Analysis of Risk Management Information System Applications Using ISO/IEC 27001:2022

  • Kanka Wiemas N. G., Bina Nusantara University, Information System Management Department, BINUS Graduate Program, Master of Information Systems Management, Jakarta, Indonesia.
  • Jarot S. Suroso, Bina Nusantara University, Information System Management Department, BINUS Graduate Program, Master of Information Systems Management, Jakarta, Indonesia.
Keywords: Information System, Information System Security, Risk, Risk Management, ISO/IEC 27001:2022

Abstract

The rapid development of information technology makes it easier for anyone to obtain, process, and disseminate information through information systems. Information system security is therefore an important aspect of maintaining the confidentiality of information. One way to maintain the security of information systems is to conduct risk management, whose goal is to control and lessen the likelihood of risks that could jeopardize information system security. This research carries out a risk management process in one of the government agencies in Indonesia, with mitigation controls that refer to ISO/IEC 27001:2022. Data collection in this study was carried out by means of observation, interviews, and Forum Group Discussion (FGD). The study identified 15 risks, 50 risk threats, and 15 impacts caused by those risks. Of the identified risks, 42% fall into the moderate impact category.


Published
2024-03-16