
STATEMENT OF APPLICABILITY (PERNYATAAN PEMBERLAKUAN)
AGAINST THE REQUIREMENTS OF ISO 27001:2013
Dinas Penanaman Modal dan PTSP Jawa Timur
Document No.: SMKI.FRM.SOA/2021
Scope: DATABASE DPMPTSP
Effective from: 24 June 2021
Revision: 1

ANNEX A REQUIREMENTS OF ISO 27001:2013 AND STATEMENT OF APPLICABILITY

Columns of the statement, as laid out in the source table:
  No.                    Annex A control number
  Control                Control name (Pengendalian / Kontrol)
  Control objective      Control text (Tujuan Pengendalian)
  Reason for adoption    Three mark columns: Requirement (Persyaratan); Required by UU ITE 2016 (Dipersyaratkan UU ITE Tahun 2016); Identified in the Risk Register (Teridentifikasi dalam Risk Register)
  Conclusion             Adopted (Diadopsi, √) or Excluded (Dikecualikan, X)
  Explanation            Explanation of adoption or exclusion (Penjelasan Adopsi)

For each control below, the "Basis / conclusion" line gives the marks in the order they appear in the source table: the √ marks from the reason-for-adoption columns first, then the conclusion mark (√ = adopted, X = excluded).

A.5. Information security policies

A.5.1 Management direction for information security

A.5.1.1  Policies for information security
  Control objective: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant parties.
  Basis / conclusion: √ √
  Reason for adoption:
  1) Provide general guidance for operating the ISMS
  2) Obtain commitment from all stakeholders to operate the ISMS effectively
  3) Meet the requirements of ISO 27001:2013

A.5.1.2  Review of the policies for information security
  Control objective: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
  Basis / conclusion: √ √
  Reason for adoption:
  1) Review the effectiveness of ISMS implementation
  2) Meet the requirements of ISO 27001:2013

A.6. Organization of Information Security

A.6.1 Internal Organization

A.6.1.1  Information security roles and responsibilities
  Control objective: All information security responsibilities shall be defined and allocated.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the organization's roles and responsibilities in the ISMS
  2. Meet the requirements of ISO 27001:2013

A.6.1.2  Segregation of duties
  Control objective: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the organization's roles and areas of responsibility in the ISMS
  2. Meet the requirements of ISO 27001:2013

A.6.1.3  Contact with authorities
  Control objective: Appropriate contacts with relevant authorities shall be maintained.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the list of important contacts needed to operate the ISMS
  2. Meet the requirements of ISO 27001:2013

A.6.1.4  Contact with special interest groups
  Control objective: A management authorization process for new information processing facilities shall be defined and implemented.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define roles and membership in information security forums / organizations
  2. Meet the requirements of ISO 27001:2013

A.6.1.5  Information security in project management
  Control objective: Information security shall be addressed in project management, regardless of the type of the project.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define that the ISMS must be applied in every new project
  2. Meet the requirements of ISO 27001:2013

A.6.2 Mobile devices and teleworking

A.6.2.1  Mobile device policy
  Control objective: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for using mobile devices (method of using mobile computers)
  2. Meet the requirements of ISO 27001:2013

A.6.2.2  Teleworking
  Control objective: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the teleworking procedure (including the method for requesting teleworking)
  2. Meet the requirements of ISO 27001:2013

A.7. Human resource security


A.7.1 Prior to employment

Confidential   Page 1 of 10



A.7.1.1  Screening
  Control objective: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the screening procedure for new employees in accordance with the law in force in Indonesia (SKCK from the police)
  2. Define the employee screening procedure for educational background and skills
  3. Meet the requirements of ISO 27001:2013

A.7.1.2  Terms and conditions of employment
  Control objective: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Apply an NDA (Non-Disclosure Agreement) to all employees
  2. Meet the requirements of ISO 27001:2013

