Integrated Methodology for Information Security Risk Management using ISO 27005:2018 and NIST SP 800-30 for Insurance Sector

The development of Information and Communication Technology (ICT) in the Industrial Revolution 4.0 era has been very fast and disruptive, encouraging greater use of Information Technology (IT) services within organizations. This growth, however, also creates vulnerabilities in, and threats to, the information systems an organization owns. Plans and strategies are required to implement information security risk management that addresses those vulnerabilities when threat events occur. This research is a case study of an Enterprise Resource Planning system in the insurance sector. The proposed methodology integrates ISO/IEC 27005:2018 as the risk management framework with NIST SP 800-30 Rev. 1 as the guidance for risk assessment. In the risk evaluation stage, the results of the risk analysis are compared with the risk criteria to determine whether each risk rating is acceptable or tolerable. Risk treatment and controls are selected using the ISO/IEC 27002:2022 framework.

Keywords—Risk management; information security; ISO/IEC 27005; NIST SP 800-30; ISO/IEC 27002
