Academic literature on the topic 'ISO 27001/2'


Journal articles on the topic "ISO 27001/2"

1. Setiawan, Ito, Aldistya Riesta Sekarini, Retno Waluyo, and Fiby Nur Afiana. "Manajemen Risiko Sistem Informasi Menggunakan ISO 31000 dan Standar Pengendalian ISO/EIC 27001 di Tripio Purwokerto." MATRIK : Jurnal Manajemen, Teknik Informatika dan Rekayasa Komputer 20, no. 2 (2021): 389–96. http://dx.doi.org/10.30812/matrik.v20i2.1093.

Abstract:
Organisations' growing dependence on information systems in their daily routines goes hand in hand with the threats and risks that arise from the use of those systems. Tripio Purwokerto also experiences problems in its use of information systems. Tripio is a technology company in Purwokerto. Tripio has two information systems supporting its business processes, namely a website and a Point of Sales (POS) system. In using these information systems it has encountered problems such as server errors, network faults, data corrupted by viruses, and human error. The aim of this research is to identify the risks and the impacts of information system use at Tripio Purwokerto. The method used is International Organization for Standardization (ISO) 3100:2018, with controls based on International Organization for Standardization (ISO) 27001:2013. From the research conducted it can be concluded that there are 15 risks, consisting of 6 high-level risks, 7 medium-level risks, and 2 low-level risks. The recommended controls refer to the ISO 27001:2013 sections on human resource security, access control, physical and environmental security, operations security, protection from malware, communications security, and system acquisition, development and maintenance.
2. Woda, Juliet Regina, and Rahadian Bisma. "Manajemen keamanan informasi menggunakan framework COBIT 5 dan ISO 27001:2013 dalam pembuatan dokumen standard operating procedure." Teknologi 11, no. 2 (2021): 59–74. http://dx.doi.org/10.26594/teknologi.v11i2.2154.

Abstract:
This research aims to improve the quality of public services in line with the expectations of the community as service users. According to ISO 27001:2013, an information security management system is an integrated part of an organisation's processes and of overall information security management, maintaining the confidentiality, integrity and availability of information and managing and controlling information security risks. To maintain consistency in providing optimal services, internal improvements need to be made to build a management system that will guarantee the quality of the education process according to the set standards. One such standard, which will serve as a reference, takes the form of an SOP (Standard Operating Procedure) on information security management. This research was conducted at the Regional Financial and Asset Management Board (BPKAD) of East Java Province. Therefore, this study proposes the creation of an SOP (Standard Operating Procedure) as a standard for information management using the COBIT 5 and ISO 27001:2013 frameworks. This research will produce SOP documents that refer to COBIT 5 and ISO 27001:2013 for information system security management. The research resulted in (1) document processing problem procedures; (2) asset management procedures; (3) a server and network access room management system; (4) facility management procedures; (5) change management procedures; (6) capacity management procedures; (7) log management procedures; (8) service continuity management procedures; (9) remote access management procedures; and (10) backup management procedures.
3. Pardo, César, Francisco J. Pino, and Félix Garcia. "Towards an Integrated Management System (IMS), harmonizing the ISO/IEC 27001 and ISO/IEC 20000-2 standards." International Journal of Software Engineering and Its Applications 10, no. 9 (2016): 217–30. http://dx.doi.org/10.14257/ijseia.2016.10.9.18.
4. Mantra, IGN, Aedah Abd. Rahman, and Hoga Saragih. "Maturity Framework Analysis ISO 27001: 2013 on Indonesian Higher Education." International Journal of Engineering & Technology 9, no. 2 (2020): 429. http://dx.doi.org/10.14419/ijet.v9i2.30581.

