Analisis Risiko Keamanan Informasi pada Website Perusahaan Menggunakan ISO/IEC 27001 dan ISO/IEC 27005

Muhammad Goldvin Wijayakusuma, Nurhadi Surojudin, Sanudin ‎

Abstract


Website Document Management System (DMS) yang menyimpan dokumen sensitif seperti rekaman ISMS dan risk register kini menjadi infrastruktur inti operasional di banyak organisasi, namun eksposur risikonya terhadap aspek kerahasiaan, integritas, dan ketersediaan belum banyak diteliti secara teknis. Penelitian ini bertujuan untuk menganalisis risiko keamanan informasi pada Website DMS perusahaan menggunakan ISO/IEC 27005:2022 sebagai kerangka penilaian risiko dan ISO/IEC 27001:2022 Annex A sebagai acuan pemetaan kontrol. Penelitian berbasis standar sebelumnya umumnya mengandalkan wawancara atau kuesioner, tidak menyasar DMS dengan sensitivitas aset tinggi, dan menggunakan versi ISO pra-2022, sehingga temuan teknisnya sulit diverifikasi. Data dikumpulkan melalui wawancara terstruktur 18 pertanyaan kepada tiga peran pengelola sistem, observasi antarmuka aplikasi, dan validasi teknis non-invasif menggunakan SecurityHeaders.com serta inspeksi Response Header. Dari enam kategori aset dan sepuluh risiko berbasis CIA, lima dikategorikan tinggi (skor 12–15), empat sedang (skor 6–10), dan satu rendah. Validasi teknis mengungkap tiga temuan: inkonsistensi RBAC antara lapisan frontend dan backend sesuai OWASP A01:2021, kegagalan implementasi Security Header dengan grade F sesuai OWASP A05:2021, serta eksposur versi server nginx/1.18.0 pada Response Header. Pemetaan ke Annex A menghasilkan lima rekomendasi pengendalian mencakup kontrol 5.15, 8.5, 8.9, 8.13, serta 5.30 dan 8.14. Penelitian ini menunjukkan bahwa validasi teknis dapat diintegrasikan ke dalam alur ISO/IEC 27005:2022 untuk menghasilkan temuan yang lebih dapat diverifikasi dibandingkan pendekatan berbasis survei pada konteks DMS. Implikasi metodologisnya adalah potensi adopsi validasi teknis non-invasif sebagai bagian standar penilaian risiko pada sistem informasi sensitif serupa.

Keywords


Analisis Risiko; (Corporate Website; DMS; ISO/IEC 27001; ISO/IEC 27005; Keamanan Informasi).

Full Text:

PDF

References


S. Sternad Zabukovšek, S. Jordan, and S. Bobek, “Managing Document Management Systems’ Life Cycle in Relation to an Organization’s Maturity for Digital Transformation,” Sustainability, vol. 15, no. 21, p. 15212, Oct. 2023, doi: 10.3390/su152115212.

L. Xing, “Secure Official Document Management and intelligent Information Retrieval System based on recommendation algorithm,” International Journal of Intelligent Networks, vol. 5, pp. 110–119, 2024, doi: 10.1016/j.ijin.2024.02.003.

Firoz Mohammed Ozman, “Systematic literature review on ‘secure document management systems (DMS),’” World J. Adv. Eng. Technol. Sci., vol. 15, no. 1, pp. 1460–1469, Apr. 2025, doi: 10.30574/wjaets.2025.15.1.0146.

Badan Siber dan Sandi Negara Republik Indonesia, “Lanskap Keamanan Siber Indonesia 2023.” Accessed: Mar. 05, 2026. [Online]. Available: https://bssn.go.id/laporan-keamanan-siber-indonesia/

S. Bag, S. Sarkar, and I. Bose, “Enhancing cybersecurity risk assessment using temporal knowledge graph-based explainable decision support system,” Decision Support Systems, vol. 198, p. 114526, Nov. 2025, doi: 10.1016/j.dss.2025.114526.

F. A. Shaikh and M. Siponen, “Information security risk assessments following cybersecurity breaches: The mediating role of top management attention to cybersecurity,” Computers & Security, vol. 124, p. 102974, Jan. 2023, doi: 10.1016/j.cose.2022.102974.

OWASP Top 10 Team, “OWASP Top 10:2021. The Ten Most Critical Web Application Security Risks,” OWASP Foundation. Accessed: Jan. 04, 2026. [Online]. Available: https://owasp.org/Top10/2021/

OWASP Top 10 Team, “OWASP Top 10:2025, Application Security Risks,” OWASP Foundation. Accessed: Jan. 04, 2026. [Online]. Available: https://owasp.org/Top10/

N. A. Chandra, K. Ramli, A. A. P. Ratna, and T. S. Gunawan, “Information Security Risk Assessment Using Situational Awareness Frameworks and Application Tools,” Risks, vol. 10, no. 8, p. 165, Aug. 2022, doi: 10.3390/risks10080165.

D. E. R. Hidayatullah, R. Kunthi, and R. Harwahyu, “Design and Analysis of Information Security Risk Management Based on ISO 27005: Case Study on Audit Management System (AMS) XYZ Internal Audit Department,” IJECBE, vol. 2, no. 3, Sep. 2024, doi: 10.62146/ijecbe.v2i3.81.

M. N. Irfan, S. Ramadhania, S. Hadi, and P. T. Pungkasanti, “ISO/IEC 27005-Based E-Learning Risk Management with Blockchain Architecture: A Case Study of Semarang University,” journalisi, vol. 7, no. 3, pp. 2898–2919, Sep. 2025, doi: 10.51519/journalisi.v7i3.1265.

