ISO 27001 is an international standard for information security management. Implementing ISO 27001 can provide several benefits for IT service users and providers. It establishes a risk-based approach to identify and treat security risks across the entire organization. The standard also aligns well with ITIL best practices for IT service management. Specifically, ISO 27001 requirements map to key ITIL processes like risk management, change management, and incident management. Adopting both frameworks can strengthen an organization's information security posture and improve its ability to deliver reliable and secure IT services. Regular audits are also required to ensure ongoing compliance and continual improvement of the information security system.

1. ITIL Indonesia – “Manfaat Penerapan Sistem Manajemen
Keamanan Informasi”
ITIL Indonesia Jakarta, 28 Oktober 2021

3. MANFAAT PENERAPAN
SISTEM MANAJEMEN
KEAMANAN INFORMASI
BAGI PARA PENGGUNA &
PENYEDIA LAYANAN TI
Febryan Alandiestya
28 Oktober 2021

4. PRESENTATION
OUTLINE
Introduction to InfoSec Management System
 What is InfoSec?
 InfoSec Frameworks
 Why using ISO 27001?
 How to implement ISO 27001?
The Strong Correlation between InfoSec with ITIL
 The Dimensions Modelling
 Some Key Implementations
 Some Important Notes
 The Continual Improvement
It’s the Perfect Combination Ever!
 Have You Aware Enough?
 Can You See the Advantages?
 The Never-ending (Good) Improvements

5. INTRODUCTION TO
INFORMATION
SECURITY
MANAGEMENT
SYSTEM

6. What is Information Security
Management System?
It is a set of policies and controls that manage
security and risks systematically, across the
entire enterprise. Remember, we should
maintain these CIA triads:
Confidentiality
Secret information is protected from unauthorized
disclosure.
Integrity
Information is protected from unauthorized changes
to ensure that it is reliable and correct.
Availability
Protecting the functionality of support systems and
ensuring that information is fully available at the
point in time.
Information
Assets

7. About Information Assets …
“Aset informasi adalah kumpulan data
yang memiliki nilai dan diakui oleh
suatu lembaga untuk keperluan
menjalankan fungsi bisnisnya, serta
memenuhi persyaratan lembaga itu
sendiri.”
(Queensland Government Enterprise Architecture)

8. Information Security Management System Frameworks
01
This Payment Card Industry
Data Security Standard used by
47% of organizations (the
handling of credit and debit card
information).
02
This International Organization
for Standardization used by
35% of organizations (best
practices by many).
03
This Critical Security Controls
used by 32% of organizations
(developed voluntarily).
04
This National Institute of
Standards Technology
Cybersecurity Framework used
by 29% of organizations (many
amandements).
PCI DSS ISO 27001 CIS NIST
Its Headquarter located in Geneva, which was
founded in London (UK) on 23 February 1947.
Nowadays, ISO strives to standardize business
processes and procedures around the world. It has
published more than 22,700 standards.
Among those numerous standards, there is ISO 27001
which is the accepted global benchmark for the
effective management of information assets, enabling
organizations to avoid costly penalties and financial
losses.
What is ISO?
Source: https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks

9. Why do We Need ISO 27001?
Comply with
Regulations
Increasing the
Customers’ Trust
Minimizing Risk & Threats, Incidents,
Unnecessary Expenses, etc.
Comply with PP. 71; Permen.
Kominfo; Perban. BSSN; and
many others.
This standard already
recognized all over the world
which always updated regularly.
Having a risk-based approach so that organization
can detect various potential threats, even planning
how to deal with them.
A Standard which Fits with Chapter
5.1.3 in ITIL v4
Intended to protect the information needed by the
organization to conduct its business, including the
understanding and managing risks to the
confidentiality, integrity, & availability of information,
as well as other aspects.

