OSSTMM is a methodology for testing and measuring operational information security.
The OSSTMM is developed by the Institute for Security and Open Methodologies (ISECOM), whose co-director is Pete Herzog. Pete's mission as creator and writer of the OSSTMM, as I understand it, is to bring a more scientific approach to infosec.
In a security test (or penetration test) you don't want to evaluate the ingenuity of the tester (the whitehat hacker) but rather the security of your information technology infrastructure. You don't want to deal with biased terms like "risk" but rather measure factual operational security.
Risk is not something to measure but something you decide for yourself; it's biased. A tester should not give me a biased view but rather a reproducible and comprehensive view of factual operational security.
I have a set of systems that run services x, y and z; some of those services may have vulnerabilities, and I may or may not have security controls in place. The controls themselves may have limitations (weaknesses or concerns) that reduce their effect. OSSTMM v3 takes all of these aspects into account.
Whether or not the remaining risk is acceptable for my own business is not something that a penetration tester or consultant could decide for me.
I have not yet read the whole manual in the current version, but there are certainly many points that need further discussion or clarification.
But one thing is sure: OSSTMM version 3 is the best, most complete, least biased security testing methodology we have today, and since the ISO apparently is considering the OSSTMM for a new ISO standard, this methodology will most probably be here to stay and evolve.