
Designing Information Security Governance Recommendations and Roadmap Using COBIT 2019 Framework and ISO 27001:2013
(Case Study Ditreskrimsus Polda XYZ)

Muhammad Yasin
School of Electrical Engineering and Informatics, Bandung Institute of Technology, Bandung, Indonesia
muhammadyasin@students.itb.ac.id

Arry Akhmad Arman
School of Electrical Engineering and Informatics, Bandung Institute of Technology, Bandung, Indonesia
aa@lss.ee.itb.ac.id

Ian Joseph M. Edward
School of Electrical Engineering and Informatics, Bandung Institute of Technology, Bandung, Indonesia
telematics@gmail.com

Wervyan Shalannanda
School of Electrical Engineering and Informatics, Bandung Institute of Technology, Bandung, Indonesia
wervyan@stei.itb.ac.id

Abstract— Technology has been applied in all areas of Polri's duties. However, this use of technology is not yet matched by a corresponding capability level in information security management. For this reason, it is necessary to design recommendations and an ideal information governance roadmap based on COBIT 2019 and ISO/IEC 27001:2013 concerning Information Security Management Systems (ISMS). The design is carried out in the six stages of the Design Science Research Methodology (DSRM): identify problems and motivate, define objects of a solution, design and development, demonstration, evaluation, and communication. By mapping ISO/IEC 27001:2013 into COBIT 2019, 29 domains of the COBIT 2019 core model were selected, which became the basis for designing and assessing the information security management capability level at Ditreskrimsus Polda XYZ. The recommendations were formulated from the assessment results. They produced the model of organizational structure, human resources, and policies and procedures that must be applied at Ditreskrimsus Polda XYZ, in the form of a roadmap covering 2021-2025, for managing information security. This research contributes an information security governance design.

Keywords—governance, information security, roadmap, COBIT 2019, ISO/IEC 27001:2013

I. INTRODUCTION

The utilization of information technology has a pivotal role in supporting the Indonesian National Police in performing its duties. Presidential Instruction No. 3 of 2003 concerning national policies and strategies for the development of e-government states that the utilization of communication and information technology in the governance process will increase the efficiency, effectiveness, transparency, and accountability of government administration. In addition, Presidential Regulation No. 95 of 2018 concerning the electronic-based government system (SPBE) also regulates information technology utilization to create an open, participative, innovative, and accountable government. It will improve the quality and reach of public service to the community and decrease the abuse of power in collusion, corruption, and nepotism through the implementation of an electronic-based community monitoring and reporting system.

In the Decree of the Chief of the Indonesian National Police No. Pol. SKEP/360/IV2005 dated 10 June 2005 concerning the grand strategy of the Indonesian National Police for 2005-2025, the third phase, covering 2016 to 2025, details the strategic goals that the National Police must meet in using technology at every level based on task field. The National Police has utilized technology at every level in performing its duties. However, in practice, the capability level of the governance currently applied is not ideal for managing information security. Therefore, this research formulated a five-year roadmap of information security governance recommendations.

Several previous studies on information management and security have been conducted [1], [2], [3], [4], [5], [6], [7]. These studies used the COBIT framework and ISO/IEC 27001:2013, which regulates the Information Security Management System (SMKI). This research uses the COBIT 2019 framework, which is the updated version of COBIT 5. It is combined with ISO/IEC 27001:2013, which regulates the Information Security Management System (SMKI), to design and recommend information security governance for Ditreskrimsus Polda XYZ. This research also assesses the capability level of information security management at Ditreskrimsus Polda XYZ.

The results are then used as a foundation for making recommendations and a roadmap that should be met and implemented to achieve ideal information security governance at capability level three.

There are four sections in this paper. Section II details the research methodology used. Section III describes the recommendations about organizational structure, human resource acquisition, and policies that should be

978-1-7281-7598-0/20/$31.00 ©2020 IEEE

complied with to achieve capability level three. The last section, Section IV, describes the proposed information security management roadmap and some gaps in this research that may be explored in future work.

II. METHODOLOGY

This research uses the Design Science Research Methodology (DSRM), an information-system-oriented methodology [8] and a procedural framework that facilitates information technology research. It is used in the understanding process and in identifying and evaluating the research result [9]. The schematic of the research methodology in Fig. 1 shows the stages carried out in this research.

Fig. 1. Research methodology schemes.

A. Problem Identification & Motivation

This stage defines the specifications of the research problem and searches for solutions to that problem. The purpose of this stage is to obtain a specific formulation of the problem related to information security. This section seeks a solution focused on Ditreskrimsus Polda XYZ.

