Assessment of ISMS Based On Standard ISO/IEC 27001:2013 at DISKOMINFO Depok City

Nurbojatmiko, Information Systems, Faculty of Science and Technology, UIN Syarif Hidayatullah Jakarta, nurbojatmiko@uinjkt.ac.id
Aries Susanto, Information Systems, Faculty of Science and Technology, UIN Syarif Hidayatullah Jakarta, aries.susanto@uinjkt.ac.id
Euis Shobariah, Information Systems, Faculty of Science and Technology, UIN Syarif Hidayatullah Jakarta, euissh23@gmail.com

Abstract: This research was conducted at the Data and Information Division of the Department of Communications and Information Technology of Depok City (DISKOMINFO Depok City). The problem is that there are no frameworks or guidelines for information security; information security issues are still handled according to the requirements of the moment and the knowledge of individual employees. ISMS planning uses the PDCA (Plan-Do-Check-Act) method in accordance with the standard ISO 27001:2013. An assessment of the Information Security Management System (ISMS) is therefore necessary.

Keywords: ISO 27001:2013, Information Security Management System, ISMS, Assessment, Plan Do Check Act, PDCA

I. INTRODUCTION

Information security management is important for the Data and Information Division of the DISKOMINFO Depok City Government, because the division has the duty to organize activities in the field of communication and information technology that support the governance of Information and Communication Technology in Depok City. In addition, DISKOMINFO Depok City has the role of fulfilling the need for information as information technology develops, and of providing data processing services.

As a government agency with a role in data and information management, it should have good information security governance. In reality it has no guidelines for the information security process. This is caused by a lack of understanding of the risk of information loss and of information security controls. DISKOMINFO Depok City has never performed an audit of information technology governance that would assess the extent to which the organization is run for the benefit of society, particularly in the field of information technology.

The journal paper "An Approach to Map COBIT Processes to ISO/IEC 27001 Information Security Management Control" explores the role of information security within COBIT and describes an approach for mapping COBIT processes to ISO/IEC 27001 controls for information security management [5]. "Cost-Benefit Trade-Off Analysis of an ISMS based on 27001" proposes the use of combinatorial optimization; such optimization should weigh the benefit of a policy in terms of avoiding, mitigating or transferring risk up to some predetermined investment limit [6]. The paper "Information Security Management System Standards: A Comparative Study of the Big Five" briefly introduces various information security standards and then provides a comparative study of the major ones, namely ISO 27001, BS 7799, PCI DSS, ITIL and COBIT; it also gives a picture of the position and specialization of each standard, its adoption by countries and its usability level [7].

This research on the information security management system is a first step towards securing information: it identifies assets, describes the risks that occur and their impact, and controls information security risks. The control phase takes the form of selecting control objectives from the information security controls.

Data were collected through observation, questionnaires, literature study and interviews. The expected result of this research is a set of recommended security controls that can be used as guidelines and procedures for implementing information security, so as to improve information security.

II. STUDY LITERATURE

A. Information security
Information security means protecting information from threats in order to guarantee and ensure business continuity, minimize business risk and maximize or accelerate investment decisions and business opportunities [1].

B. Information Security Management System (ISMS)
ISO defines an ISMS as the part of the overall management system used to establish, implement, operate, monitor, review and improve information security. An ISMS is a process, built on a business-risk approach, that plans (plan), operates and implements (do), reviews and monitors (check), and improves and maintains or develops (act) the organization's information security [2].

C. ISO 27001
ISO 27001 provides guidelines for implementing an ISMS and for obtaining an international certificate from a third party, which proves that the security controls exist and operate in accordance with the requirements of the standard. ISO 27001 describes the ISMS as the overall management system, based on a business-risk approach, that aims to establish, implement, operate, monitor and maintain the ISMS [2]. ISO/IEC 27001:2013 consists of domain requirements and security controls. The security controls comprise 14 security control clauses, 35 control objectives and 114 controls [3]. The phases of an ISMS according to the requirements of ISO/IEC 27001 are [1]: Stage 1, determine the scope of the ISMS; Stage 2, determine the ISMS policy; Stage 3, determine the risk assessment method; Stage 4, identify risks; Stage 5, analyze and evaluate risks; Stage 6, identify and evaluate the selection of risk management; Stage 7, choose control objectives and information security controls.

D. Methodology PDCA (Plan – Do – Check – Act)
The process approach defined in ISO/IEC 27001 for building an ISMS adopts the PDCA cycle (Plan - Do - Check - Act). The PDCA model applied to ISMS processes is as follows. Plan: this phase is the planning and design of the ISMS. Do: the activity in this phase is the implementation and operation of the policy, controls, processes and procedures of the ISMS, referring to the plan stage. Check: this phase covers the activities of monitoring the implementation of the ISMS, including evaluation and audit. Act: this is the improvement, that is, the repair and development of the ISMS [1].

E. SSE-CMM
The System Security Engineering Capability Maturity Model (SSE-CMM) describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering. The model also highlights the relationship between security techniques and systems engineering [4]. The SSE-CMM capability levels are [4]: Level 1, Performed Informally; Level 2, Planned and Tracked; Level 3, Well Defined; Level 4, Quantitatively Controlled; Level 5, Continuously Improving.

III. ISMS ASSESSMENT AT DISKOMINFO DEPOK CITY

A. Phase PLAN
Determining the Scope of the ISMS; the ISMS processes and assessment activities focus on controlling information as an asset that must be protected to the maximum. The scope includes the database, application, hardware, environment and human resources.

Determining the ISMS Policy;
Things to consider in determining the ISMS policy are listed below. Table 1 describes the assets owned by DISKOMINFO Depok City: the "Dinas OPD Depok" Database Monitoring System and the Database Budget Transparency Information System.

Table 1 Example Identify Assets

No | Name Assets | Type | Explanation | Location
1 | "Dinas OPD Depok" Database Monitoring System | Information | The database contains the data of the Monitoring System application | DISKOMINFO Depok
2 | Database Budget Transparency Information System | Information | The database contains the data of the Budget Transparency Information System application | DISKOMINFO Depok

- The scope of the ISMS, with the characteristics of the business, the company organization, location, assets and technology of the company.
- The risk management methods used in the preparation and implementation of the ISMS should be aligned with the risk management methods used by the company.
- The ISMS policy document should be approved by the head of the company.

Identifying Assets and Asset Appraisal; the first step in identifying risk is to identify the existing assets in the Data and Information field of DISKOMINFO Depok that are associated with information.

B. Phase DO
Identifying Assets and Asset Appraisal;

Table 2 Value of Assets

Name Assets | Value Confidentiality (VC) | Value Integrity (VI) | Value Availability (VA) | Value Information Assets
Database Monitoring System | 3 | 4 | 4 | 11

The first step in identifying risk is to identify the existing assets in the Department of DISKOMINFO Depok City.

Identifying Threats and Weaknesses, Calculating the Threat Value; next, the weaknesses and threats to the assets of the Department of DISKOMINFO Depok City are identified. Based on ISO 27001, the inputs for the identification of weaknesses and threats are the first assessment report and the results of the audit.

Table 3 Example Identifying and Assessing Threats and Weaknesses

Threats
No | Incident | Type | Probability | Average Probability
1 | Hardware Failure | Vulnerable | Medium | 0.5
2 | Surrounding environment | Threat | Medium | 0.4
Number of Events: 2 | Average Number Prob.: 0.9
Value threat = Average Number Prob. / Total Events = 0.45

Analyzing Business Impact; business impact analysis determines how much influence or impact the risks posed by weaknesses and threats have on the course of business processes within the organization.

Table 4 Example of Value Business Impact

No | Name Assets | Value Assets | Threat Value | BIA | Risk Value | Risk Level
1 | Database Monitoring System | 11 | 0.35 | 29.70 | 114.34 | High Risk
2 | Database Budget Transparency Information System | 11 | 0.35 | 29.70 | 114.34 | High Risk

Assessing the Risk; after the authors' calculation of the business impact values for Data and Information DISKOMINFO Depok, the next stage is the risk assessment that the authors conducted on the Data and Information field of DISKOMINFO Depok. This phase aims to determine which risks the Data and Information field of DISKOMINFO Depok can accept directly and which still need risk management, based on the risk acceptance criteria.

Table 5 Examples of Value Risk

No | Name Assets | Value Information (BIA) | Threat Probability (Security Incident) | Business Impact
1 | Database Monitoring System | 99 | 0.3 | 29.70
2 | Database Budget Transparency Information System | 99 | 0.3 | 29.70

C. Phase Check
Choosing Control Objectives and Information Security Controls; having measured the magnitude of the risk to the security of the information assets of Data and Information DISKOMINFO Depok, an action or control is taken that can reduce the risk. The selection of controls and control objectives in this study is based on the control objectives and controls of ISO 27001:2013, adjusted to the results of the risk assessment of the information security assets of Data and Information DISKOMINFO Depok.

Table 6 Mapping Clause ISO 27001:2013

Material | Clause
Human Resources Security | 7
Asset Management | 8
Access Control | 9
Physical and Environmental Security | 11
Operations Security | 12
Information Security Incident Management | 16

Determination of Value Level Using SSE-CMM Maturity; the determination of the maturity level describes the extent to which the Data and Information field of DISKOMINFO Depok is able to meet the standards for information security management processes properly. The maturity level assessment is performed on each control in accordance with the results of the audits conducted. In this study, a list of statements was made on the basis of each control objective and selected control to be applied in the Data and Information field of DISKOMINFO Depok. This list of statements was made and customized based on the standard ISO 27002:2013.

An example of the value calculation framework for the maturity level can be seen in Table 7, an example of the calculation results can be seen in Table 8, and a sample representation of the results in a radar diagram is shown in Figure 1.

Table 7 Example Calculation Framework Maturity Level: 8.1.2 Asset Ownership

No | Statement | Value (grade 1 to 5)
1 | Ownership of assets must be assigned when the assets are obtained or received by the organization | 3
2 | Assets are defined and reviewed periodically according to the access control policies that apply. | 2
3 | Assets are handled properly when they are removed. | 2
Total Grade: 3 | Level of proficiency: 2.33

Table 8 Example Results Maturity Level Clause 8

Clause | Objective Control | Security Control | Ability Level | Average / Objective Control
8. Asset Management | 8.1 Responsibility for Assets | 8.1.1 Assets Inventory | 2.00 | 2.16
8. Asset Management | 8.1 Responsibility for Assets | 8.1.2 Assets Ownership | 2.33 | 2.16
8. Asset Management | 8.2 Information Classification | 8.2.1 Information Classification | 1.00 | 1.00
Maturity Level Clause 8 | | | | 1.58

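As an added example (not code from the paper), the following Python reproduces the arithmetic behind Tables 2 to 5 and 7 to 8: asset value as VC + VI + VA, threat value as the average event probability, business impact, risk value, and the SSE-CMM maturity aggregation from statement grades up to clause level. The risk-level thresholds and the per-statement grades for controls 8.1.1 and 8.2.1 are assumptions, since the paper only reports the resulting values.

```python
# Added example, not from the paper: the arithmetic behind Tables 2-5 and 7-8.
from statistics import mean

SSE_CMM_LEVELS = {1: "Performed Informally", 2: "Planned and Tracked",
                  3: "Well Defined", 4: "Quantitatively Controlled",
                  5: "Continuously Improving"}

# Constructed sample for clause 8 (Table 8); the 8.1.1 and 8.2.1 grades are
# assumed, the paper only reports their resulting levels 2.00 and 1.00.
CLAUSE_8 = {"8.1": {"8.1.1": [2, 2, 2], "8.1.2": [3, 2, 2]},
            "8.2": {"8.2.1": [1, 1, 1]}}

def asset_value(vc, vi, va):
    """Table 2: value of the information asset = VC + VI + VA (3 + 4 + 4 = 11)."""
    return vc + vi + va

def threat_value(event_probabilities):
    """Table 3: value threat = sum of event probabilities / total events."""
    return sum(event_probabilities) / len(event_probabilities)

def business_impact(information_value, threat_probability):
    """Table 5: business impact = value of information (BIA) x threat probability."""
    return information_value * threat_probability

def risk_value(asset_val, threat_val, impact):
    """Table 4: risk value = asset value x threat value x business impact."""
    return asset_val * threat_val * impact

def risk_level(risk, high=100.0, medium=50.0):
    """Three-level scale from the conclusion; the thresholds are an assumption."""
    if risk >= high:
        return "High Risk"
    return "Medium Risk" if risk >= medium else "Low Risk"

def control_level(statement_grades):
    """Table 7: level of proficiency = mean of the statement grades (1-5)."""
    return mean(statement_grades)

def clause_maturity(clause):
    """Table 8: objective level = mean of its control levels; clause level =
    mean of its objective levels. `clause` maps objective -> {control: grades}."""
    objectives = {obj: mean(control_level(g) for g in ctrls.values())
                  for obj, ctrls in clause.items()}
    return mean(list(objectives.values())), objectives

def sse_cmm_label(level):
    """Name of the SSE-CMM level that a fractional maturity score has reached."""
    return SSE_CMM_LEVELS[max(1, min(5, int(level)))]
```

The paper truncates rather than rounds (2.3333 is reported as 2.33 and 1.5833 as 1.58), so compare the returned floats with a tolerance.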
D. Phase Act
1. Recommendation
After conducting an objective assessment of the maturity level of the control objectives and security controls of the Department of DISKOMINFO Depok City, subsequent recommendations are used as suggestions for improving the security controls. The recommendations are derived from the observations, interviews and questionnaires conducted by the authors.

After the entire assessment is completed, the maturity level values obtained are averaged per clause; the following is the resulting maturity level as the overall average value of each clause.

Figure 1 Representation of Maturity Level Results for All Clauses

In Figure 1, all clauses of ISO 27001:2013 (8 Asset Management, 9 Access Control, 11 Physical and Environmental Security, 12 Operational Security, 16 Information Security Incident Management) are represented by a maturity level from 1 to 5.

Preparation of Findings

Table 9 Results Maturity Level All Clauses

Clause | Maturity Level
7 HRM Performance | 1.25
8 Assets Management | 1.58
9 Access Control | 1.53
11 Physical and Environmental Security | 1.30
12 Operational Security | 1.26
16 Information Security Incident Management | 1.20

After the analysis and evaluation of the security of information systems in the Department of DISKOMINFO Depok City, there are still many that do not follow the information security standards.

Formulation of Recommendations
Based on the findings of the analysis and evaluation of the security of information systems, recommendations were then compiled for improving the conditions in the Data and Information field of DISKOMINFO Depok that are not in accordance with the procedure. Some of the recommendations are:
1. Provide training and education programs to all employees in the Data and Information field.
2. Assets related to information and information processing facilities in the Data and Information field must be identified and inventoried correctly, and information assets must be properly maintained. The asset inventory must be accurate, up to date and consistent.
3. The Data and Information field of DISKOMINFO Depok should make rules on access control.
4. Secure areas must be protected by appropriate physical entry controls to ensure that only authorized personnel are allowed to enter.
5. The Data and Information field of DISKOMINFO Depok should establish policies prohibiting the use of unauthorized software.

IV. CONCLUSION

1. The level of security risk was identified in this research by looking at the risk level matrix; the identification is divided into three levels, high risk, medium risk and low risk, for example the mail servers and the Information System for Budget Transparency (SITRA) (high risk), the desktop and the Depok Transport Direction application (medium risk), and the printer and scanner (low risk).
2. Control of information security risks is performed in the Data and Information field of DISKOMINFO Depok City through the selection of control objectives and information security controls.
3. The planning of the Information Security Management System (ISMS) uses the standard ISO 27001:2013, and the assessment of the maturity level uses the System Security Engineering Capability Maturity Model (SSE-CMM). Future studies could use another maturity model for comparison, such as the Capability Maturity Model Integration (CMMI).

REFERENCES

[1] R. Sarno and I. Iffano, Sistem Manajemen Keamanan Informasi Berbasis ISO 27001. Surabaya: ITS Press, 2009.
[2] S. T. Arnason and K. D. Willett, How to Achieve 27001 Certification: An Example of Applied Compliance Management, vol. 28. 2007.
[3] ISO, "International Standard ISO/IEC 27001 Information Technology - Security Techniques - Information Security Management Systems - Requirements," Iec, vol. 27001, no. 27001, 2013.
[4] CMU, "System Security Engineering Capability Maturity Model (SSE-CMM)," Proc. 19th Int. Conf. Softw. Eng. ICSE 97, vol. 35, pp. 566–567, 2003.
[5] Razieh Sheikhpour and Nasser Modiri, "An Approach to Map COBIT Processes to ISO/IEC 27001 Information Security Management Control", International Journal of Security and Its Applications, vol. 6, no. 2, April 2012.
[6] Wolfgang Boehmer, "Cost-Benefit Trade-Off Analysis of an ISMS based on 27001", International Conference on Availability, Reliability and Security, January 2009.
[7] Heru Susanto, Mohammad Nabil Almunawar and Yong Chee Tuan, "Information Security Management System Standards: A Comparative Study of the Big Five", International Journal of Electrical & Computer Sciences IJECS-IJENS, vol. 11, no. 05.