
ISO 27001:2013 IMPLEMENTATION CHECKLIST

Columns: ISO 27001:2013 clause | ISO 27001:2013 standard requirement | Documentation (Policy / Guideline / Procedure) | Evidence of implementation / Records | Activity

4. CONTEXT OF THE ORGANIZATION
Documentation (4.1 to 4.4): ISMS Context Organization and Scope

4.1 Understanding the organization and its context
    Requirement: The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system
    Activity: 1

4.2 Understanding the needs and expectations of interested parties
    Requirement: The organization shall determine:
    a) interested parties that are relevant to the information security management system; and
    b) the requirements of these interested parties relevant to information security.
    Activity: 2

4.3 Determining the scope of the ISMS
    Requirement: The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
    Activity: 3

4.4 Information Security Management System
    Requirement: The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.
    Activity: 4

5. LEADERSHIP

5.1 Leadership and commitment
    Requirement: The organization shall establish, implement, maintain and continually improve an information security management system. Top management shall demonstrate leadership and commitment with respect to the information security management system.
    Documentation: ISMS Policy
    Evidence / Records: ISMS Policy / Guidelines / Procedures; Evidence of socialization (dissemination) sessions; Measurement of ISMS Objectives
    Activities: 1, 2, 3, 5

5.2 Policy
    Requirement: Top management shall establish an information security policy.
    Documentation: ISMS Policy / Guidelines / Procedures
    Evidence / Records: Policies, guidelines and procedures related to the ISMS within the scope of SQG OCBC-NISP (* the document list is held by the Document Controller); Evidence of socialization (dissemination) sessions; List of ISMS documentation
    Activities: 1, 2, 3

5.3 Organization Roles and Responsibility
    Requirement: Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
    Evidence / Records: 1. ISMS Organizational Structure Memo
    Activity: 1

6. PLANNING

6.1 Actions to address risk and opportunities

6.1.1 General
    Requirement: When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed
    Evidence / Records: 1. Risk Profile; 2. Statement of Applicability (SoA); 3. ISMS Objectives; 4. ISMS Implementation Program / Work Plan

6.1.2 Information security risk assessment
    Requirement: The organization shall define and apply an information security risk assessment process
    Documentation: Risk and Control Self Assessment Sub Policy
    Evidence / Records: Risk Register
    Activity: 1

6.1.3 Information security risk treatment
    Requirement: The organization shall define and apply an information security risk treatment process
    Documentation: Risk and Control Self Assessment
    Evidence / Records: Risk Treatment Plan
    Activity: 1

6.2 Information security objectives and planning to achieve them
    Requirement: The organization shall establish information security objectives at relevant functions and levels
    Evidence / Records: 1. ISMS Objectives; 2. Results of measuring the achievement of ISMS Objectives
    Activities: 1, 2

7. SUPPORT

7.1 Resources
    Requirement: The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.
    Documentation: Awareness and Communication
    Evidence / Records: SQG Organizational Structure & Job Descriptions of Personnel / Employees

7.2 Competence
    Requirement: The organization shall:
    a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
    b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
    c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
    d) retain appropriate documented information as evidence of competence.
    Documentation: Awareness and Communication
    Evidence / Records: 1. Competency Matrix; 2. Employee Training Plan
    Activities: 1, 2

7.3 Awareness
    Requirement: Persons doing work under the organization's control shall be aware of:
    a) the information security policy;
    b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
    c) the implications of not conforming with the information security management system requirements.
    Documentation: Awareness and Communication
    Evidence / Records: 1. Awareness materials & evidence of delivery; 2. ISMS questionnaire materials

7.4 Communication
    Requirement: The organization shall determine the need for internal and external communications relevant to the information security management system including:
    a) on what to communicate;
    b) when to communicate;
    c) with whom to communicate;
    d) who shall communicate; and
    e) the processes by which communication shall be effected.
    Documentation: Awareness and Communication
    Evidence / Records: Communication Table

7.5 Documented information
    Documentation: Documentation Control

7.5.1 General
    Requirement: The organization's information security management system shall include:
    a) documented information required by this International Standard; and
    b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.
    Documentation: Documentation Control

7.5.2 Creating and updating
    Requirement: When creating and updating documented information the organization shall ensure appropriate:
    a) identification and description;
    b) format and media; and
    c) review and approval for suitability and adequacy.
    Documentation: Documentation Control

7.5.3 Control of documented information
    Requirement: Documented information required by the information security management system and by this International Standard shall be controlled. Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled
    Documentation: Documentation Control
    Evidence / Records: 1. List of ISMS documentation; 2. Document change history

8. OPERATIONS

8.1 Operational Planning and Control
    Requirement: The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2
    Documentation: ISMS Objectives and Planning
    Evidence / Records: 1. ISMS Objectives; 2. ISMS Implementation Program / Work Plan; 3. Results of ISMS Objectives measurement

8.2 Information Security Risk assessment
    Requirement: The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2a
    Documentation: Risk and Control Self Assessment Sub Policy; Risk and Control Self Assessment
    Evidence / Records: 1. Risk Register