B. Define The Object For a Solution

This stage determines the purpose of the formulation of the problem related to information security governance. This purpose is expected to be better than the current condition, or it can be a new artefact that supports the resolution of the information security problem.

C. Design & Development

This stage describes the creation of the artefact, or the development and design of a model, method, or new trait from technical, social, or information resources, by mapping the clauses and control objectives of ISO/IEC 27001:2013 into the COBIT 2019 core model domains, as specified in TABLE I. This research chooses the COBIT core model domains using the COBIT 2019 [10] goals cascade and design factors. Therefore, the model's design and the assessment of the capability level of information security governance are based on the selected COBIT 2019 core model domains.

TABLE I. MAPPING ISO/IEC 27001:2013 TO COBIT 2019.

| Scope | Control Objectives | COBIT 2019 Core Model |
| 1. Information security policies. | 1. Management direction for information security. | EDM |
| 2. Organization of information security. | 2. Internal organization. | EDM |
| | 3. Mobile devices and teleworking. | EDM |
| 3. Human resource security. | 4. Prior to employment. | APO 07 |
| | 5. During employment. | APO 07 |
| | 6. Termination and change of employment. | APO 07 |
| 4. Asset management. | 7. Responsibility for assets. | BAI 09 |
| | 8. Information classification. | BAI 09 |
| | 9. Media handling. | BAI 09 |
| 5. Access control. | 10. Business requirements of access control. | DSS 05 |
| | 11. User access management. | DSS 05 |
| | 12. User responsibilities. | DSS 05 |
| | 13. System and application access control. | DSS 05 |
| 6. Cryptography. | 14. Cryptographic controls. | DSS 05 |
| 7. Physical and environmental security. | 15. Secure areas. | DSS 05 |
| | 16. Equipment. | DSS 05 |
| 8. Operations security. | 17. Operational procedures and responsibilities. | DSS 01 |
| | 18. Protection from malware. | DSS 05 |
| | 19. Backup. | APO 14 |
| | 20. Logging and monitoring. | DSS 05 |
| | 21. Control of operational software. | DSS 05 |
| | 22. Technical vulnerability management. | DSS 05 |
| | 23. Information systems audit considerations. | MEA 04 |
| 9. Communications security. | 24. Network security management. | DSS 05 |
| | 25. Information transfer. | DSS 05 |
| 10. System acquisition, development and maintenance. | 26. Security requirements of information systems. | APO 13 |
| | 27. Security in development and support processes. | APO 04 |
| | 28. Test data. | APO 14 |
| 11. Supplier relationships. | 29. Information security in supplier relationships. | APO 10 |
| | 30. Supplier service delivery management. | APO 10 |
| 12. Information security incident management. | 31. Management of information security incidents and improvements. | DSS 05 |
| 13. Information security aspects of business continuity management. | 32. Information security continuity. | DSS 04 |
| | 33. Redundancies. | DSS 04 |
| 14. Compliance. | 34. Compliance with legal and contractual requirements. | MEA 03 |
| | 35. Information security reviews. | APO 13 |

The assessment refers to the COBIT 2019 governance and management objectives, based on the COBIT 2019 governance components, which refer to the process, the fulfilment of human resources, and the I&T governance policies derived from the processes and activities in each selected COBIT 2019 core model domain.

D. Demonstration

In this stage, the COBIT 2019 core model domains selected from the design results are implemented and used to assess the capability level against a target of level three. This assessment reveals the disparity between the expected information security management and the management currently implemented at Ditreskrimsus Polda XYZ.

E. Evaluation

In this stage, the information security governance model that we have implemented at Ditreskrimsus Polda XYZ is observed, measured, and improved. The assessment conducted in the demonstration stage produces the disparity level that becomes the basis for deciding the recommended activities to be carried out by Ditreskrimsus Polda XYZ.

F. Communication

In this stage, the assessment results communicate their effectiveness in providing a solution for the creation of an information security governance roadmap for Ditreskrimsus Polda XYZ. This stage is closed with a conclusion and suggestions.

