The assessment of information security management process capability using ISO/IEC 33072:2016 (Case study in Statistics Indonesia)

Abstract

The objective of information security is assuring the organization's goals instead of preserving information's confidentiality, integrity and availability. An information security management should be integrated with the overall organization's processes. Statistics Indonesia is a government agency which is accountable for providing official statistical data. The information derived from the data then is used as the basis for taking any national public policies. As a matter of fact, this organization has not implemented an information security management. The arising problems then are how well it performs its business process in the context of information security and how to formulate the information security improvement. This study aims to perform the capability assessment of information security management that reflect the requirements of standard ISO/IEC 27001:2013, the most adopted benchmark for information security management systems. We adopt the process of assessment model of standard ISO/IEC 33072:2016, which is published in July 2016. The process of reference model in this new standard consists of 26 domain processes, 6 capability levels and 9 process attributes (PA). Finally, we designed steps performing the assessment and proposed an improvement roadmap since the preliminary assessment results remain at level 0 and 1.