Cobit CMMI and O-ISM3 Capability Levels Mapped
Date post: 26-Jan-2015
Upload: vicente-aceituno

CMMI, COBIT AND O-ISM3 CAPABILITY LEVELS MAPPED

Inovement - CREATIVE COMMONS ATTRIB-NODERIVS 3.0 LICENSE 2007, SOME RIGHTS RESERVED.


INFORMATION SECURITY MANAGEMENT MATURITY MODEL

LICENSE AND COPYRIGHT

This work is licensed under the Creative Commons Attribution-No Derivative Works 3.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/3.0/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

The cover is cropped from the Wikimedia Commons “Streichholz” by Sebastian Ritter, licensed under the Creative Commons Attribution-ShareAlike 2.5 License, used with permission of the author.

Any copyrighted material mentioned in this document is the property of its respective owners.

2 Inovement - CREATIVE COMMONS ATTRIB-NODERIVS 3.0 LICENSE 2013, SOME RIGHTS RESERVED.


1 Formal Management Practices

Management systems normally evolve to fit the purposes of the organization they serve. Several management practices contribute to this evolution:

Implementation. Practice performed when there is no pre-existing management system or management process. This practice uses information from an assessment of the organization's goals and the informal management practices in place to design an appropriate management system or process. As GP-3 ISM Design and Evolution is the process used to implement other processes, it is used to underpin management systems.

Operation. Practice routinely performed that normally implies, in addition to execution:

  Testing. Checking whether we get the expected outputs from invented or selected inputs purposefully fed into the process. This is performed using TSP-4 Service Level Management.

  Monitoring. Checking whether the outputs of the process and the resources used are within normal ranges. This is performed using TSP-4 Service Level Management with metrics.

  Improving. Making changes in the process to make it better fit the purpose (or to lead to a saving in resources) by removing faults before they produce incidents, removing bottlenecks that hamper performance or making trade-offs. This management practice needs information gained from testing, monitoring or diagnosing the process. The gains from the changes (if any) can be diagnosed with subsequent testing, monitoring or auditing. GP-3 ISM Design and Evolution is the process used to improve other processes.

  Planning. Organizing and forecasting the amount, assignment and milestones of tasks, resources, budget and deliverables with a common goal.

Evaluation. Practice performed periodically or as required:

  Assessment. Checking whether the existing process matches the organization's needs and compliance goals, or whether it performs better and with better use of resources than it used to. This practice is performed using GP-3 ISM Design and Evolution.

  Audit. Checking whether the process inputs, activities and results match their documentation. This practice is performed using GP-2 ISM System and Business Audit.

  Certify. Checking whether process documentation, inputs, outputs and activities comply with a pre-defined standard, law or regulation. The certificate is a proof of compliance that third parties can trust. This practice is performed using GP-2 ISM System and Business Audit.

  Rationalization. Reporting to supervisors the value of the process for the organization and justifying the use of resources.


2 Capability Levels

The following definition of capability levels in terms of the metrics used to manage the process is not subjective, enabling auditors to use evidence to determine the capability of a process.

Capability Level: Undefined
  Metrics: Not Documented
  Enabled Management Activities: None

Capability Level: Defined
  Metrics: Documented
  Enabled Management Activities: Audit / Certify

Capability Level: Managed
  Metrics: Documented; Scope; Activity; Availability; Efficacy
  Enabled Management Activities:
    Audit / Certify; Testing; Monitor; Rationalization
    Improvement:
      • Remove faults before they produce incidents
      • Feedback on the result of changes

Capability Level: Controlled
  Metrics: Documented; Scope; Activity; Availability; Efficacy (comparison with ideal outcome); Load (what resources are used to produce the outcomes, finding bottlenecks); Update (are outcomes recent enough to be valid)
  Enabled Management Activities:
    Audit / Certify; Testing; Monitor; Rationalization
    Improvement:
      • Remove faults before they produce incidents
      • Feedback on the result of changes
      • Remove bottlenecks that hamper performance
    Planning

Capability Level: Optimized
  Metrics: Documented; Scope; Activity; Availability; Efficacy; Load; Update; Efficiency, ROSI
  Enabled Management Activities:
    Audit / Certify; Testing; Monitor; Rationalization
    Improvement:
      • Remove faults before they produce incidents
      • Feedback on the result of changes
      • Remove bottlenecks that hamper performance
      • Finding points of diminishing return
      • Making tradeoffs
    Planning
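Because the capability definition above rests on which metrics are evidenced rather than on opinion, it can be mechanised for an audit. The following Python is an added example, not code from the O-ISM3 paper or from Inovement: it encodes the section 2 table as a cumulative ladder of metrics together with the section 3 Cobit/CMMI equivalents, derives a process's level from the metrics an auditor has found evidence for, lists what is missing for the next level, and checks a claimed level against that evidence. The evidence record (a set of metric names), the function names and the sample evidence are assumptions made for the example.

```python
"""Evidence-based O-ISM3 capability assessment (added example, not from the paper)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Cumulative ladder from the section 2 table: a level requires every metric of
# the levels below it plus the ones listed for it. Level and metric names are the paper's.
LEVEL_METRICS: List[Tuple[str, Set[str]]] = [
    ("Undefined", set()),
    ("Defined", {"Documented"}),
    ("Managed", {"Scope", "Activity", "Availability", "Efficacy"}),
    ("Controlled", {"Load", "Update"}),
    ("Optimized", {"Efficiency", "ROSI"}),
]
LEVEL_NAMES: List[str] = [name for name, _ in LEVEL_METRICS]

_MANAGED_ACTIVITIES = ["Audit / Certify", "Testing", "Monitor", "Rationalization", "Improvement"]
# Management activities each level enables (section 2 table).
ENABLED_ACTIVITIES: Dict[str, List[str]] = {
    "Undefined": [],
    "Defined": ["Audit / Certify"],
    "Managed": _MANAGED_ACTIVITIES,
    "Controlled": _MANAGED_ACTIVITIES + ["Planning"],
    "Optimized": _MANAGED_ACTIVITIES + ["Planning"],
}

# Section 3 mapping to Cobit and CMMI; None stands for "Not Applicable".
EQUIVALENTS: Dict[str, Tuple[Optional[str], str]] = {
    "Undefined": ("Processes are ad hoc and disorganized", "Performed"),
    "Defined": ("Processes are documented and communicated", "Managed"),
    "Managed": (None, "Defined"),
    "Controlled": ("Processes are monitored and measured", "Quantitatively Managed"),
    "Optimized": ("Good Practices are followed and automated", "Optimizing"),
}


def required_metrics(level: str) -> Set[str]:
    """All metrics that must be evidenced for `level` (cumulative over lower levels)."""
    required: Set[str] = set()
    for name, metrics in LEVEL_METRICS:
        required |= metrics
        if name == level:
            return required
    raise ValueError(f"unknown O-ISM3 capability level: {level}")


@dataclass
class Assessment:
    level: str                      # highest level fully supported by the evidence
    next_level: Optional[str]       # None when the process is already Optimized
    missing_for_next: Set[str]      # metrics an auditor would need to see for the next level
    enabled_activities: List[str]
    cobit_equivalent: Optional[str]
    cmmi_equivalent: str


def assess(evidenced_metrics: Set[str]) -> Assessment:
    """Derive the capability level from the metrics that evidence shows are in use."""
    level = "Undefined"
    for name, _ in LEVEL_METRICS:
        if required_metrics(name) <= evidenced_metrics:
            level = name
        else:
            break  # the ladder is cumulative: no higher level can be met either
    idx = LEVEL_NAMES.index(level)
    next_level = LEVEL_NAMES[idx + 1] if idx + 1 < len(LEVEL_NAMES) else None
    missing = required_metrics(next_level) - evidenced_metrics if next_level else set()
    cobit, cmmi = EQUIVALENTS[level]
    return Assessment(level, next_level, missing, ENABLED_ACTIVITIES[level], cobit, cmmi)


def audit_claim(claimed_level: str, evidenced_metrics: Set[str]) -> Tuple[bool, str, Set[str]]:
    """Check a claimed level against evidence: (supported?, evidenced level, metrics missing for the claim)."""
    missing = required_metrics(claimed_level) - evidenced_metrics
    return (not missing, assess(evidenced_metrics).level, missing)


if __name__ == "__main__":
    # Constructed sample evidence: a documented process reporting the Managed
    # metrics plus Load, but with no Update metric in place.
    evidence = {"Documented", "Scope", "Activity", "Availability", "Efficacy", "Load"}
    result = assess(evidence)
    print(f"Evidenced level: {result.level} (Cobit: {result.cobit_equivalent or 'Not Applicable'}, "
          f"CMMI: {result.cmmi_equivalent})")
    print(f"Missing for {result.next_level}: {sorted(result.missing_for_next)}")
    supported, evidenced, gap = audit_claim("Controlled", evidence)
    print(f"Claim 'Controlled' supported: {supported}; evidence supports {evidenced}; gap: {sorted(gap)}")
```

The ladder is deliberately cumulative, so a process that reports Load but is not Documented still assesses as Undefined; `audit_claim` separates "what the evidence supports" from "what is missing for the claimed level", which is the distinction an auditor needs when a process self-reports a higher level than its metrics justify.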


3 Capability Levels Mapping

Each row maps an O-ISM3 capability level to its Cobit and CMMI equivalents; "Not Applicable" marks a level with no counterpart in that framework.

O-ISM3: Not Applicable
Cobit: Management processes are not applied
CMMI: Incomplete

O-ISM3: Undefined. The process might be used, but it is not defined or Documented.
Cobit: Processes are ad hoc and disorganized
CMMI: Performed. A performed process is a process that satisfies the specific goals of the process area. It supports and enables the work needed to produce work products.

O-ISM3: Not Applicable
Cobit: Processes follow a regular pattern
CMMI: Not Applicable

O-ISM3: Defined. The process is Documented and used.
Cobit: Processes are documented and communicated
CMMI: Managed. A managed process is a performed process that has the basic infrastructure in place to support the process. It is planned and executed in accordance with policy; employs skilled people who have adequate resources to produce controlled outputs; involves relevant stakeholders; is monitored, controlled, and reviewed; and is evaluated for adherence to its process description.

O-ISM3: Managed. The process is Defined and the results of the process are used to fix and improve the process (ISO9001 equivalent). The following metrics are used:
  ● Scope
  ● Activity
  ● Availability
  ● Efficacy
Cobit: Not Applicable
CMMI: Defined. A defined process is a managed process that is tailored from the organization's set of standard processes according to the organization's tailoring guidelines, and contributes work products, measures, and other process improvement information to the organizational process assets.

  A critical distinction between capability levels 2 (Managed) and 3 (Defined) is the scope of standards, process descriptions, and procedures. At capability level 2, the standards, process descriptions, and procedures may be quite different in each specific instance of the process (e.g., on a particular project). At capability level 3, the standards, process descriptions, and procedures for a project are tailored from the organization's set of standard processes to suit a particular project or organizational unit and therefore are more consistent, except for the differences allowed by the tailoring guidelines.

  Another critical distinction is that at capability level 3, processes are typically described more rigorously than at capability level 2. A defined process clearly states the purpose, inputs, entry criteria, activities, roles, measures, verification steps, outputs, and exit criteria. At capability level 3, processes are managed more proactively using an understanding of the interrelationships of the process activities and detailed measures of the process, its work products, and its services.

O-ISM3: Controlled. The process is Managed, and milestones and the need for resources are accurately predicted. The following metrics are used:
  ● Load
  ● Update
Cobit: Processes are monitored and measured
CMMI: Quantitatively Managed. A quantitatively managed process is a defined process that is controlled using statistical and other quantitative techniques. Quantitative objectives for quality and process performance are established and used as criteria in managing the process. Quality and process performance is understood in statistical terms and is managed throughout the life of the process.

O-ISM3: Optimized. The process is Controlled and improvement leads to a saving in resources. The following metrics are used:
  ● Efficiency, ROSI
Cobit: Good Practices are followed and automated
CMMI: Optimizing. An optimizing process is a quantitatively managed process that is improved based on an understanding of the common causes of variation inherent in the process. The focus of an optimizing process is on continually improving the range of process performance through both incremental and innovative improvements.
