Checklist Implementasi ISO 27k

CHECKLIST IMPLEMENTASI ISO 27001:2013 Klausul ISO 27001:2013

)*ku+,ntasi -K,.i/akanP,d*+anPr*s,dur

Prasyarat Standar ISO 27001:2013

!"

CONTE ONTE#T #T O$ THE O%&A O%&ANI NI'A 'ATI TION ON

4.1

$nderstanding the organi%ation and its conte&t

'he organi%ation shall determine e&ternal and internal issues that are rele#ant to its purpose and that a((ect its a!ility to achie#e the intended outcome)s* o( its in(ormation security management system

4.2

$nderstanding the needs and e&pectations o( interested parties

'he organi%ation shall determine, a* interested parties that are rele#ant to the in(ormation security management system- and !* the reuirements o( these interested parties rele#ant to in(ormation security. security.

ukti P,laksanaan  Records

1.

2. ISMS +onte&t rgani%ation and Scope

4.3

/etermining the scope o( the ISMS

'he organi%ation shall determine the !oundaries and applica!ility o( the i n(ormation security management system to esta!lish its scope.

3.

4.4

'he organi%ation shall esta!lish0 implement0 maintain and continually impro#e an in(ormation In(ormation Security Management security System management system0 in accordance ith the reuirements o( this International Standard.

4.

("

LEA)E%SHIP

ISMS Policy

5.1 5.1

Lead Leader ersh ship ip and and comm commit itme ment nt

'he organi%ation shall esta!lish0 implement0 maintain and continually impro#e an in(ormation security. 'op management shall demonstrate leadership and commitment ith respect to the in(ormation security management system.

e!i"akan  Pedoman  Prosedur ISMS

1.

Bukti pelaksanaan Sosialisasi

2.

3.

Pengukuran ISMS !"ecti#es

5.

e!i"akan  Pedoman  Prosedur ISMS

1.

CHECKLIST IMPLEMENTASI ISO 27001:2013 Klausul ISO 27001:2013 5.2

Policy

5.3

rgani%ation :oles and :esponsi!ility

"

PLANNIN&

9.1

Prasyarat Standar ISO 27001:2013 'op 'op management shall esta!lish an in(ormation security policy.



e!i"akan0 Pedoman0 Prosedur terkait ISMS di lingkup S +B+67ISP 8 /a(tar dokumen ada di /ocument +ontroller

'op 'op management shall ensure that the responsi!ilities and authorities (or roles rele#ant to in(ormation security are assigned and communicated.


2.

/a(tar /okumentasi ISMS

3.

1. Memo Struktur rganisasi ISMS

1. 1.

;ctions to address address risk and opportunities 1. :isk :isk Pro(i ro(ile le

9.1.1

eneral

=hen planning (or the in(ormation security management system0 the organi%ation shall consider the issues re(erred to in 4.1 and the reuirements re(erred to in 4.2 and determine the risks and opportunities that need to !e addressed

2. State Statemen mentt o( ;pplica ;pplica!ili !ility ty )So;* )So;* 3. ISMS ISMS !"e !"ect cti# i#es es 4.

Program Implementasi  :encana er"a ISMS

9.1.2

In(ormation security risk assessment

'he organi%ation shall de(ine and apply an in(ormation security risk assessment process

:isk and +ontrol Sel( ;ssessment Su! Policy

:isk :egister

1.

9.1.3

In(ormation security risk treatment

'he organi%ation shall de(ine and apply an in(ormation security risk treatment process

:isk and +ontrol Sel( ;ssessment

:isk 'reatment Plan

1.

In(ormation security o!"ecti#es and planning to achie#e them

'he organi%ation shall esta!lish in(ormation security o!"ecti#es at rele#ant (unctions and le#els

ISMS !"ecti#es

1.

>asil Pengukuran Pencapaian ISMS !"ecti#es

2.

9.2

7"

<.1

S4PPO%T

:esources

'he organi%ation shall determine and pro#ide the resources needed (or the esta!lishment0 implementation0 maintenance and continual impro#ement o( the in(ormation security management system.

;areness and +ommunication

Struktur rganisasi S ? $raian /eskipsi er"a Personil  Pegaai


5.3

" 9.1

Policy






'op 'op management shall esta!lish an in(ormation security policy.



2.


3.


1. 1.

PLANNIN& ;ctions to address address risk and opportunities 1. :isk :isk Pro(i ro(ile le

9.1.1

eneral




9.1.2




:isk :egister

1.

9.1.3




:isk 'reatment Plan

1.



ISMS !"ecti#es

1.


2.

9.2

7"

<.1

S4PPO%T

:esources




CHECKLIST IMPLEMENTASI ISO 27001:2013 Klausul IS ISO 27 27001:2013

<.2

<.3

+ompetence

;areness

<.4

+ommunication

<.5

/ocumented in(ormation

Prasyarat St Standar IS ISO 27001:2013


'he organi%ation shall, a* determine the necessary competence o( person)s* doing ork under its control that a((ects its in(ormation security per(ormance!* ensure that these persons are competent on the !asis o( appropriate education0 training0 or e&perience;areness and +ommunication c* here applica!le0 take actions to acuire the necessary competence0 and e#aluate the e((ecti#eness o( the actions taken- and d* retain appropriate documented in(ormation as e#idence o( competence.

Persons doing ork under the organi%ation@s control shall !e aare o(, a* the in(ormation security policy!* their contri!ution to the e((ecti#eness o( the in(ormation security management system0 including ;areness and +ommunication the !ene(its o( impro#ed in(ormation security per(ormance- and c* the implications o( not con(orming ith the in(ormation security management system reuirements.

'he organi%ation shall determine the need (or internal and e&ternal communications rele#ant to the in(ormation security management system including, a* on hat to communicate!* hen to communicatec* ith hom to communicated* ho shall communicate- and e* the processes !y hich communication shall !e e((ected.


/ocumentation +ontrol


1. 1. Matriks ompetensi 2.

:encana Pelatihan Pegaai 2.

1. Materi ? !ukti Pelaksanaan ;areness 2. Materi uisioner ISMS

'a!el omunikasi

6 6 6 6


5.3

" 9.1

Policy






'op 'op management shall esta!lish an in(ormation security policy.



2.


3.


1. 1.

PLANNIN& ;ctions to address address risk and opportunities 1. :isk :isk Pro(i ro(ile le

9.1.1

eneral




9.1.2




:isk :egister

1.

9.1.3




:isk 'reatment Plan

1.



ISMS !"ecti#es

1.


2.

9.2

7"

<.1

S4PPO%T

:esources





<.2

<.3

+ompetence

;areness

<.4

+ommunication

<.5













'a!el omunikasi

6 6 6 6


<.2

<.3

+ompetence

;areness

<.4

+ommunication

<.5












'a!el omunikasi



<.5.1

<.5.2

Prasyarat St Standar ISO 27001:2013


eneral

'he organi%ation@s in(ormation security management system shall include, a* documented in(ormation reuired !y this International Standard- and !* documented in(ormation determined !y the organi%ation as !eing necessary (or the e((ecti#eness o( the in(ormation security management system.

+reating and updating

=hen creating and updating documented in(ormation the organi%ation shall ensure appropriate, /ocumentation +ontrol a* identi(ication and description !* (ormat and media - and c* re#ie and appro#al (or suita!ility and adeuacy.



/ocumented in(ormation reuired !y the in(ormation security management system and !y this International Standard shall !e controlled. <.5.3

+ontrol o( documented in(ormation

/ocumented in(ormation o( e&ternal origin0 /ocumentation +ontrol determined !y the organi%ation to !e necessary (or the planning and operation o( the in(ormation security management system0 shall !e identi(ied as appropriate0 and controlled

5"

OPE%ATIONS

A.1

'he organi%ation shall plan0 implement and control the processes needed to meet in(ormation security reuirements0 and to implement the actions perational Planning and +ontrol ISMS !"ecti#es and Planning determined in 9.1. 'he organi%ation shall also implement plans to achie#e in(ormation security o!"ecti#es determined in 9.2

A.2

In(ormation Security :isk assessment

'he organi%ation shall per(orm in(ormation security risk assessments at planned inter#als or hen signi(icant changes are proposed or occur0 taking 6 :isk and +ontrol Sel( ;ssessment Su! account o( the criteria esta!lished in 9.1.2a Policy

1. /a(tar /okumentasi ISMS 2. >istori Peru!ahan /okumen

1. ISMS !"ecti#es 2. Program Implementasi  :encana er"a ISMS 3. >asil Pengukuran ISMS !"ecti#es

1. :isk :egister

6 6 6 6


<.5.1

<.5.2


Prasyarat St Standar ISO 27001:2013

eneral

'he organi%ation@s in(ormation security management system shall include, a* documented in(ormation reuired !y this International Standard- and !* documented in(ormation determined !y the organi%ation as !eing necessary (or the e((ecti#eness o( the in(ormation security management system.

+reating and updating

=hen creating and updating documented in(ormation the organi%ation shall ensure appropriate, /ocumentation +ontrol a* identi(ication and description !* (ormat and media - and c* re#ie and appro#al (or suita!ility and adeuacy.