8.3 Information Security Risk treatment
    Requirement: The organization shall implement the information security risk treatment plan
    Documentation: Risk and Control Self Assessment Sub Policy; Risk and Control Self Assessment
    Evidence / Records: 1. Risk Treatment Plan (RTP)

9. PERFORMANCE EVALUATION

9.1 Monitoring, measurement, analysis and evaluation
    Requirement: The organization shall evaluate the information security performance and the effectiveness of the information security management system
    Documentation: Measurement
    Evidence / Records: Control Effectiveness Measurement Form

9.2 Internal audit
    Requirement: The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system
    Documentation: Internal Audit
    Evidence / Records: 1. Audit Program; 2. Audit Plan; 3. Audit Checklist; 4. Audit Report

9.3 Management Review
    Requirement: Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness
    Documentation: Management Review
    Evidence / Records: Management Review meeting minutes

10. IMPROVEMENT

10.1 Nonconformity and corrective actions
    Requirement: When a nonconformity occurs, the organization shall:
    a) react to the nonconformity, and as applicable:
    b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere;
    c) implement any action needed;
    d) review the effectiveness of any corrective action taken; and
    e) make changes to the information security management system, if necessary.
    Corrective actions shall be appropriate to the effects of the nonconformities encountered.
    The organization shall retain documented information as evidence of:
    f) the nature of the nonconformities and any subsequent actions taken, and
    g) the results of any corrective action.
    Documentation: Nonconformity and Continual Improvement
    Evidence / Records: Nonconformity Form (Formulir Ketidaksesuaian)
    Activities: 1, 2, 3, 4

10.2 Continual improvement
    Requirement: The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.
    Documentation: Nonconformity and Continual Improvement

ISO 27001:2013

Columns: Activity | Responsible / Executor | Sept (W3, W4) | October (W1 to W4) | November (W1 to W4) | Status

- Identify and establish internal and external issues
  Responsible: Top Management; Management Representative

- Identify interested parties together with their expectations and needs
  Responsible: Top Management; Management Representative

- Establish the scope of the ISMS implementation
  Responsible: Top Management; Management Representative

- Ensure that the ISMS implementation runs in accordance with the provisions of the ISO 27001:2013 standard
  Responsible: Top Management; Management Representative

- Ensure that Top Management has given its direction and commitment to the ISMS in the organization, by:
  - ensuring that the ISMS policy and objectives have been established and are aligned with the organization's strategy;
  - ensuring that the importance of ISMS implementation in the organization has been communicated to all relevant parties;
  - ensuring the availability of resources for the ISMS implementation;
  - ensuring that the ISMS goals and objectives can be achieved
  Responsible: Management Representative

- Ensure that the ISMS documentation (policies, guidelines, procedures) has been established
  Responsible: PJ: Management Representative; PH: ISMS Officer
- Ensure that the ISMS documentation has been communicated (socialized)
  Responsible: PJ: Management Representative; PH: ISMS Officer

- Ensure that the ISMS documentation is available and accessible to the relevant parties
  Responsible: Document Controller

- Establish and approve the ISMS Organizational Structure Memo at SQG
  Responsible: Top Management; Management Representative

- Prepare the Risk Profile based on the Risk Assessment results
  Responsible: Risk Officer
  Status: Done

- Identify and establish the SoA
  Responsible: Management Representative
  Status: Done

- Identify and establish the ISMS objectives
  Responsible: Management Representative
  Status: Done

- Prepare the ISMS Implementation Work Plan
  Responsible: Management Representative
  Status: Done

- Carry out risk identification and assessment (risk assessment) together with its review
  Responsible: Risk Officer
  Status: Done

- Identify and establish the follow-up plan for risk treatment together with its review
  Responsible: Risk Officer
  Status: Done

- Establish the ISMS Objectives
  Responsible: Management Representative
  Status: Done

- Measure the achievement of the ISMS Objectives
  Responsible: ISMS Officer

- Carry out the analysis of human resource needs
  Responsible: Management Representative; SQG Manager
- Examine and assess employee performance based on the competency matrix (using the REKAN application)
- Prepare the Employee Training Plan
  Responsible (both activities above): PJ: Management Representative; PH: ISMS Officer

- Carry out information security awareness through:
  - email
  - screen-saver and desktop background displays
  - periodic socialization sessions
  - completion of the ISMS questionnaire
  Responsible: ISMS Officer

- Prepare the Communication Table
  Responsible: ISMS Officer

- Ensure that all ISMS-related needs and processes are documented in accordance with the provisions
  Responsible: ISMS Officer; Document Controller

- Ensure that the process of preparing and adjusting/revising the ISMS documentation complies with the provisions
  Responsible: Document Controller
  Status: on going (check)

- Handle the ISMS documentation in accordance with the provisions
  Responsible: Document Controller
  Status: check

- Ensure the achievement of the ISMS Objectives and the execution of the ISMS implementation program in accordance with the provisions
  Responsible: Management Representative

- Review the Risk Register and update it when new risks are identified
  Responsible: Risk Officer
- Follow up on risk treatment in accordance with the controls and target dates that have been set
  Responsible: Risk Officer

