07 SoA-final Ok
SOA/2021
SoA (Statement of Applicability) against the requirements of ISO 27001:2013
Dinas Penanaman Modal dan PTSP Jawa Timur
SCOPE: DPMPTSP DATABASE
Effective date: 24 June 2021
Revision: 1
| No. | Control | Control objective | Required by UU ITE (2016) | Identified in Risk Register | Adopted (√) / Excluded (X) | Explanation of adoption |
|---|---|---|---|---|---|---|
| A.5.1.1 | Policies for information security | A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant parties | | √ | √ | Reason for adoption: 1) provide general guidance for running the ISMS; 2) obtain commitment from all stakeholders to run the ISMS effectively; 3) meet the requirements of ISO 27001:2013 |
| A.5.1.2 | Review of the policies for information security | The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness | | √ | √ | Reason for adoption: 1) review the effectiveness of ISMS implementation; 2) meet the requirements of ISO 27001:2013 |
| A.6.1.1 | Information security roles and responsibilities | All information security responsibilities shall be defined and allocated | | √ | √ | Reason for adoption: 1) define the organisation's roles and responsibilities in the ISMS; 2) meet the requirements of ISO 27001:2013 |
| A.6.1.2 | Segregation of duties | Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets | | √ | √ | Reason for adoption: 1) define the organisation's roles and areas of responsibility in the ISMS; 2) meet the requirements of ISO 27001:2013 |
| A.6.1.3 | Contact with authorities | Appropriate contacts with relevant authorities shall be maintained | | √ | √ | Reason for adoption: 1) define the list of key contacts needed to run the ISMS; 2) meet the requirements of ISO 27001:2013 |
| A.6.1.4 | Contact with special interest groups | A management authorization process for new information processing facilities shall be defined and implemented | | √ | √ | Reason for adoption: 1) define roles and membership in information security forums / organisations; 2) meet the requirements of ISO 27001:2013 |
| A.6.1.5 | Information security in project management | Information security shall be addressed in project management, regardless of the type of the project | | √ | √ | Reason for adoption: 1) define that the ISMS must be applied in every new project; 2) meet the requirements of ISO 27001:2013 |
| A.6.2.1 | Mobile device policy | A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices | | √ | √ | Reason for adoption: 1) define the mobile device usage procedure (method of using mobile computers); 2) meet the requirements of ISO 27001:2013 |
| A.6.2.2 | Teleworking | A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites | | √ | √ | Reason for adoption: 1) define the teleworking procedure (including the method for requesting teleworking); 2) meet the requirements of ISO 27001:2013 |
| A.7.1.1 | Screening | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks | | √ | √ | Reason for adoption: 1) define a screening procedure for new employees in line with the law applicable in Indonesia (SKCK police clearance certificate); 2) define an employee screening procedure for educational background and skills; 3) meet the requirements of ISO 27001:2013 |
| A.7.1.2 | Terms and conditions of employment | The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security | | √ | √ | Reason for adoption: 1) apply an NDA (Non-Disclosure Agreement) to all employees; 2) meet the requirements of ISO 27001:2013 |
| A.7.2.1 | Management responsibilities | Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization | | √ | √ | Reason for adoption: 1) define the hierarchy of procedures and work controls; 2) define the organisational structure; 3) meet the requirements of ISO 27001:2013 |
| A.7.2.2 | Information security awareness, education and training | All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function | | √ | √ | Reason for adoption: 1) define guidance for delivering and evaluating awareness for employees; 2) meet the requirements of ISO 27001:2013 |
| A.7.3.1 | Termination or change of employment responsibilities | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced | | √ | √ | Reason for adoption: 1) define the procedure for changing employee responsibilities due to rotation/resignation; 2) define the work handover procedure; 3) meet the requirements of ISO 27001:2013 |
| A.8.1.2 | Ownership of assets | Assets maintained in the inventory shall be owned | | √ | √ | Reason for adoption: 1) define the asset ownership procedure; 2) meet the requirements of ISO 27001:2013 |
| A.8.1.3 | Acceptable use of assets | Rules for acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented | | √ | √ | Reason for adoption: 1) define the procedure for use of assets by employees; 2) meet the requirements of ISO 27001:2013 |
| A.8.1.4 | Return of assets | All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement | | √ | √ | Reason for adoption: 1) define the procedure for return of assets by employees; 2) meet the requirements of ISO 27001:2013 |
| A.8.2.1 | Classification of information | Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification | | √ | √ | Reason for adoption: 1) define the information classification procedure; 2) meet the requirements of ISO 27001:2013 |
| A.8.2.2 | Labelling of information | An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization | | √ | √ | Reason for adoption: 1) define the procedure and method for labelling information; 2) meet the requirements of ISO 27001:2013 |