/ocumented in(ormation reuired !y the in(ormation security management system and !y this International Standard shall !e controlled. <.5.3

+ontrol o( documented in(ormation

/ocumented in(ormation o( e&ternal origin0 /ocumentation +ontrol determined !y the organi%ation to !e necessary (or the planning and operation o( the in(ormation security management system0 shall !e identi(ied as appropriate0 and controlled

5"

OPE%ATIONS

A.1

'he organi%ation shall plan0 implement and control the processes needed to meet in(ormation security reuirements0 and to implement the actions perational Planning and +ontrol ISMS !"ecti#es and Planning determined in 9.1. 'he organi%ation shall also implement plans to achie#e in(ormation security o!"ecti#es determined in 9.2

A.2

In(ormation Security :isk assessment

'he organi%ation shall per(orm in(ormation security risk assessments at planned inter#als or hen signi(icant changes are proposed or occur0 taking 6 :isk and +ontrol Sel( ;ssessment Su! account o( the criteria esta!lished in 9.1.2a Policy

1. /a(tar /okumentasi ISMS 2. >istori Peru!ahan /okumen

1. ISMS !"ecti#es 2. Program Implementasi  :encana er"a ISMS 3. >asil Pengukuran ISMS !"ecti#es

1. :isk :egister





6 :isk and +ontrol Sel( ;ssessment A.3

In(ormation Security :isk treatment

6"

PE%$O%MANCE EAL4ATION

.1

Monitoring0 measurement0 analysis and e#aluation

'he organi%ation shall e#aluate the in(ormation security per(ormance and the e((ecti#eness o( the in(ormation security management system

.2

Internal audit

'he organi%ation shall conduct internal audits at planned inter#als to pro#ide in(ormation on hether Internal ;udit the in(ormation security management system

.3

Management :e#ie

'op management shall re#ie the organi%ation@s in(ormation security management system at Management :e#ie planned inter#als to e nsure its continuing suita!ility0 adeuacy and e((ecti#eness

10"

IMP%OEMENT

1C.1

7on con(ormity and correcti#e actions

'he organi%ation shall implement the in(ormation security risk treatment plan

1. :isk 'reatment Plan ):'P*

=hen a noncon(ormity occurs0 the organi%ation shall, a* react to the noncon(ormity0 and as applica!le, !* e#aluate the need (or action to el iminate the causes o( noncon(ormity0 in order that it does not recur or occur elseherec* implement any action neededd* re#ie the e((ecti#eness o( any correcti#e action taken- and e* make changes to the in(ormation security 7oncon(ormity and +ontinual Impro#ement management system0 i( necessary. +orrecti#e actions shall !e appropriate to the e((ects o( the noncon(ormities encountered. 'he organi%ation shall retain documented in(ormation as e#idence o(, (* the nature o( the noncon(ormities and any su!seuent actions taken0 and g* the results o( any correcti#e action.

Dormulir Pengukuran E(ekti#itas ontrol

Measurement

1. 2. 3. 4.

;udit Program ;udit Plan ;udit +hecklist ;udit :eport

:isalah :apat 'in"auan Mana"emen )Management Review *

1. 2. Dormulir etidaksesuaian  7on6 +on(ormity

3. 4.





6 :isk and +ontrol Sel( ;ssessment A.3

In(ormation Security :isk treatment

6"

PE%$O%MANCE EAL4ATION

.1

Monitoring0 measurement0 analysis and e#aluation

'he organi%ation shall e#aluate the in(ormation security per(ormance and the e((ecti#eness o( the in(ormation security management system

.2

Internal audit

'he organi%ation shall conduct internal audits at planned inter#als to pro#ide in(ormation on hether Internal ;udit the in(ormation security management system

.3

Management :e#ie

'op management shall re#ie the organi%ation@s in(ormation security management system at Management :e#ie planned inter#als to e nsure its continuing suita!ility0 adeuacy and e((ecti#eness

10"

IMP%OEMENT

1C.1

7on con(ormity and correcti#e actions

'he organi%ation shall implement the in(ormation security risk treatment plan

1. :isk 'reatment Plan ):'P*

Dormulir Pengukuran E(ekti#itas ontrol

Measurement

=hen a noncon(ormity occurs0 the organi%ation shall, a* react to the noncon(ormity0 and as applica!le, !* e#aluate the need (or action to el iminate the causes o( noncon(ormity0 in order that it does not recur or occur elseherec* implement any action neededd* re#ie the e((ecti#eness o( any correcti#e action taken- and e* make changes to the in(ormation security 7oncon(ormity and +ontinual Impro#ement management system0 i( necessary.

1. 2. 3. 4.

;udit Program ;udit Plan ;udit +hecklist ;udit :eport

:isalah :apat 'in"auan Mana"emen )Management Review *

1. 2. Dormulir etidaksesuaian  7on6 +on(ormity

4.

+orrecti#e actions shall !e appropriate to the e((ects o( the noncon(ormities encountered. 'he organi%ation shall retain documented in(ormation as e#idence o(, (* the nature o( the noncon(ormities and any su!seuent actions taken0 and g* the results o( any correcti#e action.


1C.2

+ontinual impro#ement

Prasyarat Standar ISO 27001:2013 'he organi%ation shall continually impro#e the suita!ility0 adeuacy and e((ecti#eness o( the in(ormation security management system.

3.


7oncon(ormity and +ontinual Impro#ement



1C.2

+ontinual impro#ement


Prasyarat Standar ISO 27001:2013 'he organi%ation shall continually impro#e the suita!ility0 adeuacy and e((ecti#eness o( the in(ormation security management system.

Aktiitas

P,nanun ;a
Identi(ikasi ? penetapan isu internal ? eksternal

6 'op Management 6 Management :epresentati#e

Identi(ikasi pihak6pihak terkait !eserta ekspektasi ? ke!utuhannya


Penetapan lingkup implementasi ISMS


Memastikan implementasi ISMS 6 'op Management !er"alan sesuai ketentuan standar 6 Management IS 2
Memastikan 'op management telah mem!erikan arahan dan komitmennya untuk ISMS di rganisasi0 dengan, Memastikan ke!i"akan ? sasaran ISMS telah ditetapkan ? selaras dgn strategi rganisasi Memastikan !aha pentingnya implementasi ISMS di rganisasi telah disosialisasikan kepada seluruh pihak rele#an

Management :epresentati#e

Memastikan ketersediaan sum!er daya terkait implementasi ISMS Memastikan tu"uan ? sasaran ISMS dapat tercapai Memastikan dokumentasi )ke!i"akan0 pedoman0 prosedur* ISMS telah ditetapkan

PF, Management :epresentati#e P>, ISMS ((icer

Status


7oncon(ormity and +ontinual Impro#ement

S,8t 93

9!

Okt*.,r 91

92

93

N*,+.,r 9!

91

92

93

9!

Aktiitas

P,nanun ;a
Identi(ikasi ? penetapan isu internal ? eksternal


Identi(ikasi pihak6pihak terkait !eserta ekspektasi ? ke!utuhannya


Penetapan lingkup implementasi ISMS


Status

S,8t 93

9!

Okt*.,r 91

92

91

92

93

N*,+.,r 9!

91

9!

91

92

93

9!

Memastikan implementasi ISMS 6 'op Management !er"alan sesuai ketentuan standar 6 Management IS 2
Memastikan 'op management telah mem!erikan arahan dan komitmennya untuk ISMS di rganisasi0 dengan, Memastikan ke!i"akan ? sasaran ISMS telah ditetapkan ? selaras dgn strategi rganisasi Memastikan !aha pentingnya implementasi ISMS di rganisasi telah disosialisasikan kepada seluruh pihak rele#an


Memastikan ketersediaan sum!er daya terkait implementasi ISMS Memastikan tu"uan ? sasaran ISMS dapat tercapai Memastikan dokumentasi )ke!i"akan0 pedoman0 prosedur* ISMS telah ditetapkan

Aktiitas


P,nanun ;a
Memastikan dokumentasi ISMS telah disosialisasikan.


Memastikan dokumentasi ISMS tersedia ? dapat diakses oleh pihak rele#an.

/ocument +ontroller

Status

6 'op Management Penetapan ? pengesahan Memo 6 Management Struktur rganisasi ISMS di S. :epresentati#e

Menyusun :isk Pro(ile !erdasarkan hasil :isk ;ssessment

:isk ((icer

/one

Identi(ikasi ? penetapan So;


/one

Identi(ikasi ? penetapan Sasaran ISMS


/one

Menyusun :encana er"a Implementasi ISMS


/one

Melakukan identi(ikasi ? penilaian risiko )risk assessment * !eserta :isk ((icer re#ie

/one

Melakukan identi(ikasi ? penetapan rencana tindak lan"ut :isk ((icer penanganan risiko !eserta re#ie

/one

Menetapkan ISMS !"ecti#es


Melakukan pengukuran pencapaian ISMS !"ecti#es

ISMS ((icer

Melakukan proses analisa ke!utuhan sum!er daya manusia

6 Management :epresentati#e 6 S Manager

/one

S,8t 93

9!

Okt*.,r 93

N*,+.,r 92

93

9!

Aktiitas

P,nanun ;a
Memastikan dokumentasi ISMS telah disosialisasikan.