- Carry out and document the measurement, analysis and evaluation process in accordance with the provisions
  Responsible: ISMS Officer

- Carry out the Internal Audit in accordance with the provisions
  Responsible: Internal Auditor

- Carry out the Management Review with a discussion agenda and process that follow the framework in the standard and the provisions
  Responsible: Management Representative

- Report every nonconformity that occurs. Evaluate to determine the follow-up. Carry out the follow-up that has been determined. Review the effectiveness of corrective actions.
  Responsible: All Employees; ISMS Officer
- Ensure that the implementation runs in accordance with the provisions and carry out reviews and improvement efforts.
  Responsible: PJ: Management Representative; PH: ISMS Officer

ISO 27001:2013 IMPLEMENTATION CHECKLIST

Columns: Annex A ISO 27001:2013 control | ISO 27001:2013 standard requirement

A.5 SECURITY POLICY

A.5.1 Management direction for information security

A.5.1.1 Policies for information security
    A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties

A.5.1.2 Review of the policies for information security
    The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness

A.6 ORGANIZATION OF INFORMATION SECURITY

A.6.1 Internal Organization

A.6.1.1 Information security roles and responsibility
    All information security responsibilities shall be defined and allocated

A.6.1.2 Segregation of duties
    Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets

A.6.1.3 Contact with authorities
    Appropriate contacts with relevant authorities shall be maintained

A.6.1.4 Contact with special interest groups
    Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained

A.6.1.5 Information security in project management
    Information security shall be addressed in project management, regardless of the type of the project.

A.6.2 Mobile Device and Teleworking

A.6.2.1 Mobile device policy
    A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices

A.6.2.2 Teleworking
    A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites

A.7 HUMAN RESOURCE SECURITY

A.7.1 Prior to Employment

A.7.1.1 Screening
    Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks

A.7.1.2 Terms and conditions of employment
    The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security

A.7.2 During employment

A.7.2.1 Management responsibilities
    Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization

A.7.2.2 Information security awareness, education and training
    All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function

A.7.2.3 Disciplinary process
    There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach

A.7.3 Termination or change of employment

A.7.3.1 Termination or change of employment responsibilities
    Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced

A.8 ASSET MANAGEMENT

A.8.1 Responsibility for Assets

A.8.1.1 Inventory of assets
    Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained

A.8.1.2 Ownership of assets
    Assets maintained in the inventory shall be owned

A.8.1.3 Acceptable use of assets
    Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented

A.8.1.4 Return of assets
    All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement

A.8.2 Information classification

A.8.2.1 Classification of information
    Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification

A.8.2.2 Labelling of information
    An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization

A.8.2.3 Handling of assets
    Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization

A.8.3 Media Handling

A.8.3.1 Management of removable media
    Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization

A.8.3.2 Disposal of media
    Media shall be disposed of securely when no longer required, using formal procedures

A.8.3.3 Physical media transfer
    Media containing information shall be protected against unauthorized access, misuse or corruption during transportation

A.9 ACCESS CONTROL

A.9.1 Business requirement for access control

A.9.1.1 Access control policy
    An access control policy shall be established, documented and reviewed based on business and information security requirements

A.9.1.2 Access to networks and network services
    Users shall only be provided with access to the network and network services that they have been specifically authorized to use

A.9.2 User access management

A.9.2.1 User registration and de-registration
    A formal user registration and de-registration process shall be implemented to enable assignment of access rights

A.9.2.2 User access provisioning
    A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services

A.9.2.3 Management of privileged access rights
    The allocation and use of privileged access rights shall be restricted and controlled

A.9.2.4 Management of secret authentication information of users
    The allocation of secret authentication information shall be controlled through a formal management process

A.9.2.5 Review of user access rights
    Asset owners shall review users' access rights at regular intervals

A.9.2.6 Removal or adjustment of access rights
    The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change

A.9.3 User responsibilities

A.9.3.1 Use of secret authentication information
    Users shall be required to follow the organization's practices in the use of secret authentication information

A.9.4 System and application access control

A.9.4.1 Information access restriction
    Access to information and application system functions shall be restricted in accordance with the access control policy

A.9.4.2 Secure log-on procedure
    Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure

A.9.4.3 Password management system
    Password management systems shall be interactive and shall ensure quality passwords

A.9.4.4 Use of privileged utility programs
    The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled

A.9.4.5 Access control to program source code
    Access to program source code shall be restricted

A.10 CRYPTOGRAPHY

A.10.1 Cryptographic controls

A.10.1 Policy on the use of cryptographic controls
    A policy on the use of cryptographic controls for protection of information shall be developed and implemented

A.10.2 Key management
    A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle

A.11 PHYSICAL AND ENVIRONMENTAL SECURITY

A.11.1 Secure areas

A.11.1.1 Physical security perimeter
    Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities

A.11.1.2 Physical entry control
    Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access

A.11.1.3 Securing offices, rooms and facilities
    Physical security for offices, rooms and facilities shall be designed and applied

A.11.1.4 Protecting against external and environmental threats
    Physical protection against natural disasters, malicious attack or accidents shall be designed and applied