Abstract:
Information Security Management System (ISMS) implementation in an institution is an effort to minimize information security risks and threats such as information leakage, application damage, data loss and declining IT network performance. Several incidents related to information security have occurred in the implementation of the Academic System application in Indonesian higher education. This research was conducted to determine the maturity level of information security practices in Academic Information Systems at universities in Indonesia. The number of universities used as research samples was 35 institutions. Compliance with the ISO 27001:2013 standard is used as a reference to determine the maturity level of information system security practices, while the SSE-CMM model is used to measure and calculate the level of maturity. In this research, the Information System Security Index obtained from the analysis results can be used as a tool to measure the maturity of the information security that has been applied. Six key areas are examined in this study, namely the role and importance of ICT, information security governance, information security risk management, the information security management framework, information asset management, and information security technology. The results showed that the level of information security maturity at the 35 universities was at level 2 (Managed Process) and level 3 (Established Process): 40% of universities are at level 3, and 60% are not at level 3. The gap between the current maturity level and the expected maturity level varies for each clause (domain). The smallest gap (1 level) is in clause A5: Information Security Policy, clause A9: Access Control, and clause A11: Physical and environmental security. The biggest gap (4 levels) is in clause A14: System acquisition, development and maintenance and clause A18: Compliance.
5. Raweni, Abuajila M. S., and Vidosav D. Majstorović. "ISO CERTIFICATIONS DIFFUSION IN EUROPEAN COUNTRIES 2007-2014 AND FORECASTINNG FOR 2022-STARE OF THE ART." International Journal "Advanced Quality" 44, no. 1 (2017): 53. http://dx.doi.org/10.25137/ijaq.n1.v44.y2016.p53-58.

Abstract:
Since 1987, when the first certification was issued, ISO has been regarded as the leader in the development of the business standardization process, and the number of certifications has grown rapidly all over the planet. In this article, in a quantitative analysis, we display the diffusion of ISO certifications in European countries using the recorded data for seven common ISO models (ISO 9001, 13485, 14001, 16949, 22000, 27001, 50001) in the European countries over the past eight years, 2007-2014. Italy leads the European countries with 26% of the total number of certificates, and ISO 9001 comprises 78% of the total number of certificates in this period. Forecasting the growth of new certifications, the number of certifications that will be issued in the future for all ISO models (after eight years) increases and will not, in general, reach the saturation level. In the qualitative analysis, we use statistical analysis of the collected data to show the effect of the number of certificates on the economic development of each country (the relationship between the number of certificates, the number of inhabitants, and gross domestic product, GDP).
6. Yuze, Yuni Cintia, Yudi Priyadi, and Candiwan. "Analisis Sistem Manajemen Keamanan Informasi Menggunakan ISO/IEC 27001 : 2013 Serta Rekomendasi Model Sistem Menggunakan Data Flow Diagram pada Direktorat Sistem Informasi Perguruan Tinggi." JURNAL SISTEM INFORMASI BISNIS 6, no. 1 (2016): 38. http://dx.doi.org/10.21456/vol6iss1pp38-45.

Abstract:
Given the importance of information and the possible risk of disruption, universities need to design and implement information security. One of the standards that can be used to analyze the level of information security in an organization is ISO/IEC 27001:2013; this standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The objective of this research is to measure the level of information security based on the ISO/IEC 27001:2013 standard and to model systems for information security management. This research uses a descriptive qualitative approach, with data collection and validation by triangulation (interview, observation and documentation). Data were analyzed using gap analysis, and to measure the level of maturity this research uses SSE-CMM (Systems Security Engineering Capability Maturity Model). Based on the research results, the maturity level of the Information Security Policy clause reaches level 1 (Performed-Informally), the Asset Management clause reaches level 3 (Well-Defined), the Access Control clause reaches level 3 (Well-Defined), the Physical and Environmental Security clause reaches level 3 (Well-Defined), the Operational Security clause reaches level 3 (Well-Defined), and the Communication Security clause reaches level 2 (Planned and Tracked). The maturity level results revealed some weakness in asset management in implementing the policy. Therefore, the system modeling using the flow map and CD/DFD focused on the Asset Management System.
7. Mentel, Urszula, and Marzena Hajduk-Stelmachowicz. "Does standardization have an impact on innovation activity in different countries?" Problems and Perspectives in Management 18, no. 4 (2020): 486–503. http://dx.doi.org/10.21511/ppm.18(4).2020.39.

