Impact of Implementation of Information Security Risk Management and Security Controls on Cyber Security Maturity (A Case Study at Data Management Applications of XYZ Institute)

  • Endro Joko Wibowo Universitas Indonesia
  • Kalamullah Ramli
Keywords: Security Risk Management, information security controls, Cyber Security Maturity, ISO/IEC 27005:2018, ISO/IEC 27002:2013


Information security is an important concern for governments and industry due to the increase in cyber attacks during Covid-19. The government is obliged to maintain information security in implementing an Electronic-Based Government System following Presidential Regulation of the Republic of Indonesia Number 95 of 2018. To overcome this problem, the XYZ Institute needs an approach to implementing information security risk management and information security controls. This study aims to risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance, risk control, and analysis of cyber security maturity gaps in the domain of governance, identification, protection, detection, and response. ISO/IEC 27005:2018 as guidance for conducting risk assessments. The code of practice for information security control uses the ISO/IEC 27002:2013 standard and assessing maturity using the cyber security maturity model version 1.10 developed by the National Cyber and Crypto Agency of the Republic of Indonesia. The results show that the cyber maturity value increased from 3.19 to 4.06 after implementing 12 new security controls.


Download data is not yet available.


Bergström, E., Lundgren, M., and Ericson, Å. 2019. “Revisiting Information Security Risk Management Challenges: A Practice Perspective,” Information and Computer Security (27:3), Emerald Group Holdings Ltd., pp. 358–372. (
Fahrurozi, M., Tarigan, S. A., Tanjung, M. A., and Mutijarsa, K. 2020. “The Use of ISO/IEC 27005: 2018 for Strengthening Information Security Management (A Case Study at Data and Information Center of Ministry of Defence),” in ICITEE 2020 - Proceedings of the 12th International Conference on Information Technology and Electrical Engineering, Institute of Electrical and Electronics Engineers Inc., October 6, pp. 86–91. (
Fenz, S., Plieschnegger, S., and Hobel, H. 2016. “Mapping Information Security Standard ISO 27002 to an Ontological Structure,” Information and Computer Security (24:5), Emerald Group Publishing Ltd., pp. 452–473. (
García-Porras, C., Huamani-Pastor, S., and Armas-Aguirre, J. 2018. “Information Security Risk Management Model for Peruvian SMEs,” in Proceedings of the 2018 IEEE Sciences and Humanities International Research Conference (SHIRCON) : Lima, Peru, 20-22 November 2018. (
Ghazouani, M., Medromi, H., and Moussaid, L. 2017. “Design and Implementation of a Comprehensive Information Security Risk Management Tool Based on Multi-Agents Systems,” International Journal of Applied Information Systems (12:7), Foundation of Computer Science, pp. 1–8. (
International Standard ISO/IEC 27002. 2013. “Code of Practice for Information Security Controls, ISO/IEC 27002:2013(E).”
International Standard ISO/IEC 27005. 2018. “Information Security Risk Management, ISO/IEC 27005:2018(E).”
INTERPOL. (n.d.). “ASEAN Cyberthreat Assessment 2021 Key Cyberthreat Trends Outlook From The Asean Cybercrime Operations Desk.” (
Karabacak, B., Yildirim, S. O., and Baykal, N. 2016. “A Vulnerability-Driven Cyber Security Maturity Model for Measuring National Critical Infrastructure Protection Preparedness,” International Journal of Critical Infrastructure Protection (15), Elsevier B.V., pp. 47–59. (
Presidential Regulation. (n.d.). “Regulation Of The President Of The Republic Of Indonesia Number 95 Of 2018 Concerning Electronic-Based Government Systems.” (
Kure, H. I., and Islam, S. 2019. “Assets Focus Risk Management Framework for Critical Infrastructure Cybersecurity Risk Management,” IET Cyber-Physical Systems: Theory and Applications (4:4), Institution of Engineering and Technology, pp. 332–340. (
Mayer, J., and Fagundes, L. L. 2009. “A Model to Assess the Maturity Level of the Risk Management Process in Information Security,” in 2009 IFIP/IEEE International Symposium on Integrated Network Management-Workshops, IM 2009, pp. 61–70. (
Monev, V. 2020. “Organisational Information Security Maturity Assessment Based on ISO 27001 and ISO 27002,” in International Conference on Information Technologies (InfoTech-2020) : Proceedings of the 34th Edition of the InfoTech Conference : 17th-18th September 2020, St. St. Constantine and Elena Resort, Varna, Bulgaria.
Patino, S., Solis, E. F., Yoo, S. G., and Arroyo, R. 2018. “ICT Risk Management Methodology Proposal for Governmental Entities Based on ISO/IEC 27005,” in 2018 5th International Conference on EDemocracy and EGovernment, ICEDEG 2018, Institute of Electrical and Electronics Engineers Inc., June 4, pp. 75–82. (
Payette, J., Anegbe, E., Caceres, E., and Muegge, S. 2015. “Secure by Design: Cybersecurity Extensions to Project Management Maturity Models for Critical Infrastructure Projects,” Technology Innovation Management Review (Vol. 5). (
Putra, I. M. M., and Mutijarsa, K. 2021. “Designing Information Security Risk Management on Bali Regional Police Command Center Based on ISO 27005,” in 3rd 2021 East Indonesia Conference on Computer and Information Technology, EIConCIT 2021, Institute of Electrical and Electronics Engineers Inc., April 9, pp. 14–19. (
Rabii, A., Assoul, S., Ouazzani Touhami, K., and Roudies, O. 2020. “Information and Cyber Security Maturity Models: A Systematic Literature Review,” Information and Computer Security, Emerald Group Holdings Ltd., pp. 627–644. (
Sensuse, D. I., Syahrizal, A., Aditya, F., and Nazri, M. 2020. “Information Security Risk Management Planning of Digital Certificate Management Case Study: Balai Sertifikasi Elektronik,” in 2020 5th International Conference on Informatics and Computing, ICIC 2020, Institute of Electrical and Electronics Engineers Inc., November 3. (
Wheeler, E. 2011. Security Risk Management: Building an Information Security Risk Management Program from the Ground Up, (1st ed.).
XYZ Institute. (n.d.). “The Application of Data Management.” (https://sub.xyzinstitute, accessed September 5, 2021).
How to Cite
Joko Wibowo, E., & Kalamullah Ramli. (2022). Impact of Implementation of Information Security Risk Management and Security Controls on Cyber Security Maturity (A Case Study at Data Management Applications of XYZ Institute). Jurnal Sistem Informasi, 18(2), 1-17.