A.7.2 During Employment

A.7.2.1  Management responsibilities
  Control objective: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the hierarchy of work procedures and controls
  2. Define the organizational structure
  3. Meet the requirements of ISO 27001:2013

A.7.2.2  Information security awareness, education and training
  Control objective: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the guidance for conducting and evaluating awareness for employees
  2. Meet the requirements of ISO 27001:2013

A.7.2.3  Disciplinary process
  Control objective: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define employee discipline
  2. Meet the requirements of ISO 27001:2013

A.7.3 Termination and change of employment

A.7.3.1  Termination or change of employment responsibilities
  Control objective: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for changing employee responsibilities due to rotation/resignation
  2. Define the job handover procedure
  3. Meet the requirements of ISO 27001:2013

A.8. Asset management

A.8.1 Responsibility for assets

A.8.1.1  Inventory of assets
  Control objective: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the asset inventory mechanism
  2. Meet the requirements of ISO 27001:2013

A.8.1.2  Ownership of assets
  Control objective: Assets maintained in the inventory shall be owned.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the asset ownership procedure
  2. Meet the requirements of ISO 27001:2013

A.8.1.3  Acceptable use of assets
  Control objective: Rules for acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for use of assets by employees
  2. Meet the requirements of ISO 27001:2013

A.8.1.4  Return of assets
  Control objective: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for return of assets by employees
  2. Meet the requirements of ISO 27001:2013

A.8.2 Information classification

A.8.2.1  Classification of information
  Control objective: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the information classification procedure
  2. Meet the requirements of ISO 27001:2013


A.8.2.2  Labelling of information
  Control objective: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for the method of labelling information
  2. Meet the requirements of ISO 27001:2013

A.8.2.3  Handling of assets
  Control objective: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the method for handling, processing, storing and communicating information according to its classification
  2. Define the method for handling, processing, storing and communicating assets (other than information) according to their type classification
  3. Meet the requirements of ISO 27001:2013

A.8.3 Media handling

A.8.3.1  Management of removable media
  Control objective: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the method for handling media according to asset type
  2. Meet the requirements of ISO 27001:2013

A.8.3.2  Disposal of media
  Control objective: Media shall be disposed of securely and safely when no longer required, using formal procedures.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the method for destroying media according to type
  2. Meet the requirements of ISO 27001:2013

A.8.3.3  Physical media in transfer
  Control objective: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the method for transferring information according to its information classification type
  2. Meet the requirements of ISO 27001:2013

A.9. Access control

A.9.1 Business requirements of access control

A.9.1.1  Access control policy
  Control objective: An access control policy shall be established, documented, and reviewed based on business and information security requirements.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for the use of access rights
  2. Define the procedure for requesting access rights
  3. Define the procedure for reviewing access rights
  4. Meet the requirements of ISO 27001:2013

A.9.1.2  Access to networks and network services
  Control objective: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define physical access rights and login to the network area
  2. Meet the requirements of ISO 27001:2013

A.9.2 User Access Management

A.9.2.1  User registration and de-registration
  Control objective: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for the use of user IDs
  2. Meet the requirements of ISO 27001:2013

A.9.2.2  User access provisioning
  Control objective: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for granting, removing and blocking access rights
  2. Meet the requirements of ISO 27001:2013

A.9.2.3  Management of privileged access rights
  Control objective: The allocation and use of privileged access rights shall be restricted and controlled.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for granting and removing privileged access rights
  2. Meet the requirements of ISO 27001:2013


A.9.2.4  Management of secret authentication information of users
  Control objective: The allocation of secret authentication information shall be controlled through a formal management process.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for password requirements in the organization, especially in application development
  2. Meet the requirements of ISO 27001:2013

A.9.2.5  Review of user access rights
  Control objective: Asset owners shall review users' access rights at regular intervals.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for the access rights review method / required interval
  2. Meet the requirements of ISO 27001:2013

