Information Security Management System Assessment Model by Integrating ISO 27002 and 27004

Authors

  • Khafidh Sunny Al Fajri Universitas Indonesia
  • Ruki Harwahyu Universitas Indonesia

DOI:

https://doi.org/10.57152/malcom.v4i2.1245

Keywords:

Assessment Model, Information Security Management System, ISO 27001, ISO 27002, ISO 27004

Abstract

The rapid development of information and communication technology has also led to a significant increase in cybercrime. According to the Annual Cybersecurity Monitoring Report of the National Cyber and Cryptography Agency, Indonesia recorded 495 million traffic anomalies or attempted attacks in 2020, rising to 1.6 billion in 2021. Implementing the ISO 27001 standard for an information security management system (ISMS) can help mitigate such attack attempts. However, because organizations differ in resources and commitment, they reach different levels of ISMS maturity, so an ISMS assessment model is needed. This is all the more important given cyber incidents such as data breaches at organizations that have implemented, or are certified against, ISO 27001. This research proposes a concept for an ISMS assessment model that integrates ISO 27002 and ISO 27004, applied to a case study (Directorate XYZ): the guidance function of ISO 27002 is transformed into assessment parameters, and ISO 27004 is used to measure performance. Using this model, the case study's ISMS scored 53.925, which is still below the established standard of 80.


Published

2024-02-24