Implementation of ISO/IEC 27001:2013 for Information Security Management System at Information System Unit of PT. KAI Divre III Palembang

Authors

  • Irvan Ramadhan Universitas Bina Darma
  • Nyimas Sopiah Universitas Bina Darma

DOI:

https://doi.org/10.53697/jkomitek.v6i1.3749

Keywords:

Information Security, ISO 27001, PDCA Cycle, Risk Assessment, SMKI

Abstract

The background of this research is the vulnerability of the Information System Unit of PT KAI Divre III Palembang to cyber threats such as malware, passwords saved in browsers, and weak physical asset management, amid a high dependence on IT for transportation operations. The purpose of the research is to analyze the condition of the ISO/IEC 27001:2013-based ISMS, identify gaps, and recommend controls through the PDCA cycle. The research is a qualitative descriptive study with a case study approach. The population is all unit personnel (15 people), from which a sample of 10 key informants was drawn by purposive sampling. The instruments are semi-structured interviews, checklist observations, and document analysis; the analysis technique is the Miles and Huberman model combined with a gap and risk matrix. The results show that the implementation of PDCA is effective: high risks (malware, fire extinguishers) and medium risks were reduced to low through antivirus, device locking, inventory updates, and corrections following a time synchronization audit. The conclusion is that the ISMS has been structured and has increased operational resilience, although further quantitative evaluation is needed.

References

Alreemy, Z., Chang, V., Walters, R., & Wills, G. (2022). Critical success factors of information security management and their impact on information security effectiveness and maturity: A fuzzy TISM approach. Journal of Information Security and Applications, 61, Article 103287. https://doi.org/10.1016/j.jisa.2021.103287

Calder, A., & Watkins, S. (2015). IT governance: An international guide to data security and ISO27001/ISO27002 (6th ed.). Kogan Page.

Creswell, J. W., & Poth, C. N. (2022). Qualitative inquiry and research design: Choosing among five approaches (5th ed.). SAGE Publications.

Damanik, R., Zaki, A., & Fiddarain, M. (2023). Implementation of ISO 27001:2013 in securing information systems at the ANNUR PRIMA Islamic Education Foundation. Information Security Journal, 8(2), 101–110.

Deming, W. E. (1986). Out of the crisis. MIT Press.

Emzir. (2021). Qualitative research methodology: Qualitative data analysis. Student Library.

Fernandez, E. B., Monge, R., & Hashizume, K. (2024). Building a security reference architecture for cloud systems. Requirements Engineering, 29(1), 1–25. https://doi.org/10.1007/s00766-023-00415-2

Goel, S., & Shawky, H. A. (2021). Cybersecurity for transportation systems. Journal of Transportation Security, 14(3-4), 145–167. https://doi.org/10.1007/s12198-021-00234-5

Goetsch, D. L., & Davis, S. B. (2016). Quality management for organizational excellence: Introduction to total quality (8th ed.). Pearson.

Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. BSI Publishing.

Intan Mafiana, A., Hanum, L., Ilmi, H. M., & Febriliani, S. (2023). Implementation of ISO 27001-based information security management in academic information systems. Journal of Digital Business and Innovation Management, 2(2), 139–163.

ISO/IEC. (2013). ISO/IEC 27001:2013. Information technology — Security techniques — Information security management systems — Requirements. International Organization for Standardization.

ISO/IEC. (2022). ISO/IEC 27001:2022. Information security, cybersecurity and privacy protection — Information security management systems — Requirements. International Organization for Standardization.

Kalaimannan, E., Nguyen, H., & Periga, M. (2021). Password management practices and perceptions. Computers & Security, 105, Article 102241. https://doi.org/10.1016/j.cose.2021.102241

Mesquida, A.-L., Mas, A., & O'Connor, R. V. (2021). Integrating cybersecurity in software engineering processes. Journal of Software: Evolution and Process, 33(5), e2325. https://doi.org/10.1002/smr.2325

Nugroho, E., Pratama, R., & Sari, D. P. (2023). Risk assessment in information security management systems: A case study in Indonesian state-owned enterprises. Journal of Information Technology, 17(1), 20–35.

Peltier, T. R. (2016). Information security policies, procedures, and standards: Guidelines for effective information security management. CRC Press.

Pratama, R., & Nugroho, E. (2018). Evaluation of the level of compliance of information security management systems using ISO/IEC 27001:2013. Journal of Information Technology, 12(1), 45–54.

Rahman, F., & Putra, A. (2017). Designing an information security management system using ISO/IEC 27001:2013. Journal of Computer Science and Information Security, 9(2), 60–68.

Riana, N., Sulistyawati, E., & Putra, A. (2023). Analysis of maturity level and PDCA (plan-do-check-act) in the implementation of information security management system audit at PT Indonesia Game using the ISO 27001:2013 method. Journal of Information Systems and Security, 11(1), 55–64.

Ritzkal, Goeritno, A., & Hendrawan, A. H. (2019). Implementation of ISO/IEC 27001:2013 for information security management systems (ISMS) at the Faculty of Engineering, UIKA-BOGOR. Information Systems Journal, 15(2), 85–95.

Sari, D. P., Winarno, W. W., & Hidayat, R. (2020). Analysis of the implementation of an ISO/IEC 27001:2013-based information security management system in academic information systems. Informatics Journal, 14(3), 210–220.

Siponen, M., Vance, A., & Willison, R. (2022). New insights into theorizing information security behavior. MIS Quarterly, 46(1), 1–28. https://doi.org/10.25300/MISQ/2022/16200

Stallings, W. (2017). Effective cybersecurity: A guide to using best practices and standards. Pearson.

Sudaryono. (2022). Educational research methodology. Rineka Cipta.

Sugiyono. (2021). Quantitative, qualitative, and R&D research methods. Alfabeta.

Susanto, H., & Almunawar, M. N. (2021). Information security management systems: A novel framework and software as a tool for compliance with information security standards. Journal of King Saud University - Computer and Information Sciences, 33(7), 819–831. https://doi.org/10.1016/j.jksuci.2019.04.006

Utami, N., & Kurniawan, Y. (2021). Analysis of the level of readiness for implementing ISO/IEC 27001:2013 in educational organizations. Journal of Informatics Management, 16(1), 33–42.

Whitman, M. E., & Mattord, H. J. (2018). Principles of information security (6th ed.). Cengage Learning.

Published

2026-02-03

How to Cite

Ramadhan, I., & Sopiah, N. (2026). Implementation of ISO/IEC 27001:2013 for Information Security Management System at Information System Unit of PT. KAI Divre III Palembang. Jurnal Komputer, Informasi Dan Teknologi, 6(1), 18. https://doi.org/10.53697/jkomitek.v6i1.3749