A.9.2.6  Removal or adjustment of access rights
  Control objective: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for removing access rights due to resignation or rotation
  2. Meet the requirements of ISO 27001:2013

A.9.3 User Responsibilities

A.9.3.1  Use of secret authentication information
  Control objective: Users shall be required to follow the organization's practices in the use of secret authentication information.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for using access rights
  2. Meet the requirements of ISO 27001:2013

A.9.4 System and application access control

A.9.4.1  Information access restriction
  Control objective: Access to information and application system functions shall be restricted in accordance with the access control policy.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for restricting access rights
  2. Meet the requirements of ISO 27001:2013

A.9.4.2  Secure log-on procedures
  Control objective: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the application of password encryption and SSL
  2. Meet the requirements of ISO 27001:2013

A.9.4.3  Password management system
  Control objective: Password management systems shall be interactive and shall ensure quality passwords.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define password requirements in the organization, especially in application development
  2. Meet the requirements of ISO 27001:2013

A.9.4.4  Use of privileged utility programs
  Control objective: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the method for using password utility programs (such as CCleaner, etc.)
  2. Meet the requirements of ISO 27001:2013

A.9.4.5  Access control to program source code
  Control objective: Access to program source code shall be restricted.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the method for accessing source code on the server
  2. Meet the requirements of ISO 27001:2013

A.10. Cryptography

A.10.1 Cryptographic controls

A.10.1.1  Policy on the use of cryptographic controls
  Control objective: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
  Basis / conclusion: √ √ √
  Reason for adoption:
  1. Define the procedure for applying password encryption and SSL
  2. Meet the requirements of ISO 27001:2013

A.10.1.2  Key management
  Control objective: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for applying password encryption and SSL
  2. Meet the requirements of ISO 27001:2013

A.11. Physical and environmental security

A.11.1 Secure areas

A.11.1.1  Physical security perimeter
  Control objective: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the division of physical areas
  2. Meet the requirements of ISO 27001:2013


A.11.1.2  Physical entry controls
  Control objective: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for entering specific areas
  2. Meet the requirements of ISO 27001:2013

A.11.1.3  Securing offices, rooms, and facilities
  Control objective: Physical security for offices, rooms, and facilities shall be designed and applied.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define guidance for securing physical areas
  2. Meet the requirements of ISO 27001:2013

A.11.1.4  Protection against external and environmental threats
  Control objective: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define physical protection against natural disasters
  2. Meet the requirements of ISO 27001:2013

A.11.1.5  Working in secure areas
  Control objective: Procedures for working in secure areas shall be designed and applied.
  Basis / conclusion: √ X
  Reason for exclusion:
  1. The secure area (DRC server room) is still under development

A.11.1.6  Delivery and loading areas
  Control objective: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
  Basis / conclusion: √ X
  Reason for exclusion:
  1. The secure area (DRC server room) is still under development

A.11.2 System planning and acceptance

A.11.2.1  Equipment siting and protection
  Control objective: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the protection procedure in the data center area
  2. Meet the requirements of ISO 27001:2013

A.11.2.2  Supporting utilities
  Control objective: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
  Basis / conclusion: √ X
  Reason for exclusion:
  1. The secure area (DRC server room) is still under development

A.11.2.3  Cabling security
  Control objective: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for securing power and telecommunications cabling
  2. Meet the requirements of ISO 27001:2013

A.11.2.4  Equipment maintenance
  Control objective: Equipment shall be correctly maintained to ensure its continued availability and integrity.
  Basis / conclusion: √ X
  Reason for exclusion:
  1. The secure area (DRC server room) is still under development

A.11.2.5  Removal of assets
  Control objective: Equipment, information or software shall not be taken off-site without prior authorization.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for moving assets from their original location
  2. Records of asset loans and returns
  3. Meet the requirements of ISO 27001:2013