A.11.1.5 Working in secure areas (Not Applicable)
    Procedures for working in secure areas shall be designed and applied

A.11.1.6 Delivery and loading areas
    Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access

A.11.2 Equipment

A.11.2.1 Equipment siting and protection
    Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

A.11.2.2 Supporting utilities
    Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities

A.11.2.3 Cabling security
    Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage

A.11.2.4 Equipment maintenance
    Equipment shall be correctly maintained to ensure its continued availability and integrity

A.11.2.5 Removal of assets
    Equipment, information or software shall not be taken off-site without prior authorization

A.11.2.6 Security of equipment and assets off-premises
    Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises

A.11.2.7 Secure disposal or reuse of equipment
    All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use

A.11.2.8 Unattended user equipment
    Users shall ensure that unattended equipment has appropriate protection

A.11.2.9 Clear desk and clear screen policy
    A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted

A.12 OPERATIONS SECURITY

A.12.1 Operational procedures and responsibilities

A.12.1.1 Documented operation procedure
    Operating procedures shall be documented and made available to all users who need them

A.12.1.2 Change management
    Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled

A.12.1.3 Capacity management
    The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance

A.12.1.4 Separation of development, testing and operational environment
    Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment

A.12.2 Protection from malware

A.12.2.1 Control against malware
    Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness

A.12.3 Backup

A.12.3.1 Information backup
    Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy

A.12.4 Logging and Monitoring

A.12.4.1 Event logging
    Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed

A.12.4.2 Protection of log information
    Logging facilities and log information shall be protected against tampering and unauthorized access

A.12.4.3 Administrator and operator log
    System administrator and system operator activities shall be logged and the logs protected and regularly reviewed

A.12.4.4 Clock synchronization
    The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source

A.12.5 Control of operational software

A.12.5.1 Installation of software on operational systems
    Procedures shall be implemented to control the installation of software on operational systems

A.12.6 Technical vulnerability management

A.12.6.1 Management of technical vulnerabilities
    Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk

A.12.6.2 Restrictions on software installation
    Rules governing the installation of software by users shall be established and implemented

A.12.7 Information system audit considerations

A.12.7.1 Information system audit control
    Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes

A.13 COMMUNICATIONS SECURITY

A.13.1 Network security management

A.13.1.1 Network controls
    Networks shall be managed and controlled to protect information in systems and applications

A.13.1.2 Security of network services
    Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced

A.13.1.3 Segregation in networks
    Groups of information services, users and information systems shall be segregated on networks

A.13.2 Information transfer

A.13.2.1 Information transfer policy and procedures
    Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities

A.13.2.2 Agreements on information transfer
    Agreements shall address the secure transfer of business information between the organization and external parties

A.13.2.3 Electronic messaging
    Information involved in electronic messaging shall be appropriately protected

A.13.2.4 Confidentiality or non-disclosure agreements
    Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented

A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.14.1 Security requirements of information systems

A.14.1.1 Information security requirements analysis and specification
    The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems

A.14.1.2 Securing application services on public networks
    Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification

A.14.1.3 Protecting application services transactions
    Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay

A.14.2 Security in development and support processes

A.14.2.1 Secure development policy
    Rules for the development of software and systems shall be established and applied to developments within the organization

A.14.2.2 System change control procedure
    Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures

A.14.2.3 Technical review of applications after operating platform changes
    When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security

A.14.2.4 Restrictions on changes to software packages
    Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled

A.14.2.5 Secure system engineering principles
    Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts

A.14.2.6 Secure development environment
    Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle

A.14.2.7 Outsourced development
    The organization shall supervise and monitor the activity of outsourced system development

A.14.2.8 System security testing
    Testing of security functionality shall be carried out during development

A.14.2.9 System acceptance testing
    Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions

A.14.3 Test data

A.14.3.1 Protection of test data
    Test data shall be selected carefully, protected and controlled

A.15 SUPPLIER RELATIONSHIP

A.15.1 Information security in supplier relationship

A.15.1.1 Information security policy for supplier relationship
    Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets shall be agreed with the supplier and documented

A.15.1.2 Addressing security within supplier agreements
    All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information

A.15.1.3 Information and communication technology supply chain
    Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain

A.15.2 Supplier service delivery management

A.15.2.1 Monitoring and review of supplier services
    Organizations shall regularly monitor, review and audit supplier service delivery

A.15.2.2 Managing changes to supplier services
    Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks

A.16 INFORMATION SECURITY INCIDENT MANAGEMENT


A.16.1 Management of information security incidents and improvements

Management responsibilities and procedures shall


A.16.1.1 Responsibilities and procedures; be established to ensure a quick, effective and
orderly response to information security incident

Information security events shall be reported


Reporting informations security
A.16.1.2 through appropriate management channels as
events;
quickly as possible

Employees and contractors using the organizations


information systems and services shall be required
Reporting informations security
A.16.1.3 to note and report any observed or suspected
weaknesses;
information security weaknesses in systems or
services

Information security events shall be assessed and it


Assessment of and decision on
A.16.1.4 shall be decided if they are to be classified as
information security events;
information security incidents

Response to information security Information security incidents shall be responded to