III. RESULT AND DISCUSSION

Mapping ISO/IEC 27001:2013 into COBIT 2019 generated 29 selected COBIT 2019 core model domains. We then used the selected domains to evaluate the capability level of the current information security management. The results of the evaluation are:

1. EDM 01 at 1.8, EDM 03 at 1.3, and EDM 05 at 1.7;
2. APO 01 at 1.8, APO 03 at 1.2, APO 04 at 1.4, APO 07 at 2.3, APO 08 at 2.2, APO 09 at 2.3, APO 10 at 0.9, APO 11 at 1.4, APO 12 at 1.3, APO 13 at 0.1, and APO 14 at 1.2;
3. BAI 06 at 1.0, BAI 07 at 0.8, BAI 08 at 1.0, BAI 09 at 2.3, and BAI 10 at 1.1;
4. DSS 01 at 1.4, DSS 02 at 1.1, DSS 03 at 1.1, DSS 04 at 1.6, DSS 05 at 0.9, and DSS 06 at 0.9; and
5. MEA 01 at 2.6, MEA 02 at 2.2, MEA 03 at 2.7, and MEA 04 at 2.1.

The results of this assessment show that the information security governance at Ditreskrimsus Polda XYZ has not yet reached the target capability level 3. Capability level 3 is fulfilled when a defined process or activity achieves its objectives in a much more organized manner, using organizational assets, and is well defined.

The design of the information security governance recommendations and roadmaps for organizational structure, human resources fulfilment, and information security policies used the selected COBIT 2019 core model domains to achieve capability level three in each domain. Fig. 2 shows the recommended organizational structure revision, which adds the job descriptions of 12 sections to the Ditreskrimsus Polda XYZ organizational structure based on the COBIT 2019 organizational structures. The organizational structure is written in Indonesian.

Fulfilling the position composition shown in Fig. 2 requires 36 human resources. The recommendations for the fulfilment of human resources are compiled in the form of a roadmap, as shown in TABLE II. The fulfilment begins in 2021 with 11 personnel in 2022, 8 personnel in 2023, 8 personnel in 2024, and 5 personnel in 2025. The positions are written in Indonesian.

Fig. 2. Recommended information security governance structure.

TABLE II. RECOMMENDATION HUMAN RESOURCES

| No | Position | 2021 | 2022 | 2023 | 2024 | 2025 |
| 1. | CEO | - | - | - | - | - |
| 2. | CISO | - | - | - | - | - |
| 3. | PO | - | 1 | - | - | - |
| 4. | Panit PO | - | - | 1 | - | - |
| 5. | Banum Unit PO | - | 1 | - | 1 | - |
| 6. | ISM | 1 | - | - | - | - |
| 7. | Panit ISM | - | 1 | - | - | - |
| 8. | Banum Unit ISM | 1 | - | 1 | - | - |
| 9. | LC | - | 1 | - | - | - |
| 10. | Panit LC | - | - | 1 | - | - |
| 11. | Banum Unit LC | - | 1 | - | - | 1 |
| 12. | COO & BCM | - | - | - | - | - |
| 13. | CTO & CDO | 1 | - | - | - | - |
| 14. | Paur CTO & CDO | - | - | 1 | - | - |
| 15. | Banum CTO & CDO | 1 | - | - | 1 | - |
| 16. | CRO & CIO | 1 | - | - | - | - |
| 17. | Paur CRO & CIO | - | 1 | - | - | - |
| 18. | Banum CRO & CIO | 1 | - | 1 | - | - |
| 19. | HIA | - | - | - | - | - |
| 20. | PM | 1 | - | - | - | - |
| 21. | Pamin PM | - | 1 | - | 1 | - |
| 22. | Banum PM | 1 | - | 1 | 1 | 1 |
| 23. | SM | 1 | - | - | - | - |
| 24. | Pamin SM | - | 1 | - | - | 1 |
| 25. | Banum SM | 1 | - | 1 | 1 | 1 |
| 26. | CFO | - | - | - | - | - |
| 27. | Pamin CFO | 1 | - | 1 | - | - |
| 28. | Banum CFO | - | - | - | - | - |
| | Total | 11 | 8 | 8 | 5 | 4 |

In reaching the target of capability level 3 in information security governance, the policies related to information security governance are also evaluated, together with the organizational structure and human resources. Every process of the information security governance conducted is arranged in the form of policy recommendations, as shown in TABLE III, which include the I&T process management and the standardized determination and implementation of every I&T process and its security. These policies are created based on the COBIT 2019 core model domains that have been selected and evaluated. These selection and evaluation processes generated 29 policies that must be implemented. These policies are set in the form of a roadmap, as shown in TABLE III.

