Optimizing IT Risk Management through PDCA-Based Continuous Improvement Stages
DOI: https://doi.org/10.62146/ijecbe.v3i4.128
Keywords: Risk Management, Continuous Improvement, PDCA, Hybrid Framework
Abstract
In the face of the evolving dynamics of cyber threats, traditional approaches to information technology (IT) risk management are often inadequate because they are insufficiently responsive to change. This research aims to optimize IT risk management through Plan-Do-Check-Act (PDCA) based continuous improvement stages within a hybrid framework built on ISO 27005, NIST SP 800-30, NIST SP 800-39, ISO 27002, and COBIT 2019. The research method comprises designing a six-stage framework in which continuous improvement is a key element, followed by implementation testing at XYZ Institution and validation through expert judgment. Results show that systematically applying PDCA to high-risk assets improves control effectiveness, supports system resilience, and promotes more adaptive governance. Integrating PDCA into the risk management framework proved effective in optimizing IT risk management, especially for non-profit organizations that require a strategic and sustainable approach.
Copyright (c) 2025 International Journal of Electrical, Computer, and Biomedical Engineering

This work is licensed under a Creative Commons Attribution 4.0 International License.