A.16.1.5
incidents; in accordance with the documented procedures

Knowledge gained from analysing and resolving


Learning from information security
A.16.1.6 information security incidents shall be used to
incidents;
reduce the likelihood or impact of future incidents

The organization shall define and apply procedures


for the identification, collection, acquisition and
A.16.1.7 Collection of evidence
preservation of information, which can serve as
evidence

A.17 INFORMATION SECURITY ASPECT ON BUSINESS CONTINUITY MANAGEMENT


A.17.1 Information security continuity

Information security continuity shall be embedded


Planning information security
A.17.1.1 in the organizations business continuity
continuity;
management systems

The organization should establish, document,


implement and maintain processes, procedures
Implementing informations
A.17.1.2 and controls to ensure the required level of
security continuity;
continuity for information security during an adverse
situation

The organization shall verify the established and


Verify, review and evaluate implemented information security continuity
A.17.1.3
informations security continuity controls at regular intervals in order to ensure that
they are valid and effective during adverse situation

A.17.2 Redundancies

Information processing facilities shall be


Availability of information
A.17.2.1 implemented with redundancy sufficient to meet
processing facilities
availability requirements

A.18 COMPLIENCE
A.18.1 Compliance with legal and contractual requirements
All relevant legislative statutory, regulatory,
contractual requirements and the organizations
Identification of applicable
approach to meet these requirements shall be
A.18.1.1 legislation and contractual
explicitly identified, documented and kept up to
requirements;
date for each information system and the
organization

Appropriate procedures shall be implemented to


ensure compliance with legislative, regulatory and
A.18.1.2 Intellectual property rights; contractual requirements related to intellectual
property rights and use of proprietary software
products

Records shall be protected from loss, destruction,


falsification, unauthorized access and unauthorized
A.18.1.3 Protection of records;
release, in accordance with legislatory, regulatory,
contractual and business requirements

Privacy and protection of personally identifiable


Privacy and protection of
A.18.1.4 information shall be ensured as required in relevant
personally identifiable information.
legislation and regulation where applicable

Cryptographic controls shall be used in compliance


Regulation of cryptographic
A.18.1.5 with all relevant agreements, legislation and
controls
regulations
A.18.2 Information security reviews

The organizations approach to managing


information security and its implementation (i.e.
Independent review of information control objectives, controls, policies, processes and
A.18.2.1
security; procedures for information security) shall be
reviewed independently at planned intervals or
when significant changes occur

Managers shall regularly review the compliance of


information processing and procedures within their
Compliance with security policies
A.18.2.2 area of responsibility with the appropriate security
and standard;
policies, standards and any other security
requirements

Information systems shall be regularly reviewed for


A.18.2.3 Technical compliance review compliance with the organizations information
security policies and standards

Documentation (Policy/Guideline/Procedure) | Evidence of Implementation / Records | Activities

ISSG | - | 1. Establish the Information Security Policy
ISSG | Evidence of socialization sessions | 2. Socialize the Information Security Policy
ISSG | 1. Minutes of the Document Review Meeting; 2. Document Change History | 1. Conduct periodic reviews of the ISSG & ISMS Policy
Organizational Structure & Job Descriptions | 1. ISMS Organizational Structure Memo | 1. Establish & ratify the ISMS Organizational Structure Memo at SQG; 2. Establish & ratify the Organizational Structure at SQG
- | 1. Important Contact Numbers List | 1. Compile the Important Contact Numbers List; 2. Post the Important Contact Numbers List in a location easily visible to all employees
- | Evidence / list of participation in information security forums | Participate in information security forums
- | 1. Contract Documents; 2. NDA | 1. Ensure information security controls are covered in project management; 2. Ensure the relevant parties have signed the NDA
Asset Management | Personal Asset Usage Form | Ensure the registration & use of mobile devices comply with the provisions
Access Control | Teleworking Deviation Form | Record the users granted VPN access and the use of personally / company owned mobile devices
Human Resource Security | Employee Screening Results | Ensure the processes run by HC follow the applicable guidelines on Human Resource Security
Human Resource Security | Employee Contract Documents / Company Regulations Handbook | -
Human Resource Security | 1. Evidence of Information Security Awareness / Socialization sessions; 2. NDA | -
Human Resource Security | 1. Evidence of Information Security Awareness / Socialization sessions; 2. Employee Training Plan | 1. Conduct information security socialization / awareness; 2. Prepare the training plan & conduct employee training
Human Resource Security | KAB Document (classification level, violation categories, and the sanctions to be applied) | Ensure HC has rules on the disciplinary process for deviations committed by personnel (employees / third parties)
Human Resource Security | 1. Exit Clearance; 2. Review of changes to employee access rights; 3. NDA | Ensure information security controls are applied when an employee's employment is terminated or changed

