[ISM3 Users] Tuesday Insight - What is ISM3 good for?

Vicente Aceituno vac at zenobia.es
Tue Sep 4 08:27:14 CEST 2007


Just in case someone didn't notice:

- For someone who is using ISO9001, you can build your ISMS using ISO9001
principles and infrastructure you already have and understand.
- For someone who has no IS Management System, you can build your ISMS in
stages around your Business goals, not some external or artificial goals.
- For someone who wants to outsource security processes, you can find out
exactly what to outsource, how to link it to internal processes and
how to create SLAs using metrics.
- For someone who wants to show commitment to security, you can get a
meaningful certificate that is not only compliant but useful (because
it's linked to *your* Business goals).
- For someone who is already spending loads in IS, you can use
Security Targets and learn at least if the IS management system is
working (or not), or you can use Metrics and manage your IS management
system with or without Auditors around you.
- For someone who is experiencing pains using other approaches, you
can suit your processes to your needs on an environment-by-environment
basis. Stop using Production Environment requirements for your
Development Environment, for example.
- For a CISO: Get to tell Top Management, Middle Management and
Administrators what their responsibilities on security are, in a more
specific way than "Security is everyone's responsibility".

My best

Vicente