Memastikan dokumentasi ISMS tersedia ? dapat diakses oleh pihak rele#an.

/ocument +ontroller

Status

S,8t 93

9!

Okt*.,r 91

92

91

92

93

N*,+.,r 9!

91

9!

91

92

93

9!

6 'op Management Penetapan ? pengesahan Memo 6 Management Struktur rganisasi ISMS di S. :epresentati#e

Menyusun :isk Pro(ile !erdasarkan hasil :isk ;ssessment

:isk ((icer

/one

Identi(ikasi ? penetapan So;


/one

Identi(ikasi ? penetapan Sasaran ISMS


/one

Menyusun :encana er"a Implementasi ISMS


/one

Melakukan identi(ikasi ? penilaian risiko )risk assessment * !eserta :isk ((icer re#ie

/one

Melakukan identi(ikasi ? penetapan rencana tindak lan"ut :isk ((icer penanganan risiko !eserta re#ie

/one

Menetapkan ISMS !"ecti#es


Melakukan pengukuran pencapaian ISMS !"ecti#es

ISMS ((icer

Melakukan proses analisa ke!utuhan sum!er daya manusia

6 Management :epresentati#e 6 S Manager

Aktiitas

Melakukan pemeriksanaan ? penilaian kiner"a pegaai !erdasarkan matriks kompetensi )menggunakan aplikasi :E;7*

P,nanun ;a

Menyusun :encana Pelatihan Pegaai

Melakukan awareness keamanan in(ormasi melalui, email tampilan screen6sa#er ? desktop ISMS ((icer !ackground sosialisasi !erkala pengisian kuisioner ISMS

Menyusun 'a!el omunikasi

ISMS ((icer

/one

Status

S,8t 93

9!

Okt*.,r 93

N*,+.,r 92

93

9!

Aktiitas

Melakukan pemeriksanaan ? penilaian kiner"a pegaai !erdasarkan matriks kompetensi )menggunakan aplikasi :E;7*

P,nanun ;a
Status

S,8t 93

9!

Okt*.,r 91

92

91

92

93

N*,+.,r 9!

91

9!

91

92

93

9!


Menyusun :encana Pelatihan Pegaai

Melakukan awareness keamanan in(ormasi melalui, email tampilan screen6sa#er ? desktop ISMS ((icer !ackground sosialisasi !erkala pengisian kuisioner ISMS

Menyusun 'a!el omunikasi

Aktiitas

ISMS ((icer

P,nanun ;a
Status

S,8t 93

9!

Okt*.,r

Memastikan seluruh ke!utuhan ? 6 ISMS ((icer proses terkait ISMS 6 /ocument +ontroller terdokumentasi sesuai ketentuan

Memastikan proses penyusunan serta penyesuaianre#isi dokumentasi ISMS telah sesuai dengan ketentuan

/ocument +ontroller

Melakukan penanganan dokumentasi ISMS sesuai ketentuan

/ocument +ontroller

Memastikan pencapaian ISMS !"ecti#es ? pelaksanaan program implementasi ISMS sesuai dengan ketentuan


Melakukan penin"auan ) review * terhadap :isk :egister serta pengkinian )update* saat teridenti(ikasi adanya risiko !aru

:isk ((icer

on going

cek

cek

93

N*,+.,r 92

93

9!

Aktiitas

P,nanun ;a
Status

S,8t 93

9!

Okt*.,r 91

92

93

N*,+.,r 9!

91

9!

91

92

93

9!

Memastikan seluruh ke!utuhan ? 6 ISMS ((icer proses terkait ISMS 6 /ocument +ontroller terdokumentasi sesuai ketentuan

Memastikan proses penyusunan serta penyesuaianre#isi dokumentasi ISMS telah sesuai dengan ketentuan

/ocument +ontroller

Melakukan penanganan dokumentasi ISMS sesuai ketentuan

/ocument +ontroller

Memastikan pencapaian ISMS !"ecti#es ? pelaksanaan program implementasi ISMS sesuai dengan ketentuan


Melakukan penin"auan ) review * terhadap :isk :egister serta pengkinian )update* saat teridenti(ikasi adanya risiko !aru

:isk ((icer

Aktiitas

P,nanun ;a
Menindaklan"uti penanganan risiko sesuai dengan kontrol dan :isk ((icer target aktu yang telah ditetapkan

Melaksanakan dan mendokumentasikan proses pengukuran0 analisis0 dan e#aluasi sesuai ketentuan

ISMS ((icer

Melaksanakan ;udit Internal sesuai dengan ketentuan

Internal ;uditor

Melaksanakan 'in"auan Mana"emen dengan agenda pem!ahasan ? proses sesuai kerangka pada standar ? ketentuan


Melaporkan setiap ketidaksesuaian yang ter"adi. Melakukan e#aluasi utk menetapkan tindak lan"ut. Melaksanakan tindak lan"ut yg telah ditetapkan. :e#ie e(ekti#itas tindakan korekti(.

6 ;ll Employee 6 ISMS ((icer

on going

cek

cek

Status

S,8t 93

9!

Okt*.,r 91

92

93

N*,+.,r 92

93

9!

Aktiitas

P,nanun ;a
Status

S,8t 93

9!

Okt*.,r 91

92

91

92

93

N*,+.,r 9!

91

9!

91

92

93

9!

Menindaklan"uti penanganan risiko sesuai dengan kontrol dan :isk ((icer target aktu yang telah ditetapkan

Melaksanakan dan mendokumentasikan proses pengukuran0 analisis0 dan e#aluasi sesuai ketentuan

ISMS ((icer

Melaksanakan ;udit Internal sesuai dengan ketentuan

Internal ;uditor

Melaksanakan 'in"auan Mana"emen dengan agenda pem!ahasan ? proses sesuai kerangka pada standar ? ketentuan


Melaporkan setiap ketidaksesuaian yang ter"adi. Melakukan e#aluasi utk menetapkan tindak lan"ut. Melaksanakan tindak lan"ut yg telah ditetapkan. :e#ie e(ekti#itas tindakan korekti(.

6 ;ll Employee 6 ISMS ((icer

Aktiitas Memastikan implementasi !er"alan sesuai ketentuan serta melakukan re#ie dan upaya peningkatan  impro#ement.

P,nanun ;a, ISMS ((icer

Status

S,8t 93

9!

Okt*.,r 93

N*,+.,r 92

93

9!

Aktiitas Memastikan implementasi !er"alan sesuai ketentuan serta melakukan re#ie dan upaya peningkatan  impro#ement.

P,nanun ;a
Status

S,8t 93

9!

Okt*.,r 91

92

N*,+.,r

93

9!


C Ann,= A ISO 27001:2013 A"( A"("1


SEC4%IT> POLIC> Mana,+,nt dir,?ti*n @*r in@*r+ati*n s,?urity

;.5.1.1

Policies (or in(ormation securi ty

; set o( policies (or in(ormation security shall !e de(ined0 appro#ed !y management0 pu!lished and communicated to employees and rele#ant e&ternal parties

;.5.1.2

:e#ie o( the policies (or in(ormation security

'he policies (or in(ormation securit y shall !e re#ieed at planned inter#als or i( signi(icant changes occur to ensure their continuing suita!ility0 adeuacy and e((ecti#eness

A" A""1

O%&ANI'ATION O$ IN$O%MATION SEC4%IT> Int,rnal Oraniati*n In(ormation security roles and responsi!ility-

;ll in(ormation security responsi !ilities shall !e de(ined and allocated

;.9.1.2

Segregation o( duties-

+on(licting duties and areas o( responsi!ility shall !e segregated to reduce opportunities (or unauthori%ed or unintentional modi(ication or misuse o( the organi%ation@s asset

;.9.1.3

+ontact ith authorities-

;ppropriate contacts ith rele#ant authorities shall !e maintained

;.9.1.1

91

92

93

9!

C Ann,= A ISO 27001:2013 A"( A"("1


SEC4%IT> POLIC> Mana,+,nt dir,?ti*n @*r in@*r+ati*n s,?urity

;.5.1.1

Policies (or in(ormation securi ty

; set o( policies (or in(ormation security shall !e de(ined0 appro#ed !y management0 pu!lished and communicated to employees and rele#ant e&ternal parties

;.5.1.2

:e#ie o( the policies (or in(ormation security

'he policies (or in(ormation securit y shall !e re#ieed at planned inter#als or i( signi(icant changes occur to ensure their continuing suita!ility0 adeuacy and e((ecti#eness

A" A""1

O%&ANI'ATION O$ IN$O%MATION SEC4%IT> Int,rnal Oraniati*n In(ormation security roles and responsi!ility-

;ll in(ormation security responsi !ilities shall !e de(ined and allocated

;.9.1.2

Segregation o( duties-

+on(licting duties and areas o( responsi!ility shall !e segregated to reduce opportunities (or unauthori%ed or unintentional modi(ication or misuse o( the organi%ation@s asset

;.9.1.3

+ontact ith authorities-

;ppropriate contacts ith rele#ant authorities shall !e maintained

;.9.1.4

+ontact ith special interest groups-

;ppropriate contacts ith special interest groups or other specialist security (orums and pro(essional associations shall !e maintained

;.9.1.5

In(ormation security in pro"ect management

In(ormation security shall !e addressed in pro"ect management0 regardless o( the type o( the pro"ect.

