Can you pass the O-ISM3 Test?

Do you dare?

The current state of affairs is that most information security professionals use the concepts of Confidentiality, Integrity and Availability for audits, consulting projects, risk assessment and management, and development of new standards. These concepts present a series of problems that have yet to be solved. The use of ambiguous, incomplete, not operational concepts without units of measurement has created a number of problems for information security management. Communication with between specialists and non-specialists in information security is difficult. Demonstrating the value of information security is difficult. Generally speaking, the use of these proxy concepts that don't add value makes information security management more difficult that it needs to be. Time is wasted, security projects that need funding don't get it, and trendy projects with little return get the green light. Luckily, change is possible.

The O-ISM3 Test pits the CIA triad versus O-ISM3 security objectives. In order to pass the O-ISM3 Test you have to solve the Use Case. You have two options: using traditional concepts like Confidentiality, Integrity, Availability (CIA triad option), or new concepts like O-ISM3’s security objectives. (OISM3 option). The options are mutually exclusive.

The O-ISM3 Test presents you with a Use Case scenario. The Use Case is a fictional travel agency in Madrid, Spain. Your role is to act as information security consultant who is preparing a meeting where you have to determine what are the information security needs of the Travel Agency.

Determining the security needs of the Use Case will enable the you (the consultant) to determine the reasonable security measures to be applied, which are likely to be different, and cheaper, than all the security measures that could be taken. In order to prove that they can successfully determine the security needs, you have to create a meeting Agenda with a list of Questions to ask the managers or employees of the client company. This should be, in principle, easy since ALL THE ANSWERS PART OF THE USE CASE ARE AVAILABLE.

You have a choice to make:

  • CIA Option: Questions can ONLY ask about Confidentiality, Integrity and Availability. NOT using at least one of these terms (or Confidential, Integer, Available) in any question results in a FAIL.
  • O-ISM3 Option : Questions can NOT ask about Confidentiality, Integrity or Availability. Using ANY of these terms in any question will result in a FAIL.

For a question to be valid it should render naturally the answers given, for someone with intimate knowledge of the Use Case.

Since 13/4/2017 when the O-ISM3 Test was originally published, no one has ever passed this test using the CIA Option. if you think you did, please post online your list of questions and let me know via Twitter. You think you can? Download the O-ISM3 Test here.

Please note that there is a difference between finding out what the Travel Agency needs and what the Travel Agency might do regarding information security. If we were to compare the security practices of the Travel Agency with some standard, we could find out that the Travel Agency is not doing everything that a standard says can be done. There is a difference between doing everything that is standards state is possible, and everything that meets the needs of the business.

To learn more of why the O-ISM3 Test is important, check my lecture on Measuring Security.

If you liked this article, consider taking advanced ISMS training online via Udemy

Ten ways ISMS fail


These are symptoms that you need O-ISM3 SECBOK because your ISMS is failing:

  1. When certain people go on leave or get sick, performance is affected.
  2. Audits are painful and it takes a significant effort to pass successfully.
  3. Changes in the ways things are done are difficult and slow to implement.
  4. The same errors are made over and over again.
  5. More than 20% of the time of the team is used trying to determine what to do or how to do it.
  6. It is no infrequent to enter discussions with other teams about who is responsible for what.
  7. The available Metrics do not reflect the performance of the team or the level of security.
  8. Magic bullets are tried by management on a monthly basis and forgotten shortly after.
  9. New workflow software was supposed to solve all management issues. Instead, it has introduced issues of its own.
  10. Your ISMS is certified, but you are conscious that this wouldn't prevent a serious incident from happening.

If you have any of this symptoms, I would love to show you how O-ISM3 SECBOK could help you getting rid of all of them...

If you liked this article, consider taking advanced ISMS training online via Udemy

The CIA triad is not helping you as much as you think


There are multiple reasons for this:

Luckily, THERE IS AN ALTERNATIVE, summarised in this funny video, or this other funny video with the Cookie Monster.

If you still believe the CIA triad is correct or useful in any way, try passing the O-ISM3 Test.

If you liked this article, consider taking advanced ISMS training online via Udemy