From The Secure Arc Wiki


The following summary in italics is referenced from the ISECOM (Institute for Security and Open Methodologies) website (reproduced in accordance with the Copyleft and Open Methodology License):

The Institute for Security and Open Methodologies (ISECOM) has been an open-source collaborative community since January 2001, with non-profit status in the USA and Spain. They are dedicated to providing practical security awareness, research, certification and business integrity. ISECOM provides certification, training support, and project support services for non-partisan and vendor-neutral funding of our projects and infrastructure, and to assure you that their training programs, standards, and best practices are truly neutral of national or commercial influence.

OSSTMM (Open Source Security Testing Methodology Manual) is a peer-reviewed methodology for performing security tests and metrics.

Each requirement of the testing standard can be mapped back to the Security Principles that drive them.

The OSSTMM test cases are divided into five channels (sections) which collectively test:

  • information and data controls
  • personnel security awareness levels
  • fraud and social engineering control levels
  • computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes
  • physical locations such as buildings, perimeters, and military bases

There is a set of metrics used by OSSTMM, referred to as Risk Assessment Values (RAVs). Security metrics form a cornerstone of Information Security Management, in measuring, testing and comparing numbers relating to risk or loss.

Standard Practice

In order to use OSSTMM, one must contact a certified OSSTMM provider. Providers can be found here.

Use of the RAVs is open to all, both privately and commercially. Access can be found here.


It is possible to become certified to perform OSSTMM testing. See the following link for details.
