In mid-2019 I received a call from the commercial manager of a company dedicated to selling FMCG products. The call was prompted by a security incident: they had suffered a data breach that triggered alerts regarding their security posture. This executive's intention was to hire the Ethical Hacking services offered by Gudix Security Consulting.


We got straight to work with preliminary discussions, but after talking with members of the management team we identified that the company had additional concerns, among which were:

How can we promote a culture where everyone in the company is responsible for information security, and how can we show customers that we are protecting their data? At the moment we do not have funds available to make large investments.

Given this background, an Ethical Hacking engagement would not answer those questions or fit their financial situation. So I suggested that they adopt a maturity model, which would allow them to improve their security posture gradually and then consider an Ethical Hacking type of security test.

What is ISM3?

ISM3 is a five-level maturity model for security that facilitates improvement and alignment between business and security management needs for organizations of all types and sizes.

It was created by a consortium formed in March 2007 by the companies ESTEC Systems (Canada), First Legion Consulting and Valiant Technologies (India), Seltika (Colombia), Global 4 Ingeniería (Spain) and M3 Security (United States), with the aim of bringing the principles of quality management, such as ISO 9001 or Six Sigma, to information security management systems.

We know that reaching a given level of cybersecurity maturity takes some organizations a long time. ISM3 fits this scenario well, giving the organization the opportunity to develop short-, medium- and long-term plans that are measurable, adaptable and fully integrated with the business, allowing it to reach the expected optimal level of security gradually.



It is made up of four types of processes: generic, strategic, tactical and operational.

Well, the client agreed to go through the ISM3 adoption process. In the next installments I will talk more about ISM3 and tell you how the Ethical Hacking went, which, due to ethics and conflict-of-interest concerns, I left in the hands of another consultant.

For more information about ISM3, please visit their website.


Do you have any advice? If so, feel free to let us know below in the comments.