Abstract:
Nowadays, innovation and standardization are very important issues. The aim of this paper was to review the relationship between the components of the Summary Innovation Index (SII) according to the European Innovation Scoreboard and the features that determine the innovation level in 35 countries (taking into account the number of the following certificates: ISO 9001, ISO 14001, ISO 27001, ISO 50001, ISO 22000, ISO 13485) in 2017. The innovation ranking was created for these countries, considering the fact of certification for compliance with the ISO requirements. In this paper, an attempt was made to determine whether countries with very low innovation activity (performance) are at the same time characterized by a very low level of saturation with globally recognized ISO certificates, which confirm the implementation, functioning and improvement of selected types of management systems. The conclusions from the study are as follows: 1) standardization can be seen as an innovation tool; 2) as the number of ISO 9001 certificates increases, the number of ISO 14001 certificates (per the population of 100,000 people) also increases; 3) as the number of ISO 13485 certificates increases, the value of the SII also becomes higher. The features are modelled at 70%; 4) the weakest relationship can be observed between the SII and the ISO 9001 certification; 5) Switzerland obtained the highest mean value set for the innovation index proposed in the study, suggesting that the country can be considered the innovation leader of 2017 from among the countries investigated. The last (35th) place in the ranking was occupied by Ukraine.

Acknowledgement(s): The authors are thankful to The Ministry of Science and Higher Education in Poland for financial support to carry out this research.
8. Martins, José, Henrique dos Santos, António Rosinha, and Agostinho Valente. "Information Security Management." International Journal of Cyber Warfare and Terrorism 3, no. 3 (2013): 32–48. http://dx.doi.org/10.4018/ijcwt.2013070103.

Abstract:
The authors present a case study conducted in a Portuguese military organization to answer the following research questions: (1) What are the most relevant dimensions and categories of information security controls applied in military organizations? (2) What are the main scenarios of information security incidents that are expected to occur? (3) What is the decision process used for planning and selecting information security controls? This study reveals that: (1) information security within the military organization is built on the basis of physical and human attack vectors, targeting the infrastructure that supports the flow of information in the organization; (2) the information security controls applied in the military organization are included in ISO/IEC 27001; (3) planning and selection of the applied information security controls are made by decision makers and information security specialists. It appears that specialists impose their planning options, essentially seeking to select and retrieve past successful information security cases.
9. Ibrahim, Ibrahim, and Rahmat Hidayat. "EVALUASI PENERAPAN IT GOVERNANCE DENGAN MENGGUNAKAN KERANGKA KERJA COBIT 5 PADA LAYANAN PUBLIK." Barometer 6, no. 2 (2021): 360–67. http://dx.doi.org/10.35261/barometer.v6i2.5204.

Abstract:
A study was carried out to evaluate the implementation of Information Technology (IT) governance in one public service sector using the COBIT 5 framework. The evaluation was carried out to ensure that the performance of the information technology (IT) implementation delivers benefits to stakeholders by providing fast, accurate, effective and efficient information to support decision making. This study uses COBIT 5, specifically the processes related to delivery, service and support (DSS). The results show that the process capability level for the DSS domain is 3.3 (established), consisting of DSS1=4, DSS2=4, DSS3=4, DSS4=3, DSS5=3 and DSS6=2. Three processes have met their performance targets, namely DSS01, DSS02, DSS03 and DSS04, while the other three processes are still below their performance targets, namely DSS04, DSS05 and DSS06, so improvement is needed. The general recommendations for improvement include preparing BCP and DRP documents, controlling business information and data, and audit and certification based on the ISO/IEC 27001:2017 information security management system (ISMS).

