Swiss Armed Forces using O-ISM3

by Lars Minth 29.03.2011

The usage of ISM3 within the Information Assurance program of the Swiss Armed Forces is threefold:

  • first there is the necessity to comply with a couple of regulations inter alia the ISO 27k family, ISO 31000 and ISO 20000.
  • then the development of measurable and achievable security processes is very demanding in such a high security environment while the pure implementation of ISO 27k, especially its controls, is not sufficient to prove a Return of Security Investment (ROSI)
  • at last the governance of security in a highly decentralized organization needs a clever structuring.

Basically in all of these action areas O-ISM3 is giving us a helping hand and therefore saving us time and money to develop an own interpretation of ISO 27k. ISM3 came into the focus of the Swiss Armed Forces during a study about a business-driven implementation of an ISMS in order to regain management attention and acceptance for the restructuring of security. O-ISM3 itself is not a new invention but a straight forward and enabling approach to comprehend existing security frameworks in order to make security understandable for the rest of the (business) world. During the long process of aligning diverse security initiatives within the Swiss Armed Forces ISM3 is and will be the central repository and helping cornucopia to establish security processes which are measurable, acceptable and achievable in the sense of ROSI. The methodology O-ISM3 provides is helping to achieve ROSI while the O-ISM3 security processes in detail are helping to focus on the servicing and main-tenance of security at all levels: operational, tactical and strategic.

If you liked this article, consider taking advanced ISMS training online via Udemy, it is rated 8.2 in Coursemarks

Bankia’s experience with O-ISM3

CajaMadrid (now Bankia) started using O-ISM3 in the security process of ethical hacking of systems and applications. Several enhancements were made in order to measure the metrics of this process, and a Service Level Agreement was established based on those metrics. Using O-ISM3 criteria, the classification of information systems, which determines how frequently the systems are tested, was improved.

As a result of O-ISM3 implementation, the team’s productivity doubled during the first year. The follow-up reports with metrics made collaboration between developers, system administrators and security personnel easier and more productive. The information available is so detailed that CajaMadrid now uses objective criteria to give an award to the manager whose applications or systems present the fewest vulnerabilities, and vulnerabilities that are found are fixed faster.

The methodology’s orientation on deliverables makes the entire evidence-generating activity possible, which means that it is auditable, measurable and manageable. As the management system is metrics based, daily operations do not require audits for improvement, speeding up the improvement cycle significantly. When metrics correlate well with pursued goals, process improvement leads directly to the achievement of goals with greater effectiveness, efficiency and quality. Metrics make the status and progress of activities clearly visible, making it easier to reach agreements with our internal client and partners, and communicate our achievements to upper management. Ultimately, this methodology allows information security to be managed using best practices that apply to business in general. Based on the success of the methodology, we are extending the use of the method to other processes.

This is what the CISO had to say: "We are very interested in the method, and once it has been set up, it is simple to use.”

Bankia is ISO27001 and ISO20000 certified, and uses CMMI-3 and standards like ITIL, OSSTMM and many others. O-ISM3 integrates seamlessly with all of them and we have even received a positive note about our ISMS certification thanks to O-ISM3.

If you liked this article, consider taking advanced ISMS training online via Udemy, it is rated 8.2 in Coursemarks

What is O-ISM3 good for?

Reach new heights

There are several ways to use O-ISM3:

  • For someone who is using ISO9001: Build your ISMS using ISO9001 principles and infrastructure you already have and understand;
  • For someone who has no IS Management System: Build your ISMS in stages around your Business Goals, not some external or artificial goals;
  • For someone who wants to outsource security processes: Find out exactly what to outsource, who to link it to internal processes and how to create SLAs;
  • For someone who want to show commitment with security: Get a meaningful certificate that is not only compliant but useful (further business goals);
  • For someone who is already spending loads in IS: Use Security Targets and learn at least if the IS management system is working, or use Metrics and manage your IS management system with or without Auditors around you;
  • For someone who is experiencing pains using other approaches: Suit you processes to your needs in an environment by environment basis. Stop using Production Environment requirement for your Development Environment;
  • For a CISO: Get to tell Top Management, Middle Management and Administrators what are their responsibilities on security, in a more specific way than "Security is everyone's responsibility";
  • For businesses that are going out to tender for their services; For businesses that require a consistent approach by all service providers in a supply chain;
  • For  service providers to benchmark their IT service management; As the basis for an independent assessment;
  • For an organisation which needs to demonstrate the ability to provide services that meet customer requirements;
  • For  organizations which aims to improve service through the effective application of processes to monitor and improve service quality.

If you liked this article, consider taking advanced ISMS training online via Udemy, it is rated 8.2 in Coursemarks