Asset Management (one entry covering four checklist rows) | 1. Asset Register; 2. Asset Handover Form; 3. Asset Labels | 1. Ensure information and the devices that process & store it are inventoried, with their ownership, in the asset register; 2. Label work devices according to the asset register; 3. Record the supporting facilities present in the SQG area; 4. Ensure all devices at SQG are used according to the device usage rules
Classification and Handling Information | 1. Information classification criteria; 2. Information Asset List with classifications | Identify the information classification: Public, Internal, Confidential, Strictly Confidential
Classification and Handling Information | All information has been labelled according to the provisions & its classification | Label information according to the provisions & its classification: hardcopy stamped on the cover; softcopy written in the bottom-left part of the footer
Classification and Handling Information | 1. Document List & Storage Locations; 2. Backup List & Execution Log | 1. Store hardcopy documents in a lockable cabinet; 2. Store softcopy documents according to the provisions; 3. Perform backups according to the provisions
Asset Management | Deviation Form | Ensure the management & use of removable media comply with the provisions
Asset Management | 1. Asset Destruction Request Form; 2. Asset Destruction Form | Ensure the media destruction process complies with the provisions
Asset Management | Implementation Checklist | Ensure information storage media are adequately protected when used to transfer information, e.g. password protection on USB flash drives; physical mail sent in sealed envelopes
Access Control | 1. User Access Matrix (UAM); 2. UAM Review Form | Establish access control procedures & review them periodically
Access Control | Access Rights Review Form | Ensure user access rights to the network comply with the provisions
Access Control | - | Ensure the registration of new access & the removal of access comply with the provisions
Access Control | 1. Access Rights Request Form; 2. Administrator Appointment Memo | Ensure the access provisioning process complies with the provisions
Access Control | Access Rights Review Form | Ensure control over the allocation of privileged access rights complies with the provisions
Access Control | - | Ensure the allocation of authentication information complies with the provisions
Access Control | Access Rights Review Form | Review physical & logical access rights
Access Control | Access Rights Review Form | Adjust access to match the user list and review access rights
Access Control | Implementation Checklist | Use 'strong passwords' according to the provisions
Access Control | 1. Access Rights Review Form; 2. UAP | Ensure access control to information & information systems complies with the provisions
Access Control | Implementation Checklist | Ensure access to systems & applications is controlled through a secure log-on procedure
Access Control | Implementation Checklist | Ensure systems can enforce the password rules interactively
Access Control | 1. Permitted Software List; 2. Deviation Form | Restrict the use of utility programs capable of bypassing / overriding existing system controls
Access Control | Access Rights Review Form | Check that access rights to the source code repository are appropriate

IS Operation and Security | - | Establish the policy & implement the use of cryptography as an information security control
IS Operation and Security | - | Establish the policy & implement the management of cryptographic keys
Physical and Environmental Security | - | Define the area boundaries into 3 categories: Public, Restricted, Secured
Physical and Environmental Security | 1. Access Request Form; 2. Visitor Log / Book | Coordinate with the security guards to ensure every visitor entering the Restricted & Secured areas is registered in the Visitor Book & issued a Visitor ID
Physical and Environmental Security | - | Ensure the Fingerprint ID access control functions according to the provisions
Physical and Environmental Security | 1. Implementation Checklist; 2. CCTV records up to 30 days back | 1. Ensure the Fingerprint ID access control functions according to the provisions; 2. Ensure CCTV works properly and its monitored area covers the entire work area
Physical and Environmental Security | Supporting utilities maintenance form | Ensure the fire extinguishers (APAR) function properly and check the routine maintenance history
Physical and Environmental Security (Not Applicable) | CCTV recordings at least 30 days back | Ensure work activities in the secure area can be monitored & comply with the provisions
Physical and Environmental Security | - | Coordinate with the security guards to ensure security controls are applied at the access doors through the delivery & loading area
Physical and Environmental Security | - | Ensure work devices are placed so they are safe from potential environmental disturbances & threats and from unauthorized access
Asset Management | Routine Maintenance Report for the Generator | Check the routine maintenance status of the generator
Physical and Environmental Security | - | Inspect the data and power cabling routes to ensure physical & functional security
Physical and Environmental Security | 1. Asset Damage Form; 2. Asset Repair Recapitulation Form | Carry out routine maintenance of work devices
Physical and Environmental Security | 1. Asset Handover Form | 1. If work devices, information or software are to be taken outside the work area, ensure a formally documented request, approval and handover process exists; 2. If work devices are to be transferred or destroyed, ensure the information & licenses have been erased and/or backed up first
Physical and Environmental Security | Implementation Checklist | 1. Do not leave work devices unattended when working outside the office or when taking work devices out of the office; 2. If a work device must be left, store it in a safe place such as a Safe Deposit Box
Asset Management | 1. Asset Handover Form | Format information storage media before destruction and/or reuse
Asset Management | Implementation Checklist | Activate the screensaver lock by pressing Windows + L every time you leave the desk
Physical and Environmental Security | - | 1. Ensure no documents and/or removable media containing information classified Confidential or higher are left on the desk unattended; 2. Activate the screensaver lock by pressing Windows + L every time you leave the desk
IS Operation and Security | 1. ISMS Documentation List | Ensure all procedures & their process outputs are formally documented and easily accessible to the relevant parties who need them
IS Operation and Security | RFC Form & related documentation | Ensure every change that affects information security is managed according to the provisions
IS Operation and Security | Staffing Needs Analysis & Planning Results | Carry out staffing needs analysis & planning
Information System Development | Implementation Checklist | Separate the Development, Testing, and Operational/Production servers
IS Operation and Security | Anti-Virus Status | 1. Install anti-virus software; 2. Update the anti-virus regularly; 3. Configure automatic scan & full scan
IS Operation and Security | List of information to be backed up, with its backup method and period | 1. Back up information periodically according to the provisions; 2. Test restores periodically
IS Operation and Security | Event Log | 1. Enable syslog, including login failure logs; 2. Ensure the Event Log is retained and reviewed periodically
IS Operation and Security | - | Place the logging facilities & store the related information in a secure location
IS Operation and Security | System Administrator & Operator Activity Log | 1. Retain the System Administrator & System Operator activity logs; 2. Review the activity logs periodically
IS Operation and Security | - | Synchronize the time on every IT device
IS Operation and Security | 1. Permitted Software List; 2. Deviation Form | 1. Ensure the software installed on work devices matches the Permitted Software List; 2. Submit a special request whenever software outside the Permitted Software List is requested
IS Operation and Security | 1. Vulnerability Assessment Report; 2. Penetration Test Report | Conduct Vulnerability Assessment (VA) & Penetration Testing periodically
IS Operation and Security | - | Configure user privileges on the operating system of each workstation / notebook so that users cannot install software other than what has been specified
IS Operation and Security | - | Ensure controls on the information system audit process, covering restriction of auditor access rights and the planning and implementation of the information system audit