| A.8.2.3 | Handling of assets | Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization | | √ | √ | Reason for adoption: 1) define the method for handling, processing, storing and communicating information according to its classification; 2) define the method for handling, processing, storing and communicating assets (other than information) according to their type classification; 3) meet the requirements of ISO 27001:2013 |
| A.8.3.1 | Management of removable media | Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization | | √ | √ | Reason for adoption: 1) define the method for handling media according to asset type; 2) meet the requirements of ISO 27001:2013 |
| A.8.3.2 | Disposal of media | Media shall be disposed of securely and safely when no longer required, using formal procedures | | √ | √ | Reason for adoption: 1) define the media destruction method according to media type; 2) meet the requirements of ISO 27001:2013 |
| A.8.3.3 | Physical media in transfer | Media containing information shall be protected against unauthorized access, misuse or corruption during transportation | | √ | √ | Reason for adoption: 1) define the information transfer method according to information classification; 2) meet the requirements of ISO 27001:2013 |
| A.9.1.1 | Access control policy | An access control policy shall be established, documented and reviewed based on business and information security requirements | | √ | √ | Reason for adoption: 1) define the procedure for use of access rights; 2) define the procedure for requesting access rights; 3) define the access rights review procedure; 4) meet the requirements of ISO 27001:2013 |
| A.9.1.2 | Access to networks and network services | Users shall only be provided with access to the network and network services that they have been specifically authorized to use | | √ | √ | Reason for adoption: 1) define physical access rights and login to the network area; 2) meet the requirements of ISO 27001:2013 |
| A.9.2.1 | User registration and de-registration | A formal user registration and de-registration process shall be implemented to enable assignment of access rights | | √ | √ | Reason for adoption: 1) define the rules for use of user IDs; 2) meet the requirements of ISO 27001:2013 |
| A.9.2.2 | User access provisioning | A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services | | √ | √ | Reason for adoption: 1) define the procedure for granting, removing and blocking access rights; 2) meet the requirements of ISO 27001:2013 |
| A.9.2.3 | Management of privileged access rights | The allocation and use of privileged access rights shall be restricted and controlled | | √ | √ | Reason for adoption: 1) define the procedure for granting and removing privileged access rights; 2) meet the requirements of ISO 27001:2013 |
| A.9.2.4 | Management of secret authentication information of users | The allocation of secret authentication information shall be controlled through a formal management process | | √ | √ | Reason for adoption: 1) define the procedure for password requirements in the organisation, especially in application development; 2) meet the requirements of ISO 27001:2013 |
| A.9.2.5 | Review of user access rights | Asset owners shall review users' access rights at regular intervals | | √ | √ | Reason for adoption: 1) define the procedure and method for reviewing access rights and the required interval; 2) meet the requirements of ISO 27001:2013 |
| A.9.2.6 | Removal or adjustment of access rights | The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change | | √ | √ | Reason for adoption: 1) define the procedure for removing access rights due to resignation or rotation; 2) meet the requirements of ISO 27001:2013 |
| A.9.3.1 | Use of secret authentication information | Users shall be required to follow the organization's practices in the use of secret authentication information | | √ | √ | Reason for adoption: 1) define the procedure for use of access rights; 2) meet the requirements of ISO 27001:2013 |
| A.9.4.1 | Information access restriction | Access to information and application system functions shall be restricted in accordance with the access control policy | | √ | √ | Reason for adoption: 1) define the procedure for restricting access rights; 2) meet the requirements of ISO 27001:2013 |
| A.9.4.2 | Secure log-on procedures | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure | | √ | √ | Reason for adoption: 1) define the use of password encryption and SSL; 2) meet the requirements of ISO 27001:2013 |
| A.9.4.3 | Password management system | Password management systems shall be interactive and shall ensure quality passwords | | √ | √ | Reason for adoption: 1) define the password requirements in the organisation, especially in application development; 2) meet the requirements of ISO 27001:2013 |
| A.9.4.4 | Use of privileged utility programs | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled | | √ | √ | Reason for adoption: 1) define the method for use of password utility programs (e.g. CCleaner, etc.); 2) meet the requirements of ISO 27001:2013 |
| A.9.4.5 | Access control to program source code | Access to program source code shall be restricted | | √ | √ | Reason for adoption: 1) define the method for accessing source code on the server; 2) meet the requirements of ISO 27001:2013 |
| A.10 | Cryptography | | | | | |
| A.10.1 | Cryptographic controls | | | | | |
| A.10.1.1 | Policy on the use of cryptographic controls | A policy on the use of cryptographic controls for protection of information shall be developed and implemented | √ | √ | √ | Reason for adoption: 1) define the procedure for applying password encryption and SSL; 2) meet the requirements of ISO 27001:2013 |
