The principle that "information is an organizational asset" has been recognized by almost all organizations. As organizations rely more and more on technology, threats to information become increasingly significant. Threats can be accidental, unintentional, or intentional (from those who intend to steal information). The problem is that as we become more and more interconnected, an information leak in one place can instantly spread around the world, so the risk of information leakage becomes very high.
In this regard, Indonesia Clearing House (ICH), as a futures clearing house, continues to strive to become a futures clearing house with international security standards and has implemented a comprehensive ISO 27001 program, which has now entered the third stage of the audit cycle.
Once the certification body issues an ISO 27001 certificate to an organization, the certificate is valid for a period of three years, during which the certification body conducts surveillance audits to evaluate whether the organization is implementing the ISMS properly and whether the necessary improvements are being made.
ISO/IEC 27001 is widely known for providing the requirements for information security management systems (ISMS), although there are more than a dozen standards in the ISO/IEC 27000 family. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and was revised in 2013. Implementing it allows organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to them by third parties.
In Indonesia, the government also pays special attention to the security of personal data, especially given today's rapid growth of online technology. This must be addressed in order to realize good governance, or Good Corporate Governance (GCG). Therefore, Indonesia, through the National Standardization Agency (BSN), has adopted SNI ISO/IEC 27001:2013.
ISO 27001 provides a framework to help organizations of any size or industry protect their information in a systematic and cost-effective way through the implementation of an Information Security Management System (ISMS). The appointed standardization agency is not merely a consultant: most organizations want certification to ISO 27001 so that they can demonstrate to regulators, customers and partners that their operational standards have maximized data protection.
The basic objective of ISO 27001 is to protect three aspects of information:
Protecting an organization's information also plays a very important role in its successful management and smooth operation. By obtaining ISO 27001 certification, organizations can generally obtain many benefits, including:
The implementation of ISO 27001 in a company requires cooperation from all parts of the company, at the top, middle and bottom levels alike. The specifications in this standard cover documentation, management responsibilities, information system audits, continual improvement, and preventive and corrective actions in the company's information security system. ISO 27001 specifies the minimum set of policies, procedures, plans, records and other documented information required for compliance.
In practice, to achieve ISO 27001 implementation and certification of its controls, several things need to be comprehensively addressed by each organization, such as:
ISO 27001 controls (also known as safeguards) consist of 114 controls in 14 groups and 35 control categories. In general, the main controls of ISO 27001 include the following:
by: Risk Management, Indonesia Clearing House