A maturity model consists of a set of structured levels that describe how well the behaviours, practices and processes of an organisation can repeatedly, reliably and sustainably produce the required outcomes.
A maturity model does not itself provide the behaviours, practices and processes that relate directly to the function being analysed; it provides a mechanism for improving those behaviours, practices and processes that already exist in the organisation.
A maturity model provides 5 levels of maturity ranging from ad-hoc to optimised, although in some cases a 6th, lower level is used to describe the situation where no behaviours, practices or processes are in place at all. This 6th "non-existent" level is probably apt for the information security field in the case of some organisations.
For information security there are two maturity models that can be applied:
- ISO/IEC 21827, a Capability Maturity Model for system security engineering
- Information Security Management Maturity Model (ISM3), which is focused on management
The Information Security Management Maturity Model (ISM3) is another form of Information Security Management System (ISMS). ISM3 builds on existing standards such as ISO 20000, ISO 9001, CMM, ISO/IEC 27001, and other general information governance and security concepts. Rather than being control-based like ISO/IEC 27001 and CoBiT, ISM3 is process-based and includes process metrics.
The standard levels of a maturity model are:
- Initial (chaotic, ad hoc, individual heroics) - the starting point for use of a new or undocumented repeat process.
- Repeatable - the process is at least documented sufficiently such that repeating the same steps may be attempted.
- Defined - the process is defined/confirmed as a standard business process.
- Managed - the process is quantitatively managed in accordance with agreed-upon metrics.
- Optimising - process management includes deliberate process optimisation/improvement.
Level 0 - Non-existent
No thought about information security is given by anyone in the organisation, a state that often exists until the first breach.
Level 1 - Ad-hoc
Information security incidents are handled by individuals using their own knowledge. None of the actions are documented and each incident is often treated differently. The organisation is highly vulnerable to an individual leaving and taking their knowledge with them.
Level 2 - Repeatable
Some form of documentation is available to those responding to incidents, and handling has become consistent; the documentation can be used by any individual with the relevant skill set, so the organisation is no longer dependent on individuals. New incidents/events will require new documentation to be produced. No overall policy on information security has been issued and no organisation-wide ISMS has been implemented.
Level 3 - Defined
An organisation-wide ISMS is in place, with full documentation (policies, procedures, standards and guidelines).
Level 4 - Managed
The ISMS is audited and an ISMS lifecycle is in place to act upon the feedback from the auditing.
Level 5 - Optimised
A world-class ISMS has been implemented within the organisation, with accreditation against international standards. A full review lifecycle is in place, ensuring the ISMS fully supports the organisation's mission, and changes in the organisation's aims or technology are acted on and implemented within the ISMS.