| A.10.1.2 | Key management | A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle | | √ | √ | Reason for adoption: 1) define the procedure for applying password encryption and SSL; 2) meet the requirements of ISO 27001:2013 |
| A.11.1.1 | Physical security perimeter | Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities | | √ | √ | Reason for adoption: 1) define the division of physical areas; 2) meet the requirements of ISO 27001:2013 |
| A.11.1.2 | Physical entry controls | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access | | √ | √ | Reason for adoption: 1) define the procedure for entering specific areas; 2) meet the requirements of ISO 27001:2013 |
| A.11.1.3 | Securing offices, rooms and facilities | Physical security for offices, rooms and facilities shall be designed and applied | | √ | √ | Reason for adoption: 1) define guidance for securing physical areas; 2) meet the requirements of ISO 27001:2013 |
| A.11.1.4 | Protection against external and environmental threats | Physical protection against natural disasters, malicious attack or accidents shall be designed and applied | | √ | √ | Reason for adoption: 1) define physical protection against natural disasters; 2) meet the requirements of ISO 27001:2013 |
| A.11.1.5 | Working in secure areas | Procedures for working in secure areas shall be designed and applied | | √ | X | Reason for exclusion: 1) the Secure Area (DRC server room) is still under development |
| A.11.1.6 | Delivery and loading areas | Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access | | √ | X | Reason for exclusion: 1) the Secure Area (DRC server room) is still under development |
| A.11.2.1 | Equipment siting and protection | Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access | | √ | √ | Reason for adoption: 1) define the protection method and procedure in the data center area; 2) meet the requirements of ISO 27001:2013 |
| A.11.2.2 | Supporting utilities | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities | | √ | X | Reason for exclusion: 1) the Secure Area (DRC server room) is still under development |
| A.11.2.3 | Cabling security | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage | | √ | √ | Reason for adoption: 1) define the procedure for securing power and telecommunications cabling; 2) meet the requirements of ISO 27001:2013 |
| A.11.2.4 | Equipment maintenance | Equipment shall be correctly maintained to ensure its continued availability and integrity | | √ | X | Reason for exclusion: 1) the Secure Area (DRC server room) is still under development |
| A.11.2.5 | Removal of assets | Equipment, information or software shall not be taken off-site without prior authorization | | √ | √ | Reason for adoption: 1) define the procedure for moving assets from their original location; 2) keep a record of asset loans and returns; 3) meet the requirements of ISO 27001:2013 |
| A.11.2.6 | Security of equipment and assets off-premises | Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises | | √ | √ | Reason for adoption: 1) define the procedure for use of assets outside the organisation's area; 2) meet the requirements of ISO 27001:2013 |
| A.11.2.7 | Secure disposal or reuse of equipment | All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use | | √ | √ | Reason for adoption: 1) define the media destruction method according to media type; 2) meet the requirements of ISO 27001:2013 |
| A.11.2.8 | Unattended user equipment | Users shall ensure that unattended equipment has appropriate protection | | √ | √ | Reason for adoption: 1) define the clear screen procedure and logging out of the PC; 2) meet the requirements of ISO 27001:2013 |
| A.11.2.9 | Clear desk and clear screen policy | A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted | | √ | √ | Reason for adoption: 1) define the clear desk and clear screen procedure; 2) meet the requirements of ISO 27001:2013 |
| A.12.1.1 | Documented operating procedures | Operating procedures shall be documented and made available to all users who need them | √ | √ | √ | Reason for adoption: 1) define the document management procedure; 2) meet the requirements of ISO 27001:2013 |
| A.12.1.2 | Change management | Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled | | √ | √ | Reason for adoption: 1) define the change management procedure for all IT processes; 2) meet the requirements of ISO 27001:2013 |
| A.12.1.3 | Capacity management | The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance | | √ | √ | Reason for adoption: 1) define capacity management monitoring, especially for storage; 2) meet the requirements of ISO 27001:2013 |
| A.12.1.4 | Separation of development, testing and operational environments | Development, testing and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment | | √ | X | Reason for exclusion: 1) outside the scope of the current audit; to be carried out in the next phase |
| A.12.2 | Protection from malware | | | | | |
| A.12.3 | Backup | | | | | |
| A.12.3.1 | Information backup | Back-up copies of information, software and system images shall be taken and tested regularly in accordance with the agreed backup policy | | √ | √ | Reason for adoption: 1) define the backup procedure; 2) meet the requirements of ISO 27001:2013 |
| A.12.4.1 | Event logging | Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed | | √ | √ | Reason for adoption: 1) log monitoring is carried out; 2) meet the requirements of ISO 27001:2013 |