Communications Security / Network Service Process | - | Manage network security according to the provisions
Communications Security / Network Service Process | - | Ensure security controls are applied to the network services used by SQG
Communications Security / Network Service Process | - | Segregate / group the networks according to the Organization's needs
Communications Security / Network Service Process | - | Establish policies & procedures and apply security controls in the information transfer process
Communications Security / Network Service Process | 1. Contract; 2. NDA | Ensure external parties comply with the provisions when carrying out information transfers
Communications Security / Network Service Process | - | 1. Apply security controls to information sent by email; 2. Ensure the automatic encryption system works for sending information classified confidential or higher by email
Communications Security / Network Service Process | NDA | Ensure every related party has signed the NDA
Information System Development | SRS | Ensure information security requirements are included in the SRS and implemented during development
Information System Development | Implementation Checklist | Implement security controls, including encryption, firewall and VPN, to protect information in application services that use or can be accessed via the public internet
Information System Development | Implementation Checklist | Implement security controls for transactions in information system services
Information System Development | Information System Development Procedure | Establish and apply an information system development procedure that includes the information security requirements
Information System Development | RFC Form | Ensure every change during the information system development process complies with the Change Management provisions
Information System Development | Review and Testing Report | Review and test after every platform change / adjustment
Information System Development | RFC Form | Ensure every change to information systems complies with the Change Management provisions
Information System Development | Information System Development Procedure | Establish and apply an information system development procedure that includes the information security requirements
Information System Development | Implementation Checklist | Apply security controls to the work area and Development Server environment, including physical and logical access controls
Information System Development | 1. Contract; 2. SLA; 3. NDA | 1. Ensure information security clauses are included in the Contract and/or SLA with the Vendor; 2. Ensure the vendor and related parties have signed the NDA; 3. Monitor and supervise the development process so that it stays in line with the contract and/or SLA
Information System Development | Test Report | Test the security functionality of the information system under development
Information System Development | UAT Report | Conduct User Acceptance Testing (UAT)
Information System Development | 1. Access Rights Review; 2. Test Data Usage Log | 1. Check that access rights to the Test Data are appropriate; 2. Store the Test Data on a server or media with specific access controls; 3. Log the use of the Test Data
Supplier Management / Vendor Management | - | -
Supplier Management / Vendor Management | 1. Contract / SLA; 2. NDA; 3. Vendor List | Ensure information security clauses are included in every cooperation contract
Supplier Management / Vendor Management | - | -
Supplier Management / Vendor Management | 1. Vendor / Supplier Review / Monitoring Report; 2. MoM with the Vendor / Supplier on service performance | Review the Vendor / Supplier
Supplier Management / Vendor Management | SLA | Ensure the change management process for vendor / supplier services follows the provisions
Information Security Incident | - | Establish the information security incident handling procedure
Information Security Incident | 1. Incident Report Ticket; 2. Nonconformity Form | Report every nonconformity event related to information security
Information Security Incident | 1. Incident Report Ticket; 2. Nonconformity Form | Report every potential vulnerability / risk related to information security
Information Security Incident | 1. Nonconformity Form; 2. Risk Register | Analyse every nonconformity / incident report to determine the incident classification & the required follow-up, and whether the incident is also a potential new risk
Information Security Incident | Nonconformity Form | Follow up every reported incident according to the provisions
Information Security Incident | 1. Incident Ticket; 2. Nonconformity Form; 3. Incident Review | Document every analysis result & solution for an incident
Information Security Incident | 1. Incident Ticket; 2. Nonconformity Form | Identify, document & retain every piece of information that can serve as evidence of an incident
Business and Information Security Continuity | - | Ensure the information security scope is covered in SQG's business continuity planning
Business and Information Security Continuity | 1. Business Impact Analysis (BIA); 2. Risk Analysis; 3. Business Continuity Plan (BCP); 4. BCP Scenarios | Prepare the business continuity plan
Business and Information Security Continuity | BCP Simulation Report | Conduct the BCP simulation
Business and Information Security Continuity | 1. BIA; 2. BCP | Ensure backup information processing facilities are available as required at SQG
Compliance Security | List of Laws & Regulations | Identify & document the laws & regulations relevant to the ISMS implementation at SQG
Compliance Security | 1. License List; 2. PC Checking Form | 1. Record software licenses; 2. Check software usage on servers, PCs and notebooks
Compliance Security | - | Ensure all records are managed according to the provisions
Compliance Security | - | Ensure all personal information is managed according to the applicable laws & regulations
Compliance Security | - | Ensure the use of cryptographic controls complies with the applicable laws & regulations
Compliance Security | 1. Internal Audit Report; 2. External Audit Report | Conduct the Internal Audit & External Audit
Compliance Security | Compliance Audit Report | Conduct the Compliance Audit
Compliance Security | Compliance Audit Report | Conduct the Compliance Audit
Person in Charge / Performer | Status | Sept: W3 W4 | October: W1 W2 W4 W4 | November: W1 W2 W3 W4
(The Status and weekly schedule columns contain no entries; the Person in Charge / Performer column, one entry per checklist row, follows.)