A.11.2.6  Security of equipment and assets off-premises
  Control objective: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for using assets outside the organization's area
  2. Meet the requirements of ISO 27001:2013

A.11.2.7  Secure disposal or reuse of equipment
  Control objective: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the method for destroying media according to type
  2. Meet the requirements of ISO 27001:2013

A.11.2.8  Unattended user equipment
  Control objective: Users shall ensure that unattended equipment has appropriate protection.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the clear screen procedure and logout from the PC
  2. Meet the requirements of ISO 27001:2013

A.11.2.9  Clear desk and clear screen policy
  Control objective: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the clear desk and clear screen procedure
  2. Meet the requirements of ISO 27001:2013

A.12. Operations security


A.12.1 Operational procedures and responsibilities

A.12.1.1  Documented operating procedures
  Control objective: Operating procedures shall be documented and made available to all users who need them.
  Basis / conclusion: √ √ √
  Reason for adoption:
  1. Define the document management procedure
  2. Meet the requirements of ISO 27001:2013

A.12.1.2  Change management
  Control objective: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the change management procedure for all IT processes
  2. Meet the requirements of ISO 27001:2013

A.12.1.3  Capacity management
  Control objective: The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define capacity management monitoring, especially for storage
  2. Meet the requirements of ISO 27001:2013

A.12.1.4  Separation of development, testing, and operational environments
  Control objective: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
  Basis / conclusion: √ X
  Reason for exclusion:
  1. Outside the scope of the current audit; will be carried out in the next phase

A.12.2 Protection from malware

A.12.2.1  Controls against malware
  Control objective: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the malware control procedure
  2. Meet the requirements of ISO 27001:2013

A.12.3 Backup

A.12.3.1  Information backup
  Control objective: Back-up copies of information, software and system images shall be taken and tested regularly in accordance with the agreed backup policy.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the backup procedure
  2. Meet the requirements of ISO 27001:2013

A.12.4 Logging and monitoring

A.12.4.1  Event logging
  Control objective: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Log monitoring is carried out
  2. Meet the requirements of ISO 27001:2013

A.12.4.2  Protection of log information
  Control objective: Logging facilities and log information shall be protected against tampering and unauthorized access.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the log security procedure
  2. Meet the requirements of ISO 27001:2013

A.12.4.3  Administrator and operator logs
  Control objective: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for access rights to the logs
  2. Meet the requirements of ISO 27001:2013

A.12.4.4  Clock synchronization
  Control objective: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the time synchronization procedure on the servers
  2. Meet the requirements of ISO 27001:2013

A.12.5 Control of operational software

A.12.5.1  Installation of software on operational systems
  Control objective: Procedures shall be implemented to control the installation of software on operational systems.
  Basis / conclusion: √ X
  Reason for exclusion:
  1. Outside the scope of the current audit; will be carried out in the next phase

A.12.6 Technical vulnerability management

A.12.6.1  Management of technical vulnerabilities
  Control objective: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the vulnerability management procedure
  2. Meet the requirements of ISO 27001:2013

A.12.6.2  Restrictions on software installation
  Control objective: Rules governing the installation of software by users shall be established and implemented.
  Basis / conclusion: √ X
  Reason for exclusion:
  1. Outside the scope of the current audit; will be carried out in the next phase

A.12.7 Information systems audit considerations

A.12.7.1  Information systems audit controls
  Control objective: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruption to business processes.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the audit procedure
  2. Meet the requirements of ISO 27001:2013

A.13. Communications security


A.13.1 Network security management

A.13.1.1  Network controls
  Control objective: Networks shall be managed and controlled to protect information in systems and applications.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the network management procedure
  2. Meet the requirements of ISO 27001:2013

A.13.1.2  Security of network services
  Control objective: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for network connections to the VPN, firewall and IDS
  2. Meet the requirements of ISO 27001:2013