| A.12.4.2 | Protection of log information | Logging facilities and log information shall be protected against tampering and unauthorized access | | √ | √ | Reason for adoption: 1) define the log security procedure; 2) meet the requirements of ISO 27001:2013 |
| A.12.4.3 | Administrator and operator logs | System administrator and system operator activities shall be logged and the logs protected and regularly reviewed | | √ | √ | Reason for adoption: 1) define the procedure for access rights to the logs; 2) meet the requirements of ISO 27001:2013 |
| A.12.4.4 | Clock synchronisation | The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source | | √ | √ | Reason for adoption: 1) define the time synchronisation procedure on the servers; 2) meet the requirements of ISO 27001:2013 |
| A.12.6.2 | Restrictions on software installation | Rules governing the installation of software by users shall be established and implemented | | √ | X | Reason for exclusion: 1) outside the scope of the current audit; to be carried out in the next phase |
| A.12.7 | Information systems audit considerations | | | | | |
| A.13.1.1 | Network controls | Networks shall be managed and controlled to protect information in systems and applications | | √ | √ | Reason for adoption: 1) define the network management procedure; 2) meet the requirements of ISO 27001:2013 |
| A.13.1.3 | Segregation in networks | Groups of information services, users and information systems shall be segregated on networks | | √ | √ | Reason for adoption: 1) define the procedure for separating network areas (e.g. VLANs); 2) meet the requirements of ISO 27001:2013 |
| A.13.2.1 | Information transfer policies and procedures | Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities | | √ | √ | Reason for adoption: 1) define the method for information flow over the network and e-mail; 2) define the method for conveying confidential information by telephone and fax; 3) meet the requirements of ISO 27001:2013 |
| A.13.2.2 | Agreements on information transfer | Agreements shall address the secure transfer of business information between the organization and external parties | | √ | √ | Reason for adoption: 1) define the information transfer agreement procedure; 2) meet the requirements of ISO 27001:2013 |
| A.13.2.3 | Electronic messaging | Information involved in electronic messaging shall be appropriately protected | | √ | √ | Reason for adoption: 1) define the security procedure for exchanging information via e-mail, social networks and file sharing; 2) meet the requirements of ISO 27001:2013 |
| A.13.2.4 | Confidentiality or non-disclosure agreements | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented | | √ | √ | Reason for adoption: 1) define the NDA procedure for permanent, contract and outsourced staff; 2) meet the requirements of ISO 27001:2013 |
| A.14.1.2 | Securing application services on public networks | Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification | √ | √ | X | Reason for exclusion: 1) planned for the next phase; 2) a penetration test needs to be prepared to meet the requirements of ISO 27001:2013 |
| A.14.1.3 | Protecting application services transactions | Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay | √ | √ | X | Reason for exclusion: 1) planned for the next phase; 2) a penetration test needs to be prepared to meet the requirements of ISO 27001:2013 |
| A.14.2 | Security in development and support processes | | | | | |
| A.14.2.1 | Secure development policy | Rules for the development of software and systems shall be established and applied to developments within the organization | | √ | X | Reason for exclusion: 1) development has so far been carried out by a third party; 2) currently out of scope; 3) a detailed review is needed before implementation |
| A.14.2.2 | System change control procedures | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures | √ | √ | X | Reason for exclusion: 1) development has so far been carried out by a third party; 2) currently out of scope; 3) a detailed review is needed before implementation |
| A.14.2.3 | Technical review of applications after operating platform changes | When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security | | √ | X | Reason for exclusion: 1) development has so far been carried out by a third party; 2) currently out of scope; 3) a detailed review is needed before implementation |
| A.14.2.4 | Restrictions on changes to software packages | Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled | √ | √ | X | Reason for exclusion: 1) development has so far been carried out by a third party; 2) currently out of scope; 3) a detailed review is needed before implementation |
| A.14.2.5 | Secure system engineering principles | Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts | √ | √ | X | Reason for exclusion: 1) development has so far been carried out by a third party; 2) currently out of scope; 3) a detailed review is needed before implementation |
| A.14.2.6 | Secure development environment | Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle | | √ | X | Reason for exclusion: 1) development has so far been carried out by a third party; 2) currently out of scope; 3) a detailed review is needed before implementation |
| A.14.2.7 | Outsourced development | The organization shall supervise and monitor the activity of outsourced system development | | √ | X | Reason for exclusion: 1) development has so far been carried out by a third party; 2) currently out of scope; 3) a detailed review is needed before implementation |
