Information Security Management Maturity Model (ISM-cubed) is a new method that seeks to apply ISO 9000-style quality management processes to information security management. The method’s description paper naturally mentions ISO 17799, ISO 27001, COBIT, ITIL, CRAMM and other buzzwords. Unfortunately it does not explain how the method was developed (e.g. does it have an academic or pragmatic basis?).
Capability maturity model and metrics are particularly interesting aspects of the method. Standards such as ISO 17799 and COBIT are quite 'flat' with no obvious sequence in which organizations might implement the basics and then progressively improve their security. ISO 27001 does include the classic Deming PDCA continuous quality improvement model but falls short on metrics. ISO 21827 is a security maturity model, again with limited metrics. NIST SP 800-55 includes an enormous list of security metrics but little in the way of practical guidance on selecting or using them to mature an organization's information security management.
More information security management links