Top Management; Management Representative; PJ: Management Representative, PH: ISMS Officer
Management Representative; ITPS
Top Management; Management Representative
Top Management; Management Representative
ISMS Officer
PJ: Management Representative, PH: ??
PJ: Management Representative, PH: ISMS Officer
PJ: Management Representative, PH: ITPS
PJ: ISMS Officer, PH: IT Sec
PJ: Management Representative, PH: HC Div
PJ: Management Representative, PH: HC Div
Management Representative
ITPS
Management Representative
PJ: ISMS Officer, PH: HC Div
Asset Manager
Information Owner
Document Controller
Information Owner; Document Controller
Asset Manager
Asset Manager; TMS
ISMS Officer; Information Owner
IT Sec
IT Sec
HC Div; IT Sec
IT Sec; Application User
IT Sec
IT Sec
IT Sec; ISMS Officer; Application Owner
IT Sec
All Employees
ISMS Officer; IT Security
IT Sec
IT Sec
ITPS
PJ: ISMS Officer, PH: Administrator
ITPS
IT Sec
PJ: Management Representative, PH: ISMS Officer
PJ: ISMS Officer, PH: Facility Service
PJ: ISMS Officer, PH: Facility Service
PJ: ISMS Officer, PH: Facility Service
PJ: ISMS Officer, PH: Facility Service
PJ: ISMS Officer, PH: FES Monitoring
PJ: ISMS Officer, PH: Facility Service
PJ: ISMS Officer, PH: FES
PJ: ISMS Officer, PH: FES
PJ: ISMS Officer, PH: FES
PJ: Asset Manager, PH: FES/TMS
PJ: Asset Manager, PH: FES/TMS
PJ: ISMS Officer, PH: FES Monitoring
PJ: Asset Manager, PH: TMS
All Employees
All Employees
All Employees
PJ: ITPS, PH: Document Controller
PJ: Management Representative, PH: SQG Manager
PJ: Management Representative, PH: SQG Manager
PJ: ISMS Officer, PH: Administrator
PJ: ISMS Officer, PH: FES
PJ: ISMS Officer, PH: Information Owner
PJ: IT Sec, PH: DCM
IT Sec
IT Sec
PJ: IT Sec, PH: DCM
PJ: ISMS Officer, PH: FES
IT Sec
ITPS
ITPS
IT Sec
IT Sec
PJ: IT Sec, PH: DCM
ITPS
PJ: ISMS Officer, PH: ITPS/TMS
PJ: ISMS Officer, PH: IT Sec
PJ: ISMS Officer, PH: ITPS/TMS
PJ: ISMS Officer, PH: Development Team
PJ: ISMS Officer, PH: Administrator; IT Security
Administrator; IT Security
IT Policy; Document Controller
ISMS Officer; Development Team
Administrator; IT Security
ISMS Officer; Development Team; IT Policy; Document Controller
ISMS Officer
PJ: ISMS Officer, PH: Development Team
PJ: ISMS Officer, PH: IT Security; Development Team
PJ: ISMS Officer, PH: Development Team
PJ: ISMS Officer, PH: Development Team
PJ: ISMS Officer, PH: ITPS/TMS
PJ: ISMS Officer, PH: ITPS/TMS
PJ: ISMS Officer, PH: ITPS/TMS
Management Representative; ITPS
All Employees; ISMS Officer
All Employees; Vendor / Contractor & other related parties
ISMS Officer; Risk Officer
ISMS Officer; Service Desk
ISMS Officer; Service Desk
ISMS Officer
ITPS
ITPS
ITPS
Asset Manager; ITPS
ISMS Officer
ITPS; Document Controller
ISMS Officer
IT Sec
Management Representative
ISMS Officer; ITPS
ITPS