10. 1. Regulations by Indonesian Government Regulation
Kewajiban
Penyelenggara Sistem Elektronik wajib melakukan pengamanan terhadap komponen Sistem
Elektronik.
(Peraturan Pemerintah No. 71 Tahun 2019 – Pasal 23)
Sanksi Administratif
a. teguran tertulis;
b. denda administratif;
c. penghentian sementara;
d. pemutusan Akses; dan/atau
e. dikeluarkan dari daftar.
(Peraturan Pemerintah No. 71 Tahun 2019 – Pasal 100 ayat 2)

11. Let’s Check the Chapter 1 of PP No. 71 Year 2019
About the “General Requirements”

12. Chapter 1 of PP No. 71 Year 2019 (Continued)
About the “General Requirements”

13. 2. Regulations by the Minister of Communication and Information
Kewajiban
PSE Strategis dan Tinggi wajib memiliki sertifikat pengamanan/keamanan informasi.
PSE Rendah dapat memiliki sertifikat pengamanan/keamanan informasi.
(Peraturan Menteri Kominfo No. 4 Tahun 2016 – Bab IV pasal 10 & 11)
Sanksi Administratif
a. Teguran tertulis; dan
b. Pemberhentian sementara Nama Domain Indonesia.
(Peraturan Menteri Kominfo No. 4 Tahun 2016 – Bab X pasal 25 ayat 2)

14. 3. Regulations by National Cyber ​​& Crypto Agency (BSSN):
Kewajiban
PSE Strategis: ISO 27001 + Indeks KAMI + Standar Keamanan lain yang ditetapkan oleh
Kementerian/Lembaga terkait.
PSE Tinggi: ISO 27001 dan/atau Indeks KAMI + Standar Keamanan lain yang ditetapkan oleh
Kementerian/Lembaga terkait.
PSE Rendah: ISO 27001 atau Indeks KAMI
(Peraturan Badan BSSN No. 8 Tahun 2020 – Bab IV Pasal 9)
Sanksi
Teguran tertulis, setelah bila ditemukan adanya pelanggaran.
(Peraturan Badan BSSN No. 8 Tahun 2020 – Bab VI Pasal 37)

15. How to Implement ISO 27001?
The organization
shall determine the
boundaries and
applicability of the
ISMS to establish its
scope. Don’t forget to
refer to the
regulations.
Identify the
Scope
Which aspect(s)? Top-tier direction Fulfill requirements Review & improve!
Top Management
shall demonstrate
leadership and
commitment with
respect to the ISMS
by doing 8 points of
activities.
Top
Management
Commitment
There are 26
Requirements plus
114 Clauses/Annex
shall be followed
(implemented), which
most of them are
mandatory
requirements.
Implement
Requirements &
Clauses/Annex
Check/recheck
implementation and
practice using
activities called
audits (regular or
annual) that lead to a
stronger ISMS
practices.
Audits & Get
Certified

17. The Dimensions Modelling
This includes the information created,
managed and used in the course of
organization’s needs, also the use of
technologies that support and enable that
system.
Information & Technology
This ranges from formal contracts with
clear separation of responsibilities, to
flexible partnerships where they share
common goals and risks and collaborate
to achieve desired outcomes.
Partners & Suppliers
The organization also needs a culture
that supports its objectives, and the right
level of capacity and competency among
its workforce also motivate people to
work in desirable ways.
Organizations & People
It refers to the daily activities, workflows,
controls, and procedures needed to
achieve organization’s objectives.
Value Streams & Processes

18. Some Existing Key Implementations
1. The Risk Assessment & Register
InfoSec
Annex 6.1.2 & 6.1.3
Req. 4.1
Req. 5.1 & 5.2
Req. 5.3
Annex 12.1.3
Annex 12.1.2
Annex 16.1.1 & 16.1.5
IT Service
Chapter 2.5.3 & 5.1.10
Chapter 3.5
Chapter 4.3.4
Chapter 4.4.1
Chapter 5.2.3
Chapter 5.2.4
Chapter 5.2.5
2. Internal & External Factors
3. Top Management Leadership and Commitment
4. Organizational Roles, Responsibilities and Authorities
5. Capacity Management
6. Change Management
7. Incident Management
Part I

19. Some Existing Key Implementations
8. Asset Register
InfoSec
Annex 8.1.1 & 8.1.2
Annex 12.4.1 – 12.4.3
Annex 16.1.2 & 16.1.4
Annex 14.2.1 – 14.2.9
IT Service
Chapter 5.2.6
Chapter 5.2.7
Chapter 5.2.7
Chapter 5.3.3
9. Logs Monitoring
10. Event Management
11. Software Development
Part II

20. Some ISMS Important Notes for ITSM
1. Deploy Information Security Policies, Targets and How to Achieve Them
2. Register their assets, risks & their treatments thoroughly
3. Define the needed human resources, their competencies & integrity agreements
4. Raise and monitor the employees’ awareness on securing information & its assets
5. Deploy the Information Classification as well as Documented Information Handling
6. Define & conduct the audit or review regularly
Fundamentally, based on ISO 27001 Requirements, it will be better for your organization to:
7. Define regulations to the Physical Security, Removable Media Usage, etc.