Keywords: IT Governance, COBIT 5, Process Capability Level
10. Simion, Cristina Petronela, Traian Valeriu Popescu, Mirona Ana Maria Popescu, and Andreea Maria G. Militaru. "Research on the Use of Integrated Management Systems." Advances in Science and Technology 110 (September 27, 2021): 31–36. http://dx.doi.org/10.4028/www.scientific.net/ast.110.31.

Abstract:
Many organizations have adopted or are adopting standards and/or specifications of management systems, such as ISO 9001, ISO 14001, OHSAS 18001, ISO/IEC 27001, ISO 22000, and ISO/IEC 20000, out of necessity or to align with trends. Unfortunately, this often results in a set of independent systems, with different goals and objectives. These fragmented systems are often documented in non-uniform styles, are under the control of different people and are audited separately. Integrated management systems (IMS) allow management to establish directions for the effective and efficient fulfillment of the organization's objectives. From managing employee needs to studying the performance of competitors, encouraging good practice, and minimizing risk and maximizing resource utilization, the integrated management system approach can help the organization meet its strategic business objectives. Integration must be planned and implemented in a structured way. Many organizations have adopted management system standards due to external pressures, following customer requests to implement a quality standard or external requirements to introduce an environmental system and/or occupational health and safety [2]. On the other hand, the integration of management systems has beneficial effects on the whole business. Therefore, the first concern must be to understand the needs of the business, correlated with the mission and vision of the organization. In order to respond to the growing interest in an integrated approach to management systems and organizational risk management, the first step an organization must take is to define the common requirements of management systems. The authors aim in this article to present the advantages brought by IMS when correctly implemented within organizations. A review of the current integrated management systems is carried out and the problems that arise during use are exposed. The research includes a guide of good practices from the start to the end of an IMS implementation. Thus, the use of synergies and the integration of resources allows the creation of an efficient and simplified management system. Processes and procedures are viewed from several angles, in order to identify and optimize the IMS implementation process and obtain positive results.

Dissertations / Theses on the topic "ISO 27001/2"

1. Mahopo, Ntombizodwa Bessy. "A risk based approach for managing information technology security risk within a dynamic environment." Diss., 2015. http://hdl.handle.net/10500/21925.

Abstract:
Information technology (IT) security, which is concerned with protecting the confidentiality, integrity and availability of information technology assets, inherently possesses a significant amount of known and unknown risks. The need to manage IT security risk is regarded as an important aspect in the daily operations within organisations. IT security risk management has gained considerable attention over the past decade due to the collapse of some large organisations in the world. Previous investigative research in the field of IT security has indicated that despite the efforts that organisations use to reduce IT security risks, the trend of IT security attacks is still increasing. One of the contributing factors to poor management of IT security risk is attributed to the fact that IT security risk management is often left to the technical security technologists who do not necessarily employ formal risk management tools and reasoning. For this reason, organisations find themselves in a position where they do not have the correct approach to identify, assess and treat IT security risks. The IT security discipline is complex in nature and requires specialised skills. Organisations generally struggle to find a combination of IT security and risk management skills in corporate markets. The scarcity of skills leaves organisations with either IT security technologists who do not apply risk management principles to manage IT security risk or risk management specialists who do not understand IT security in order to manage IT security risk. Furthermore, IT is dynamic in nature and introduces new threats and vulnerabilities as it evolves. Taking a look at the development of personal computers over the past 20 years is indicative of how change has been constant in this field, from big desktop computers to small mobile computing devices found today. 
The requirement to protect IT against threats associated with desktops was far less than the requirement associated with protecting mobile devices. There is pressure on organisations to ensure that they stay abreast of current technology and its associated risks. Failure to understand and manage IT security risk is often cited as a major cause of concern within most organisations' IT environments because comprehensive approaches to identify, assess and treat IT security risk are not consistently applied. This is due to the fact that the trend of IT security attacks across the globe is on the increase, resulting in gaps when managing IT security risk. Employing a formal risk based approach to managing IT security risk ensures that risks of importance to an organisation are accounted for and receive the correct level of attention. Defining an approach for how IT security risk is managed should be seen as a fundamental task and is the basis of this research. This study aims to contribute to the field of IT security by developing an approach that assists organisations in treating IT security risk more effectively. This is achieved through the use of a combination of existing best practice IT security frameworks and standards principles, basic risk management principles, as well as existing threat modelling processes. The approach developed in this study serves to encourage formal IT security risk management practices within organisations to ensure that IT security risk is accounted for by senior leadership. Furthermore, the approach is anticipated to be more proactive and iterative in nature to ensure that external factors that influence the increasing trend of IT security threats within the IT environment are acknowledged by organisations as technology evolves.