;.9.1.1

A""2

M*.il, ),i?, and T,l,<*rkin

;.9.2.1

Mo!ile de#ice policy-

; policy and supporting security measures shall !e adopted to manage the risks introduced !y using mo!ile de#ices

;.9.2.2

'eleorking.

; policy and supporting security measures shall !e implemented to protect in(ormation accessed0 processed or stored at teleorking sites

A"7 A"7"1

H4MAN %ESO4%CE SEC4%IT> Pri*r t* E+8l*y+,nt

;.<.1.1

Screening-

Background #eri(ication checks on all candidates (or employment shall !e carried out in accordance ith rele#ant las0 regulations and ethics and shall !e proportional to the !usiness reuirements0 the classi(ication o( the in(ormation to !e accessed and the percei#ed risks

;.<.1.2

'erms and conditio ns o( employment

'he contractual agreements ith employees and contractors shall state their and the organi%ation@s responsi!ilities (or in(ormation security

A"7"2

)urin ,+8l*y+,nt

;.<.2.1

;.<.2.2

;.<.2.3

A"7"3

Management responsi!ilities-

Management shall reuire all employees and contractors to apply in(ormation security in accordance ith the esta!lished policies and procedures o( the organi%ation

In(ormation security aareness0 education and training-

;ll employees o( the organi%ation and0 here rele#ant0 contractors shall recei#e appropriate aareness education and training and regular updates in organi%ational policies and procedures0 as rele#ant (or their "o! (unction

/isciplinary process.

'here shall !e a (ormal and communicated disciplinary process in place to take action against employees ho ha#e committed an in(ormation security !reach

T,r+inati*n *r ?Ban, *@ ,+8l*y+,nt

;.<.3.1

'ermination or c hange o( employment responsi!ilities

A"5

ASSET MANA&EMENT

A"5"1

%,s8*nsi.ility @*r Ass,ts

In(ormation security responsi!ilities and duties that remain #alid a(ter termination or change o( employment shall !e de(ined0 communicated to the employee or contractor and en(orced

;.A.1.1

In#entory o( assets-

;ssets associated ith in(ormation and in(ormation processing (acilities shall !e identi(ied and an in#entory o( these assets shall !e dran up and maintained

;.A.1.2

nership o( assets-

;ssets maintained in the in#entory shall !e oned

;ccepta!le use o( assets-

:ules (or the accepta!le use o( in(ormation and o( assets associated ith in(ormation and in(ormation processing (acilities shall !e identi(ied0 documented and implemented

:eturn o( assets.

;ll employees and e&ternal party users shall retur n all o( the organi%ational assets in their possession upon termination o( their employment0 contract or agreement

;.A.1.3

;.A.1.4

A"5"2

In@*r+ati*n ?lassi@i?ati*n

;.A.2.1

+lassi(ication o( in(ormation-

In(ormation shall !e classi(ied in terms o( legal reuirements0 #alue0 criticality and sensiti#ity to unauthorised disclosure or modi(ication

La!elling o( in(ormation-

;n appropriate set o( procedures (or in(ormatio n la!elling shall !e de#eloped and implemented in accordance ith the in(ormation classi(ication scheme adopted !y the organi%ation

>andling o( assets.

Procedures (or handling assets shall !e de#eloped and implemented in accordance ith the in(ormation classi(ication scheme adopted !y the organi%ation

;.A.2.2

;.A.2.3

A"5"3

;.A.3.1

M,dia Handlin Procedures shall !e implemented (or the management o( remo#a!le media in accordance Management o( remo#a!le mediaith the classi(ication scheme adopted !y the organi%ation

;.A.3.2

/isposal o( media-

Media shall !e disposed o( securely hen no longer reuired0 using (ormal procedures

;.A.3.3

Physical media trans(er

Media containing in(ormation shall !e protected against unauthori%ed access0 misuse or corruption during transportation

A"6

ACCESS CONT%OL

A"6"1

usin,ss r,uir,+,nt @*r a??,ss ?*ntr*l

;..1.1

;ccess control policy-

;n access control policy shall !e esta!li shed0 documented and re#ieed !ased on !usiness and in(ormation security reuirements

;..1.2

;ccess to netorks and netork ser#ices

$sers shall only !e pro#ided ith access to the netork and netork ser#ices that they ha#e !een speci(ically authori%ed to use

A"6"2

4s,r a??,ss +ana,+,nt

;..2.1

$ser registration and de6 registration-

; (ormal user registration and de6registration process shall !e implemented to ena!le assignment o( access rights

;..2.2

$ser access pro#isioning-

; (ormal user access pro#isioning process shall ! e implemented to assign or re#oke access rights (or all user types to all systems and ser#ices

;..2.3

Management o( pri#ileged access 'he allocation and use o( pri#ileged access rights rightsshall !e restricted and controlled

;..2.4

'he allocation o( secret authentication in(ormation Management o( secret shall !e controlled through a (ormal management authentication in(ormation o( users process

;..2.5

:e#ie o( user access rights-

;..2.9

'he access rights o( all employees and e&ternal party users to in(ormation and in(ormation :emo#al or ad"ustment o( access processing (acilities shall !e remo#ed upon rights. termination o( their employment0 contract or agreement0 or ad"usted upon change

A"6"3 ;..3.1 A"6"!

;sset oners shall re#ie users access ri ghts at regular inter#als

4s,r r,s8*nsi.iliti,s $se o( secret authentication in(ormation

$sers shall !e reuired to (ollo the organi%ation@s practices in the use o( secret authentication in(ormation

Syst,+ and a88li?ati*n a??,ss ?*ntr*l

;..4.1

In(ormation access restriction-

;ccess to in(ormation and application system (unctions shall !e restricted in accordance ith the access control policy

;..4.2

Secure log6on procedure-

=here reuired !y the access control policy0 access to systems and applications shall !e controlled !y a secure log6on procedure

;..4.3

Passord management system-

Passord management systems shall !e interacti#e and shall ensure uality passords

;..4.4

$se o( pri#ileged utility programs-

'he use o( utility programs that might !e capa!le o( o#erriding system and application controls shall !e restricted and tightly controlled

;..4.5

A"10

;ccess control to program source ;ccess to program source code shall !e restricted code.

C%>PTO&%APH>

A"10"1

Cry8t*ra8Bi? ?*ntr*ls

;.1C.1

; policy on the use o( cryptographic controls (or Policy on the use o( cryptographic protection o( in(ormation shall !e de#eloped and controlsimplemented

;.1C.2

ey management

A"11 A"11"1

; policy on the use0 protection and li(etime o( cryptographic keys shall !e de#eloped and implemented through their hole li(ecycle

PH>SICAL AN) ENI%ONMENTAL SEC4%IT> S,?ur, ar,as

;.11.1.1 Physical security perimeter-

Security perimeters shall !e de(ined and used to protect areas that contain either sensiti#e or critical in(ormation and in(ormation processing (acilities

;.11.1.2 Physical entry control-

Secure areas shall !e protected !y appropriate entry controls to ensure that only authori%ed personnel are alloed access

;.11.1.3

Securing o((ices0 rooms and (acilities-

Physical security (or o((ices0 rooms and (acilities shall !e designed and applied

;.11.1.4

Protecting against e&ternal and en#ironmental threats-

Physical protection against natural disasters0 malicious attack or accidents shall !e designed and applied

;.11.1.5 =orking in secure areas-

Procedures (or orking in secure areas shall !e designed and applied Not Applicable

;.11.1.9 /eli#ery and loading areas.

;ccess points such as deli#ery and loadi ng areas and other points here unauthori%ed persons could enter the premises shall !e controlled and0 i( possi!le0 isolated (rom in(ormation processing (acilities to a#oid unauthori%ed access

A"11"2

Eui8+,nt

;.11.2.1 Euipment siting and protection-

Euipment shall !e sited and protected to reduce the risks (rom en#ironmental threats and ha%ards0 and opportunities (or unauthori%ed access.

;.11.2.2 Supporting utilities-

Euipment shall !e protected (rom poer (ailures and other disruptions caused !y (ailures in supporting utilities

;.11.2.3 +a!ling security-

Poer and telecommunications ca!ling carrying data or supporting in(ormation ser#ices shall !e protected (rom interception0 inter(erence or damage

;.11.2.4 Euipment maintenance-

Euipment shall !e correctly maintained to ensure its continued a#aila!ility and integrity

;.11.2.5 :emo#al o( assets-

;.11.2.9

Euipment0 in(ormation or so(tare shall not !e taken o((6site ithout prior authori%ation

Security shall !e applied to o((6site assets taking Security o( euipment and assets into account the di((erent risks o( orking outside o((6premisesthe organi%ation@s premises

Secure disposal or reuse o( ;.11.2.< euipment-

;ll items o( euipment containing storage media shall !e #eri(ied to ensure that any sensiti#e data and licensed so(tare has !een remo#ed or securely o#erritten prior to disposal or re6use

;.11.2.A $nattended user euipment-

$sers shall ensure that unattended euipment has appropriate protection

;.11.2.

