Open Information Security Management Maturity Model

The Open Group Information Security Management Maturity Model (O-ISM3) is a maturity model for managing information security.

It aims to ensure that security processes in any organization are implemented so as to operate at a level consistent with that organization's business requirements.[1]

The original motivation behind the development of O-ISM3 was to narrow the gap between theory and practice for information security management systems; the trigger was the idea of linking security management with maturity models.

O-ISM3 strove to keep clear of a number of pitfalls of previous approaches.

Its authors looked at Capability Maturity Model Integration, ISO 9000, COBIT, ITIL, ISO/IEC 27001:2013, and other standards, and found room for improvement in several areas: linking security to business needs, using a process-based approach, providing additional implementation detail (who, what, why), and suggesting specific metrics, while preserving compatibility with the most widely used IT and security management standards.