A.13.1.3  Segregation in networks
  Control objective: Groups of information services, users, and information systems shall be segregated on networks.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the procedure for separating network areas (for example: VLAN)
  2. Meet the requirements of ISO 27001:2013

A.13.2 Information transfer

A.13.2.1  Information transfer policies and procedures
  Control objective: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the method for information flow via the network and email
  2. Define the method for conveying confidential information via telephone and fax
  3. Meet the requirements of ISO 27001:2013

A.13.2.2  Agreements on information transfer
  Control objective: Agreements shall address the secure transfer of business information between the organization and external parties.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the information transfer agreement procedure
  2. Meet the requirements of ISO 27001:2013

A.13.2.3  Electronic messaging
  Control objective: Information involved in electronic messaging shall be appropriately protected.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the security procedure for exchanging information via e-mail, social networks and file sharing
  2. Meet the requirements of ISO 27001:2013

A.13.2.4  Confidentiality or non-disclosure agreements
  Control objective: Requirements for confidentiality or non-disclosure agreements reflecting the organization's need for the protection of information shall be identified, regularly reviewed and documented.
  Basis / conclusion: √ √
  Reason for adoption:
  1. Define the NDA procedure for permanent, contract and outsourced employees
  2. Meet the requirements of ISO 27001:2013

A.14. System acquisition, development and maintenance

A.14.1 Security requirements of information systems

A.14.1.1  Information security requirements analysis and specification
  Control objective: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
  Basis / conclusion: √ √ X
  Reason for exclusion:
  1. To date, development has been carried out by a third party
  2. Outside the current scope
  3. A detailed review is needed before implementing it

A.14.1.2  Securing application services on public networks
  Control objective: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
  Basis / conclusion: √ √ X
  Reason for exclusion:
  1. Planned for the next phase
  2. A penetration test must be prepared to meet the requirements of ISO 27001:2013

A.14.1.3  Protecting application services transactions
  Control objective: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
  Basis / conclusion: √ √ X
  Reason for exclusion:
  1. Planned for the next phase
  2. A penetration test must be prepared to meet the requirements of ISO 27001:2013

A.14.2 Security in development and support processes

A.14.2.1  Secure development policy
  Control objective: Rules for the development of software and systems shall be established and applied to developments within the organization.
  Basis / conclusion: √ X
  Reason for exclusion:
  1. To date, development has been carried out by a third party
  2. Outside the current scope
  3. A detailed review is needed before implementing it


Alasan pengecualian:
1. Selama ini development dilakukan oleh
System change control Changes to systems within the development lifecycle shall be pihak ketiga
A.14.2.2 √ √ X
procedures controlled by the use of formal change control procedures 2. Diluar ruang lingkup pada saat ini
3. Perlu review detil untuk
melaksanakannya

Alasan pengecualian:
1. Selama ini development dilakukan oleh
Technical review of When operating platforms are changed, business critical
pihak ketiga
A.14.2.3 applications after operating application shall be reviewd and tested to ensure there is no √ X
2. Diluar ruang lingkup pada saat ini
platform changes adverse impact on organizational operations or security
3. Perlu review detil untuk
melaksanakannya

Alasan pengecualian:
1. Selama ini development dilakukan oleh
Restrictions on change to Modifications to software packages shall be discouraged, limited pihak ketiga
A.14.2.4 √ √ X
software packages to necessary changes and all changes shall be strictly controlled 2. Diluar ruang lingkup pada saat ini
3. Perlu review detil untuk
melaksanakannya

Alasan pengecualian:
1. Selama ini development dilakukan oleh
Principles for engineering secure systems shall be established ,
Secure system engineering pihak ketiga
A.14.2.5 documented, maintained and applied to any information system √ √ X
principles 2. Diluar ruang lingkup pada saat ini
implementation efforts
3. Perlu review detil untuk
melaksanakannya

