ISM3 1.0 ISM Maturity Model - Quick Maturity Assessment

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to

Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Any copyrighted material mentioned in this document is property of their respective owners.

WWW.ISECOM.ORG / WWW.OSSTMM.ORG / WWW.HACKERHIGHSCHOOL.ORG / WWW.ISESTORM.ORG

CREATIVE COMMONS NODERIVS LICENSE 2004, SOME RIGHTS RESERVED,

VICENTE ACEITUNO AND THE INSTITUTE FOR SECURITY AND OPEN METHODOLOGIES (ISECOM).

ISM3 1.0. - Quick Maturity Assessment

By Vicente Aceituno Canal

Assessment

This document is intended as a quick self-assessment of ISM system maturity. A deeper assessment is needed when planning an ISM3-compliant implementation.

Three criteria are used for the quick assessment:

- Supervised: The process has one and only one competent Process Owner.

- Resourced: Adequate resources in terms of budget, staff and space are available to carry out the process.

Every process score in every category is calculated as follows:

- Yes: 1

- No: 0

- Incomplete: 0.5

- Don't know: -1

Add up the Supervised and Resourced columns. The final score gives a rough idea of maturity.

Total Supervised Score   Total Resourced Score   ISM3 Level
13                       13                      1
27                       27                      2
35                       35                      3
42                       42                      4
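The scoring procedure above, implemented as an added example in Python (this is not code from the ISM3 document or from ISECOM). The answer values, the four thresholds and the process identifiers are taken from this assessment. Two points are assumptions of the example rather than statements of the document: that the thresholds apply to each column separately and a level is attained only when both the Supervised and the Resourced totals reach it, and that an unanswered process is scored as "Don't know". The sample answers are constructed for illustration.

```python
"""Scorer for the ISM3 1.0 quick maturity self-assessment (added example).

Answer values, thresholds and process identifiers come from the
assessment. Assumptions of this example: the thresholds apply to each
column separately and the organisation is at the lower of the two column
levels; an unanswered cell counts as "don't know".
"""
from dataclasses import dataclass, field

# Answer values as given by the assessment.
ANSWER_SCORE = {"yes": 1.0, "no": 0.0, "incomplete": 0.5, "don't know": -1.0}

# Thresholds from the assessment's table, in ascending level order.
LEVEL_THRESHOLDS = [(1, 13), (2, 27), (3, 35), (4, 42)]

# The 44 processes listed in the grading tables.
PROCESSES = (
    ["GP-1"]
    + [f"SSP-{i}" for i in range(1, 7)]
    + [f"TSP-{i}" for i in range(1, 13)]
    + [f"OSP-{i}" for i in range(1, 26)]
)
COLUMNS = ("supervised", "resourced")


@dataclass
class Result:
    supervised: float
    resourced: float
    level: int
    unknown: list = field(default_factory=list)  # processes with a "don't know"


def answer_for(answers, process, column):
    """Normalised answer for one cell; a missing cell counts as 'don't know' (assumption)."""
    return answers.get(process, {}).get(column, "don't know").strip().lower()


def column_total(answers, column):
    """Sum one column over all 44 processes using the assessment's answer values."""
    return sum(ANSWER_SCORE[answer_for(answers, p, column)] for p in PROCESSES)


def level_for(score):
    """Highest ISM3 level whose threshold the score reaches; 0 if below level 1."""
    level = 0
    for lvl, threshold in LEVEL_THRESHOLDS:
        if score >= threshold:
            level = lvl
    return level


def assess(answers):
    """Compute both column totals, the rough ISM3 level and the unresolved cells."""
    sup = column_total(answers, "supervised")
    res = column_total(answers, "resourced")
    unknown = [p for p in PROCESSES
               if any(answer_for(answers, p, c) == "don't know" for c in COLUMNS)]
    # Assumption: the organisation is at the lower of the two column levels.
    return Result(sup, res, min(level_for(sup), level_for(res)), unknown)


def sample_answers():
    """Constructed sample responses for illustration only (not real data)."""
    answers = {p: {"supervised": "yes", "resourced": "yes"} for p in PROCESSES}
    for i in range(11, 17):          # OSP-11..16: owner named but not fully in place
        answers[f"OSP-{i}"]["supervised"] = "incomplete"
    for i in range(17, 24):          # OSP-17..23: not performed at all
        answers[f"OSP-{i}"] = {"supervised": "no", "resourced": "no"}
    for i in (24, 25):               # OSP-24..25: nobody could say who owns them
        answers[f"OSP-{i}"] = {"supervised": "don't know", "resourced": "no"}
    return answers


if __name__ == "__main__":
    r = assess(sample_answers())
    print(f"Supervised total: {r.supervised}  Resourced total: {r.resourced}")
    print(f"Rough ISM3 level: {r.level}")
    if r.unknown:
        print("Answered 'Don't know' (each scores below a 'No'; confirm ownership first):",
              ", ".join(r.unknown))
```

The constructed answers show why the unknowns are listed separately: a "Don't know" scores one point below a plain "No", so two unresolved ownership questions in the incident-handling and forensics rows pull the Supervised total from 32 down to 30, and the overall level follows the weaker column. Resolving who owns those processes before relying on the result is cheaper than planning against an understated level.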


General Grading Table

Process                     Supervised   Resourced
GP-1 Document Management
SUBTOTAL

Strategic Management Grading Table

Process                                                                  Supervised   Resourced
SSP-1 Report to Stakeholders
SSP-2 Coordination
SSP-3 Strategic vision
SSP-4 Define rules for the division of duties: transparency,
      partitioning, supervision, rotation and separation of
      responsibilities (TPSRSR).
SSP-5 Check compliance with TPSRSR rules.
SSP-6 Allocate resources for information security
SUBTOTAL

Tactical Management Grading Table

Process                                      Supervised   Resourced
TSP-1 Report to strategic management.
TSP-2 Manage allocated resources.
TSP-3 Define Security Targets.
TSP-4 Define metrics for security processes
TSP-5 Define Properties Groups.
TSP-6 Define environments and lifecycles.
TSP-7 Background Checks
TSP-8 Security Personnel Selection
TSP-9 Security Personnel Training
TSP-10 Disciplinary Process
TSP-11 Security Awareness
TSP-12 Select Specific Processes
SUBTOTAL


Operational Management Grading Table

Process                                                              Supervised   Resourced
OSP-1 Report to tactical management.
OSP-2 Select tools for implementing security measures
OSP-3 Inventory Management
OSP-4 Information Systems Environment Change Control
OSP-5 Environment Patching
OSP-6 Environment Clearing
OSP-7 Environment Hardening
OSP-8 Software Development Lifecycle Control
OSP-9 Security Measures Change Control
OSP-10 Backup & Redundancy Management
OSP-11 Access control over services, repositories, channels and interfaces
OSP-12 User Registration
OSP-13 Encryption Management
OSP-14 Physical Environment Protection Management
OSP-15 Operations Continuity Management
OSP-16 Segmentation and Filtering Management
OSP-17 Malware Protection Management
OSP-18 Insurance Management
OSP-19 Attacks, Errors and Accidents Emulation
OSP-20 Incident Emulation
OSP-21 Information Quality Probing
OSP-22 Alerts Monitoring
OSP-23 Events Detection and Analysis
OSP-24 Handling of incidents and near-incidents
OSP-25 Forensics
SUBTOTAL