| A.14.2.8 | System security testing | Testing of security functionality shall be carried out during development | | √ | X | Reason for exclusion: 1) development has so far been carried out by a third party; 2) currently out of scope; 3) a detailed review is needed before implementation |
| A.14.2.9 | System acceptance testing | Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions | | √ | X | Reason for exclusion: 1) development has so far been carried out by a third party; 2) currently out of scope; 3) a detailed review is needed before implementation |
| A.14.3 | Test data | | | | | |
| A.14.3.1 | Protection of test data | Test data shall be selected carefully, protected and controlled | | √ | X | Reason for exclusion: 1) development has so far been carried out by a third party; 2) currently out of scope; 3) a detailed review is needed before implementation |
| A.15 | Supplier relationships | | | | | |
| A.15.1 | Information security in supplier relationships | | | | | |
| A.15.1.1 | Information security policy for supplier relationships | Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented | | √ | √ | Reason for adoption: 1) define the supplier relationship procedure; 2) meet the requirements of ISO 27001:2013 |
| A.15.1.2 | Addressing security within supplier agreements | All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization's information | | √ | √ | Reason for adoption: 1) define the procedure requiring supplier agreements/contracts to take information security requirements into account; 2) meet the requirements of ISO 27001:2013 |
| A.15.1.3 | Information and communication technology supply chain | Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain | | √ | √ | Reason for adoption: 1) define the procedure for when a subcontractor is involved; 2) meet the requirements of ISO 27001:2013 |
| A.15.2.1 | Monitoring and review of supplier services | Organizations shall regularly monitor, review and audit supplier service delivery | | √ | √ | Reason for adoption: 1) define review and monitoring of services from suppliers; 2) meet the requirements of ISO 27001:2013 |
| A.16.1.1 | Responsibilities and procedures | Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents | | √ | √ | Reason for adoption: 1) define the incident handling procedure; 2) meet the requirements of ISO 27001:2013 |
| A.16.1.2 | Reporting information security events | Information security events shall be reported through appropriate management channels as quickly as possible | | √ | √ | Reason for adoption: 1) define the procedure for determining where to report an incident based on the issue; 2) meet the requirements of ISO 27001:2013 |
| A.16.1.4 | Assessment of and decision on information security events | Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents | | √ | √ | Reason for adoption: 1) define the classification of reports that count as incidents; 2) meet the requirements of ISO 27001:2013 |
| A.16.1.5 | Response to information security incidents | Information security incidents shall be responded to in accordance with the documented procedures | | √ | √ | Reason for adoption: 1) define the response procedure for information security incidents; 2) meet the requirements of ISO 27001:2013 |
| A.16.1.6 | Learning from information security incidents | Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents | | √ | √ | Reason for adoption: 1) define the procedure for analysing incidents that have occurred so far; 2) meet the requirements of ISO 27001:2013 |
| A.16.1.7 | Collection of evidence | The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence | | √ | √ | Reason for adoption: 1) define the evidence collection procedure; 2) meet the requirements of ISO 27001:2013 |
| A.17.1.1 | Planning information security continuity | The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster | √ | √ | √ | Reason for adoption: 1) define the business continuity plan for information security; 2) meet the requirements of ISO 27001:2013 |
| A.17.1.3 | Verify, review and evaluate information security continuity | The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations | √ | √ | √ | Reason for adoption: 1) define the procedure for verifying, reviewing and evaluating business continuity controls; 2) define the business continuity test procedure; 3) meet the requirements of ISO 27001:2013 |
| A.17.2 | Redundancies | | | | | |
| A.17.2.1 | Availability of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements | | √ | √ | Reason for adoption: 1) define redundancy in the organisation; 2) meet the requirements of ISO 27001:2013 |
| A.18 | Compliance | | | | | |
| A.18.1 | Compliance with legal and contractual requirements | | | | | |
| A.18.1.3 | Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements | √ | √ | √ | Reason for adoption: 1) define the records protection procedure; 2) meet the requirements of ISO 27001:2013 |
| A.18.1.4 | Privacy and protection of personally identifiable information | Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable | √ | √ | √ | Reason for adoption: 1) define the rules for protecting personal information; 2) meet the requirements of ISO 27001:2013 |
| A.18.1.5 | Regulation of cryptographic controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations | | √ | √ | Reason for adoption: 1) define the regulations on cryptography; 2) meet the requirements of ISO 27001:2013 |
| A.18.2.3 | Technical compliance review | Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards | | √ | √ | Reason for exclusion: 1) outside the scope of the current audit; to be carried out in the next phase |