Progresif: Jurnal Ilmiah Komputer
https://ojs.stmik-banjarbaru.id/index.php/progresif/index
Jl. Ahmad Yani 33,5, Kampus STMIK Banjarbaru, Loktabat, Banjarbaru (e-mail: puslit.stmikbjb@gmail.)
e-ISSN: 2685-0877

Evaluation of Information Security Readiness Using the KAMI Index 5.0 and ISO/IEC 27001:2022

DOI: http://dx.doi.org/10.35889/progresif.
Creative Commons License 4.0 (CC BY-NC)

Beri Novriyadi1*, Muhammad Jazman2, Megawati3, Afdal4
Information Systems, Universitas Islam Negeri Sultan Syarif Kasim Riau, Pekanbaru, Indonesia
*Corresponding e-mail: 11950311543@students.uin-suska.

Abstract
Information security evaluation is a crucial process for organizations to assess their level of readiness and to establish clear security management roles and responsibilities. Higher education institutions, such as Pahlawan Tuanku Tambusai University, have significant responsibilities in safeguarding sensitive data. The institution maintains extensive records that include students' personal information, academic transcripts, financial data, and information relating to faculty and staff. Given that multiple organizational units access this information, ensuring data protection and compliance with privacy regulations is paramount. This research aims to assess the readiness and maturity of information security at Pahlawan Tuanku Tambusai University using the KAMI Index version 5.0 together with the ISO/IEC 27001:2022 standard. The assessment covers six information security domains and shows maturity levels ranging from I to II, which indicates that the institution is at an early stage of development, with only the fundamental framework established. In addition, the completeness of the ISO/IEC 27001 implementation was assessed as "Unqualified", with a score of 379, corresponding to maturity levels I to II. These findings highlight the need for targeted improvements to meet the requirements for ISO/IEC 27001:2022 certification.
Keywords: Evaluation, ISO/IEC 27001:2022, Information Security, KAMI Index

Abstrak (translated from Indonesian)
Evaluating information security is very important for organizations because it helps assess the level of information security readiness and defines the roles and responsibilities of managers. Higher education institutions, such as Universitas Pahlawan Tuanku Tambusai, are responsible for safeguarding sensitive information. The institution stores a large amount of student data, including personal details, academic records, financial information, and data on lecturers and staff. Because many units access this data, it is essential to ensure its protection and its compliance with privacy regulations. This study aims to assess the readiness and maturity of information security at Universitas Pahlawan Tuanku Tambusai using the KAMI Index version 5.0 and the ISO/IEC 27001:2022 standard. The evaluation, which covers six information security areas, reveals maturity levels ranging from I to II, indicating that the institution is at an early stage, with only the basic framework in place. Furthermore, the completeness of the ISO/IEC 27001 implementation was assessed as "Not Qualified", with a score of 379, also within levels I to II. These results show the need for significant improvements in information security governance to meet the requirements for ISO/IEC 27001:2022 certification.
Keywords: Evaluation, KAMI Index, ISO/IEC 27001:2022, Information Security

Introduction
Information and communication technology (ICT) services such as e-Government expose data through web portals that are easily accessible and therefore vulnerable to hacking. Information security challenges continue to grow along with technological developments, and cyber attacks are becoming increasingly sophisticated and detrimental. The information security in question concerns confidentiality, integrity, and availability.
To protect information, an information security assessment must be carried out to identify security gaps and deficiencies and to prevent the misuse of information. Universities are among the entities with a great responsibility for maintaining their information security. Maintaining information system security is very important for universities to carry out their operations and activities effectively and to protect valuable information assets. Pahlawan Tuanku Tambusai University stores a significant amount of sensitive information, including students' data, academic records, financial details, and information related to lecturers and employees. With access to this data spread across various units, it is crucial to ensure strong protection and compliance with privacy regulations. This is in line with the Indonesian Personal Data Protection Law (UU PDP), Article 35, which states that processors of personal data must ensure the protection and security of the personal data they lawfully process by applying appropriate administrative and procedural steps to protect personal data and prevent any form of interference. Currently, Pahlawan Tuanku Tambusai University faces not only the risk of losing sensitive data, but also increasingly complex and often far-reaching cyberattacks. In addition, each university has unique characteristics, both academically and in terms of its academic community and environment, such as a complex IT infrastructure comprising networks, database systems, and widely accessible resources. These unique characteristics affect the security needs and risks associated with higher education information systems. Therefore, information system security governance needs to be tailored to the unique characteristics of each university, which requires universities, including Pahlawan Tuanku Tambusai University, to adopt standards that help them manage security risks.
Pahlawan Tuanku Tambusai University collaborates with external service providers, including cloud vendors, which requires strong information security management. Under KOMINFO Regulation No. 4 of 2016 and BSSN Regulation No. 8 of 2020, institutions are encouraged to implement the SNI ISO/IEC 27001 standard to manage security risks related to external partnerships. Compliance with ISO/IEC 27001:2022 also demonstrates a university's commitment to information security, which can positively affect its reputation both publicly and in regulatory contexts. Furthermore, under BSSN Regulation No. 8 of 2021, Electronic System Operators are permitted to conduct self-assessments using the Information Security Index (Indeks KAMI) as a standardized tool to evaluate their level of security readiness. Although the KAMI Index is not designed to measure the effectiveness of specific controls, it gives organizational leaders an overall picture of their institution's security posture. The latest version, KAMI Index 5.0, is aligned with ISO/IEC 27001:2022 and offers a more comprehensive and structured approach for assessing and improving information security in higher education institutions.

Several previous studies have evaluated information system security using the KAMI Index 5.0 and ISO/IEC 27001 standards. Fauzia et al. assessed university information systems based on KAMI elements aligned with SNI ISO 27001. Lucia and her team applied the KAMI Index 5.0 and ISO/IEC 27001:2022, obtaining a score of 674 ("Fairly Good") with maturity levels ranging from Level II to IV. I Nyoman Adi Artha Wibawa evaluated hospital information security, obtaining a score of 177 ("Not Qualified") and recommending improvements in governance, risk management, asset inventory, and data protection. Rafii Nur Akmal found strong incident management in SIMRS using ISO 27001, but suggested regular evaluations. Evariani reported low security maturity at STIK Bina Husada, highlighting the need for better policies and governance. Rudolf Sinaga developed a compliance model for ISO 27001:2022 in a university, showing good physical security, but areas such as policy, risk management, and access control still required improvement.

Based on the background discussed above, this research aims to evaluate the information security readiness of a higher education institution using the KAMI Index 5.0 in accordance with the ISO/IEC 27001:2022 standard. The assessment is intended to measure the maturity level of existing information security practices, identify critical gaps, and provide recommendations for improvement. By integrating national regulatory frameworks with internationally recognized standards, the research supports the development of more effective information security governance, risk management, and policy implementation. The findings are expected to serve as a strategic foundation for strengthening institutional efforts to secure information assets. Furthermore, the study contributes to the university's preparedness for achieving compliance with ISO/IEC 27001:2022 and strengthening its overall information security posture.

Progresif: Vol. No. Agustus 2025: 573-585

Literature Review
Previous research analyzed the security of information systems in universities based on the KAMI Index, which is aligned with the standard elements of SNI ISO 27001. The results show significant differences between two private universities. College A obtained a score of 713, categorized as "Good Enough", with strengths in governance, personal data protection, and technological aspects. In contrast, College B achieved a score of only 321, indicating an "Inadequate" security level, although it still had strengths in the personal data protection aspect. Another study evaluated information technology security using the KAMI Index 5.0 and ISO/IEC 27001:2022, with an electronic system score of 19 (high category) and a final score of 674 (category "Good Enough"); the maturity level of the ISO 27001 implementation was at Levels II to IV. A further study developed a model for assessing compliance with the ISO/IEC 27001:2022 standard in a university environment. Its results show a high level of compliance with physical and environmental security aspects, but deficiencies remain in information security policies, risk management, asset management, access control, network security, and incident management. Through this model, a comprehensive picture of the level of compliance is obtained, together with recommendations for improving information system security. In addition, another study evaluated information technology security governance at STMIK Mardira Indonesia using the KAMI Index. The electronic system score reached a high value, but the overall governance score was only 117, categorized as "Not Feasible", so significant improvements in information technology security governance are needed at that institution.

Previous research has used the KAMI Index and ISO/IEC 27001 to assess information security in higher education, but some of these studies have not integrated the two in depth, while others emphasize compliance or governance without aligning with the latest version of the international standard. This study therefore uses the KAMI Index version 5.0, which has been adapted to ISO/IEC 27001:2022, to provide an assessment that is more relevant to modern information security challenges. It also reinforces this direction by presenting a comprehensive evaluation model for assessing information security readiness, especially in the context of institutional cooperation with third parties.
This integration provides a more complete and strategic picture for improving information security governance and compliance in higher education.

Methodology
The research stages are illustrated in the flow chart in Figure 1. The research was conducted through several main stages, namely planning, data collection, validation, and analysis.

Figure 1. Research Methodology

The research begins with a planning stage, which includes identifying problems through observations at Pahlawan Tuanku Tambusai University to understand the running business processes, setting the objective of determining the level of completeness and maturity of information security, and defining the problem boundaries so that the research focus remains directed. The required data is determined based on relevant literature and information security data. At the data collection stage, field observations, interviews with the IT staff, and literature studies of relevant references and previous research were carried out in order to select the appropriate evaluation method, namely the KAMI Index version 5.0 and ISO/IEC 27001:2022. At the data validation and analysis stage, the completed questionnaire is checked against a checklist to ensure that the data reflects real conditions. The questionnaire results are then calculated to determine the completeness and maturity scores of information security and compared with the controls in ISO/IEC 27001:2022. Based on the evaluation results, recommendations are made for improvements in each area that has not met the standard, so as to improve the readiness and effectiveness of the information security system at Pahlawan Tuanku Tambusai University.

Information Security
Information security encompasses measures designed to protect the confidentiality, integrity, and availability of information. According to ISO/IEC 27002, the standard provides guidelines for protecting information from various threats, aiming to ensure business continuity, mitigate risks, and maximize both return on investment and business opportunities. Consequently, information security indirectly supports the sustainable operation of businesses over the long term. The field involves managing the access, usage, modification, distribution, and disposal of information to guard against fraudulent activities. Additionally, information security is commonly divided into multiple domains, including physical security, personnel security, operational security, communication security, and network security.

KAMI Index
The Information Security Index (ISI) functions as an instrument to measure and evaluate the maturity and preparedness of an ISMS. Likewise, the KAMI Index acts as a strategic tool that offers organizational leaders detailed insight into the current state of information security readiness within the organization. The KAMI Index version 5.0 is the latest update from version 4.2 and was officially released in March 2023. This version incorporates the new controls introduced in the SNI ISO/IEC 27001:2022 standard. Notable updates in the annex of SNI ISO/IEC 27001:2022 include a restructuring of the control categories, the addition of 11 new controls, and modifications to existing ones. In line with these updates, the KAMI Index has been revised from version 4.2 to version 5.0 to reflect the latest changes in the standard.

SNI ISO/IEC 27001:2022
The ISO/IEC 27001:2022 standard was officially published in October 2022. It is a revision of ISO/IEC 27001:2013 and is designed to help organizations protect information and to increase the relevance and effectiveness of the standard in the context of evolving information security threats and practices.

Table 1. Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022

Aspect             | ISO 27001:2013 | ISO 27001:2022
Release Date       | October 2013   | October 2022
Number of Controls | 114 controls   | 93 controls
Annex A Structure  | 14 domains     | 4 themes
New Controls       | None           | 11 new controls added

SNI ISO/IEC 27001:2022 introduces new controls and a restructured Annex, marking a significant update from the 2013 version. Unlike the earlier standard, which primarily focused on documentation, the 2022 edition emphasizes integrated processes, cybersecurity, and privacy. Additionally, it places greater importance on sustainability, which was less highlighted in the previous version. The latest version of ISO/IEC 27001 adds 11 new controls.

Figure 2. New Controls in ISO 27001:2022

RESULTS AND ANALYSIS

1 Data Collection
This stage involves an initial assessment of the level of information security readiness at Pahlawan Tuanku Tambusai University using the KAMI Index version 5.0 measurement tool, which is based on the ISO/IEC 27001:2022 standard. Interviews with the head of PUSKOM revealed that the university had never conducted a formal assessment of its information security, either with the KAMI Index approach or with the ISO standard. As part of this process, a sample of data was obtained in the form of a list of information assets within the university environment, including hardware, data, websites, networks, physical facilities, human resources, and campus buildings. The evaluation covers the assessment categories of the KAMI Index version 5.0, namely the Category of Electronic Systems used by the Institution, Information Security Governance, Information Security Risk Management, Information Security Framework, Information Asset Management, Information Technology and Security, and Personal Data Protection, as well as a Supplement that evaluates the aspect of Securing Third-Party Service Provider Involvement.

The questions in the Information Security Index (KAMI Index) are grouped into two main categories. The first category is designed to assess an organization's readiness to implement information security in accordance with the ISO/IEC 27001:2022 standard. The assessment proceeds through the stages of basic framework implementation, effectiveness and consistency of implementation, and the organization's ability to make continuous improvements. Each answer is given a specific score, and the scores are compiled into an overall index value, visualized as a radar chart that illustrates the level of maturity on a scale of 1 to 3 as a benchmark. The second category groups questions by the maturity level of information security implementation, referencing frameworks such as COBIT or CMMI. This maturity level is used to map and classify information security readiness, particularly within government agencies. The KAMI Index divides maturity into five levels: Level I (Initial Condition), Level II (Basic Framework Implementation), Level III (Defined and Consistent), Level IV (Managed and Measurable), and Level V (Optimal).

Evaluation using KAMI Index Version 5.0 and ISO 27001:2022
The KAMI Index measurement process begins with the preparation of a checklist that validates the data supporting the KAMI Index results. Once the checklist has confirmed that the data matches actual conditions, the next step is to verify and calculate the KAMI Index results. This is followed by analyzing and assessing the completeness and maturity levels of the information security system. The outcomes of the KAMI Index measurement are then compared with the controls specified in ISO 27001. After the comparison, the next step is to provide recommendations that address the shortcomings that Pahlawan Tuanku Tambusai University has not yet resolved.

Table 2. KAMI Index Assessment Result Score
Columns: Control Category | Total Questions | Aggregate Score | Respondents
Rows: Governance; Risk Management; Framework; Asset Management; Technology Aspect; Personal Data Protection (PDP)
(The cell values are not present in the extracted text; the per-area scores are quoted in the discussion that follows.)

Table 2 shows the KAMI Index assessment result score for each of the six assessment categories used in the KAMI Index version 5.0. The scores in this table reflect the level of maturity of information security management in each category, as obtained from the evaluation of Pahlawan Tuanku Tambusai University. The meaning of the score obtained in each assessment category is explained as follows.

1 Information Security Governance
In the information security governance assessment, a university is expected to prepare and implement a structured governance mechanism in which the duties and responsibilities of information security management are divided among the information technology managers or staff. Based on the results shown in Table 2, the information security governance area obtained a score of 46 out of the area's maximum total score. This score places the governance maturity at Level I, which reflects the initial conditions in implementing information security governance. The results indicate that Pahlawan Tuanku Tambusai University has not fully defined the required competence and expertise standards and has not secured information in accordance with applicable provisions. Moreover, the integration of information security needs and requirements into the organization's operational processes remains incomplete, and several issues persist concerning the comprehensive implementation of information security governance.
2 Information Security Risk Management
The objective of the information security risk management evaluation is to assess the preparedness of risk management strategies and to verify their applicability within the university environment for effectively reducing potential threats. The completeness score obtained is 27 out of the area's maximum of 72, as stated in Table 2. These results show that the information security risk management area is currently at maturity Level I. It is necessary to implement a documented information security risk management framework, carry out structured information security risk management of existing information assets, arrange mitigation steps according to priority level and completion target, and conduct regular evaluations and assessments of the risk management framework.

3 Information Security Governance Framework
The information security governance framework assessment covers the policies and procedures that are the focus of work readiness; these serve as the steps for implementing information security. Table 2 shows that the information security management framework area obtained a completeness score of 43 out of the area's maximum of 192. This places the current maturity of the information security framework at Level I. Pahlawan Tuanku Tambusai University has no official procedures and no policy related to information security, nor a secure system development process (Secure SDLC). The university has also not conducted internal audits to evaluate the level of compliance, consistency, and effectiveness of information security. However, Pahlawan Tuanku Tambusai University has developed a strategic plan for improving information security over the medium to long term (3 and 5 years), with a commitment to consistent implementation.

4 Asset Management
The information asset management section assesses the thoroughness of information asset protection and covers the entire lifecycle of asset utilization within the organization. Based on Table 2, the completeness score obtained for the management of information assets is 110 out of the area's maximum of 258, which corresponds to maturity Level I. These results show that, in the information asset management area, configuration management has not been consistently applied; the process of identifying and inventorying information assets in accordance with laws and regulations, including handling assets that have passed their retention limit, has not been implemented; and procedures for the use of access and access rights are not followed when they are at odds with policy.

5 Technology and Information Security
The role of technology is assessed by the extent, consistency, and effectiveness of its application. The degree of technological completeness directly influences the feasibility of ensuring information security. As presented in Table 2, the technology and information security area achieved a completeness score of 93 out of the area's maximum possible score. The maturity level for technology and information security is currently at Level I. Certain issues remain unresolved, such as the lack of documented records and trace analysis results, as well as the absence of regularly and systematically updated antivirus and malware attack reports. Additionally, the development and testing environments, which should adhere to established technology platform standards and be used throughout the system development life cycle, have yet to be fully implemented.
6 Personal Data Protection
The personal data protection section assesses how complete, consistent, and effective the implementation of security measures for safeguarding personal data is. Based on Table 2, the completeness score obtained is 60 out of the area's maximum of 80, which corresponds to maturity Level II. These results show that the personal data protection area has implemented some policies related to personal data protection. However, several policies are still at the planning stage, and the personal data protection mechanism that has been implemented is not aligned with risk mitigation and applicable laws. Pahlawan Tuanku Tambusai University has also not carried out a program to increase understanding and awareness among all employees regarding personal data protection, including the relevant regulations.

7 Assessment Results
The Electronic System Category score, the final evaluation results, the ISO 27001 standard implementation level per category, and the final score with the maturity level for each area can be seen in Figure 2.

Figure 2. Information Security Evaluation Results, Pahlawan Tuanku Tambusai University

Based on the evaluation results, the electronic system category score is 23, as shown in Figure 2. This places the level of dependence on information technology in the high category. The analysis also shows that the total annual operating budget allocated for electronic system management is over IDR 1 billion, with the value of electronic system investments exceeding IDR 3 billion. Based on Figure 2, the score obtained in the supplementary area is 37%.
The supplement area contains evaluation questions on the completeness, consistency, and effectiveness of the security mechanisms that address the risk of external third-party involvement in the operation of the agency's or company's service delivery. The measurement results for the six areas of information security, as shown in Figure 2, indicate that the information security maturity level at Pahlawan Tuanku Tambusai University is between Levels I and II. This reflects an early stage in which only the basic framework has been implemented. In parallel, the degree of adherence to the ISO 27001 standard is classified as "Ineligible", with a total score of 379, which also corresponds to Levels I and II. This shows that, despite the intensive use of electronic systems, the university has not yet achieved a satisfactory level of information security protection. Considering that the minimum threshold for obtaining ISO certification is set at Level III, significant corrective actions and improvements are needed to meet the requirements of SNI ISO/IEC 27001.

Figure 3. Radar Chart Display of Information Security Evaluation Results, Pahlawan Tuanku Tambusai University

Figure 3 presents the six-axis radar diagram. The evaluation is shown as a thick red line on a scale from 0 to 1.5, with three thresholds representing the level of completeness (light green to dark green for Levels 1 to 3). The results show that the assessment reaches the light green threshold, indicating the basic framework level.

ISO/IEC 27001:2022 Recommendation
The results of the KAMI Index analysis show that the scores obtained do not meet the criteria required for SNI ISO/IEC 27001 certification. Therefore, the researchers propose a series of recommendations that can serve as a guide for developing information security governance to strengthen information protection at Pahlawan Tuanku Tambusai University.
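The aggregation described in sections 1 to 7 above (area scores summed into the final score of 379, each area's score compared with its maximum, and the areas with the largest relative gap flagged for the Table 3 recommendations) is shown below as an added Python example. It is not code from the paper or from the KAMI Index tool. The scores and maxima are those quoted on this page; where the page does not state an area's maximum (Governance, Technology), the example leaves it as None and ranks that area last. The grouping of the Table 3 Annex A controls under the three weakest areas is an assumption made for this example, and because the page does not list the KAMI Index score bands for the final status, the example reports the aggregate score without classifying it.

```python
"""Gap register built from KAMI Index 5.0 area scores (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AreaResult:
    name: str
    score: int
    max_score: Optional[int]  # None where the page does not state the maximum
    maturity_level: str       # maturity level as reported by the assessors


# Area scores as reported in the results section of the paper. The maxima for
# Governance and Technology are not given on the page, so they stay None.
AREAS: List[AreaResult] = [
    AreaResult("Governance", 46, None, "I"),
    AreaResult("Risk Management", 27, 72, "I"),
    AreaResult("Framework", 43, 192, "I"),
    AreaResult("Asset Management", 110, 258, "I"),
    AreaResult("Technology", 93, None, "I"),
    AreaResult("Personal Data Protection", 60, 80, "II"),
]

# ISO/IEC 27001:2022 Annex A controls recommended in Table 3 of the paper.
# Assumption for this example: the table rows are grouped under the area
# whose findings they address.
RECOMMENDED_CONTROLS: Dict[str, List[str]] = {
    "Governance": ["6.3", "5.1", "5.5"],
    "Risk Management": ["5.24", "5.12", "6.8"],
    "Framework": ["5.26", "5.27", "5.36", "5.37", "5.8", "8.25"],
}


def completeness(area: AreaResult) -> Optional[float]:
    """Fraction of the area's maximum score achieved, or None if unknown."""
    if area.max_score is None or area.max_score <= 0:
        return None
    return area.score / area.max_score


def aggregate_score(areas: List[AreaResult]) -> int:
    """Sum of the six area scores, i.e. the KAMI Index final score."""
    return sum(a.score for a in areas)


def matches_reported_total(areas: List[AreaResult], reported_total: int) -> bool:
    """Sanity check: the per-area scores must add up to the published total."""
    return aggregate_score(areas) == reported_total


def prioritize(areas: List[AreaResult]) -> List[str]:
    """Area names ordered from the largest relative gap to the smallest.
    Areas whose maximum is unknown cannot be ranked and are listed last."""
    known = [a for a in areas if completeness(a) is not None]
    unknown = [a for a in areas if completeness(a) is None]
    ranked = sorted(known, key=lambda a: completeness(a))
    return [a.name for a in ranked] + [a.name for a in unknown]


def gap_register(areas: List[AreaResult]) -> List[dict]:
    """One entry per area, in priority order, with the controls to close the gap."""
    by_name = {a.name: a for a in areas}
    register = []
    for name in prioritize(areas):
        area = by_name[name]
        ratio = completeness(area)
        register.append({
            "area": name,
            "score": area.score,
            "max_score": area.max_score,
            "completeness_pct": None if ratio is None else round(100 * ratio, 1),
            "maturity_level": area.maturity_level,
            "controls": RECOMMENDED_CONTROLS.get(name, []),
        })
    return register


if __name__ == "__main__":
    print("aggregate score:", aggregate_score(AREAS))
    print("matches reported 379:", matches_reported_total(AREAS, 379))
    for entry in gap_register(AREAS):
        print(entry)
```

Running the script reproduces the paper's total of 379 from the six area scores and lists the Framework area (43 of 192) as the widest gap, followed by Risk Management and Asset Management; that ordering is the basis on which an assessor would sequence the Table 3 recommendations.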
The recommendations are based on the SNI ISO/IEC 27001:2022 standard. They are formulated by identifying the gaps in each assessed area and comparing them directly with the controls required by the standard. The following table presents the specific recommendations for each information security assessment area.

Table 3. ISO 27001:2022 Recommendations
(columns: Present Conditions | ISO 27001:2022 Recommendations | Discussion)

Row 1
Present condition: Competency standards and qualification requirements for information security managers have not been established, and there are no programs in place to enhance the skills and knowledge of information security managers.
Recommendation (6.3 Information security awareness, education and training): The university creates a document or procedure defining competency and expertise standards for information security management implementers, and a training program to improve those competencies and expertise.
Discussion: Competence supports the effective implementation of security controls. An ISACA report states that organizations with structured training experience a 30% reduction in incidents. ISO 27001:2022 also recommends awareness and training components as key security measures.

Row 2
Present condition: There is no socialization program or effort to increase understanding of information security among related parties, and information security regulations have not been published.
Recommendation (5.1 Policies for information security): Publish the information security regulations to all staff and employees so that they are easily accessible when needed, and create a socialization program to increase understanding of information security.
Discussion: Policies are the foundation of the ISMS. Research emphasizes that structured policies support consistency, compliance, and risk management. ISO 27001:2022 also recommends management involvement in policy approval.

Row 3
Present condition: There has been no coordination between the agency's information security managers and the related work units and interested internal parties to ensure and implement information security compliance in work processes that involve various parties.
Recommendation (5.5 Contact with authorities): Create regulations on coordination in managing information security and implementing information security compliance with all relevant parties, including work units, internal parties, and other related parties.
Discussion: Communication with authorities speeds up incident handling and ensures legal compliance. Previous research shows that organizations with structured contacts respond to incidents 30% faster.

Row 4
Present condition: There is no document regulating the work program and framework for managing information security risks.
Recommendation (5.24 Information security incident management planning and preparation): Develop documentation and regulations for the work programs and frameworks for managing information security risks.
Discussion: The creation of incident management documents is important as a written reference for handling information security incidents consistently. These documents ensure that every role, responsibility, and procedure has been agreed upon and is easy to follow when an incident occurs.

Row 5
Present condition: No established information security risk management framework outlines the relationships and classification levels of information assets, or the threat levels and potential impacts of losses to the organization.
Recommendation (5.12 Classification of information): Create information security risk management framework documents and regulations that define the relationships and classification levels of information assets, the threat levels, and the impact of losses to the organization.
Discussion: Classification helps protect information according to its value and sensitivity. ISO 27002:2022 emphasizes classification as the basis for protection controls, including for personal, confidential, and public information.

Row 6
Present condition: The organization's risk mitigation measures were not aligned with its priorities for achieving its objectives, there was no risk management officer, and there was no security and risk management status report.
Recommendation (6.8 Information security event reporting): Reorganize the risk mitigation steps by priority and objective achievement, assign risk managers, and report on the status of information security risk management.
Discussion: Early reporting enables rapid response. A study found that 35% of incidents were handled late due to the lack of clear reporting channels. ISO 27001:2022 recommends transparent and secure reporting mechanisms.

Row 7
Present condition: Information security regulations do not reflect the need to mitigate information security risks.
Recommendation (5.26 Response to information security incidents): Develop information security regulations and procedures that address the mitigation requirements identified through the information security risk assessment results.
Discussion: Prompt handling reduces the impact of incidents, and documented response procedures reduce the average cost of incidents.

Row 8
Present condition: There is no information security identification process in the applicable follow-up procedures.
Recommendation (5.27 Learning from information security incidents): Create a document that defines a process for identifying conditions that compromise information security and the applicable follow-up procedures.
Discussion: Learning from incidents drives continuous improvement. ISO 27001:2022 recommends this process as part of incident management. A study shows that organizations that carry out incident post-mortems demonstrate up to a 40% increase in security maturity.

Row 9
Present condition: There is no information security exception management process.
Recommendation (5.36 Compliance with policies, rules and standards for information security): Create a document containing formal procedures for managing exceptions to the application of information security, including a follow-up process.
Discussion: The document formally regulates requests for and approvals of exceptions to information security controls through risk assessment, documentation, and periodic reviews, so that each exception is managed in a controlled manner without compromising the integrity of the security system, in accordance with ISO/IEC 27001:2022.

Row 10
Present condition: There are no policies and procedures related to security patches.
Recommendation (5.37 Documented operating procedures): Create operational policies and procedures to manage security patches and the allocation of ...
Discussion: Documentation supports consistency and the training of new staff. ISO 27001 requires documentation as part of operational controls and also emphasizes the importance of documented procedures for IT operations.

Row 11
Present condition: Information security has not been addressed in project management.
Recommendation (5.8 Information security in project management): Create documentation that explains information security in project management.
Discussion: Information security is often overlooked in projects, even though it can pose serious risks. The Project Management Institute (PMI) recommends integrating security aspects from the planning stage, so that risks can be anticipated early and projects run more securely.

Row 12
Present condition: A secure system development process (Secure SDLC) has not been implemented.
Recommendation (8.25 Secure development life cycle): Create a secure software development regulation (Secure SDLC).
Discussion: The implementation of a Secure SDLC plays an important role in preventing vulnerabilities from the early stages of system development. Work on the SDLC shows that addressing security from the outset provides significant cost savings compared with mitigation at the final stage.
30 Outsourced development There is no process or policy in place to mitigate the risks of implementing a new system There has been no internal audit that evaluates the level of compliance with information security implementation, identifies corrective and preventive measures, and there is no report on the results of the internal audit evaluation to the leadership Implement regulations or procedures that can mitigate new risks arising from the implementation of new systems, as well as strategies for the use of information technology 34 Protection of information systems during audit testing Prepare internal audit reports that contain the results of internal audits that assess the compliance, consistency, and effectiveness of information security implementation, as well as audits that were conducted to identify improvements and preventive actions for information 14 Redundancy of information processing facilities Compliance assessments of the information security program were not conducted regularly. 10 Acceptable use of information and other associated assets There is no clearly defined matrix to record access levels and access assignments for each type of information asset. There is no process in place to identify and inventory 10 Information Deletion Develop a timetable for regular evaluation and compliance testing of the information security program Create documents containing asset Progresif: Vol. No. Agustus 2025: 573-585 Outsourcing is risky if not supervised. ISO 27001: 2022 provides guidance on third-party risk management. Research shows that 60% of breaches originate from unmonitored third parties. The unmanaged audit process can open unauthorized access or disrupt operational systems. Therefore, it is very important to establish audit procedures that are secure and do not interfere with ongoing services. ISO 27001 emphasizes the need for risk mitigation during audits to prevent service disruption or data breaches. 
Establishing a schedule for regular compliance evaluations and testing is important to ensure that security controls remain effective and aligned with applicable standards. This helps detect weaknesses early and prevent incidents or non-compliance that could impact the organization. The creation of a university IT asset usage policy is important for regulating user behavior in the safe and responsible use of IT resources. This policy helps prevent misuse, protect digital assets, and raise awareness of information security within the university environment. Developing procedures for the secure deletion of information, both on digital Progresif Present Conditions information asset retention requirements by existing laws and regulations, and no process in place to evaluate compliance with retention requirements and delete information assets if they have passed the retention limit No configuration management process is consistently applied A procedure for reviewing user access and access rights, including corrective actions in cases of noncompliance with applicable policies, has not been Agencies/companies have not evaluated the security feasibility of cloud services, including aspects of their availability and fulfillment of ISO 27001-based service There are no documented records or analysis . udit trail. verifying that antivirus/antimalware software is updated regularly and systematically, nor are there reports on the follow-up and resolution of successful or failed virus/malware attacks Organizations have yet to implement secure application development principles . ecure codin. 
for in-house or externally developed applications, and current applications lack defined security specifications and features that are verified and validated throughout the development and testing Organizations have not established a development and testing environment secured according to existing technology platform standards, which is utilized throughout the entire system development e-ISSN: 2685-0877 ISO 27001:2022 Recommendations Create a document that contains inventory information, including retention requirements for information assets as mandated by laws and regulations, and a process for evaluating compliance with these requirements and deleting information assets once they have exceeded their retention limit. 18 Use Of Privileged utility University IT staff must perform configuration management processes regularly and consistently 2 Privileged access rights Create documents that discuss user access review procedures and user access rights. 19 Information security in supplier Evaluate information security, including cloud services, using information security standardization such as the KAMI Index. 7 Protection against malware Create periodic reports related to the results of technology analysis/audit, containing antivirus/antimalware, that are followed up on. 28 Secure Coding The University must apply the principles in developing applications that are safe to use both internally and externally, and have been verified/validated in the application development process. 31 Separation of development, test, and production environments The University should implement a secure development and test environment by existing technology platform standards. Discussion and physical media, is important to prevent data leaks. ISO/IEC 27001 emphasizes the importance of data sanitization processes appropriate to the type of storage media, to ensure that information cannot be recovered. 
Special utility programs should be restricted and only used by authorized personnel, with activity logging to prevent misuse. IT staff also need to perform regular configuration management to keep the system secure and under control. Privileged access rights need to be strictly managed because they are often the target of cyber attacks. The process of granting, reviewing, and revoking these rights must be carried out regularly to prevent misuse and ensure that only authorized parties have access. Hubungan dengan pihak ketiga menimbulkan risiko tambahan, sehingga perlu perjanjian keamanan informasi dan evaluasi berkala. ISO 27001:2022 menyarankan agar kontrol keamanan dicantumkan dalam kontrak vendor. Malware protection is essential to prevent infections that can result in data theft, system damage, or service The use of up-to-date antivirus software, user education, and active monitoring help detect and stop threats early on, as well as reduce the risk of human error as a major factor in the spread of malware. Implementing secure coding standards such as OWASP and providing regular training to developers is important because coding errors are often the entry point for attacks. OWASP shows that application vulnerabilities are a common cause of data breaches. Google and Microsoft also emphasize the importance of regular training as a preventive measure to improve software security. Separating development, testing, and production environments is important to prevent cross-contamination between systems, data leaks, and configuration conflicts. ISO 27001 emphasizes that this separation is an important part of change control and protection of system operational Evaluation of Information Security Readinessa. Novriyadi 584 e-ISSN: 2685-0877 Conclusion Evaluation of information security readiness at Pahlawan Tuanku Tambusai University, using the KAMI Index version 5. 
0, reveals a readiness status of AuIneligibleAy for ISO/IEC 27001:2022 compliance, with a total score of 379. While the Electronic Systems Category shows a AuhighAy score of 23 and the Technology and Personal Data Protection areas show progress in maintaining confidentiality, integrity, and availability, other areas are still at the Basic Framework maturity level (I to I ). These findings highlight the need for substantial improvements, including the establishment of a dedicated information security team, a structured risk management program, and a comprehensive security policy. Furthermore, prioritizing network segmentation, improving personal data protection, and maintaining an up-todate asset inventory are important steps. By implementing the provided recommendations, conducting regular audits, and enhancing staff knowledge of information security. Pahlawan Tuanku Tambusai University can strengthen its information security measures and align them with the ISO/IEC 27001:2022 standard, thereby ensuring better protection of student and employee data. References