Computing. M. Sc. (Computing)

Book chapters on the topic "ISO 27001/2"

1. "APPENDIX 2:." In Information Security Risk Management for ISO 27001/ISO 27002, third edition. IT Governance Publishing, 2019. http://dx.doi.org/10.2307/j.ctvndv9kx.23.
2. "ABOUT THE AUTHORS." In Information Security Risk Management for ISO 27001/ISO 27002, third edition. IT Governance Publishing, 2019. http://dx.doi.org/10.2307/j.ctvndv9kx.2.
3. Kenyon, Bridget. "FOREWORD." In ISO 27001 controls – A guide to implementing and auditing. IT Governance Publishing, 2019. http://dx.doi.org/10.2307/j.ctvj4sxjm.2.
4. Hentea, Mariana. "Information Security Management." In Encyclopedia of Multimedia Technology and Networking, Second Edition. IGI Global, 2009. http://dx.doi.org/10.4018/978-1-60566-014-1.ch091.

Abstract:
Information assurance is a continuous crisis in the digital world. The attackers are winning and efforts to create and maintain a secure environment are proving not very effective. Information assurance is challenged by the application of information security management which is the framework for ensuring the effectiveness of information security controls over information resources. Information security management should "begin with the creation and validation of a security framework, followed by the development of an information security blueprint" (Whitman & Mattord, 2004, p. 210). The framework is the result of the design and validation of a working security plan which is then implemented and maintained using a management model. The framework serves as the basis for the design, selection, and implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls. A blueprint can be designed using established security models and practices. The model could be proprietary or based on open standards. The most popular security management model is based on the British Standard 7999 which addresses areas of security management practice. The recent standards, called ISO/IEC 27000 family, include documents such as 27001 IMS Requirements (replaces BS7799:2); 27002, Code of Practice for Information Security Management (new standard number for ISO 17799); and 27006, Guidelines for the accreditation of organizations offering ISMS certification, and several more in development. Similar security models are supported by organizations such as NIST, IETF, and VISA. From one point of view, information security management evolved on an application of published standards, using various security technologies promoted by the security industry. Quite often, these guidelines conflict with each other or they target only a specific type of organization (e.g., NIST standards are better suited to government organizations). However, building a security control framework focused only on compliance to standards does not allow an organization "to achieve the appropriate security controls to manage risk" (ISM-Community, 2007, p. 27). Besides technical security controls (firewalls, passwords, intrusion detection systems, disaster recovery plans, encryption, virtual private networks, etc.), security of an organization includes other issues that are typically process and people issues such as policies, training, habits, awareness, procedures, and a variety of other less technical and nontechnical issues (Heimerl & Voight, 2005; Tassabehji, 2005). All these factors make security a complex system (Volonino & Robinson, 2004) and a process which is based on interdisciplinary techniques (Maiwald, 2004; Mena, 2004). While some aspects of information security management changed since the first edition of the chapter (Hentea, 2005), the emerging trends became more prevalent. Therefore, the content of this chapter is organized on providing an update of the security threats and impacts on users and organizations, followed by a discussion on global challenges and standardization impacts, continued with information security management infrastructure needs in another section, followed with a discussion of emerging trends and future research needs for the information security management in the 21st century. The conclusion section is a perspective on the future of the information security management.
5. Tong, Carrison K. S., and Eric T. T. Wong. "Information Security Management in Picture Archiving and Communication Systems for the Healthcare Industry." In Encyclopedia of Multimedia Technology and Networking, Second Edition. IGI Global, 2009. http://dx.doi.org/10.4018/978-1-60566-014-1.ch092.

