2012 International Conference on System Engineering and Technology
September 11-12, 2012, Bandung, Indonesia

IT Risk Management Framework Based on ISO 31000:2009

Tati Ernawati #1, Suhardi *2, Doddi R. Nugroho #3

# Informatics, Politeknik TEDC Bandung, Jalan Pasantren Km 2 Cibabat Cimahi Utara 40513
1 tatiernawati@yahoo.com
* School of Electrical Engineering and Informatics, Bandung Institute of Technology, Jalan Ganesha No. 10, Bandung 40132
2 suhardi@stei.itb.ac.id
# PT. Telekomunikasi Indonesia, Tbk, Jalan Japati No. 1 Bandung 40133
3 doddi@telkom.co.id

Abstract—Utilization of Information Technology (IT) in an enterprise brings, in addition to the benefits of the implementation of IT, risks (Information Technology Risk) that may affect the achievement of corporate goals. IT risk management always involves the company's overall risk management, because IT risk affects the enterprise itself; a framework is therefore required as a tool to integrate IT risks with ERM.
This paper presents a case study research on an IT risk management framework based on ISO 31000. The research methodology used in this study is Design Science Research Methodology (DSRM). The designed architecture includes three components: the principles of IT risk management, IT risk identification and IT risk analysis. The method used to examine the framework was a Focus Group Methodology, and the sampling technique used was purposive sampling. The Focus Group Discussion (FGD) was conducted based on expert judgment at PT. Telekomunikasi Indonesia, Tbk.
The examination of the IT risk management framework showed that it is in accordance with the needs of companies engaged in the telecommunications industry and that it integrates IT risk with ERM. In this case the company's need is security related to the financial statements, to support compliance with the Sarbanes-Oxley Act agreement (SOA). The main finding in the development of the IT risk management framework is that internal control plays a key role in Enterprise Risk Management.

Keywords— IT Risk, ERM, FMEA, ISO 31000:2009, SOA Section 404

I. INTRODUCTION
Utilization of Information Technology (IT) in an enterprise brings, in addition to the benefits of the implementation of IT, risks (Information Technology Risk) that may affect the achievement of corporate goals. Given that IT is an important asset, it must be managed effectively, to maximize the effectiveness of its use and so that the risks associated with the implemented technology can be mitigated.
Risk management provides considerations regarding the measures to be taken to address these risks [1]. Enterprise Risk Management (ERM) can provide structured consideration by taking all forms of uncertainty into account in decision making.
The International Organization for Standardization (ISO) has issued a standard framework for managing risk (ISO 31000:2009). This standard is issued to assist companies in managing risk [2]. Some risk management standards had already been published previously. However, enterprise risk management (ERM) and IT risk frameworks are presented separately, not yet integrated in a single framework. On the other hand, IT risk management will always involve the company's overall risk management, because IT risk affects the enterprise itself. Although one IT risk framework, IT Risk of the Information System and Control Association (ISACA), has elaborated on ERM, it is specific to IT usage in the enterprise and does not focus much on control (control activities), which is one of the important components of ERM [3]. Similarly, the Control Objectives for Information and related Technology (COBIT) framework focuses on meeting the standards of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in terms of IT control [4]; this indicates that the two frameworks complement each other but are not yet integrated in a single framework.
This paper examines an IT risk management framework based on ISO 31000. The methodology used is Design Science Research Methodology (DSRM). The study focused on IT security related to the financial statements, to support compliance with the Sarbanes-Oxley Act agreement (SOA). The research resulted in an IT risk management framework based on ISO 31000:2009 which has been tested in a case study at PT. Telekomunikasi Indonesia, Tbk.

978-1-4673-2376-5/12/$31.00 ©2012 IEEE


II. ENTERPRISE RISK MANAGEMENT
ERM is a comprehensive approach to the management of risk, especially to minimize the uncertainty affecting the achievement of corporate goals. The ERM process involves activities such as identification, measurement and monitoring of risk in a structured manner, supported by a risk management framework as a tool for managing risk so that it can be more integrated, sustainable and controllable.
ISO 31000 "Risk Management - Principles and Guidelines on Implementation" is part of the international standards on risk management guidelines [5]. The structure of ISO 31000 consists of three interrelated elements: the principles of risk management, the risk management framework and the risk management process.

A. Principle of Risk Management
The principles for managing risk in ISO 31000 [1]: adds value; is an integral part of the organization and part of the decision making process; addresses the issue of uncertainty; is systematic, structured and timely; is based on the best available information; is tailored; takes human and cultural factors into account; is transparent and inclusive; is dynamic, iterative and responsive to change; and facilitates continual improvement and enhancement of the organization.

B. Risk Management Framework
One thing emphasized in ISO 31000 is that, to be effective, risk management must be integrated into the decision-making process of the organization. The standard not only explains the important elements required in the framework but also explains how an organization should create, implement and maintain these elements so that they stay relevant and up to date [6].

(Fig. 1 shows the framework elements: Mandate and commitment; Design of framework for managing risk; Implementing risk management; Monitoring and review of the framework; Continual improvement of the framework.)
Fig. 1 Risk management framework of ISO 31000 [1]

C. Risk Management Process
The ISO 31000 risk management process largely adopted the process of AS/NZS 4360:2004. The process of risk management is an integral part of general management. Risk management should be part of the organizational culture, organizational best practices and business processes of the organization. The risk management process includes 5 (five) activities, as described in Fig. 2.

(Fig. 2 shows the process elements: Establish the context; Risk assessment, consisting of Risk identification, Risk analysis and Risk evaluation; Risk treatment; with Communication and consultation and Monitoring and review alongside all steps.)
Fig. 2 Risk management process of ISO 31000

D. Methods/techniques of risk assessment
Engineering and risk management methods/techniques described in ISO 31000 [1]:
1) The principles of risk management
The use of the principles of management as an agent of change, from both the individual and the organizational aspect.
2) Risk management framework
• Mandate and commitment
Prepare a document that clearly outlines the responsibilities of the directors and the board of commissioners in connection with the implementation of risk management.
• Design of framework for managing risk
- Understanding the organizational context
- Development of risk management policy
- Risk governance structure
- Application of risk management processes
• Monitoring and review
Process profile worksheet as the basis for monitoring and review.
• Continual improvement of the framework
Application of the PDCA principle (Plan-Do-Check-Action).
3) Risk management process
• Communication and consultation
Stakeholder analysis and technical communication
• Establish the context
- Understanding the organizational context
- Taxonomy of the risks of both the internal and the external environment
- Criteria for risk
• Risk assessment
- Risk identification
Deepening of the techniques that have been used before: document review, stakeholder analysis, risk breakdown structure, business process mapping.
- Risk analysis and risk evaluation
Qualitative methods and quantitative methods
4) Risk treatment
• Risk treatment strategy
• The strategy for emergency response and disaster recovery
• Building the risk treatment plan
• Consideration of benefits and costs
5) Monitoring and review
• Determination of who is doing the monitoring and review
• What needs to be monitored and reviewed
• What information needs to be evaluated
• The procedures to be used
• The reporting process
6) Documentation of the risk management process
• Records of each stage of the process
• Storage of documents
• Use of knowledge management techniques.

III. THE PROPOSED FRAMEWORK
The research methodology used is Design Science Research Methodology (DSRM). The six stages of design are shown in Fig. 3.

Fig. 3 The process model of DSRM [7]

A. Identify problem and motivate
Enterprise risk management (ERM) and IT risk not being integrated in a single framework is the main trigger to develop an IT risk management framework based on ISO 31000 that is adapted to the needs and objectives of the company.

B. Define objectives of a solution
Based on the problem identification and motivation, the objectives of the solution in this study are:
• An IT risk management framework based on ISO 31000 adapted to the needs and goals of the organization.
• Meeting the need for a risk management framework in which IT risk is integrated with ERM.

C. Design and development
The stages of the framework design are as follows.
1) Step 1: Conduct a literature review
The ISO 31000 framework was selected by comparison with some general enterprise risk management frameworks, namely AS/NZ 4360:2004, COSO-ERM 2004 and ISO 31000:2009. The results of the comparison are presented in TABLE I.

TABLE I
COMPARISON OF RISK MANAGEMENT FRAMEWORKS [8]
Framework        | ERM Principle | Framework | Process
ISO 31000:2009   | ✓             | ✓         | ✓
AS/NZ 4360:2004  | X             | X         | ✓
COSO ERM:2004    | X             | X         | ✓

Compared with COSO ERM, ISO 31000 has the advantage of being more practical and more detailed, with the terms defined explicitly in the framework and written more clearly, so it is easy to understand [8]. Based on those comparisons, ISO 31000 was chosen as the reference framework with the following considerations: ISO 31000 is more structured/systematic, so it is easy to apply; its architecture supports changes to the risk management process during application; there is consistency in the terminology [8]; in contrast to other risk management frameworks, ISO 31000 provides risk assessment techniques that can be adapted to the conditions and needs of the company; and integration through a more general framework can accommodate all types of risk management within an ISO 31000 framework, which shows that risk management is an integral part of the organization.

2) Step 2: Data collection
The research derived from primary and secondary data. Primary data were obtained by conducting a survey at PT. Telekomunikasi Indonesia, Tbk. Data collection was conducted through interviews with the Senior Officer IT Governance and Compliance Strategy in the units associated with IT risk management, namely IT Solutions and Strategy Portfolio (ITSP) and Compliance Risk Management (CRM). Secondary data were obtained by content analysis techniques applied to various references related to the problems examined. The purpose of this phase was to obtain detailed information on the existing conditions of the risk management process at PT. Telekomunikasi Indonesia, Tbk.

3) Step 3: Data Analysis
Analysis is performed on the ISO 31000 risk management framework and the data surveyed in the field.
a) IT Risk Management Principles
The design of IT risk management principles based on ISO 31000 was done in two stages: mapping business ethics to the principles of ISO 31000, and an analysis of IT objectives and strategy.
The first stage of mapping was done by analyzing every element of corporate and business ethics and searching for a counterpart among the risk management principles of ISO 31000. The goal is to obtain a comprehensive picture of the business ethics policies related to the ISO 31000 risk management principles. Business ethics consists of [9]: primary values, consisting of integrity, openness, commitment, teamwork, discipline, caring and responsibility; and primary behaviors, consisting of achieving a higher target, simplifying (working effectively and efficiently), cooperating and synergizing, prioritizing quality in every task, and respect and appreciation.
Based on the mapping, it can be concluded that the company's business ethics are applied in accordance with some of the principles of ISO 31000 risk management, such as: an IT risk aware culture; IT risk management integrated with corporate risk management; systematic, structured and timely; transparent and inclusive; and creating IT value.
The second stage of the analysis was conducted by reviewing the events that may occur and would disrupt the IT objectives in the case of PT. Telekomunikasi Indonesia, Tbk. The analysis results can be seen in TABLE II. The proposed IT risk management principles are drawn from management and are needed in anticipation of the events that may occur and disrupt the IT objectives.

TABLE II
ANALYSIS RESULTS OF IT OBJECTIVES AND STRATEGY
No | Aspects analyzed | Event*
1  | IT goals [9]: IT helps corporate governance in an integrated company's business | IT does not effectively support the implementation of the company's business
2  | Strategic IT |
   | a. Efficiency of IT investments | Lack of an adequate IT architecture
   | b. Efficiency of IT investments in cloud computing services | The absence of an IT strategic plan for the implementation of the cloud computing initiative
   | c. Accurate financial statements | Changes to the financial reporting system by unauthorized parties and/or without adequate testing
   | d. IT governance in an effective corporate information systems security | Use of the system by unauthorized persons, or modification of data integrity by violation
*) Events that may occur and will disrupt IT goals

Based on the mapping of business ethics to the ISO 31000 risk management principles, together with the analysis of the IT goals and strategy, the proposed IT risk management principles can be seen in Appendix A Fig. 6.

b) IT risk identification and analysis process
In designing the IT risk identification, this stage is carried out by analyzing the business processes and IT assets involved in the achievement of the IT objectives and strategy. The IT and business processes examined are those associated with the assurance of the financial statements to support SOA compliance agreements, taken from the case study at PT. Telekomunikasi Indonesia, Tbk.
Business processes for the achievement of the business IT objectives and strategy:
• Program development
- Acquire and maintain application software
The process of application acquisition related to the effectiveness of financial reports, and the security and integrity of the process. Unit of manager is IT Policy UPTI (Unit Pengelola TI).
- Acquire and maintain technology infrastructure
Technology infrastructure (hardware and software) designed and acquired in accordance with the requirements of the financial applications. Unit of manager is UPTI.
- Perform the operations
Updating of policies, procedures and documentation related to application and infrastructure systems. Unit of manager is UPTI (IT Development Division).
- Install and accredit solutions and changes
Performance and system reliability related to financial reporting requirements. Unit of manager is UPTI.
• Program changes
- Manage the change
The accuracy and security of the financial statements related to the process of switching system development/changes. Unit of manager is UPTI.
- Define and manage service levels
Service levels over the financial reporting system. Unit of manager is UPTI.
- Manage third-party services
The process of control over third-party contracts, handled by a unit that has accountability for the procurement process. Unit of manager is Unit Supply Center.
• Access to programs and data
Ensure the security of the system:
- The legitimacy of the financial statements.
- Integration of data.
- Policies and procedures related to the security infrastructure.
- Control of authentication and access rights on a periodic basis.
Unit of manager is BPO (Business Process Owner) and UPTI.
• Computer operations
- Manage the configuration
The company's commitment to comply with the use of legal software. Unit of manager is Unit Supply Center.
- Manage problems and incidents
Problem and incident management operations related to the financial reporting system. Unit of manager is Unit Supply Center.
- Manage the data
Integrity, completeness, security and accuracy of the financial report related to data management and the financial information process, performed in accordance with IT governance. Unit of manager is Unit Supply Center.
- Manage the physical environment and operations
Management of the information assets that affect the integrity of the financial statements, performed in accordance with corporate IT governance compliance, to accommodate international technology and IT governance best practice. Unit of manager is Unit Supply Center.
• End User Computing
Policies and/or procedures that govern End User Computing related to the integrity of the financial statements. Unit of manager is BPO.

The IT assets related to the assurance of the financial statements to support compliance with the Sarbanes-Oxley Act agreement (SOA) are as follows:
• Hardware
Telecommunications infrastructure such as exchanges (central), transmission, satellite, and the nationwide backbone network to the last mile at the customer's premises.
• Software
Billing system, Customer Relationship Management (CRM) application for customer service, network management system, provisioning system, server services (content and value added services), ERP (for internal operations management including the financial system, from revenue, treasury, taxation and capex/opex to financial reporting).
• Human Resources (HR)
Telecommunications experts in customer access, transmission, optical backbone and satellite; marketing and business experts; and the company's internal management system.

Each IT business process and asset involved in the achievement of the IT objectives will certainly pose an IT risk, whose effects can influence the achievement of corporate goals. Therefore it is necessary to anticipate IT risks by identifying the failures of every business process. The identification technique used is based on Failure Mode and Effect Analysis (FMEA). FMEA techniques are used in the identification of IT risks with the following considerations.
• FMEA can be used widely in all areas: software, hardware, processes, et cetera.
• An important prerequisite for the use of FMEA is the clarity of the business process [1]. The availability of information and surveyed data at PT. Telekomunikasi Indonesia, Tbk. on the business processes related to the IT goals and strategy is fairly complete and clear.
• The result of FMEA is a list of failures, their possibilities and their impact on the achievement of corporate goals [8]. This is in accordance with the conditions where risk identification is carried out per significant business process that affects the sustainability/corporate goals.

4) Step 4: Proposed IT risk management framework based on ISO 31000
The proposed IT risk management framework can be seen in Appendix A Fig. 6.

5) Step 5: Testing of the IT risk management framework
Tests are conducted through Focus Group Discussion (FGD), which is based on the expert opinion (expert judgment) of PT. Telekomunikasi Indonesia, Tbk. FGDs were conducted with three groups, namely IT Solutions and Strategy Portfolio (ITSP) as the holder of the business process, Compliance Risk Management (CRM), which establishes the risk methodology in the corporation, and the Information Technology Center (ITC).

D. Demonstration
The test is performed through a Focus Group Discussion (FGD). This was done with the following considerations: researcher and examiners can hold intensive discussions on a very specific topic, so the researcher can find the arguments, perceptions, attitudes and experience behind the examiners' expert opinion/judgment; and the examination process can be done in a relatively short time period.
The assessment plan was done with 12 (twelve) experts, in accordance with the recommendations of ITGI and the FGD determination. The FGD was attended by 10 examiners who came from three divisions (IT Strategy Portfolio, Compliance Risk Management and IT Center); a total of 4 FGD meetings were held between February 13th and 17th, 2012 at PT. Telekomunikasi Indonesia, Tbk. The sampling technique used in the research was purposive sampling; this technique was used with the consideration that it is suitable for case studies based on judgment and expert opinion (expert judgment) [10].

TABLE III
RATING OF THE PROPOSED PRINCIPLES
No | The proposed principle                                          | Score | Average
1  | IT risk awareness                                               | 43    | 4.3
2  | IT risk management is integrated with corporate risk management | 47    | 4.7
3  | Transparent and inclusive                                       | 50    | 5.0
4  | Create IT value                                                 | 47    | 4.7
5  | Oversight of IT projects                                        | 47    | 4.7
6  | IT controls to support financial reporting                      | 47    | 4.7
7  | Ensure the security of the system                               | 47    | 4.7

To be clearer, the average values in TABLE III are plotted on a graph, as shown in Fig. 4.

Fig. 4 Assessment of IT Risk Management Principles (Average Value)

The other IT risk management principle, systematic, structured and timely, was examined in the form of open questions. The examiners consider that systematic, structured and timely can be used as a risk management principle, with the argument that IT risk management should be implemented according to the time planned and the budgeted costs, and be supported by adequate human resources (experts).
The results of the assessment and discussion with the examiners that are important to mention about the IT risk management principles are as follows:
• The proposed principles can be used as the principles of risk management, but are not limited to the 8 proposed principles. Other principles can also be developed, such as: part of the process of decision making, and avoiding surprises.
• Business ethics can be used as principles of risk management, with the reasoning that good values such as honesty, transparency and integrity will mitigate the risk of fraud. Risk management is essentially an implementation of the corporate culture that can oversee the achievement of corporate goals, and information dissemination efforts will be more effective. The examiners stated that it was appropriate that the proposed principles derived from the company's business ethics were analyzed using the principles of ISO 31000.

TABLE IV
RESULT OF ASSESSMENT OF THE PROPOSED IT RISK IDENTIFICATION AND ANALYSIS PROCESS
No | The proposed process            | Score | Average
1  | Reviewing business processes    | 47    | 4.7
2  | Identification of all failures  | 47    | 4.7
3  | Compile a list of risks         | 47    | 4.7
4  | Assessment of the possibilities | 48    | 4.8
5  | Impact assessment               | 48    | 4.8
6  | Mitigation/treatment            | 50    | 5.0
7  | Early detection/control         | 47    | 4.7

To be clearer, the average values in TABLE IV are plotted on a graph, as shown in Fig. 5. The result of the assessment and discussion with the examiners that is important to mention about the IT risk identification and analysis process is that the proposed framework is too general, so it is still not able to detect possible fraud; a deeper framework preparation is therefore necessary for fraud detection.

Fig. 5 Graph of the Assessment of the IT Risk Identification and Analysis Process (Average Value)

E. Evaluation
Based on the examination results, the evaluation of the design of the IT risk management framework is developed. The initial stage is the identification and mapping of the risk analysis using FMEA techniques and SOA section 404, as shown in TABLE V.

TABLE V
RISK ASSESSMENT PROCESS: FMEA COMPARED WITH SOA SECTION 404 (source [11,12,13])
Step | FMEA                                             | SOA Section 404
1    | Identify the components and related functions    | Identify significant accounts and disclosures
2    | Identify the failure mode                        | Identify the process/business cycle and sub-processes/sub-cycles and map them to significant accounts and disclosures
3    | Identify the effects of failure                  | Identify the relevant financial statement assertions for each significant account and disclosure
4    | Determine the severity/gravity of the failure    | Perform business risk assessment of sub-processes/sub-cycles
5    | Identify the cause of failure                    | Complete the list of locations or business units
6    | Determine the probability/possibility of failure | Identify the locations based on examination and assessment coverage
7    | Identify the control                             | Map locations to the process/business cycles and sub-processes/sub-cycles previously identified
8    | Determine the effectiveness of the control       | -
9    | Calculate the risk priority (RPN)                | -
10   | Determine measures to reduce the risk of failure | -

Based on the mapping, the proposed IT risk management framework is shown in Appendix A Fig. 7. Explanation of the IT risk analysis process:
a) Determine the significant risk factors of each business sub-process.
Examples of risk factors [12] are: the impact on the financial statements; the complexity of the system; the frequency of transactions; the centralization of the process; and the risks inherent in the process.
b) Determine the risk level of each risk factor.
The categories are defined as follows [12].
• High: a high possibility of misstatements, or the balance sheet has a material impact on the financial statements.
• Medium: the possibility of misstatements in a certain section of the financial statements is moderate, or the error rate is average.
• Low: the process is easy, and misstatements have minimal impact on the financial statements.
c) Determine the risk level of the sub-processes based on the risk factors.
Establish the overall risk rating (high, medium or low) for each sub-process.
d) Assessment of the likelihood of IT risk.
Criteria of the possibility (likelihood):
• Low: the possibility of the future risk is small.
• Moderate: the future risk may still occur.
• High: the future risk is still very possible.
e) Assessment of the impact of IT risk.
The assessment of the impact level is the approximate magnitude of the negative impact on the business processes, resulting from the financial statements, when an error occurs.
• Insignificant
- The process does not directly relate to the recording of significant accounts in the ledger.
- There is potential for fraud in the process of financial report misstatements that causes an insignificant amount.
• Significant
- The recording process is directly related to one or more significant accounts in the ledger.
- There is potential for fraud in the reporting process that leads to a number of significant misstatements.
• Material
- The recording process is directly related to one or more significant accounts in the ledger.
- There is potential for fraud in the financial reporting process that causes a material amount of misstatement.
(source: Telkom data)

f) Calculate the priority level of each IT risk.
The priority is based on the impact and the possibility. The criteria for the risk rating are as follows:

TABLE VI
CRITERIA FOR PRIORITY/LEVEL OF RISK
Criteria                  | Impact: Insignificant (1) | Significant (2) | Material (3)
Possibility: High (3)     | Moderate (3.1)            | High (3.2)      | High (3.3)
Possibility: Moderate (2) | Low (2.1)                 | Moderate (2.2)  | High (2.3)
Possibility: Low (1)      | Low (1.1)                 | Low (1.2)       | Moderate (1.3)

g) Documenting the analysis
Document the results of the risk analysis, including the implementation process, the risk ratings that need treatment, and the risk profile.

F. Communication
The results of the study are documented in the form of scientific writing and research reports published as a paper. The contribution of this research is the development of an IT risk management framework integrated with ERM, focused on the assurance of the financial statements to support compliance with the Sarbanes-Oxley Act agreement.

IV. CONCLUSIONS
After doing research on the development of an IT risk management framework based on ISO 31000, it can be concluded as follows. The IT risk management framework that is designed covers the principles, the process of identification and the risk analysis of IT processes. The principles of the proposed IT risk management are obtained by mapping the company's business ethics, IT objectives and strategy to the risk management principles of ISO 31000. The process of identification and analysis of IT risk is obtained by mapping the results of the FMEA risk assessment technique in ISO 31000:2009 and SOA section 404; based on the results of the examination, the IT risk management framework has been designed in accordance with the requirements related to the company's financial statements to support compliance with the Sarbanes-Oxley Act (SOA); the examination was conducted through FGDs at PT. Telekomunikasi Indonesia, Tbk. The results for the proposed principles of IT risk management obtained a minimum assessment score of 43 with an average score of 4.3 and a maximum of 50 with an average of 5.0. For the IT risk identification and analysis, the assessment scores obtained were a minimum of 47 with an average score of 4.7 and a maximum of 50 with an average of 5.0. The main issue in the IT risk management framework is the presence of IT internal controls, which play an important part/role in Enterprise Risk Management.
The IT risk management framework based on ISO 31000:2009 remains to be studied further. Some suggestions can be underlined for further improvement and development: the proposed framework is not designed as a whole architecture (principles, framework and process), so it is possible to develop it in further research; this framework has not been implemented, so an assessment cannot be made of its efficiency and effectiveness; this framework is also limited to the fulfillment of SOA agreements related to financial reporting, so it is possible to develop it in a broader study; and the framework examination was conducted in only one case study, so it is possible to examine it elsewhere in companies engaged in the same field.

ACKNOWLEDGMENT
The authors wish to thank PT. Telekomunikasi Indonesia, Tbk. for their thoughtful support and encouragement during the research.

REFERENCES
[1] Susilo, L., and Kaho, V., Manajemen Risiko Berbasis ISO 31000 Untuk Industri Non Perbankan, Penerbit PPM, Jakarta, 2010.
[2] Shortreed, J., "Enterprise Risk Management and ISO 31000", The Journal of Policy Engagement, vol. 2, no. 3, 2010.
[3] (2011) The ISACA website. [Online]. Available: http://www.isaca.org/
[4] (2011) The ITGI website. [Online]. Available: http://www.itgi.org/
[5] (2011) The ISO website. [Online]. Available: http://www.iso.org/
[6] Nocco, B., and Stulz, R., "Enterprise Risk Management: Theory and Practice", Journal of Applied Corporate Finance, vol. 18, no. 4, 2006.
[7] Peffers, K., Tuunanen, T., Rothenberger, M., and Chatterjee, S., "A Design Science Research Methodology for Information Systems Research", Journal of Management Information Systems, vol. 24, pp. 45-78, 2007.
[8] Susilo, L., Tantangan Penerapan ISO 31000:2009: Risk Management-Principles and Guideline, General lecture in Manajemen Risiko TI, 2011.
[9] (2011) The TELKOM website. [Online]. Available: http://www.telkom.co.id/
[10] Riduwan, Metode dan Teknik Menyusun Tesis, Penerbit Alfabeta, Bandung, 2008.
[11] (2011) Failure Modes & Effects Analysis. [Online]. Available: http://www.fmeainfocentre.com/
[12] (2012) The Institute of Internal Auditors website. [Online]. Available: http://www.theiia.org/
[13] (2012) The Sarbanes-Oxley Act website. [Online]. Available: http://www.sox-expert.com/

Appendix A

Fig. 6. Proposed IT risk management framework based on ISO 31000:2009

Fig. 7. IT risk management framework based on ISO 31000 (test results)
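The IT risk analysis procedure of section III.E, steps a) to g), carried through in code as an added example that is not part of the paper: risk-factor rating, the sub-process level, likelihood and impact, the TABLE VI priority matrix, and the documented risk profile. The three sample sub-processes and their ratings are constructed, and aggregating risk factors by their highest level in step c) is an assumption, since the paper does not state the rule it applied.

```python
"""IT risk analysis steps a) to g): rate risk factors per sub-process, derive
the sub-process level, assess likelihood and impact, read the priority off
the TABLE VI matrix and document the result.  Sample data is constructed;
"highest factor level wins" in step c) is an assumption, not the paper's rule."""
from dataclasses import dataclass
from typing import Dict, List

# Step b) risk-factor levels [12]; step d) likelihood; step e) impact.
FACTOR_LEVEL = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}
IMPACT = {"insignificant": 1, "significant": 2, "material": 3}

# TABLE VI, step f): (possibility code, impact code) -> priority/level of risk.
PRIORITY = {
    (3, 1): "moderate", (3, 2): "high",     (3, 3): "high",      # 3.1 - 3.3
    (2, 1): "low",      (2, 2): "moderate", (2, 3): "high",      # 2.1 - 2.3
    (1, 1): "low",      (1, 2): "low",      (1, 3): "moderate",  # 1.1 - 1.3
}
PRIORITY_RANK = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class SubProcess:
    name: str
    owner: str                    # the "unit of manager" in the paper
    risk_factors: Dict[str, str]  # steps a)/b): factor -> low/medium/high
    likelihood: str               # step d)
    impact: str                   # step e)


def _code(scale: Dict[str, int], value: str, what: str) -> int:
    """Map a textual rating to its code, rejecting values off the scale."""
    try:
        return scale[value.strip().lower()]
    except KeyError:
        raise ValueError(f"{what} {value!r} not in {sorted(scale)}") from None


def sub_process_level(risk_factors: Dict[str, str]) -> str:
    """Step c): overall risk rating of a sub-process from its risk factors.
    Assumption: the highest factor level sets the sub-process level."""
    if not risk_factors:
        raise ValueError("a sub-process needs at least one risk factor")
    worst = max(_code(FACTOR_LEVEL, v, "risk factor level")
                for v in risk_factors.values())
    return next(name for name, code in FACTOR_LEVEL.items() if code == worst)


def priority_level(likelihood: str, impact: str) -> str:
    """Step f): TABLE VI lookup, possibility on the rows, impact on columns."""
    return PRIORITY[(_code(LIKELIHOOD, likelihood, "likelihood"),
                     _code(IMPACT, impact, "impact"))]


def analyse(sub_processes: List[SubProcess]) -> List[dict]:
    """Step g): one documented record per sub-process, highest priority first."""
    records = [{
        "sub_process": sp.name,
        "owner": sp.owner,
        "risk_level": sub_process_level(sp.risk_factors),
        "likelihood": sp.likelihood.lower(),
        "impact": sp.impact.lower(),
        "priority": priority_level(sp.likelihood, sp.impact),
    } for sp in sub_processes]
    # sort() is stable, so equal priorities keep their input order
    records.sort(key=lambda r: PRIORITY_RANK[r["priority"]], reverse=True)
    return records


def needs_treatment(records: List[dict], threshold: str = "moderate") -> List[str]:
    """Risk profile part of step g): sub-processes at or above the threshold."""
    floor = PRIORITY_RANK[threshold]
    return [r["sub_process"] for r in records
            if PRIORITY_RANK[r["priority"]] >= floor]


# Constructed sample: three sub-processes from the business-process list of
# section III.C.3.b, with hypothetical factor, likelihood and impact ratings.
SAMPLE = [
    SubProcess("Manage the change", "UPTI",
               {"impact on the financial statements": "high",
                "complexity of the system": "medium",
                "frequency of transactions": "low"},
               likelihood="moderate", impact="material"),
    SubProcess("Manage the configuration", "Unit Supply Center",
               {"impact on the financial statements": "low",
                "risks inherent in the process": "medium"},
               likelihood="low", impact="significant"),
    SubProcess("Control authentication and access rights", "BPO and UPTI",
               {"impact on the financial statements": "high",
                "centralization of the process": "high"},
               likelihood="high", impact="insignificant"),
]

if __name__ == "__main__":
    for r in analyse(SAMPLE):
        print(f"{r['priority']:<8} level={r['risk_level']:<6} {r['sub_process']}")
    print("needs treatment:", needs_treatment(analyse(SAMPLE)))
```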
