Risk Management: identifying and estimating levels of exposure to the likelihood of loss and how to manage those risks of loss;
Security Controls: crafting the IT Security Policy which assures operations are as secure as they need to be;
Security Management: supporting the selection, maintenance, and overall Security Policy for the security controls deployed in a business enterprise.
The O-ISM3 standard focuses on the common processes of information security. It is technology-neutral, very practical and considers the business aspect in depth. This means that practitioners can use O-ISM3 with a wide variety of protection techniques used in the marketplace.