
The PDCA Cycle of ISO/IEC 27005:2008 Maturity Assessment Framework

Conference paper, User Science and Engineering (i-USEr 2018). Part of the book series: Communications in Computer and Information Science (CCIS, volume 886).

Abstract

Most IT risk management frameworks and standards do not provide tools to assess their maturity level. Yet this information is the basis for evaluating, repairing and improving an organization's IT risk management. The objective of this research is to design a framework that can be used to assess the maturity level of the PDCA cycle in ISO/IEC 27005. The PDCA cycle is the managerial approach of this standard; therefore, the PDCA cycle can represent IT risk management based on ISO/IEC 27005. The assessment framework consists of a model, a method and an assessment worksheet. The model covers four assessment areas (Plan, Do, Check and Act), the detail of each area (8 domains, 35 subdomains and 82 elements), and the metric and assessment criteria, which are supported by the method and the assessment worksheet. The model represents the maturity of all processes (Plan, Do, Check and Act) based on the clauses of ISO/IEC 27005. This framework enhances the existing models in: (1) representation of all processes, (2) metric definition, (3) a method for identifying evidence and (4) detailed elements to repair and improve.
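The abstract describes a hierarchical model (area, domain, subdomain, element) whose element scores are backed by identified evidence and rolled up to a maturity level per PDCA phase. The following is an added illustration of that roll-up, not code from the paper: the five-level scale, the "evidence required for any non-zero score" rule, the choice of the weakest phase as the overall level, and the domain/subdomain names and scores in the sample model are all assumptions constructed for this example (the names loosely follow ISO/IEC 27005 clause titles, but the paper's 8 domains, 35 subdomains and 82 elements are not reproduced here).

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Tuple

# Assumed five-level maturity scale (0 = non-existent ... 5 = optimised).
# The paper's own metric definition is not reproduced on this page.
MAX_LEVEL = 5


@dataclass
class Element:
    """Lowest-level assessment item; a non-zero score must cite evidence."""
    name: str
    level: int
    evidence: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 <= self.level <= MAX_LEVEL:
            raise ValueError(f"{self.name}: level {self.level} outside 0..{MAX_LEVEL}")
        if self.level > 0 and not self.evidence:
            raise ValueError(f"{self.name}: level {self.level} claimed without evidence")


# area -> domain -> subdomain -> elements
Model = Dict[str, Dict[str, Dict[str, List[Element]]]]


def subdomain_score(elements: List[Element]) -> float:
    """Mean element level within one subdomain."""
    return mean(e.level for e in elements)


def area_scores(model: Model) -> Dict[str, float]:
    """Roll element levels up: subdomain mean -> domain mean -> area mean."""
    scores: Dict[str, float] = {}
    for area, domains in model.items():
        domain_means = [
            mean(subdomain_score(els) for els in subdomains.values())
            for subdomains in domains.values()
        ]
        scores[area] = round(mean(domain_means), 2)
    return scores


def overall_maturity(model: Model) -> float:
    """Design choice (assumed): the cycle is only as mature as its weakest phase."""
    return min(area_scores(model).values())


def elements_to_improve(model: Model, target: int) -> List[Tuple[str, int]]:
    """Elements below the target level, weakest first, with their full path.

    This is the 'detail elements to repair and improve' view: the worksheet
    output an assessor would hand to the process owner.
    """
    gaps: List[Tuple[str, int]] = []
    for area, domains in model.items():
        for domain, subdomains in domains.items():
            for sub, elements in subdomains.items():
                for e in elements:
                    if e.level < target:
                        gaps.append((f"{area}/{domain}/{sub}/{e.name}", e.level))
    return sorted(gaps, key=lambda g: g[1])


# Constructed sample model: names, PDCA assignment and scores are illustrative only.
SAMPLE_MODEL: Model = {
    "Plan": {
        "Context establishment": {
            "Basic criteria": [
                Element("Risk evaluation criteria defined", 3, ["Risk management policy v2"]),
                Element("Impact criteria defined", 2, ["Asset register"]),
            ]
        }
    },
    "Do": {
        "Risk treatment": {
            "Treatment plan": [
                Element("Treatment plan implemented", 4, ["ISMS steering minutes", "Change tickets"]),
            ]
        }
    },
    "Check": {
        "Monitoring and review": {
            "Risk factor monitoring": [
                Element("Threat and vulnerability changes reviewed", 1, ["Ad-hoc e-mail"]),
            ]
        }
    },
    "Act": {
        "Improvement": {
            "Corrective action": [
                Element("Review findings fed back into the plan", 0),
            ]
        }
    },
}

if __name__ == "__main__":
    print(area_scores(SAMPLE_MODEL))       # {'Plan': 2.5, 'Do': 4, 'Check': 1, 'Act': 0}
    print(overall_maturity(SAMPLE_MODEL))  # 0
    for path, level in elements_to_improve(SAMPLE_MODEL, target=3):
        print(level, path)
```

Taking the minimum across phases rather than the mean is deliberate: an organisation that plans and implements treatments well but never feeds review findings back (Act = 0) has not closed the PDCA loop, and an averaged score would hide that.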



Author information

Corresponding author: Muharman Lubis


Copyright information

© 2018 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Fauzi, R., Supangkat, S.H., Lubis, M. (2018). The PDCA Cycle of ISO/IEC 27005:2008 Maturity Assessment Framework. In: Abdullah, N., Wan Adnan, W., Foth, M. (eds) User Science and Engineering. i-USEr 2018. Communications in Computer and Information Science, vol 886. Springer, Singapore. https://doi.org/10.1007/978-981-13-1628-9_30


  • DOI: https://doi.org/10.1007/978-981-13-1628-9_30


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-1627-2

  • Online ISBN: 978-981-13-1628-9
