[ISM3 Users] Tuesday Insight: Blast from the Past - Implementation Plan
Vicente Aceituno
vac at zenobia.es
Wed Aug 1 14:07:51 CEST 2007
BTW, in September I will continue with new ISM3 posts. Blasts from the
Past are only for this summer...
**** Implementation Plan **** originally posted Feb 13, 2007 12:08 pm ****
I suggested replacing the popular 4 step implementation plan:
1- Where do we want to be?
2- Where are we now?
3- How do we get where we want to be?
4- How do we know we have arrived?
With a more detailed implementation plan:
1- How do you know where you are? You do an assessment, comparing your
model of the company with a theoretical model, which can be a standard or
compliance requirements, for example.
2- Where are you? – This is answered by the assessment result. This
can range from the result of a PenTest to finding your current ISM3
maturity.
3- Where would you like to be? – This is answered by stating your
goals (business goals, legal and standard compliance goals, technical
goals). Some say their goal is just C-I-A; some learn Security in
Context.
4- How close to your goal can you afford to be? Answer this by
setting a target. Unless your org has unlimited resources, of course.
5- How can you get there? The answers are implementation plans,
setting agreements, procedures, procuring resources... walking the
walk.
6- How do you stay there when you manage it? Answer: take decisions to get
closer to your goals and use metrics to monitor your results.
7- How do you stay there when you get someone to manage it for you?
Answer: use metrics to monitor your results. Agree goals in SLAs with
your providers.
8- How do you improve your ISMS effectiveness and efficiency? Use
quality management, like control charts. Compare results with the use
of resources... metrics are your friends.
9- How good are you at staying there? – Capability assessment...
10- How do you prove to others where you are? – Certification...
Lesson to learn: be careful what you compare your org with and how
you model it (scope and depth)... it will have deep consequences for
all your information security management results.
If you want to go beyond compliance, compare your ISMS practices with
ISM3 for starters... setting targets, using metrics and outsourcing
services, your efficiency, maturity, capability (and compliance)
limits will be bounded only by the resources available to you.... :)