A"12 A"12"1

+lear desk and clear screen policy.

; clear desk policy (or papers and remo#a!le storage media and a clear screen policy (or in(ormation processing (acilities shall !e adopted

OPE%ATIONS SEC4%IT> O8,rati*nal 8r*?,dur,s and r,s8*nsi.iliti,s

;.12.1.1 /ocumented operation procedure-

perating procedures shall !e documented and made a#aila!le to all users ho need them

;.12.1.2 +hange management-

+hanges to the organi%ation0 !usiness processes0 in(ormation processing (acilities and systems that a((ect in(ormation security shall !e controlled

;.12.1.3 +apacity management-

'he use o( resources shall !e monitored0 tuned and pro"ections made o( (uture capacity reuirements to ensure the reuired system per(ormance

Separation o( de#elopment0 ;.12.1.4 testing and operational en#ironment.

/e#elopment0 testing0 and operational en#ironments shall !e separated to reduce the risks o( unauthori%ed access or changes to the operational en#ironment

A"12"2

Pr*t,?ti*n @r*+ +al
;.12.2.1 +ontrol against malare

/etection0 pre#ention and reco#ery controls to protect against malare shall !e implemented0 com!ined ith appropriate user aareness

A"12"3

a ?ku8

;.12.3.1 In(ormation !ackup

A"12"!

Backup copies o( in(ormation0 so(tare and system images shall !e taken and tested regularly in accordance ith an agreed !ackup policy

L*in and M*nit*rin

;.12.4.1 E#ent logging-

E#ent logs recording user acti#ities0 e&ceptions0 (aults and in(ormation security e#ents shall !e produced0 kept and regularly re#ieed

;.12.4.2 Protection o( log in(ormation-

Logging (acilities and log in(ormation shall !e protected against tampering and unauthori%ed access

;.12.4.3 ;dministrator and operator log-

System administrator and system operator acti#ities shall !e logged and the logs protected and regularly re#ieed

;.12.4.4 +lock synchoni%ation.

'he clocks o( all rele#ant in(ormation processing systems ithin an organi%ation or security domain shall !e synchronised to a single re(erence time source

A"12"(

;.12.5.1

A"12"

C*ntr*l *@ *8,rati*nal s*@t
Installation o( so(tare on operational systems

Procedures shall !e implemented to control the installation o( so(tare on operational system

T,?Bni?al uln,ra.ility +ana,+,nt

;.12.9.1

Management o( technical #ulnera!ilities-

In(ormation a!out technical #ulnera!ilities o( in(ormation systems !eing used shall !e o!tained in a timely (ashion0 the organi%ation@s e&posure to such #ulnera!ilities e#aluated and appropriate measures taken to address the associated risk

;.12.9.2

:estrictions on so(tare installation

:ules go#erning the installation o( so(tare !y users shall !e esta!lished and implemented

A"12"7

In@*r+ati*n syst,+ audit ?*nsid,rati*ns

;.12.<.1 In(ormation system audit control

;udit reuirements and acti#ities in#o l#ing #eri(ication o( operational systems shall !e care(ully planned and agreed to minimise disruptions to !usiness processes

A"13

COMM4NICATIONS SEC4%IT>

A"13"1

N,t<*rk s,?urity +ana,+,nt

;.13.1.1 7etork controls-

7etorks shall !e managed and controlled to protect in(ormation in systems and applications

;.13.1.2 Security o( netork ser#ices-

Security mechanisms0 ser#ice le#els and management reuirements o( all netork ser#ices shall !e identi(ied and included in netork ser#ices agreements0 hether these ser#ices are pro#ided in6house or outsourced

;.13.1.3 Segregation in netorks A"13"2

In@*r+ati*n trans@,r

In(ormation trans(er policy and ;.13.2.1 procedures-

;.13.2.2

roups o( in(ormation ser#ices0 users and in(ormation systems shall !e segregated on netorks

;greements on in(ormation trans(er-

Dormal trans(er policies0 procedures and controls shall !e in place to protect the trans(er o( in(ormation through the use o( all types o( communication (acilities ;greements shall address the secure trans(er o( !usiness in(ormation !eteen the organi%ation and e&ternal parties

;.13.2.3 Electronic messaging-

In(ormation in#ol#ed in electronic messaging shall !e appropriately protected

+on(identiality or non disclosure ;.13.2.4 agreements

:euirements (or con(identiality or non6disclosure agreements re(lecting the organi%ation@s needs (or the protection o( in(ormation shall !e identi(ied0 regularly re#ieed and documented

A"1! A"1!"1

S>STEM ACD4ISITION )EELOPMENT AN) MAINTENANCE S,?urity r,uir,+,nts *@ in@*r+ati*n syst,+s

'he in(ormation security related reuirements shall In(ormation security reuirements !e included in the reuirements (or ne in(ormation ;.14.1.1 analysis and speci(icationsystems or enhancements to e&isting in(ormation systems

Securing application ser#ices on ;.14.1.2 pu!lic netorks-

;.14.1.3

A"1!"2

Protecting application ser#ices transactions

In(ormation in#ol#ed in application ser#ices passing o#er pu!lic netorks shall !e protected (rom (raudulent acti#ity0 contract dispute and unauthori%ed disclosure and modi(ication

In(ormation in#ol#ed in application ser#ice transactions shall !e protected to pre#ent incomplete transmission0 mis6routing0 unauthori%ed message alteration0 unauthori%ed disclosure0 unauthori%ed message duplication or replay

S,?urity in d,,l*8+,nt and su88*rt 8r*?,ss,s

;.14.2.1 Secure de#elopment policy-

:ules (or the de#elopment o( so(tare and systems shall !e esta!lished and applied to de#elopments ithin the organi%ation

+hanges to systems ithin the de#elopment ;.14.2.2 System change control procedure- li(ecycle shall !e controlled !y the use o( (ormal change control procedures

'echnical re#ie o( applications ;.14.2.3 a(ter operating plat(orm changes-

;.14.2.4

:estrictions on changes to so(tare packages-

=hen operating plat(orms are changed0 !usiness critical applications shall !e re#ieed and tested to ensure there is no ad#erse impact on organi%ational operations or security Modi(ications to so(tare packages shall !e discouraged0 limited to necessary changes and all changes shall !e strictly controlled

;.14.2.5

Secure system engineering principles-

Principles (or engineering secure systems shall !e esta!lished0 documented0 maintained and applied to any in(ormation system implement ation e((orts

rgani%ations shall esta!lish and appropriately protect secure de#elopment en#ironments (or ;.14.2.9 Secure de#elopment en#ironmentsystem de#elopment and integration e((orts that co#er the entire system de#elopment li(ecycle

;.14.2.< utsourced de#elopment-

'he organi%ation shall super#ise and monitor the acti#ity o( outsourced system de#elopment

;.14.2.A System security testing-

'esting o( security (unctionality shall !e carried out during de#elopment

;.14.2. System acceptances testing

;cceptance testing programs and related criteria shall !e esta!lished (or ne in(ormation systems0 upgrades and ne #ersions

A"1!"3

T,st data

;.14.3.1 Protection o( test data

A"1( A"1("1

'est data shall !e selected car e(ully0 protected and controlled

S4PPLIE% %ELATIONSHIP In@*r+ati*n s,?urity in su88li,r r,lati*nsBi8

In(ormation security policy (or ;.15.1.1 supplier relationship-

In(ormation security reuirements (or mitigating the risks associated ith supplier@s access to the organi%ation@s assets shall !e agreed ith the supplier and documented

;ll rele#ant in(ormation secur ity reuirements shall !e esta!lished and agreed ith each supplier that ;ddressing security ithin supplier ;.15.1.2 may access0 process0 store0 communicate0 or agreementspro#ide I' in(rastructure components (or0 the organi%ation@s in(ormation

;.15.1.3

A"1("2

;.15.2.1

In(ormation and communication technology supply chain.