Alasan pengecualian:
Organization shall establish and appropriately protect secure 1. Selama ini development dilakukan oleh
Secure development development environments for system development and pihak ketiga
A.14.2.6 √ X
environment integration efforts that cover the entire system development 2. Diluar ruang lingkup pada saat ini
lifecycle 3. Perlu review detil untuk
melaksanakannya

Alasan pengecualian:
1. Selama ini development dilakukan oleh
The organization shall supervised and monitor the activity of pihak ketiga
A.14.2.7 Outsourced development √ X
outsourced system development 2. Diluar ruang lingkup pada saat ini
3. Perlu review detil untuk
melaksanakannya

Alasan pengecualian:
1. Selama ini development dilakukan oleh
Testing of security functionality shall be carried out during pihak ketiga
A.14.2.8 System security testing √ X
development 2. Diluar ruang lingkup pada saat ini
3. Perlu review detil untuk
melaksanakannya

Alasan pengecualian:
1. Selama ini development dilakukan oleh
Acceptance testing programs and related criteria shall be
pihak ketiga
A.14.2.9 System acceptance testing established for new information systems, upgrades, and new √ X
2. Diluar ruang lingkup pada saat ini
versions
3. Perlu review detil untuk
melaksanakannya
A.14.3 Test data

Alasan pengecualian:
1. Selama ini development dilakukan oleh
pihak ketiga
A.14.3.1 Protection of test data Test data shall be selected carefully, protected and controlled √ X
2. Diluar ruang lingkup pada saat ini
3. Perlu review detil untuk
melaksanakannya
A.15. Suppliers relationship
A.15.1 Information security in supplier relationship

A.15.1.1  Information security policy for supplier relationships
  Control: Information security requirements for mitigating the risks associated with the supplier's access to the organization's assets shall be agreed with the supplier and documented.
  Marks: √ √
  Reason for adoption:
  1. Define the procedure for relationships with suppliers
  2. Meet the requirements of ISO 27001:2013

A.15.1.2  Addressing security within supplier agreements
  Control: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization's information.
  Marks: √ √
  Reason for adoption:
  1. Define the procedure for supplier agreements/contracts so that they take information security requirements into account
  2. Meet the requirements of ISO 27001:2013

Confidential   Page 8 of 10



A.15.1.3  Information and communication technology supply chain
  Control: Agreements with suppliers shall include requirements to address the information security risks associated with the information and communications technology services and product supply chain.
  Marks: √ √
  Reason for adoption:
  1. Define the procedure for cases where there are subcontractors
  2. Meet the requirements of ISO 27001:2013

A.15.2 Supplier service delivery management

A.15.2.1  Monitoring and review of supplier services
  Control: The organization shall regularly monitor, review and audit supplier service delivery.
  Marks: √ √
  Reason for adoption:
  1. Define the review and monitoring of services from suppliers
  2. Meet the requirements of ISO 27001:2013

A.15.2.2  Managing changes to supplier services
  Control: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures, and controls, shall be managed, taking account of the criticality of the business information, systems and processes involved and re-assessment of risks.
  Marks: √ √
  Reason for adoption:
  1. Define the procedure for changes to supplier services
  2. Meet the requirements of ISO 27001:2013
A.16. Information security incident management
A.16.1 Management of information security incidents and improvements

A.16.1.1  Responsibilities and procedures
  Control: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
  Marks: √ √
  Reason for adoption:
  1. Define the incident handling procedure
  2. Meet the requirements of ISO 27001:2013

A.16.1.2  Reporting information security events
  Control: Information security events shall be reported through appropriate management channels as quickly as possible.
  Marks: √ √
  Reason for adoption:
  1. Define the procedure for determining where an incident is reported, based on the type of problem
  2. Meet the requirements of ISO 27001:2013

A.16.1.3  Reporting information security weaknesses
  Control: Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weakness in systems or services.
  Marks: √ √
  Reason for adoption:
  1. Define the reporting mechanism procedure
  2. Meet the requirements of ISO 27001:2013

