Design and Analysis of Information Security Risk Management Based on ISO 27005: Case Study on Audit Management System (AMS) XYZ Internal Audit Department

Authors

  • Diar Eka Risqi Hidayatullah Universitas Indonesia
  • Raisiffah Kunthi Universitas Indonesia
  • Ruki Harwahyu Universitas Indonesia

DOI:

https://doi.org/10.62146/ijecbe.v2i3.81

Keywords:

Audit Management System, Risk Assessment, Information Security Risk, ISO 27005

Abstract

Information security is an important aspect and supported by a report issued by the Internal Audit Foundation entitled Risk in Focus 2024 Global Summary. Biggest risk that will be faced in 2024 is Cybersecurity and Data Security with a score of 73% for the global average. Based on a report issued by International Business Machine (IBM) entitled Cost of a Data Breach Report 2023, takes an average of 204 days to find out about a data leak by an affected agency or organization, and takes 73 days to overcome the data leak. To realize this digitalization, an Audit Management System (AMS) system was implemented which can accommodate the audit process starting from the Planning, Execution and Reporting stages as well as follow-up process for recommendations process. Using AMS is not without risks, access to AMS can be done without a Virtual Private Network (VPN). In this research, a risk assessment was carried out based on the ISO/IEC 27005:2022 standard by proposing a method for calculating consequences based on the classification of data in the system and a method for calculating possibilities based on business processes that have an impact on system vulnerabilities and risks that need to be mitigated. ISO/IEC 27002:2022 will be used to anticipate risks. Results of the risk examination revealed that there were 24 risks with 1 very high-level risk, 3 high level risks, 8 medium level risks, 11 low level risks, and 1 very low-level risk in the XYZ internal audit department.

Author Biographies

Diar Eka Risqi Hidayatullah, Universitas Indonesia

Department of Electrical Engineering, Faculty of Engineering, Universitas Indonesia, Depok, Indonesia

Raisiffah Kunthi, Universitas Indonesia

Fakultas Ilmu Komputer, Universitas Indonesia, Depok, Indonesia

Ruki Harwahyu, Universitas Indonesia

Department of Electrical Engineering, Faculty of Engineering, Universitas Indonesia, Depok, Indonesia

References

Internal Audit Foundation. Global Summary- 2024 Risk In Focus Survey Result. 2023.

Undang-Undang Republik Indonesia Nomor 27 Tahun 2022 Tentang Perlindungan Data Pribadi. Republik Indonesia, 2022.

Yulandi. Pengembangan Disain Mitigasi Risiko Pada Otoritas Sertifikat Digital Pengadaan Barang/Jasa Secara Elektronik (OSD PSE) Berbasis COBIT 5 For Risk dan NIST SP 800-30 Revisi 1: Studi Kasus Balai Sertifikasi Elektronik. 2019.

National Institute of Standards and Technology (NIST). NIST SP 800-30 Guide for Conducting Risk Assessments. Tech. rep. Gaithersburg, MD: National Institute of Standards and Technology, 2012. DOI: 10.6028/NIST.SP.800-30r1.

N. M. T. Nugraheni. Analisis Penerapan Risk Based Audit dan Penyusunan Program Pemeriksaan Pada Kementerian Desa, Pembangunan Daerah Tertinggal dan Transmigrasi. 2020.

Sudarmono. Perancangan Risk Based Internal Audit Plan Pada Divisi Internal Audit (Studi Kasus PT.XY). 2021.

International Organization for Standardization (ISO) and International Electronical Commision (IEC). ISO/IEC 31000:2018 Risk management- Guidelines. 2018.

I. Baehaki. Desain Kerangka Kerja Manajemen Risiko Keamanan Informasi Berdasarkan Integrasi ISO/IEC 27005:2018, NIST SP 800-39, Octave Allegro dan COBIT 2019: Studi Penerapan Awal di Pusat Pendidikan dan Pelatihan Badan XYZ. 2020.

M. L. Ismail. Penilaian Risiko Keamanan Informasi Menggunakan ISO/IEC 27005 Studi Kasus: Sistem Informasi Kepegawaian XYZ. 2022.

F.A.Shaikhand and M.Siponen. “Information security risk assessments following cybersecurity breaches : The mediating role of top management attention to cybersecurity”. In: Computers Security 124 (2023), p. 102974. DOI: https://doi.org/10.1016/j.cose.2022.102974.

International Organization for Standardization (ISO) and International Electronical Commision (IEC). ISO/IEC 27005:2022 Information Security, Cybersecurity and Privacy Protection — Guidance on Managing Information Security Risks. 2018.

M. Al Fikri et al. “Risk assessment using NIST SP 800-30 revision 1 and ISO 27005 combination technique in profit-based organization: Case study of ZZZ information system application in ABC agency”. In: Procedia Computer Science. Elsevier B.V., 2019, pp. 1206–1215. DOI: 10.1016/j.procs. 2019.11.234.

F. A. Putra, A. R. Pradana, and H. Setiawan. “Design of Information Security Risk Management Using ISO/IEC 27005 and NIST SP 800-30 Revision 1: A Case Study at Communication Data Applications of XYZ Institute”. In: International Conference on Information Technology Systems and Innovation (ICITSI). 2017.

National Institute of Standards and Technology (NIST). Guide for Conducting Risk Assessments. Tech. rep. Gaithersburg, MD: National Institute of Standards and Technology, 2012. DOI: 10. 6028/NIST.SP.800-30r1.

International Organization for Standardization (ISO) and International Electronical Commision (IEC). ISO/IEC 27002:2022 Information Security, Cybersecurity and Privacy Protection — Information Security Controls. 2022.

M.Fitrah and Luthfiyah. Metode Penelitian, Penelitian Kualitatif, Tindakan Kelas dan Studi Kasus. CV Jejak Publisher, 2017.

J. Recker. Scientific Research in Information Systems Second Edition [Online]. Available: http://www.springer.com/series/10440. 2021

Published

2024-09-30

How to Cite

Hidayatullah, D. E. R., Kunthi, R., & Harwahyu, R. (2024). Design and Analysis of Information Security Risk Management Based on ISO 27005: Case Study on Audit Management System (AMS) XYZ Internal Audit Department. International Journal of Electrical, Computer, and Biomedical Engineering, 2(3), 395–413. https://doi.org/10.62146/ijecbe.v2i3.81

Issue

Section

Computer Engineering