;greements ith suppliers shall include reuirements to address the in(ormation security risks associated ith in(ormation and communications technology ser#ices and product supply chain

Su88li,r s,ri?, d,li,ry +ana,+,nt

Monitoring and re#ie o( supplier ser#ices-

rgani%ations shall regularly monitor0 re#ie and audit supplier ser#ice deli#er

;.15.2.2

A"1 A"1"1

Managing changes to supplier ser#ices

+hanges to the pro#ision o( ser#ices !y suppliers0 including maintaining and impro#ing e&isting in(ormation security policies0 procedures and controls0 shall !e managed0 taking account o( the criticality o( !usiness in(ormation0 systems and processes in#ol#ed and re6assessment o( risks

IN$O%MATION SEC4%IT> INCI)ENT MANA&EMENT Mana,+,nt *@ in@*r+ati*n s,?urity in?id,nts and i+8r*,+,nts

;.19.1.1 :esponsi!ilities and procedures-

Management responsi!ilities and procedures shall !e esta!lished to ensure a uick0 e((ecti#e and orderly response to in(ormation security incident

:eporting in(ormations security e#ents-

In(ormation security e#ents shall !e reported through appropriate management channels as uickly as possi!le

;.19.1.3

:eporting in(ormations security eaknesses-

Employees and contractors using the organi%ation@s in(ormation systems and ser#ices shall !e reuired to note and report any o!ser#ed or suspected in(ormation security eaknesses in systems or ser#ices

;.19.1.4

;ssessment o( and decision on in(ormation security e#ents-

In(ormation security e#ents shall !e assessed and it shall !e decided i( they are to !e classi(ied as in(ormation security incidents

;.19.1.5

:esponse to in(ormation security incidents-

In(ormation security incidents shall !e responded to in accordance ith the documented procedures

;.19.1.9

noledge gained (rom analysing and resol#ing Learning (rom in(ormation security in(ormation security incidents shall !e used to incidentsreduce the likelihood or impact o( (uture incidents

;.19.1.2

;.19.1.< +ollection o( e#idence

A"17 A"17"1

;.1<.1.1

;.1<.1.2

IN$O%MATION SEC4%IT> ASPECT ON 4SINESS CONTIN4IT> MANA& In@*r+ati*n s,?urity ?*ntinuity Planning in(ormation security continuity-

In(ormation security continuity shall !e em!edded in the organi%ation@s !usiness continuity management systems

Implementing in(ormations security continuity-

'he organi%ation should esta!lish0 document0 implement and maintain processes0 procedures and controls to ensure the reuired le#el o( continuity (or in(ormation security during an ad#erse situation

Geri(y0 re#ie and e#aluate ;.1<.1.3 in(ormations security continuity

A"17"2

;.1<.2.1

A"15 A"15"1

'he organi%ation shall de(ine and apply procedures (or the identi(ication0 collection0 acuisition and preser#ation o( in(ormation0 hich can ser#e as e#idence

'he organi%ation shall #eri(y the esta!lished and implemented in(ormation security continuity controls at regular inter#als in order to ensure that they are #alid and e((ecti#e during ad#erse situation

%,dundan?i,s ;#aila!ility o( in(ormation processing (acilities

In(ormation processing (acilities shall !e implemented ith redundancy su((icient to meet a#aila!ility reuirements

COMPLIENCE C*+8lian?,
Identi(ication o( applica!le ;.1A.1.1 legislation and contractual reuirements-

;ll rele#ant legislati# e statutory0 regulatory0 contractual reuirements and the organi%ation@s approach to meet these reuirements shall !e e&plicitly identi(ied0 documented and kept up to date (or each in(ormation system and the organi%ation

;.1A.1.2 Intellectual property rights-

;ppropriate procedures shall !e impl emented to ensure compliance ith legislati#e0 regulatory and contractual reuirements related to intellectual property rights and use o( proprietary so(tare products

;.1A.1.3 Protection o( records-

:ecords shall !e protected (rom loss0 destruction0 (alsi(ication0 unauthori%ed access and unauthori%ed release0 in accordance ith legisl atory0 regulatory0 contractual and !usiness reuirements

;.1A.1.4

Pri#acy and protection o( personally identi(ia!le Pri#acy and protection o( in(ormation shall !e ensured as reuired in rele#ant personally identi(ia!le in(ormation. legislation and regulation here applica!le

;.1A.1.5

:egulation o( cryptographic controls

A"15"2

+ryptographic controls shall !e used in compliance ith all rele#ant agreements0 legislation and regulations

In@*r+ati*n s,?urity r,i,
'he organi%ation@s approach to managing in(ormation security and its implementation )i.e. Independent re#ie o( in(ormation control o!"ecti#es0 controls0 policies0 processes and ;.1A.2.1 securityprocedures (or in(ormation security* shall !e re#ieed independently at planned inter#als or hen signi(icant changes occur

;.1A.2.2

+ompliance ith security policies and standard-

;.1A.2.3 'echnical compliance re#ie 

Managers shall regularly re#ie the compliance o( in(ormation processing and procedures ithin their area o( responsi!ility ith the appropriate security policies0 standards and any other security reuirements In(ormation systems shall !e regularly re#ieed (or compliance ith the organi%ation@s in(ormation security policies and standards

ECKLIST IMPLEMENTASI ISO 27001:2013 )*ku+,ntasi -K,.i/akanP,d*+anPr*s,dur


ISS

ISS

ISS


1. :isalah :apat :e#ie /okumen 2. >istori Peru!ahan /okumen

Aktiitas

1.

Penetapan e!i"akan eamanan In(ormasi

2.

Sosialisasi e!i"akan eamanan In(ormasi

1.

Melaksanakan re#ie !erkala terhadap ISS ? ISMS Policy


Penetapan ? pengesahan Memo Struktur rganisasi ISMS di S.

Struktur rganisasi ? $raian /eskripsi er"a

Penetapan ? pengesahan Struktur rganisasi di S.

2.

1. /a(tar ontak 7omor Penting

Bukti  /a(tar eikutsertaan dalam Dorum terkait eamanan In(ormasi

1. /okumen ontrak 2. 7/;

1. Menyusun /a(tar ontak 7omor Penting 2. Memasang /a(tar ontak 7omor Penting di lokasi mudah terlihat oleh seluruh pegaai Mengikuti (orum terkait eamanan In(ormasi 1. Memastikan penerapan kontrol keamanan in(ormasi telah tercakup dalam mana"emen proyek 2. Memastikan pihak6pihak rele#an telah menandatangani 7/;

Dormulir Penggunaan ;set Pri!adi

Memastikan pendataan ? penggunaan perangkat mo!ile telah sesuai ketentuan

;ccess +ontrol

Dormulir /e#iasi 'eleorking

Melakukan pendataan user yang mendapatkan akses GP7 dan penggunaan mo!ile de#ice milik pri!adi  perusahaan

>uman :esource Security

>asil Screening Pegaai

;sset Management

memastikan proses yang di"alankan di >+ sesuai dengan panduan yang !erlaku terkait >uman :esource Security >uman :esource Security

/okumen ontrak Pegaai  Buku Panduan Peraturan Perusahaan


1. Bukti pelaksanaan ;areness  Sosialisasi eamanan In(ormasi. 2. 7/;.


1. Bukti pelaksanaan ;areness  Sosialisasi eamanan In(ormasi. 2. :encana Pelatihan Pegaai.

1. Melaksanakan sosialisasi  aareness keamanan in(ormasi 2. Menyusun rencana pelatihan ? melaksanakan pelatihan pegaai


/okumen ;B )lasi(ikasi le#el0 kategori pelanggaran0 dan sanksi yang akan diperoleh*

Memastikan adanya aturan di >+ terkait disciplinary process atas penyimpangan yang dilakukan sum!er daya )karyaan  pihak ketiga*


;sset Management

;sset Management

Memastikan kontrol keamanan in(ormasi telah diterapkan pada saat ter"adinya pemutusan atau peru!ahan hu!ungan ker"a terhadap pegaai

1. E&it +learence. 2. :e#ie peru!ahan hak akses karyaan. 3. 7/;.

Memastikan in(ormasi serta perangkat pemroses ? penyimpan in(ormasi telah terin#etarisasi !eserta kepemilikannya ke dalam aset register. Mem!eri la!el perangkat ker"a 2. sesuai dengan aset register. Melakukan pendataan sarana pendukung yang ada di area 3. S. Memastikan penggunaan seluruh 4. perangkat di S telah sesuai dengan ketentuan penggunaan perangkat. 1.

1. ;sset :egister 2. Dormulir Sera h 'erima ;set 3. La!el ;set

;sset Management

;sset Management

+lassi(ication and >andling In(ormation

1. riteria klasi(ikasi In(ormasi 2. /a(tar ;set In(ormasi !erikut klasi(ikasinya

Seluruh in(ormasi telah di!eri la!el sesuai ketentuan ? klasi(ikasinya

+lassi(ication and >andling In(ormation

1. +lassi(ication and >andling In(ormation

;sset Management

/a(tar /okumen ? Lokasi Penyimpanan 2. /a(tar ? Log Pelaksanaan Backup

Dormulir /e#iasi

Melakukan identi(ikasi klasi(ikasi in(ormasi, 6 Pu!lik 6 Internal 6 +on(idential 6 Strictly +on(idential

Melakukan pela!elan in(ormasi sesuai ketentuan ? klasi(ikasinya, >ardcopy, /icap di!ag. +o#er So(tcopy, /itulis di!ag. kiri !aah (ooter

1. Menyimpan dokumen hardcopy di lemari yg dapat dikunci. 2. Menyimpan dokumen so(tcopy sesuai ketentuan 3. Melakukan !ackup sesuai dengan ketentuan

Memastikan pengelolaan ? penggunaan remo#a!le media telah sesuai dgn ketentuan

;sset Management

;sset Management

;ccess +ontrol

;ccess +ontrol

1. Dormulir Permohonan Pemusnahan ;set 2. Domulir Pemusnahan ;set

Memastikan proses pemusnahan media telah sesuai dgn ketentuan.

+hecklist Implementasi

Memastikan media penyimpan in(ormasi telah di!erikan pengamanan memadai pada saat digunakan untuk memindahkan in(ormasi. +ontoh, 6 menggunakan pengamanan dgn passord pd (lashdisk. 6 pengiriman surat (isik menggunakan amplop !ersegel.