TABLE III. GOVERNANCE POLICY RECOMMENDATIONS (each X marks one scheduled year of the 2021-2025 roadmap; the specific year column of each mark is not legible in this copy).

| Governance Policy | Roadmap 2021-2025 |
| I&T governance area policy. | |
| Setting up and maintaining I&T governance framework policy. | X X |
| Managed risk optimization policy. | X |
| Stakeholder engagement policy. | X |
| Aligning, planning and organizing I&T policy. | |
| I&T management framework management policy. | X |
| Company architecture management policy. | X |
| Innovation management policy. | X |
| Human resource management policy. | X |
| Relationship management policy. | X |
| Service notification management policy. | X |
| I&T procurement management policy. | X X |
| Service quality management policy. | X X |
| Risk management policy. | X |
| Information security management policy. | X X |
| Data management policy. | X X |
| Establishing and implementing I&T policy. | |
| I&T change management policy. | X X |
| Management for I&T change acceptance and transition policy. | X X |
| Organizational knowledge and information management policy. | X X |
| I&T asset classification and management policy. | X |
| Configuration management between resources policy. | X X |
| I&T delivery, service, and support policy. | |
| Operational management policy. | X |
| Service request and incident management policy. | X X |
| Problem management policy. | X X |
| Business sustainability management policy. | X X |
| Service security management policies. | X X |
| Business process control management policy. | X X |
| I&T monitoring, evaluation and assessment policy. | |
| Performance and compliance monitoring policy. | X |
| Internal control system management policy. | X |
| Compliance management with external requirements policy. | X |
| Assurance management policy. | X |

IV. CONCLUSIONS AND FUTURE WORK

The evaluation of information security governance using the 29 selected COBIT 2019 core model domains shows that the capability level of Ditreskrimsus Polda XYZ has not reached capability level three. To achieve that level, Ditreskrimsus Polda XYZ has to implement the recommendations in the form of a roadmap. The recommendations cover organizational structure, human resources acquisition, and processes and activities in the form of policies and procedures that must be met between 2021 and 2025.

This research does not discuss risk management recommendations as referred to in ISO/IEC 27005:2018 regarding Information Security Risk Management, COSO ERM 2017, and other risk management frameworks. This is an opportunity for future research to enhance the recommended roadmap.

REFERENCES

[1] R. E. Putri, "Penilaian Kapabilitas Proses Tata Kelola TI Berdasarkan Proses DSS01 Pada Framework COBIT 5," Jurnal CoreIT, vol. 2, no. 1, pp. 41-54, 2016.
[2] H. Tanuwijaya and R. Sarno, "Comparation of CobiT Maturity Model and Structural Equation Model for Measuring the Alignment between University Academic Regulations and Information Technology Goals," International Journal of Computer Science and Network Security, vol. 10, no. 6, pp. 80-92, 2010.
[3] P. G. Anarkhi, A. H. N. Ali and I. Kurnia, "Penyusunan Perangkat Audit Keamanan Informasi Aplikasi Berbasis Web Menggunakan ISO/IEC 27001 Klausul Kendali Akses," Jurnal Teknik POMITS, vol. 1, no. 1, pp. 1-5, 2013.
[4] T. Kristanto, R. Arief and N. F. Rozi, "Perancangan Audit Keamanan Informasi Berdasarkan Standar ISO 27001:2005 (Studi Kasus: PT Adira Dinamika Multi Finance)," in Seminar Nasional Sistem Informasi Indonesia, Surabaya, 2014.

[5] V. S. Kasma, S. Sutikno and K. Surendro, "Design of e-Government Security Governance System Using COBIT 2019: (Trial Implementation in Badan XYZ)," in 2019 International Conference on ICT for Smart Society (ICISS), Bandung, 2019.
[6] A. Aginsa, I. Y. M. Edward and W. Shalannanda, "Enhanced information security management system framework design using ISO 27001 and Zachman framework - A study case of XYZ company," in 2016 2nd International Conference on Wireless and Telematics (ICWT), Yogyakarta, 2016.
[7] I. K. Nisrina, I. J. M. Edward and W. Shalannanda, "IT governance framework planning based on COBIT 5 case study: secured internet service provider company," in 2016 2nd International Conference on Wireless and Telematics (ICWT), Yogyakarta, 2016.
[8] F. Nabyla, Penelitian Desain pada Pengembangan Sistem Pendaftaran Pasien Layanan Poliklinik Menggunakan SmartPhone di RSUI Harapan Anda, Yogyakarta: Universitas Islam Indonesia, 2018.
[9] K. Peffers, T. Tuunanen, M. A. Rothenberger and S. Chatterjee, "A Design Science Research Methodology for Information Systems Research," Journal of Management Information Systems, vol. 24, no. 3, pp. 45-77, 2014.
[10] Information Systems Audit and Control Association, COBIT 2019 Framework: Introduction and Methodology, ISACA, 2018.