21. The Continual Improvement
[ISO 27001] Requirements 8
[ITIL] 6 Improvement Steps
“Do” Phase
[ISO 27001] Requirements 9
[ITIL] 6 Improvement Steps
“Check” Phase
[ISO 27001] Requirements 4 – 7
[ITIL] 6 Improvement Steps
“Plan” Phase
[ISO 27001] Requirements 10
[ITIL] 6 Improvement Steps
“Act” Phase

22. IT’S THE PERFECT
COMBINATION EVER!

23. Let’s Rewind to Chapter 1 of PP No. 71 Year 2019
About the “General Requirements”

24. Which Thought that Never Come in Your Mind?
Shut your mouth,
our data is not
that important!
Confidentiality
Don't worry, nothing
will happen, don't
overthink about it!
Integrity
Hey listen, our
system is very
sophisticated
and safe!
Availability
ISO is a risk-based thinking. So please, minimize those low-awareness thoughts!!!

25. These Are the Real Advantages
ISO 20000-1 (IT Service Management)
ISO 27701 (Personal Information MS);
ISO 27032 (Cybersecurity);
ISO 27017 (InfoSec for Cloud Computing)
ISO 27018 (Privacy in Cloud Computing);
ISO 27033 (IT Network Security);
ISO 27045 (Big Data Security & Privacy);
ISO 27400 (Security & Privacy for IoT).
Extending the Compliances &
Protections
Obey and comply with state regulations that
have important impacts on maintaining
information security on a national scale.
Upholding Our Country’s
Nationalism
Having an ISMS certified by an accredited
certification body is concrete evidence that
your organization is in a strong position for
paying attention their internal/external needs.
Strengthen the Confidence of IT
Service Users
Organizations & people, information &
technology, value stream & processes,
partners & suppliers will be encapsuled with
ISMS mindset.
Strengthen the 4-dimension
Modelling

26. Wait, There Are Some Hidden Advantages!
It is about the
continual processes
of delivering fast and
reliable IT service
Information
Technology
Infrastructure
Library (ITIL)
IT Service
It is about the
continual processes
of securing the
information assets
International
Organization for
Standardization
(ISO) 27001
Information Security
+
(Pasal 3 PP. No. 71 year 2019)
=
Reliable + Secure

27. The Never-ending (Good) Improvements
Strive to be diligent in reviewing your
password and PIN usage, is it strong
enough?
Avoid spreading sensitive and
confidential information/data without
control, especially on social media.
For You, Your Family, and Your Organization
Use the appropriate method when
destroying unused document or
information.
Pay attention to your surroundings
when processing important or
sensitive information.
Be patient, don’t be easily attracted by
tempting and suspicious offers.
Strive to be diligent in reviewing any
kind of transactions, as well as login or
logout history.
Strive diligently to review the availability
and security status of your valuable
information assets.
Strive to be diligent in educating
yourself related to information security.
Learn, then implement improvements every time you faced information security incidents

28. “A person who constantly care about any possible
information security threats & risks in order to maintain
the reputation of you or your organization, don’t mock
them!”
Febryan Alandiestya

29. “Security is a process, not a product”
Bruce Schneier
(A famous American cryptographer, computer security professional, privacy specialist, and writer)

30. TERIMA KASIH
matur suwun | ‫شكرا‬ | thank you | 謝謝 | hatur nuhun | merci
Febryan A. A.

31. Stay Connected With Us!
t.me/itil_id
ITIL Indonesia
ITIL Indonesia
ITIL Indonesia
@itil_indonesia
@itil_id
ITIL Indonesia
Scan here!

32. Thank You!