1. $ser ;ccess Matri& )$;M* 2. Dormulir :e#ie $;M

Menetapkan prosedur terkait kontrol akses ? melakukan re#ie secara !erkala

Dormulir :e#ie >ak ;kses

Memastikan proses penda(taran akses !aru ? penghapusan akses telah sesuai dgn ketentuan

;ccess +ontrol

;ccess +ontrol

;ccess +ontrol

Memastikan hak akses user ke "aringan telah sesuai dgn ketentuan

1. Dormulir Permohonan >ak ;kses 2. Memo Penun"ukan ;dministrator


Memastikan proses pem!erian akses telah sesuai dgn ketentuan Memastikan kontrol thdp alokasi hak akses khusus telah sesuai dgn ketentuan Memastikan alokasi otenti(ikasi in(ormasi telah sesuai dgn ketentuan

;ccess +ontrol

;ccess +ontrol


Melakukan re#ie hak akses (isik ? logical

;ccess +ontrol


Menyesuaikan akses sesuai dengan da(tar user dan melakukan re#ie hak akses

;ccess +ontrol


Menggunakan Hstrong passordH sesuai dgn ketentuan

;ccess +ontrol

1. Dormulir :e#ie >ak ;kses 2. $;P

;ccess +ontrol


Memastikan akses ke sistem ? aplikasi telah dikontrol melalui prosedur secure log-on

;ccess +ontrol


Memastikan sistem dapat mengakomodasi ketentuan passord secara interakti(

;ccess +ontrol

1. /a(tar So(tare yg /ii%inkan. 2. Dormulir /e#iasi

Memastikan kontrol akses ke in(ormasi ? sistem in(ormasi telah sesuai dgn ketentuan

Melakukan kontrol pem!atasan penggunaan program utility yg dapat meleati  mem!atalkan kontrol sistem yg telah ada

;ccess +ontrol


Memeriksa kesesuaian hak akses ke penyimpanan source code

IS peration and Security

Penetapan ke!i"akan ? implementasi penggunaan kriptogra(i utk kontrol pengamanan in(ormasi


Penetapan ke!i"akan ? implementasi pengelolaan kunci kriptogra(i )cryptographic keys*

Physical and En#ironmental Security

Menetapkan !atas ilayah area kedalam 3 kategori, Public, Restricted, Secured


Berkoodinasi dgn Satpam utk memastikan setiap tamu yg akan memasuki area Restricted ? Secured telah terda(tar pd Buku 'amu ? di!erik an I/ Gisitor

1. Dormulir Permohonan ;kses 2. Log  Buku 'amu Physical and En#ironmental Security

Memastikan kontrol akses Dingerprint I/ !er(ungsi sesuai ketentuan


1. Memastikan kontrol akses Dingerprint I/ !er(ungsi sesuai ketentuan. 2 Memastikan ++'G !er(ungsi dengan !aik dgn area pantau ++'G dpt mencakup seluruh area ker"a.



1. +hecklist Implementasi 2. :ecord ++'G sd 3C hari se!elumnya

Dormulir maintenance supporting utilities

Memastikan ;P;: dpt !er(ungsi dgn !aik serta pemeriksaan riayat pemeliharaan rutin

:ekaman ++'G min. sd. 3C hari se!elumnya Not Applicable

Memastikan akti#itas peker"aan di ilayah secure area dpt terpantau ? sesuai dgn ketentuan


Berkoordinasi dgn satpam utk memastikan kontrol pengamanan telah diterapkan pada pintu akses melalui deli#ery ? loading area


Memastikan penempatan perangkat ker"a yg aman dari potensi risiko gangguan ? ancaman lingkungan serta akses tdk terotorisasi

;sset Management

Laporan Pemeliharaan :utin utk enset

Memeriksa alur perka!elan !aik data maupun daya listrik utk memastikan keamanan (isik ? (ungsional



Melakukan pemeriksaan status pemeliharaan rutin utk genset

1. Dormulir erusakan ;set 2. Dormulir :ekapitulasi Per!aikan ;set

Melaksanakan pemeliharaan rutin utk perangkat ker"a.



;sset Management

;sset Management

1. Dormulir Serah 'erima ;set

1. Fika perangkat ker"a0 in(ormasi0 atau so(tare akan di!aa keluar area ker"a0 pastikan telah terdapat proses permohonan0 persetu"uan0 dan serah terima yg terdokumentasi (ormal. 2. Fika perangkat ker"a akan dipindahtangankan atau dimusnahkan0 pastikan in(ormasi ? lisensi telah dihapus danatau di!ackup terle!ih dahulu


1. 'idak meninggalkan perangkat ker"a tanpa pengaasan saat !eker"a diluar kantor atau ketika mem!aa perangkat ker"a keluar kantor. 2. Fika harus meninggalkan perangkat ker"a0 simpan di tempat yg aman seperti misal Sa(e /eposit Bo&.

1. Dormulir Serah 'erima ;set

Melakukan (ormat media penyimpanan in(ormasi se!elum dilakukan pemusnahan danatau penggunaan kem!ali


Mengakti(kan Screensa#er Lock dengan menekan indos  L setiap kali akan meninggalkan me"a ker"a 1.


2. Mengakti(kan Screensa#er Lock dengan menekan indos  L setiap kali akan meninggalkan me"a ker"a



Memastikan tdk ada dokumen danatau remo#a!le media yg memuat in(ormasi !ersi(at +on(idential atau le!ih tinggi yg tersimpan di me"a ker"a tanpa pen"agaan

1. /a(tar /okumentasi ISMS

Memastikan seluruh prosedur ? keluaran prosesnya terdokumentasi secara (ormal serta mudah diakses oleh pihak rele#an yg mem!utuhkan


Dormulir :D+ ? /okumentasi terkait

Memastikan setiap proses peru!ahan yg !erdampak pd keamanan in(ormasi dpt terkelola sesuai ketentuan


>asil ;nalisa e!utuhan ? Perencanaan Pegaai

Melaksanakan analisa ke!utuhan ? perencanaan pegaai


Melakukan pemisahan antara Ser#er Pengem!angan0 Ser#er Pengu"ian0 dan Ser#er perasionalProduksi

In(ormation System /e#elopment


Status ;nti Girus

1. Instalasi s ;nti Girus 2. $pdate ;nti Girus secara !erkala 3. Pengaturan scan ? (ull6scan secara otomatis



/a(tar In(ormasi yg perlu di6 backup !erikut metode dan periode backup6nya

1. Melakukan !ackup in(ormasi secara !erkala sesuai ketentuan. 2. Melakukan u"i restore secara !erkala.

E#ent Log

1. Mengakti(kan Syslog yang meliputi log login failure. 2. Memastikan Event Log disimpan dan ditin"au secara !erkala.


Menempatkan (asilitas logging ? menyimpan in(ormasi terkait di tempat yg aman.


1. Menyimpan log akti#itas ;dministrator Sistem ? perator Sistem. 2. Melakukan re#ie log akti#itas secara !erkala.

Log ;kti#itas ;dministrator ? perator Sistem

Melakukan sinkronisasi aktu pada setiap perangkat I'.


1.


1. /a(tar So(tare yg /ii%inkan. 2. Dormulir /e#iasi


1. Laporan Gurnera!ility ;ssessment. 2. Laporan Penetration 'est.

Memastikan so(tare yg di6install di perangkat ker"a sesuai dgn /a(tar So(tare yg /ii%inkan. Menga"ukan permohonan khusus 2. apa!ila ada permintaan so(tare di luar /a(tar So(tare yg /ii%inkan.

Melaksanakan Gurnela!ility ;ssessment )G;* ? Penetration 'est secara !er kala


Mengatur user pre#illage pd sistem operasi setiap perangkat ker"a  note!ook utk memastikan user tdk dapat melakukan sendiri instalasi so(tare diluar yg telah ditentukan.


Memastikan proses pengendalian dalam proses audit sistem in(ormasi0 mencakup pem!atasan hak akses auditor0 perencanaan dan implementasi audit sistem in(ormasi.

+ommunications Security  7etork Ser#ice Process

Melakukan pengelolaan keamanan "aringan sesuai ketentuan.


Memastikan kontrol keamanan telah diterapkan pada layanan "aringan yg digunakan S.


Melakukan pemisahan  grouping "aringan sesuai ke!utuhan rganisasi.


Menetapkan ke!i"akan ? prosedur serta penerapan kontrol pengamanan dlm proses perpindahan in(ormasi.


1. ontrak 2. 7/;

1. Menerapkan kontrol pengamanan dalam pengiriman in(ormasi melalui email. 2. Memastikan (ungsional sistem ekripsi otomatis utk pengiriman in(ormasi !ersi(at con(idential atau lenih tinggi melalui email.



Memastikan pihak eksternal mematuhi ketentuan dlm pelaksanaan proses perpindahan in(ormasi.

7/;

Memastikan setiap pihak terkait telah menandatangani 7/;.

S:S

Memastikan !aha persyaratan keamanan in(ormasi telah tercakup dalam S:S dan diimplementasikan pada saat pengem!angan



Implementasi kontrol pengamanan antara lain, Enkripsi0 Direall0 GP70 utk pengamanan in(ormasi pada layanan aplikasi yang menggunakan atau dapat diakses melalui "aringan internet pu!lik.



