Does the World Need Another Information Security Maturity Model?

One of the big information security analyst firms recently introduced a new, proprietary information security maturity model (ISMM). Existing ISMMs include ISO 27001/27002, NIST SP 800-53, sections of CobiT 4.1, NERC, and so on. ISMMs serve mainly to provide a comprehensive list of security controls and guidance on how to implement those controls, in order to help security functions avoid blind spots and organize their risk-reduction activities. A good ISMM will also describe a maturity scale for each of the controls: what a basic implementation looks like versus a best-in-class implementation.

Considering only this basic use of an ISMM, another one might seem to provide a welcome alternative point of view. However, previous Council research (see for example this and this) has shown that which ISMM you choose matters far less than how you implement it. Furthermore, there are several additional uses of ISMMs that a new, proprietary ISMM does not serve:

  1. Provide a standard language for security organizations to communicate.
  2. Serve as a platform for the development of standardized security processes.
  3. Allow for detailed benchmarking between organizations.

In 2010, 77% of large security organizations are using ISO 27001/27002 (this will be covered in today's webinar on budget and organizational trends). ISO has become a near-universal language for security organizations, except for those required to use NIST. This is why, when the Council created our Controls Maturity Benchmarking Service, we avoided the temptation to try to improve on the existing ISMMs and instead created a tool to help CISOs measure their controls maturity against the ISO and NIST standards. This has contributed to the popularity and usefulness of the Controls Maturity Benchmarking Service, which now allows organizations to obtain a detailed benchmark of their security controls against those of almost one third of the Fortune 500.
