Risk Assessment at IT Company by Focusing on Information Security Area Using ISO 27001:2022

  • Athallariq Rafii Nugroho Master of Information System Management, Bina Nusantara University, Jakarta, Indonesia
  • Nilo Legowo Master of Information System Management, Bina Nusantara University, Jakarta, Indonesia
Keywords: Risk, Risk Assessment, Information Security, Risk Management, ISO 27001

Abstract

Modern technology companies should prioritize information security by focusing on system vulnerabilities and adopting a risk management approach based on the ISO/IEC 27001:2022 standard. The method is implemented through several stages of risk assessment in order to establish and measure how effectively the organization addresses information security issues. The assessment involves three stages, identifying, analyzing and evaluating risks, and maps each risk to the controls specified in ISO/IEC 27001:2022 (Annex A). The implementation shows that 86.87% of the company's IT risk findings are low risk, 6.06% are medium risk and 7.07% are high risk. Because most findings are low, the IT software company can be considered to be in the safe category, although the medium- and high-risk findings still have to go through the standard's risk treatment process. In practice, regular monitoring of the implementation of the risk assessment in line with ISO/IEC 27001:2022 remains very much needed.
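The three-stage assessment the abstract describes (identify, analyse, evaluate, then map to Annex A controls and summarise the split of low, medium and high findings) can be expressed as a small risk register. The block below is an added example and is not code from the paper or its authors: the 5x5 likelihood-by-impact matrix, the thresholds that turn a score into a level, and the sample register are all assumptions; only the Annex A control identifiers are real ISO/IEC 27001:2022 controls. It also carries an arithmetic check on the reported split, since 86.87%, 6.06% and 7.07% are only reachable as 86, 6 and 7 findings out of 99.

```python
"""Three-stage risk assessment (identify, analyse, evaluate) mapped to
ISO/IEC 27001:2022 Annex A controls, plus the risk-level distribution the
abstract reports. Illustrative only: the 5x5 matrix, the level thresholds
and the sample register are assumptions, not taken from the paper."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int       # 1 (negligible) .. 5 (severe); assumed scale
    controls: tuple   # ISO/IEC 27001:2022 Annex A control identifiers


def risk_score(likelihood: int, impact: int) -> int:
    """Analyse: score = likelihood x impact on a 5x5 matrix (assumed)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers in 1..5")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Evaluate: bands are an assumption (low <= 6, medium 7..12, high >= 15)."""
    if score <= 6:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def evaluate(register):
    """Return (risk, score, level) for every entry, highest score first,
    so a treatment plan starts with what needs attention most."""
    rows = [(r, risk_score(r.likelihood, r.impact)) for r in register]
    rows.sort(key=lambda t: t[1], reverse=True)
    return [(r, s, risk_level(s)) for r, s in rows]


def distribution(register) -> dict:
    """Percentage of findings per level, rounded to two decimals as in the abstract."""
    counts = Counter(level for _, _, level in evaluate(register))
    total = len(register)
    return {lvl: round(100.0 * counts[lvl] / total, 2) for lvl in ("low", "medium", "high")}


def infer_total(percentages, max_n: int = 10_000):
    """Consistency check for a reported split: the smallest number of findings N
    such that every percentage equals round(100*k/N, 2) for an integer k and the
    k values sum to N. Returns (N, [k1, k2, ...]) or None if no N fits."""
    for n in range(1, max_n + 1):
        ks = []
        for p in percentages:
            k = round(p * n / 100)
            if abs(round(100.0 * k / n, 2) - p) > 1e-9:
                break
            ks.append(k)
        else:
            if sum(ks) == n:
                return n, ks
    return None


# Constructed sample register for an IT software company (not the paper's data).
SAMPLE_REGISTER = (
    Risk("customer database", "SQL injection through the web front end", 3, 5, ("A.8.26", "A.8.28")),
    Risk("source repository", "credentials committed to source control", 2, 4, ("A.5.17", "A.8.4")),
    Risk("developer laptops", "malware infection", 2, 3, ("A.8.7",)),
    Risk("backup storage", "ransomware encrypts the backups", 1, 5, ("A.8.13",)),
    Risk("office network", "unauthorised device joins the LAN", 2, 2, ("A.8.20",)),
    Risk("CI build agents", "known vulnerabilities left unpatched", 4, 3, ("A.8.8",)),
    Risk("e-mail", "phishing of staff", 4, 4, ("A.6.3", "A.8.23")),
    Risk("cloud object storage", "bucket left publicly readable", 2, 3, ("A.5.23", "A.8.9")),
)

# The split reported in the abstract; infer_total() shows it implies 99 findings.
PAPER_SPLIT = (86.87, 6.06, 7.07)


if __name__ == "__main__":
    for risk, score, level in evaluate(SAMPLE_REGISTER):
        print(f"{level:6} {score:2}  {risk.asset}: {risk.threat} -> {', '.join(risk.controls)}")
    print(distribution(SAMPLE_REGISTER))
    print(infer_total(PAPER_SPLIT))
```

Running the script lists the sample register highest score first, prints the percentage split for each level, and prints `(99, [86, 6, 7])` for the abstract's figures. The same check is worth running on any reported risk distribution: if no plausible total reproduces the percentages, the rounding or the counting behind them needs a second look.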


Published
2024-02-27