 Option: Questions can NOT ask about Confidentiality, Integrity or Availability. Using ANY of these terms in any question results in a FAIL.

For a question to be valid, it should naturally elicit the answers given from someone with intimate knowledge of the Use Case.

Since 13/4/2017, when the O-ISM3 Test was originally published, no one has ever passed this test using the CIA Option. If you think you did, please post your list of questions online and let me know via Twitter. Think you can? Download the O-ISM3 Test here.

Please note that there is a difference between finding out what the Travel Agency needs and what the Travel Agency might do regarding information security. If we were to compare the security practices of the Travel Agency with some standard, we could find that the Travel Agency is not doing everything that the standard says can be done. There is a difference between doing everything that standards state is possible and doing everything that meets the needs of the business.

To learn more about why the O-ISM3 Test is important, check my lecture on Measuring Security.