Abstract:
Like other information systems in banking and commercial companies, information security is also an important issue in the health care industry. It is a common problem to have security incidences in an information system. Such security incidences include physical attacks, viruses, intrusions, and hacking. For instance, in the USA, more than 10 million security incidences occurred in the year 2003. The total loss was over $2 billion. In the health care industry, damages caused by security incidences could not be measured only by monetary cost. The trouble with inaccurate information in health care systems is that it is possible that someone might believe it and do something that might damage the patient. In a security event in which an unauthorized modification to the drug regime system at Arrowe Park Hospital proved to be a deliberate modification, the perpetrator received a jail sentence under the Computer Misuse Act of 1990. In another security event (The Institute of Physics and Engineering in Medicine, 2003), six patients received severe overdoses of radiation while being treated for cancer on a computerized medical linear accelerator between June 1985 and January 1987. Owing to the misuse of untested software in the control, the patients received radiation doses of about 25,000 rads while the normal therapeutic dose is 200 rads. Some of the patients reported immediate symptoms of burning and electric shock. Two died shortly afterward and others suffered scarring and permanent disability. BS7799 is an information security management standard developed by the British Standards Institution (BSI) for an information security management system (ISMS). The first part of BS7799, which is the code of practice for information security, was later adopted by the International Organization for Standardization (ISO) as ISO17799. The ISO 27002 standard is the rename of the existing ISO 17799 standard. 
It basically outlines hundreds of potential controls and control mechanisms, which may be implemented. The second part of BS7799 states the specification for ISMS which was replaced by The ISO 27001 standard published in October 2005. The Picture Archiving and Communication System (PACS; Huang, 2004) is a clinical information system tailored for the management of radiological and other medical images for patient care in hospitals and clinics. It was the first time in the world to implement both standards to a clinical information system for the improvement of data security.
6. "ABOUT THE AUTHORS." In ISO/IEC 27701:2019: An introduction to privacy information management. IT Governance Publishing, 2020. http://dx.doi.org/10.2307/j.ctvsn3pnr.2.

Conference papers on the topic "ISO 27001/2"

1. Mayer, Janice, and Leonardo Lemes Fagundes. "Modelo para Avaliar o Nível de Maturidade do Processo de Gestão de Riscos em Segurança da Informação." In VI Simpósio Brasileiro de Sistemas de Informação. Sociedade Brasileira de Computação, 2010. http://dx.doi.org/10.5753/sbsi.2010.14696.

Abstract:
The Risk Management (RM) process comprises coordinated activities to direct and control an organisation with regard to risk; this includes context definition, analysis, evaluation, treatment, acceptance, communication and monitoring of information security risks. Organisations need to implement RM consistently and systematically in order to comply with applicable laws, standards and regulations, as well as to meet the mandatory requirements for certification of an Information Security Management System. However, no model for assessing the maturity level of this process in the information security context was identified in the literature. To address this problem, this work describes the structure of a model for assessing the maturity level of the Information Security RM process. The model developed consists essentially of a set of good practices, fully aligned with the ISO/IEC 27005 standard, and is made up of: (1) three stages; (2) five maturity levels; (3) forty-three control objectives; (4) a control map; (5) an assessment perspective; (6) a RACI chart; (7) a risk scorecard and, further, (8) an assessment instrument.