M. L. B. Hikam, F. Dewi, and D. Praditya, “Analisis Manajemen Risiko Informasi Menggunakan Iso/Iec 27005:2018 (Studi Kasus: PT.XYZ),” jipi. jurnal. ilmiah. penelitian. dan. pembelajaran. informatika., vol. 9, no. 2, pp. 728–734, May 2024, doi: 10.29100/jipi.v9i2.4709.

N. Chandra and M. Yusuf, “Penilaian Resiko Keamanan Aplikasi Web Menggunakan Standar Iso/Iec 27005 : 20022 Pada Layanan Organisasi: Penilaian Resiko Keamanan Aplikasi Web Menggunakan Standar Iso/Iec 27005 : 20022 Pada Layanan Organisasi,” CoSciTech, vol. 6, no. 2, pp. 206–213, Sep. 2025, doi: 10.37859/coscitech.v6i2.9994.

M. A. Waqdan, H. Louafi, and M. Mouhoub, “Security Risk Assessment in Iot Environments: A Taxonomy and Survey,” 2025, SSRN. doi: 10.2139/ssrn.5090068.

Firoz Mohammed Ozman, “Systematic literature review on ‘secure document management systems (DMS),’” World J. Adv. Eng. Technol. Sci., vol. 15, no. 1, pp. 1460–1469, Apr. 2025, doi: 10.30574/wjaets.2025.15.1.0146.

I. O. for S. (ISO) International Electrotechnical Commission (IEC), “ISO/IEC 27001:2022. Information security, cybersecurity and privacy protection, Information security, management systems Requirements.” ISO/IEC, Geneva, Switzerland, Oct. 2022. Accessed: Jan. 06, 2026. [Online]. Available: https://www.iso.org/standard/27001

International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), “ISO/IEC 27005:2022, Information security, cybersecurity and privacy protection. Guidance on managing information security risks.” ISO/IEC, Geneva, Switzerland, Oct. 2022. Accessed: Jan. 06, 2026. [Online]. Available: https://standards.iteh.ai/catalog/standards/sist/a81e3455-413d-48cd-9a3c-71cd98fbe1e1/iso-iec-27005-2022

F. Kitsios, E. Chatzidimitriou, and M. Kamariotou, “The ISO/IEC 27001 Information Security Management Standard: How to Extract Value from Data in the IT Sector,” Sustainability, vol. 15, no. 7, p. 5828, Mar. 2023, doi: 10.3390/su15075828.

A. P. Putra and B. Soewito, “Integrated Methodology for Information Security Risk Management using ISO 27005:2018 and NIST SP 800-30 for Insurance Sector,” IJACSA, vol. 14, no. 4, 2023, doi: 10.14569/IJACSA.2023.0140468.

M. S. Sahira, R. Indriati, and A. Ristyawan, “Analisis Risiko Website Sistem Keamanan Informasi Menggunakan Metode Fmea dan Framework ISO/IEC 27002:2022,” J. Sist. Inform. Tek. Inform. Komput., vol. 3, no. 2, pp. 128–138, Jun. 2025, doi: 10.53624/jsitik.v3i2.722.

P. Jatkiewicz, “Assessing cybersecurity methodologies: integrating competitiveness factor for risk analysis and IT system design,” Expert Systems with Applications, vol. 296, p. 129220, Jan. 2026, doi: 10.1016/j.eswa.2025.129220.

H. Artajaya, Julieta, J. Giancarlos, J. V. Moniaga, and A. Chowanda, “Development of a Secure Web Based Application to Automate Data Synchronization and Processing,” Procedia Computer Science, vol. 245, pp. 1175–1181, 2024, doi: 10.1016/j.procs.2024.10.347.

J. Rice and N. Martin, “Managing cybersecurity risks in Small businesses: A simulation-based decision framework,” Technological Forecasting and Social Change, vol. 223, p. 124456, Feb. 2026, doi: 10.1016/j.techfore.2025.124456.

G. Breda and M. Kiss, “Overview of Information Security Standards in the Field of Special Protected Industry 4.0 Areas & Industrial Security,” Procedia Manufacturing, vol. 46, pp. 580–590, 2020, doi: 10.1016/j.promfg.2020.03.084.

M. Fahrurozi, S. A. Tarigan, M. Alam Tanjung, and K. Mutijarsa, “The Use of ISO/IEC 27005: 2018 for Strengthening Information Security Management (A Case Study at Data and Information Center of Ministry of Defence),” in 2020 12th International Conference on Information Technology and Electrical Engineering (ICITEE), Yogyakarta, Indonesia: IEEE, Oct. 2020, pp. 86–91. doi: 10.1109/ICITEE49829.2020.9271748.

F. Casarosa, G. Comandé, and J. Fortuna, “Proposing ELDA methodology: Ethical and Legal by Design and Assessment for cybersecurity solutions,” Computer Law & Security Review, vol. 59, p. 106220, Nov. 2025, doi: 10.1016/j.clsr.2025.106220.

H. M. Melaku, “Context-Based and Adaptive Cybersecurity Risk Management Framework,” Risks, vol. 11, no. 6, p. 101, May 2023, doi: 10.3390/risks11060101.




DOI: https://doi.org/10.55340/jiu.v15i1.2711

Refbacks

  • There are currently no refbacks.


__________________________________________________________________________________________________________________________________________________

SK Accreditation No. 286/DST/C3/HM.01.00/2026 Tanggal 7 April 2026

Editorial Address :

Program Studi Teknik Informatika, Fakultas Teknik, Universitas Dayanu Ikhsanuddin Jl. Dayanu Ikhsanuddin no.124 Baubau, Sulawesi Tenggara 

Jurnal Informatika by Program Studi Teknik Informatika, Fakultas Teknik, Universitas Dayanu Ikhsanuddin Baubau, Indonesia is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Based on work at https://ejournal.unidayan.ac.id/index.php/JIU