1. Introduction to ISO 27001
ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS): a systematic framework for managing information security within an organization. The standard is developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The current edition is ISO/IEC 27001:2022, released in October 2022, which replaces the 2013 edition. The new edition brings significant changes, chiefly to Annex A, which was restructured from 114 controls into 93 controls grouped under 4 main themes.
Why Does ISO 27001 Matter?
| Benefit | Explanation |
|---|---|
| Data protection | Protects the organization's sensitive data from internal and external threats |
| Customer trust | Demonstrates a commitment to information security, which builds trust |
| Regulatory compliance | Helps meet the requirements of GDPR, UU PDP, PCI DSS and other regulations |
| Risk reduction | A structured approach to identifying and managing security risks |
| Competitiveness | ISO 27001 certification is a requirement in B2B tenders |
| Security culture | Builds an information security culture across the whole organization |
| Business continuity | Ensures business continuity through effective risk management |
ISO 27001 within the ISO 27000 Family of Standards
| Standard | Focus |
|---|---|
| ISO 27000 | Overview and vocabulary: definitions of terms |
| ISO 27001 | ISMS requirements: the requirements for certification |
| ISO 27002 | Code of practice: guidance on implementing the controls |
| ISO 27005 | Information security risk management |
| ISO 27017 | Cloud security controls |
| ISO 27018 | Protection of PII in the cloud |
| ISO 27701 | Privacy information management (GDPR) |
| ISO 22301 | Business continuity management |
[Diagram: the ISMS inside the organization. Context of the Organization (Clause 4, understanding the internal and external context) feeds the ISMS, which runs the PDCA cycle (PLAN: risk assessment, policy, objectives; DO: implement, train, operate; CHECK: audit, monitor, review; ACT: improve, correct) alongside the 93 Annex A controls in 4 themes: Organizational, People, Physical, Technological.]
2. ISMS: Information Security Management System
An ISMS is a framework of policies, procedures, guidelines and associated resources used to manage information security risk. An ISMS is not merely a technology tool; it is a holistic approach that covers people, process and technology.
2.1 The Three Pillars of Information Security (CIA Triad)
| Pillar | Description | Examples |
|---|---|---|
| Confidentiality | Information can only be accessed by authorised parties | Data encryption, access control, data classification |
| Integrity | Information is accurate, complete and not modified without authorisation | Hash verification, digital signatures, audit trails |
| Availability | Information is available when authorised parties need it | Backup, redundancy, disaster recovery, DDoS protection |
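The Integrity row lists hash verification and audit trails as examples. The following added example (not code from the original page) shows the difference that matters in practice between an unkeyed hash, which only detects accidental corruption, and a keyed HMAC, which also detects deliberate tampering by someone who can rewrite both the record and its stored checksum. The audit record, the key and the tampering scenario are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample: one audit-trail record of the kind an ISMS retains as evidence.
RECORD = {"event": "login", "user": "alice", "result": "success",
          "ts": "2026-01-15T09:00:00Z"}
# Hypothetical secret held only by the log server, never by the systems writing records.
INTEGRITY_KEY = b"constructed-example-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Serialise deterministically so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record: dict) -> str:
    """Unkeyed SHA-256: anyone can recompute it, so it only catches accidental change."""
    return hashlib.sha256(canonical(record)).hexdigest()


def tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed HMAC-SHA256: cannot be recomputed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_digest(record: dict, stored_digest: str) -> bool:
    return hmac.compare_digest(digest(record), stored_digest)


def verify_tag(record: dict, stored_tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(tag(record, key), stored_tag)


def tamper_demo() -> dict:
    """An insider rewrites the record and recomputes the unkeyed hash; only the HMAC check fails."""
    stored_digest, stored_tag = digest(RECORD), tag(RECORD)
    forged = dict(RECORD, result="failure")
    forged_digest = digest(forged)  # the attacker can recompute this freely
    return {
        "original_ok": verify_digest(RECORD, stored_digest) and verify_tag(RECORD, stored_tag),
        "hash_detects_forgery": verify_digest(forged, forged_digest) is False,
        "hmac_detects_forgery": verify_tag(forged, stored_tag) is False,
    }


if __name__ == "__main__":
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

The unkeyed check passes on the forged record because the forger simply stored a new hash next to it; the keyed check fails because the tag cannot be recomputed without the key. Digital signatures generalise the same idea with a key pair, so the verifier needs no secret at all.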
2.2 ISMS Components
The main components of an ISMS:
1. INFORMATION SECURITY POLICY
   - High-level information security policy
   - Approved by top management
   - Sets the security objectives and framework
2. RISK ASSESSMENT & TREATMENT
   - Identify information assets
   - Identify threats and vulnerabilities
   - Analyse and evaluate risks
   - Select controls to manage the risks
3. STATEMENT OF APPLICABILITY (SoA)
   - List of the controls selected from Annex A
   - Justification for each selection or exclusion
   - Implementation status of each control
4. RISK TREATMENT PLAN (RTP)
   - Plan for implementing the selected controls
   - Timeline, responsible owner, budget
   - Milestones and targets
5. SECURITY CONTROLS
   - Technical controls (firewall, encryption, etc.)
   - Managerial controls (policies, procedures, etc.)
   - Physical controls (access control, CCTV, etc.)
   - People controls (training, awareness, etc.)
6. INTERNAL AUDIT PROGRAM
   - Periodic audits of the ISMS implementation
   - Verification of conformity with the standard
   - Identification of non-conformities
7. MANAGEMENT REVIEW
   - Periodic review by top management
   - Evaluation of ISMS effectiveness
   - Decisions on improvements and resource allocation
8. CONTINUAL IMPROVEMENT
   - PDCA cycle: continuously improving the ISMS
   - Learning from incidents
   - Benchmarking against best practices
3. The PDCA Cycle & ISO 27001 Clauses
3.1 Structure of the ISO 27001:2022 Clauses
ISO 27001 uses the same High-Level Structure (HLS) as other ISO management system standards. This shared structure makes it easier to integrate with standards such as ISO 9001 (Quality) and ISO 22301 (Business Continuity).
| Clause | Title | Description |
|---|---|---|
| 4 | Context of the Organization | Understanding the organization's context, interested parties and the ISMS scope |
| 5 | Leadership | Top management commitment, security policy and assignment of roles |
| 6 | Planning | Addressing risks, setting security objectives and planning changes |
| 7 | Support | Resources, competence, awareness, communication and documented information |
| 8 | Operation | Operational implementation: risk assessment, risk treatment and controls |
| 9 | Performance Evaluation | Monitoring, measurement, analysis, internal audit and management review |
| 10 | Improvement | Nonconformity, corrective action and continual improvement |
```text
                  ┌───────────────────┐
                  │       PLAN        │
                  │                   │
                  │ • Context (Cl.4)  │
                  │ • Leadership (5)  │
                  │ • Planning (6)    │
                  │ • Support (7)     │
                  │ • Risk Assessment │
                  └────────┬──────────┘
                           │
         ┌─────────────────┼─────────────────┐
         │                 │                 │
┌────────▼─────────┐       │       ┌─────────────▼────────┐
│       ACT        │       │       │          DO          │
│                  │       │       │                      │
│ • Improvement    │       │       │ • Implement Controls │
│ • Corrective     │       │       │ • Operate ISMS       │
│   Actions        │       │       │ • Training           │
│ • Lessons Learned│       │       │ • Security Operations│
└──────────────────┘       │       └──────────────────────┘
         │                 │                 │
         │      ┌──────────▼──────────┐      │
         │      │        CHECK        │      │
         │      │                     │      │
         └──────│ • Internal Audit    │──────┘
                │ • Monitoring        │
                │ • Management Review │
                │ • Performance KPIs  │
                └─────────────────────┘
```
3.2 Clause 4: Context of the Organization
```python
# ============================================
# CLAUSE 4: CONTEXT OF THE ORGANIZATION
# ============================================

# 4.1 Understanding the Organization and Its Context
# Identify the internal and external factors that affect the ISMS
INTERNAL_FACTORS = {
    "organizational_structure": "Struktur organisasi, departemen, unit bisnis",
    "culture": "Budaya organisasi — attitude terhadap keamanan",
    "resources": "SDM, anggaran, teknologi yang tersedia",
    "existing_controls": "Kontrol keamanan yang sudah ada",
    "contracts": "Kontrak dengan pihak ketiga, SLA",
    "maturity": "Tingkat kematangan keamanan saat ini",
}

EXTERNAL_FACTORS = {
    "regulations": "UU PDP, UU ITE, OJK, BI, regulasi sektor",
    "market": "Persaingan pasar, kebutuhan pelanggan",
    "threats": "Lanskap ancaman cyber saat ini",
    "technology": "Perkembangan teknologi dan tren",
    "partners": "Ekosistem mitra bisnis dan supply chain",
    "geopolitics": "Faktor geopolitik yang mempengaruhi operasi",
}

# 4.2 Interested Parties
# Identify the parties with an interest in the ISMS and what they need from it
INTERESTED_PARTIES = [
    {"party": "Top Management", "needs": "Governance, risk reporting, ROI"},
    {"party": "Employees", "needs": "Training, tools, clear policies"},
    {"party": "Customers", "needs": "Data protection, service availability"},
    {"party": "Regulators", "needs": "Compliance, audit trails, reporting"},
    {"party": "Partners/Vendors", "needs": "Integration security, SLA"},
    {"party": "Shareholders", "needs": "Risk management, brand protection"},
]

# 4.3 Scope of ISMS
# Define the boundaries of the ISMS: what is in, what is out, and where it runs
ISMS_SCOPE = {
    "in_scope": [
        "Sistem informasi departemen IT",
        "Data pelanggan dan data pribadi",
        "Infrastructure cloud dan on-premise",
        "Aplikasi bisnis utama",
        "Jaringan kantor pusat dan cabang",
    ],
    "out_of_scope": [
        "Sistem pihak ketiga yang dikelola vendor",
        "Proyek pengembangan yang belum di-deploy",
    ],
    "physical_locations": [
        "Kantor pusat — Jakarta",
        "Data center — BSD",
        "Kantor cabang — Surabaya, Bandung",
    ],
}
```
4. Risk Assessment & Treatment
Risk assessment is the heart of ISO 27001. Without a sound risk assessment process, an organization cannot know which controls it needs to implement, or why.
4.1 Risk Assessment Process
```python
# ============================================
# ISO 27001 RISK ASSESSMENT PROCESS
# ============================================

# STEP 1: IDENTIFY INFORMATION ASSETS
# ==========================================
ASSETS = [
    {
        "id": "A001",
        "name": "Database Pelanggan",
        "type": "Digital",
        "owner": "Head of IT",
        "classification": "Confidential",
        "description": "Database utama berisi data pribadi pelanggan",
        "location": "Cloud AWS - ap-southeast-1",
    },
    {
        "id": "A002",
        "name": "Sistem ERP",
        "type": "Application",
        "owner": "Head of Finance",
        "classification": "Confidential",
        "description": "Sistem Enterprise Resource Planning",
        "location": "On-premise data center",
    },
    {
        "id": "A003",
        "name": "Email Server",
        "type": "Infrastructure",
        "owner": "Head of IT",
        "classification": "Internal",
        "description": "Server email korporat",
        "location": "Microsoft 365",
    },
    {
        "id": "A004",
        "name": "Backup Media",
        "type": "Physical",
        "owner": "IT Operations",
        "classification": "Confidential",
        "description": "Media backup external",
        "location": "Safe deposit box",
    },
]

# STEP 2: IDENTIFY THREATS & VULNERABILITIES
# ==========================================
THREATS = [
    {"id": "T001", "name": "Ransomware Attack", "category": "Malicious"},
    {"id": "T002", "name": "Insider Threat", "category": "Human"},
    {"id": "T003", "name": "DDoS Attack", "category": "Technical"},
    {"id": "T004", "name": "Natural Disaster", "category": "Environmental"},
    {"id": "T005", "name": "Data Breach", "category": "Technical"},
    {"id": "T006", "name": "Social Engineering", "category": "Human"},
]

VULNERABILITIES = [
    {"id": "V001", "name": "Unpatched Systems", "asset": "A001"},
    {"id": "V002", "name": "Weak Access Control", "asset": "A002"},
    {"id": "V003", "name": "No Security Awareness Training", "asset": "All"},
    {"id": "V004", "name": "Lack of Backup Testing", "asset": "A004"},
]

# STEP 3: RISK ANALYSIS
# ==========================================
# Risk = Likelihood x Impact
LIKELIHOOD_SCALE = {
    1: "Sangat Rendah — hampir tidak mungkin terjadi",
    2: "Rendah — bisa terjadi tapi jarang",
    3: "Sedang — bisa terjadi sewaktu-waktu",
    4: "Tinggi — kemungkinan besar terjadi",
    5: "Sangat Tinggi — hampir pasti terjadi",
}

IMPACT_SCALE = {
    1: "Tidak Signifikan — dampak minimal",
    2: "Minor — dampak kecil, bisa ditangani",
    3: "Moderate — dampak sedang, mempengaruhi operasi",
    4: "Major — dampak besar, mempengaruhi bisnis",
    5: "Critical — dampak kritis, mengancam kelangsungan bisnis",
}

RISK_MATRIX = {
    # Format: (likelihood, impact) → risk level
    (5, 5): "CRITICAL (25)", (5, 4): "HIGH (20)", (5, 3): "HIGH (15)",
    (5, 2): "MEDIUM (10)", (5, 1): "LOW (5)",
    (4, 5): "HIGH (20)", (4, 4): "HIGH (16)", (4, 3): "MEDIUM (12)",
    (4, 2): "MEDIUM (8)", (4, 1): "LOW (4)",
    (3, 5): "HIGH (15)", (3, 4): "MEDIUM (12)", (3, 3): "MEDIUM (9)",
    (3, 2): "LOW (6)", (3, 1): "LOW (3)",
    (2, 5): "MEDIUM (10)", (2, 4): "MEDIUM (8)", (2, 3): "LOW (6)",
    (2, 2): "LOW (4)", (2, 1): "LOW (2)",
    (1, 5): "LOW (5)", (1, 4): "LOW (4)", (1, 3): "LOW (3)",
    (1, 2): "LOW (2)", (1, 1): "LOW (1)",
}
```
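The matrix above is hand-written, which is error-prone at 25 cells. The following added example (not code from the original page) derives the same labels from the formula Risk = Likelihood x Impact, so the matrix can be regenerated and checked rather than maintained by hand, and then scores a small risk register built from constructed scenarios that pair the page's assets, threats and vulnerabilities. The level thresholds (25 CRITICAL, 15 to 20 HIGH, 8 to 12 MEDIUM, 1 to 6 LOW) are inferred from the page's matrix; the likelihood and impact ratings in SCENARIOS and the risk appetite value are hypothetical.

```python
from itertools import product

# Thresholds inferred from the page's 5x5 matrix: the first floor a score reaches wins.
LEVEL_THRESHOLDS = ((25, "CRITICAL"), (15, "HIGH"), (8, "MEDIUM"), (1, "LOW"))


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact, both on the 1..5 scales of section 4.1."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers in 1..5")
    return likelihood * impact


def risk_level(likelihood: int, impact: int) -> str:
    """Map a (likelihood, impact) pair to the page's label style, e.g. 'HIGH (20)'."""
    score = risk_score(likelihood, impact)
    for floor, label in LEVEL_THRESHOLDS:
        if score >= floor:
            return f"{label} ({score})"
    raise AssertionError("unreachable: every score is at least 1")


def build_matrix() -> dict:
    """Generate all 25 cells; the result should equal RISK_MATRIX on the page."""
    return {(lk, im): risk_level(lk, im)
            for lk, im in product(range(5, 0, -1), range(5, 0, -1))}


# Constructed scenarios with hypothetical ratings: each pairs a page asset with a
# threat and the vulnerability that makes that threat plausible for the asset.
SCENARIOS = [
    {"risk_id": "R001", "asset": "A001", "threat": "T001", "vulnerability": "V001",
     "likelihood": 4, "impact": 5},
    {"risk_id": "R002", "asset": "A002", "threat": "T002", "vulnerability": "V002",
     "likelihood": 3, "impact": 5},
    {"risk_id": "R003", "asset": "A004", "threat": "T004", "vulnerability": "V004",
     "likelihood": 2, "impact": 4},
    {"risk_id": "R004", "asset": "A003", "threat": "T006", "vulnerability": "V003",
     "likelihood": 3, "impact": 2},
]


def build_register(scenarios: list) -> list:
    """Score every scenario and sort so the highest risks are treated first."""
    register = []
    for scenario in scenarios:
        entry = dict(scenario)
        entry["score"] = risk_score(scenario["likelihood"], scenario["impact"])
        entry["level"] = risk_level(scenario["likelihood"], scenario["impact"])
        register.append(entry)
    return sorted(register, key=lambda e: e["score"], reverse=True)


def needs_treatment(register: list, appetite: int = 6) -> list:
    """Risk IDs whose score exceeds the (hypothetical) appetite and so cannot simply be retained."""
    return [e["risk_id"] for e in register if e["score"] > appetite]


if __name__ == "__main__":
    register = build_register(SCENARIOS)
    for entry in register:
        print(entry["risk_id"], entry["asset"], entry["threat"], entry["level"])
    print("needs treatment:", needs_treatment(register))
```

R001 and R002 come out as HIGH (20) and HIGH (15), matching the inherent risk recorded for them in the treatment plan of section 4.2; the appetite threshold of 6 follows the page's LOW band, so anything MEDIUM or above goes to treatment.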
4.2 Risk Treatment
ISO 27001 defines 4 risk treatment options:
1. MODIFY (Mitigate): reduce the risk with controls
   - Example: implement a firewall to reduce the DDoS risk
   - The most commonly used option; it maps directly to the Annex A controls
2. AVOID: stop the activity that gives rise to the risk
   - Example: do not store credit card data if it is not needed
   - Suitable for risks that are too high and uneconomical to treat
3. SHARE: transfer the risk to another party
   - Example: cyber insurance, outsourcing to a managed security provider
   - The risk does not disappear, but the financial impact is transferred
4. RETAIN: accept the risk (within the risk appetite)
   - Example: accepting a minor risk whose mitigation would cost more than the risk itself
   - Must be documented and approved by management
Example risk treatment plan:
```python
# ===== EXAMPLE RISK TREATMENT PLAN =====
RISK_TREATMENT = [
    {
        "risk_id": "R001",
        "risk": "Ransomware mengenkripsi database pelanggan",
        "inherent_risk": "HIGH (20)",
        "treatment": "MODIFY",
        "controls": [
            "A.8.13 — Information backup",
            "A.8.7 — Protection against malware",
            "A.5.29 — ICT readiness for business continuity",
        ],
        "residual_risk": "MEDIUM (8)",
        "owner": "CISO",
        "deadline": "2026-Q3",
        "budget": "Rp 500.000.000",
    },
    {
        "risk_id": "R002",
        "risk": "Data breach dari insider threat",
        "inherent_risk": "HIGH (15)",
        "treatment": "MODIFY",
        "controls": [
            "A.6.1 — Screening",
            "A.6.2 — Terms and conditions of employment",
            "A.6.6 — Confidentiality or NDA agreements",
            "A.8.3 — Information access restriction",
            "A.8.15 — Logging",
        ],
        "residual_risk": "LOW (4)",
        "owner": "CISO + HR",
        "deadline": "2026-Q2",
        "budget": "Rp 200.000.000",
    },
]
```
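Section 2.2 lists the Statement of Applicability (SoA) as the document that records which Annex A controls were selected, why, and their status, and the treatment plan above is where those selections come from. The following added example (not code from the original page) derives an SoA from a risk treatment plan and runs the consistency checks an internal auditor applies to such a plan: residual risk must not exceed inherent risk, MODIFY must list controls, every control reference must exist in the catalogue, and a RETAIN decision must carry documented management approval. ANNEX_A_SUBSET is a constructed subset of the page's control list; R001 and R002 reuse the page's plan, and R003 is a hypothetical RETAIN entry added to exercise the approval check. The approved_by field and the appetite value are assumptions, not part of the page's data model.

```python
import re

# Constructed subset of the Annex A catalogue (IDs and names as listed on the page).
ANNEX_A_SUBSET = {
    "A.5.29": "ICT readiness for business continuity",
    "A.6.1": "Screening",
    "A.6.2": "Terms and conditions of employment",
    "A.6.6": "Confidentiality or NDA agreements",
    "A.8.3": "Information access restriction",
    "A.8.7": "Protection against malware",
    "A.8.13": "Information backup",
    "A.8.15": "Logging",
    "A.8.24": "Use of cryptography",
}

RISK_TREATMENT = [
    {"risk_id": "R001", "inherent_risk": "HIGH (20)", "treatment": "MODIFY",
     "controls": ["A.8.13 — Information backup", "A.8.7 — Protection against malware",
                  "A.5.29 — ICT readiness for business continuity"],
     "residual_risk": "MEDIUM (8)", "owner": "CISO"},
    {"risk_id": "R002", "inherent_risk": "HIGH (15)", "treatment": "MODIFY",
     "controls": ["A.6.1 — Screening", "A.6.2 — Terms and conditions of employment",
                  "A.6.6 — Confidentiality or NDA agreements",
                  "A.8.3 — Information access restriction", "A.8.15 — Logging"],
     "residual_risk": "LOW (4)", "owner": "CISO + HR"},
    # Hypothetical entry: a retained risk with no documented management approval.
    {"risk_id": "R003", "inherent_risk": "LOW (6)", "treatment": "RETAIN",
     "controls": [], "residual_risk": "LOW (6)", "owner": "CISO"},
]

SCORE_RE = re.compile(r"\((\d+)\)")


def score_of(level: str) -> int:
    """Extract the numeric score from a label such as 'HIGH (20)'."""
    match = SCORE_RE.search(level)
    if match is None:
        raise ValueError(f"no score in risk label: {level!r}")
    return int(match.group(1))


def control_id(ref: str) -> str:
    """'A.8.13 — Information backup' -> 'A.8.13'."""
    return ref.split()[0]


def build_soa(rtp: list, catalogue: dict) -> dict:
    """One SoA row per catalogue control; applicable iff some treated risk selects it."""
    soa = {}
    for cid, name in catalogue.items():
        risks = [e["risk_id"] for e in rtp
                 if cid in {control_id(c) for c in e["controls"]}]
        if risks:
            justification = "Selected by risk treatment of " + ", ".join(risks)
            status = "Planned"
        else:
            justification = "No identified risk requires this control (exclusion to be justified)"
            status = "Not applicable"
        soa[cid] = {"name": name, "applicable": bool(risks),
                    "justification": justification, "status": status}
    return soa


def validate_rtp(rtp: list, catalogue: dict, appetite: int = 6) -> list:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings = []
    for e in rtp:
        rid = e["risk_id"]
        inherent, residual = score_of(e["inherent_risk"]), score_of(e["residual_risk"])
        if residual > inherent:
            findings.append(f"{rid}: residual risk exceeds inherent risk")
        if e["treatment"] == "MODIFY" and not e["controls"]:
            findings.append(f"{rid}: MODIFY selected but no controls listed")
        if e["treatment"] == "RETAIN":
            if not e.get("approved_by"):
                findings.append(f"{rid}: RETAIN without documented management approval")
            if residual > appetite:
                findings.append(f"{rid}: retained risk is above the risk appetite")
        for ref in e["controls"]:
            if control_id(ref) not in catalogue:
                findings.append(f"{rid}: unknown control {control_id(ref)}")
    return findings


if __name__ == "__main__":
    for cid, row in build_soa(RISK_TREATMENT, ANNEX_A_SUBSET).items():
        print(cid, row["status"], "-", row["justification"])
    print("findings:", validate_rtp(RISK_TREATMENT, ANNEX_A_SUBSET))
```

Run as-is, the only finding is the missing approval on R003; adding an approved_by value clears it. A.8.24 appears in the SoA as not applicable with a placeholder justification, which is exactly the row an auditor will ask the control owner to defend.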
5. Annex A: 93 Security Controls (2022)
Annex A of ISO 27001:2022 was substantially restructured compared with the 2013 edition. The controls previously spread across 14 domains are now grouped under 4 main themes:
| Theme | Number of controls | Focus |
|---|---|---|
| 5 — Organizational Controls | 37 controls | Policies, governance, asset management, supply chain |
| 6 — People Controls | 8 controls | HR, screening, training, awareness, disciplinary process |
| 7 — Physical Controls | 14 controls | Physical security, perimeter, equipment, media handling |
| 8 — Technological Controls | 34 controls | Access control, cryptography, networks, development |
5.1 New Controls in ISO 27001:2022
| Control ID | Control name | Theme |
|---|---|---|
| A.5.7 | Threat Intelligence | Organizational |
| A.5.23 | Information Security for Cloud Services | Organizational |
| A.5.30 | ICT Readiness for Business Continuity | Organizational |
| A.7.4 | Physical Security Monitoring | Physical |
| A.8.9 | Configuration Management | Technological |
| A.8.10 | Information Deletion | Technological |
| A.8.11 | Data Masking | Technological |
| A.8.12 | Data Leakage Prevention | Technological |
| A.8.16 | Monitoring Activities | Technological |
| A.8.23 | Web Filtering | Technological |
| A.8.28 | Secure Coding | Technological |
6. Annex A Controls by Theme
6.1 Organizational Controls (A.5)
Annex A.5 — Organizational Controls (37)
Policies for information security:
- A.5.1 — Policies for information security
- A.5.2 — Information security roles and responsibilities
- A.5.3 — Segregation of duties
- A.5.4 — Management responsibilities
Organization of information security:
- A.5.5 — Contact with authorities
- A.5.6 — Contact with special interest groups
- A.5.7 — Threat intelligence [NEW]
- A.5.8 — Information security in project management
- A.5.9 — Inventory of information and assets
- A.5.10 — Acceptable use of information assets
- A.5.11 — Return of assets
- A.5.12 — Classification of information
- A.5.13 — Labelling of information
- A.5.14 — Information transfer
People controls (included under organizational):
- A.5.15 — Access control
- A.5.16 — Identity management
- A.5.17 — Authentication information
- A.5.18 — Access rights
- A.5.19 — Information security in supplier relationships
- A.5.20 — Addressing information security within supplier agreements
- A.5.21 — Managing information security in the ICT supply chain
- A.5.22 — Monitoring, review, and change management of supplier services
- A.5.23 — Information security for cloud services [NEW]
- A.5.24 — Incident management planning and preparation
- A.5.25 — Assessment and decision on information security events
- A.5.26 — Response to information security incidents
- A.5.27 — Learning from information security incidents
- A.5.28 — Collection of evidence
- A.5.29 — ICT readiness for business continuity [NEW]
- A.5.30 — Legal, statutory, regulatory, and contractual requirements
- A.5.31 — Intellectual property rights
- A.5.32 — Protection of records
- A.5.33 — Privacy and protection of PII
- A.5.34 — Information security independent review
- A.5.35 — Compliance with policies, rules, and standards
- A.5.36 — Documented operating procedures
- A.5.37 — Change management
6.2 Technological Controls (A.8)
Annex A.8 — Technological Controls (34)
- A.8.1 — User endpoint devices
- A.8.2 — Privileged access rights
- A.8.3 — Information access restriction
- A.8.4 — Access to source code
- A.8.5 — Secure authentication
- A.8.6 — Capacity management
- A.8.7 — Protection against malware
- A.8.8 — Management of technical vulnerabilities
- A.8.9 — Configuration management [NEW]
- A.8.10 — Information deletion [NEW]
- A.8.11 — Data masking [NEW]
- A.8.12 — Data leakage prevention [NEW]
- A.8.13 — Information backup
- A.8.14 — Redundancy of information processing facilities
- A.8.15 — Logging
- A.8.16 — Monitoring activities [NEW]
- A.8.17 — Clock synchronization
- A.8.18 — Use of privileged utility programs
- A.8.19 — Installation of software on operational systems
- A.8.20 — Networks security
- A.8.21 — Security of network services
- A.8.22 — Segregation of networks
- A.8.23 — Web filtering [NEW]
- A.8.24 — Use of cryptography
- A.8.25 — Secure development life cycle
- A.8.26 — Application security requirements
- A.8.27 — Secure system architecture and engineering principles
- A.8.28 — Secure coding [NEW]
- A.8.29 — Security testing in development and acceptance
- A.8.30 — Outsourced development
- A.8.31 — Separation of development, test, and production environments
- A.8.32 — Change management
- A.8.33 — Test information
- A.8.34 — Protection of information during audit testing
7. ISMS Documents & Requirements
7.1 Mandatory ISO 27001 Documents
| Document | Clause | Notes |
|---|---|---|
| Scope of ISMS | 4.3 | Scope of the ISMS |
| Information Security Policy | 5.2 | Information security policy |
| Risk Assessment Process | 6.1.2 | Risk assessment methodology |
| Risk Treatment Process | 6.1.3 | Risk treatment methodology |
| Statement of Applicability (SoA) | 6.1.3 d | List of controls and their implementation status |
| Risk Treatment Plan | 6.1.3 e | Control implementation plan |
| Security Objectives | 6.2 | Measurable information security objectives |
| Competence Evidence | 7.2 | Evidence of security staff competence |
| Operational Planning & Control | 8.1 | Operational procedures |
| Risk Assessment Results | 8.2 | Risk assessment results |
| Monitoring & Measurement Results | 9.1 | Security monitoring results |
| Internal Audit Program | 9.2 | Internal audit programme |
| Management Review Results | 9.3 | Management review results |
| Nonconformities & Corrective Actions | 10.2 | Nonconformities and corrective actions |
8. ISO 27001 Certification Process
8.1 Certification Stages
The ISO 27001 certification process runs through six phases:
1. Phase 1: Gap Analysis (optional but recommended)
   - Identify the gaps between the current state and the standard
   - Estimate time and cost
   - Prioritise implementation
2. Phase 2: ISMS Implementation (6-18 months)
   - Build the ISMS according to Clauses 4-10
   - Implement the Annex A controls
   - Complete the documentation
   - Training & awareness
   - Risk assessment & treatment
   - Internal audit (at least one full cycle)
   - Management review
3. Phase 3: Stage 1 Audit (documentation)
   - The external auditor reviews the documentation
   - Verification of Clauses 4-10
   - Identification of major non-conformities
   - Duration: 2-5 days
   - Outcome: PASS or NON-CONFORMITY
4. Phase 4: Stage 2 Audit (implementation)
   - The auditor verifies implementation on site
   - Employee interviews, process observation
   - Review of the evidence for control implementation
   - Duration: 5-15 days (depending on organization size)
   - Outcome: CERTIFICATION or NON-CONFORMITY
5. Phase 5: Surveillance Audit (annual)
   - Surveillance audits in years 1 and 2
   - Confirms the ISMS remains effective
   - Duration: shorter than the Stage 2 audit
   - The certificate is withdrawn on failure
6. Phase 6: Re-certification (every 3 years)
   - Full re-audit every 3 years
   - Review of the entire ISMS
   - Certificate renewal
8.2 Cost & Timeline Estimates
| Item | Small organization (<50 employees) | Medium organization (50-500) | Large organization (>500) |
|---|---|---|---|
| Gap analysis | Rp 50-100 million | Rp 100-250 million | Rp 250-500 million |
| Implementation | 6-9 months | 9-15 months | 12-18 months |
| Certification audit | Rp 80-150 million | Rp 150-400 million | Rp 400-800 million |
| Surveillance (annual) | Rp 40-80 million | Rp 80-200 million | Rp 200-400 million |
| Consultant | Rp 100-300 million | Rp 300-800 million | Rp 800-2000 million |
9. Implementation Best Practices
- Get top management buy-in: without leadership commitment the project will fail
- Start with a gap analysis: understand the current position before starting implementation
- Use an experienced consultant: an investment that saves time and money
- Don't over-engineer: implement in phases and focus on the high risks first
- Automate documentation: use GRC tools to manage documents and audits
- Continuous training: awareness is more than an annual training session
- Regular internal audits: at least once a year, before the surveillance audit
- Measurement & KPIs: measure control effectiveness with clear metrics
- Involve every department: security is everyone's responsibility
- Sufficient documentation: not excessive, but enough to meet the standard's requirements
10. Comprehension Quiz
Test your understanding of ISO 27001: