Information Security Assurance
Training and Rating Program
Please keep your contact information current.
Please contact isatrp (at) isatrp.org if you feel your information needs updating.
The following information is under revision and is provided for information purposes only. This section will be updated when new information is available. Should you have any questions, please contact firstname.lastname@example.org.
The Information Security Assurance - Capability Maturity Model (ISA-CMM) is based on the System Security Engineering Capability Maturity Model (SSE-CMM) and the INFOSEC Assurance Capability Maturity Model (IA-CMM) and is modified to address the information security assurance processes.
Whereas ISATRP methodology training focuses on an individual's ability to conduct an Information Security assurance service, the ISA-CMM appraisal focuses on a provider organization's capability to support Information Security analysts in conducting their mission objectives (i.e., to provide quality Information Security Assurance or Evaluation). The ISA-CMM is used to measure two things: the maturity of the processes (specific functions) that produce products (e.g., identified vulnerabilities, countermeasures, and threats), and the level of compliance a process has with respect to an ISATRP methodology.
Capability maturity is a measurement of the level of assurance that an organization can perform a process consistently (i.e., produce a consistent product from the process). The ISA-CMM identifies nine process areas related to performing Information Security assurance services. For each of the nine process areas, the ISA-CMM defines six levels of process maturity, from Level "0" to Level "5". The higher the maturity level, the more likely the process will be performed consistently. From this consistency, quality can be implied but not guaranteed.
In CMM-based models, it is conceivable that a well-defined process that consistently produces a poor product can receive a fairly high maturity rating. The ISA-CMM counters this by focusing on the process areas as they relate to the ISATRP methodologies. The use of standardized ISATRP methodology products provides further assurance of quality (i.e., the right products are being produced).
At the conclusion of an ISA-CMM appraisal, the organization is assigned an ISA-CMM Ratings Profile. This is a list of nine numbers (one for each process area), each from "0" to "5". The organization also receives a check mark for each of the nine process areas that is compliant with an ISATRP methodology. For example, an organization might have an "identify impact" process area rating of "2" and a check for ISAM. This means that not only is the process area at capability maturity level "2", but it is also compliant with the ISAM (i.e., it has been proven that all ISAM-related products are produced). Each ISATRP methodology (e.g., ISAM) has its own compliance requirements; thus each methodology has a separate check box in the organization's rating.
When customers are deciding on an Information Security assurance provider organization, they can use the ISA-CMM rating profile, along with the experience of the provider's Information Security analysts, to determine what best meets their needs. The lower the process area maturity rating, the more the consumer should depend on the experience of the individual analyst.
In order to maintain a corporate ISA-CMM rating, the following guidelines must be met:
If the organization has received a rating of "1" in any Process Area, an appraisal must be completed within 18 months from the date of the current rating.
If the organization has received a rating of "2" in any Process Area, an appraisal must be completed within 30 months from the date of the current rating.
If the organization has received a rating of "3" or better across all Process Areas, an appraisal must be completed within 42 months from the date of the current rating.
Failure of the organization to maintain its rating as prescribed above will result in the corporate ISA-CMM rating profile being removed from the www.ISATRP.com website until such time that the organization is compliant. Furthermore, if there is no rating listed on the ISATRP site, the response to any request for data on the organization’s rating will be "NOT RATED".
Any change in the organizational structure (e.g., re-organization, merger, acquisition, or significant attrition, meaning greater than 10% or the loss of an SME) must be reported so that the Government ISATRP Program Manager (PM) can determine whether a new appraisal needs to be conducted.