Author:
Aldya A P, Sutikno S, Rosmansyah Y
Abstract
One of the keys to the successful implementation of information security management in an organization is the selection and implementation of information security management system controls that are sound and match the needs of the organization. These controls can be adopted from the ISO/IEC 27001:2013 standard. To ensure the success of information security controls, it is necessary to measure the effectiveness of each control applied. SNI ISO/IEC 27004:2013 is a standard that provides guidance on the development and use of measures and measurement to assess the effectiveness of controls and control groups in the information security management system, as stated in the ISO/IEC 27001 standard. However, the measurement process requires measurement objects, attributes, and metrics, which are not explained in detail in the ISO/IEC 27004:2013 standard. This study aims to assist in measuring the effectiveness of information security management controls by generating a flow of steps for determining the measurement objects and parameters and the metrics used, based on the provisions contained in the ISO/IEC 27004:2013 standard.
Cited by
7 articles.