An ISMS (Im)-Maturity Capability Model

Capability maturity models have been used to assess and guide process improvement initiatives for everything from software development to systems engineering, product acquisition, team management and information security, to name a few. These models are based on process improvement and provide a framework to guide and measure the implementation and improvement of processes. In all of these models, the higher the level at which an organisation is assessed, the better (in theory) that organisation is at defining, assessing and improving its process capability. This paper proposes a unique process maturity model for assessing the capability and maturity of the processes that affect an Information Security Management System (ISMS) within an organisation. The model describes nine levels of process maturity, four of which lie below the existing five levels defined in most popular models.