A.16.1.4  Assessment of and decision on information security events
  Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
  Marks: √ √
  Reason for adoption:
  1. Define the classification of reports that count as incidents
  2. Meet the requirements of ISO 27001:2013

A.16.1.5  Response to information security incidents
  Control: Information security incidents shall be responded to in accordance with the documented procedures.
  Marks: √ √
  Reason for adoption:
  1. Define the response procedure for information security incidents
  2. Meet the requirements of ISO 27001:2013

A.16.1.6  Learning from information security incidents
  Control: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
  Marks: √ √
  Reason for adoption:
  1. Define the procedure for analysing the incidents that have occurred to date
  2. Meet the requirements of ISO 27001:2013

A.16.1.7  Collection of evidence
  Control: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.
  Marks: √ √
  Reason for adoption:
  1. Define the evidence collection procedure
  2. Meet the requirements of ISO 27001:2013

A.17. Information security aspects of business continuity management


A.17.1 Information security continuity

A.17.1.1  Planning information security continuity
  Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
  Marks: √ √ √
  Reason for adoption:
  1. Define the business continuity plan for information security
  2. Meet the requirements of ISO 27001:2013

A.17.1.2  Implementing information security continuity
  Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
  Marks: √ √ √
  Reason for adoption:
  1. Define the business continuity implementation procedure
  2. Meet the requirements of ISO 27001:2013




A.17.1.3  Verify, review and evaluate information security continuity
  Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
  Marks: √ √ √
  Reason for adoption:
  1. Define the procedure for verification, review and evaluation of business continuity controls
  2. Define the business continuity testing procedure
  3. Meet the requirements of ISO 27001:2013

A.17.2 Redundancies

A.17.2.1  Availability of information processing facilities
  Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
  Marks: √ √
  Reason for adoption:
  1. Define redundancy within the organization
  2. Meet the requirements of ISO 27001:2013

A.18. Compliance
A.18.1 Compliance with legal and contractual requirements

A.18.1.1  Identification of applicable legislation and contractual requirements
  Control: All relevant legislative, statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
  Marks: √ √
  Reason for adoption:
  1. Define the identification of the laws and regulations that are adopted
  2. Meet the requirements of ISO 27001:2013

A.18.1.2  Intellectual property rights
  Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
  Marks: √ √
  Reason for adoption:
  1. Define compliance with intellectual property rights (HAKI)
  2. Meet the requirements of ISO 27001:2013

A.18.1.3  Protection of records
  Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
  Marks: √ √ √
  Reason for adoption:
  1. Define the records protection procedure
  2. Meet the requirements of ISO 27001:2013

A.18.1.4  Privacy and protection of personally identifiable information
  Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
  Marks: √ √ √
  Reason for adoption:
  1. Define the procedure for protecting personal information
  2. Meet the requirements of ISO 27001:2013

A.18.1.5  Regulation of cryptographic controls
  Control: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
  Marks: √ √
  Reason for adoption:
  1. Define the regulations on cryptography
  2. Meet the requirements of ISO 27001:2013

A.18.2 Information security reviews


A.18.2.1  Independent review of information security
  Control: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
  Marks: √ √ √
  Reason for adoption:
  1. Define the conduct of external audits
  2. Meet the requirements of ISO 27001:2013

A.18.2.2  Compliance with security policies and standards
  Control: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards, and any other security requirements.
  Marks: √ √ √
  Reason for adoption:
  1. Define nonconformity control
  2. Meet the requirements of ISO 27001:2013

A.18.2.3  Technical compliance review
  Control: Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.
  Marks: √ √
  Reason for exclusion:
  1. Outside the scope of the current audit; to be carried out in the next phase

Prepared by: Team ISO 27001:2013 (Cahyo Budiono Pranoto, S.Kom)
Approved by: Management Representative (Moh. Arief Faurony, S.E., MM.)
