Abstract
Most IT risk management frameworks and standards do not come with tools for assessing their own maturity level, even though maturity information is the basis for evaluating, repairing and improving an organisation's IT risk management. The objective of this research is to design a framework for assessing the maturity level of the PDCA (Plan-Do-Check-Act) cycle in ISO/IEC 27005. The PDCA cycle is the managerial approach of that standard, so its maturity can stand for the maturity of IT risk management based on ISO/IEC 27005 as a whole. The assessment framework consists of a model, a method and an assessment worksheet. The model covers four assessment areas (Plan, Do, Check and Act), the detail of those areas (8 domains, 35 subdomains and 82 elements), and the metric and assessment criteria, which are supported by the method and the worksheet. The model represents the maturity of all four processes based on the clauses of ISO/IEC 27005. The framework enhances existing models in four respects: (1) representation of all processes, (2) metric definition, (3) a method for identifying evidence, and (4) detailed elements to repair and improve.
© 2018 Springer Nature Singapore Pte Ltd.
Cite this paper
Fauzi, R., Supangkat, S.H., Lubis, M. (2018). The PDCA Cycle of ISO/IEC 27005:2008 Maturity Assessment Framework. In: Abdullah, N., Wan Adnan, W., Foth, M. (eds) User Science and Engineering. i-USEr 2018. Communications in Computer and Information Science, vol 886. Springer, Singapore. https://doi.org/10.1007/978-981-13-1628-9_30
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-1627-2
Online ISBN: 978-981-13-1628-9
eBook Packages: Computer Science (R0)