Implementasi kontrol pengamanan untuk transasksi pada layanan sistem in(ormasi

Prosedur Pengem!angan Sistem In(ormasi

Menetapkan dan melaksanakan prosedur pengem!angan sistem in(ormasi dengan mencakup ketentuan persyaratan keamanan in(ormasi.


Dormulir :D+

Memastikan setiap peru!ahan pada saat proses pengem!angan sistem in(ormasi telah sesuai dengan ketentuan +hange Management.


Laporan :e#ie dan Pengu"ian

Melakukan re#ie dan pengu"ian setiap kali dilakukan peru!ahan  penyesuaian plat(orm.

Dormulir :D+

Memastikan setiap peru!ahan terhadap sistem in(ormasi telah sesuai dengan ketentuan +hange Management.






Prosedur Pengem!angan Sistem In(ormasi

Menetapkan dan melaksanakan prosedur pengem!angan sistem in(ormasi dengan mencakup ketentuan persyaratan keamanan in(ormasi.


Melakukan kontrol pengamanan lingkungan area ker"a dan Ser#er Pengem!angan antara lain dengan kontrol akses (isik dan logical.

1.


1. ontrak 2. SL; 3. 7/;

Memastikan !aha klausul terkait keamanan in(ormasi telah tercakup pada ontrak danatau SL; dengan Gendor. 2. Memastikan !aha #endor dan pihak6pihak terkait telah menandatangani 7/;. 3. Memantau dan mengaasi proses pengem!angan agar tetap sesuai dengan kontrak danatau SL;.


Laporan Pengu"ian

Melakukan Pengu"ian (ungsionalitas keamanan terhadap sistem in(ormasi yang sedang dikem!angan


Laporan $;'

Melakukan $ser ;cceptance 'est )$;'*


1. :e#ie >ak ;kses 2. Log Penggunaan /ata Pengu"ian

1. Memeriksa kesesuaian hak akses terhadap /ata Pengu"ian. 2. Menyimpan /ata Pengu"ian di ser#er atau media dengan kontrol akses tertentu. 3. Mencatat log penggunaan /ata Pengu"ian.

Supplier Management  Gendor Management


1. ontrak  SL;. 2. 7/;. 3. /a(tar Gendor.

Memastikan klausul terkait keamanan in(ormasi telah tercantum pada setiap kontrak ker"asama.

1. Laporan :e#ie  Monitoring Gendor  Supplier. 2. MoM dengan Gendor  Supplier terkait pem!ahasan kiner"a layanan.

Melakukan re#ie terhadap Gendor  Supplier




SL;

Menetapkan prosedur penanganan insiden keamanan in(ormasi

In(ormation Security Incident

Memastikan proses pengelolaan peru!ahan terkait layanan #endor  supplier !er"alan sesuai dengan ketentuan.


1. 'iket Pelaporan Insiden 2. Dormulir etidaksesuaian

Melaporkan setiap ke"adian ketidaksesuaian terkait keamanan in(ormasi.


1. 'iket Pelaporan Insiden 2. Dormulir etidaksesuaian

Melaporkan setiap potensi keraanan  risiko terkait keamanan in(ormasi.


1. Dormulir etidaksesuaian 2. :isk :egister

Melakukan analisa terhadap setiap pelaporan ketidaksesuaian  insiden utk menetapkan klasi(ikasi insiden ? tindak lan"ut yg diperlukan serta apakah insiden "g merupakan potensi risiko !aru.


Dormulir etidaksesuaian

Menindaklan"uti setiap insiden yg dilaporkan sesuai dengan ketentuan.


1. 'iket Insiden 2. Dormulir etidaksesuaian 3. :e#ie Insiden

Mendokumentasikan setiap hasil analisa ? solusi atas suatu insiden.


1. 'iket Insiden 2. Dormulir etidaksesuaian

Melakukan identi(ikasi0 dokumentasi0 ? penyimpanan setiap in(ormasi yg dpt men"adi !ukti terkait suatu insiden.

MENT Memastikan lingkup keamanan in(ormasi telah tercakup dlm perencanaan ke!erlangsungan !isnis S.

Business and In(ormation Security +ontinuity




1. 2. 3. 4.

Business Impact ;nalysis )BI;* :isk ;nalysis Business +ontinuity Plan )B+P* Skenario B+P

Menyusun perencanaan ke!erlangsungan !isnis

Laporan Pelaksanaan Simulasi B+P

Melaksanakan Simulasi B+P

1. BI;. 2. B+P.

Memastikan ketersediaan (asilitas pemroses in(ormasi cadangan sesuai dgn ke!utuhan di S.

+omplience Security

+omplience Security

/a(tar Peraturan ? Perundang6 udangan

1. /a(tar Lisensi 2. Dormulir P+ +hecking

Melaksanakan identi(ikasi ? dokumentasi terkait peraturan ? undang6undang yg rele#an dgn implementasi ISMS di S.

1. Melakukan pendataan lisensi perangkat lunak 2. Melakukan pemeriksaan penggunaan perangkat lunak di perangkat Ser#er0 P+0 7ote!ook.

+omplience Security

Memastikan setiap records dikelola sesuai dgn ketentuan.

+omplience Security

Memastikan setiap in(ormasi pri!adi dikelola sesuai dgn peraturan ? undang6undang yg !erlaku.

+omplience Security

Memastikan penggunaan kontrol kriptogra(i sesuai dgn peraturan ? undang6undang yg !erlaku.

+omplience Security

1. Laporan ;udit Internal 2. Laporan ;udit Eksternal

Melaksanakan proses ;udit Internal ? ;udit Eksternal

+omplience Security

Laporan ;udit epatuhan

Melaksanakan proses ;udit epatuhan

+omplience Security

Laporan ;udit epatuhan

Melaksanakan proses ;udit epatuhan

P,nanun ;a
6 'op Management 6 Management :epresentati#e PF, Management :epresentati#e P>, ISMS ((icer 6 Management :epresentati#e 6 I'PS

6 'op Management 6 Management :epresentati#e 6 'op Management 6 Management :epresentati#e

ISMS ((icer

PF, Management :epresentati#e P>, JJ


PF, Management :epresentati#e P>, I'PS PF, ISMS ((icer P>, I' Sec

PF, Management :epresentati#e P>, >+ /i#

PF, Management :epresentati#e P>, >+ /i#

Status

S,8t 93

9!

Okt*.,r 91

92

9!

N*,+.,r 9!

91

92

93

9!


I'PS


PF, ISMS ((icer P>, >+ /i#

;sset Manager

In(ormation ner

/ocument +ontroller

6 In(ormation ner 6 /ocument +ontroller

;sset Manager

6 ;sset Manager 6 'MS

6 ISMS ((icer 6 In(ormation ner

I' Sec

I' Sec

6 >+ /i# 6 I' Sec

6 I' Sec 6 ;pplication $ser

I' Sec

I' Sec 6 I' Sec 6 ISMS ((icer 6 ;pplication ner

I' Sec

;ll Employee

6 ISMS ((icer 6 I' Security

I' Sec

I' Sec

I'PS

PF, ISMS ((icer P>, ;dministrator

I'PS

I' Sec


PF, ISMS ((icer P>, Dacility Ser#ice




PF, ISMS ((icer P>, DES Monitoring


PF, ISMS ((icer P>, DES



PF, ;sset Manager P>, DES'MS

PF, ;sset Manager P>, DES'MS

PF, ISMS ((icer P>, DES Monitoring

PF, ;sset Manager P>, 'MS

;ll Employee

;ll Employee

;ll Employee

PF, I'PS P>, /ocument +ontroller

PF, Management :epresentati#e P>, S Manager

PF, Management :epresentati#e P>, S Manager PF, ISMS ((icer P>, ;dministrator


PF, ISMS ((icer P>, In(ormation ner

PF, I' Sec P>, /+M

I' Sec

I' Sec

PF, I' Sec P>, /+M


I' Sec

I'PS

I'PS

I' Sec

I' Sec

PF, I' Sec P>, /+M

I'PS

PF, ISMS ((icer P>, I'PS'MS

PF, ISMS ((icer P>, I' Sec


PF, ISMS ((icer P>, 'im /e#elopment

PF, ISMS ((icer P>, ;dministrator I' Security

;dministrator I' Security

I' Policy /ocument +ontroller

ISMS ((icer 'im /e#elopment

;dministrator I' Security

ISMS ((icer 'im /e#elopment

I' Policy /ocument +ontroller

ISMS ((icer


PF, ISMS ((icer P>, I' Security 'im /e#elopment PF, ISMS ((icer P>, 'im /e#elopment





6 Management :epresentati#e 6 I'PS 6 ;ll Employee 6 ISMS ((icer

6 ;ll Employee 6 Gendor  ontraktor ? pihak terkait lainnya.

6 ISMS ((icer 6 :isk ((icer

6 ISMS ((icer 6 Ser#ice /esk

6 ISMS ((icer 6 Ser#ice /esk

ISMS ((icer

I'PS

I'PS

I'PS

;sset Manager

Checklist Implementasi ISO 27k

Recommend Documents