
ISO 27000 Management System Standard

DEVELOPMENT OF ISO 27000

Since the first publication of ISO/IEC 17799 in December 2000, ISO/IEC has been continuously
working on standardizing information security management practices and requirements.
Subsequently, the publication of ISO/IEC 27001 on "Information Security Management System
(ISMS) requirements" and the revision of ISO/IEC 17799 in 2005 were the major milestones in
the development of information security management standardization.

The ISO/IEC 27000 Series is also known as the "ISMS Family of Standards" or, in short,
"ISO27K". The ISO 27000 Series has been reserved by ISO specifically for matters related to
information security. The ISO 27000 Series provides recommendations on information security
management, risks and controls within the context of an overall Information Security
Management System (ISMS); in terms of design, the ISO 27000 Series is similar to the
management systems for quality assurance (ISO 9000 Series) and environmental protection
(ISO 14000 Series).

For a closer look at the development of the ISO 27000 family, please refer to the Summary of
the ISO 27000 Series.

ISO 27000: Information security management systems — Overview and vocabulary, contains the
definitions of information security terms used as basic terminology throughout the ISO 27000 series.

ISO 27001: Information security management systems — Requirements, contains the supporting
aspects for implementing an organization's ISMS.

ISO 27002: Code of practice for information security management. Related to the ISO 27001
document, this document contains a practical guide for implementing an organization's ISMS.

ISO 27003: Information security management system implementation guidance.

ISO 27004: Information security management — Measurement.

ISO 27005: Information security risk management.

ISO 27006: Requirements for bodies providing audit and certification of information security
management systems.

ISO 27007: Guidelines for information security management systems auditing (focused on the
management system).

ISO 27008: Guidance for auditors on ISMS controls (focused on the information security
controls) – In preparation.

ISO 27010: Information technology — Security techniques — Information security management
for intersector and inter-organisational communications – In preparation.

ISO 27011: Information security management guidelines for telecommunications organizations
based on ISO 27002.

ISO 27013: Information technology — Security techniques — Guidelines on the integrated
implementation of ISO/IEC 27001 and ISO/IEC 20000-1.

ISO 27014: Information security governance framework.

ISO 27015: Information security management guidelines for the finance and insurance sectors.

ISO 27016: Information technology — Security techniques — Information security management
— Organizational economics.

ISO 27017: The suggestion was that ISO 27010 through ISO 27019 will all cover information
security within specific fields and industries – subject to change.

ISO 27018: The suggestion was that ISO 27010 through ISO 27019 will all cover information
security within specific fields and industries - subject to change.

ISO 27019: The suggestion was that ISO 27010 through ISO 27019 will all cover information
security within specific fields and industries - subject to change.

ISO 27020:2010-12 : Dentistry – Brackets and tubes for use in orthodontics … it is not part of
the ISO 27000 series family.

ISO 27025:2010 : Space systems — Programme management — Quality assurance
requirements … it is not part of the ISO 27000 series family.

ISO 27026:2011 : Space systems — Programme management — Breakdown of project
management structures … it is not part of the ISO 27000 series family.

ISO 27027:2008 : Aerospace — Solid-state remote power controllers — General performance
requirements … it is not part of the ISO 27000 series family.

ISO 27031: Guidelines for information and communications technology readiness for business
continuity – In preparation.

ISO 27032: Information technology — Security techniques — Guidelines for cybersecurity.

ISO 27033-1: Information technology — Security techniques — Network security. Part 1:
Overview and Concepts.

ISO 27033-2.2 : Information technology — Security techniques — Network security. Part 2:
Guidelines for the design and implementation of network security.

ISO 27033-3 : Information technology — Security techniques — Network security — Part 3:
Reference networking scenarios — Threats, design techniques and control issues.

ISO 27033-4 : Information technology — Security techniques — Network security — Part 4:
Securing communications between networks using security gateways.

ISO 27033-5 : Information technology — Security techniques — Network security — Part 5:
Securing communications across networks using Virtual Private Networks (VPNs).

ISO 27033-6 : Information technology — Security techniques — Network security — Part 6:
Securing IP network access using wireless.

ISO 27033-7 : Information technology — Security techniques — Network security — Part 7:
Wireless.

ISO 27034-1 : Information technology — Security techniques — Application security — Part 1:
Overview and concepts.

ISO 27034-2 : Application security — Part 2: Organization normative framework.

ISO 27034-3 : Application security — Part 3: Application security management process.

ISO 27034-4 : Application security — Part 4: Application security validation.

ISO 27034-5 : Application security — Part 5: Protocols and application security controls data
structure.

ISO 27035 : Information technology — Security techniques — Information security incident
management.

ISO 27036-1 : Information technology — Security techniques — Information security for
supplier relationships — Part 1: Overview and concepts.

ISO 27036-2 : Information technology — Security techniques — Information security for
supplier relationships — Part 2: Common requirements.

ISO 27036-3 : Information technology — Security techniques — Information security for
supplier relationships — Part 3: Guidelines for ICT supply chain security.

ISO 27037 : Information technology — Security techniques — Guidelines for identification,
collection, acquisition and preservation of digital evidence – In preparation.

ISO 27038 : Information technology — Security techniques — Specification for Digital
Redaction – In preparation.

ISO 27040 : Information technology — Security techniques — Storage security – In preparation.

ISO 27799: Health informatics — Information security management in health using ISO/IEC
17799.

The purpose of the ISO 27000 management system is to demonstrate clearly and concretely how
management exercises control over information security. ISO 27000 is designed to ensure that
adequate and proportionate security controls are in place to protect information assets and to
give assurance to interested parties.

The benefits of ISO 27000 are:

1. Improved effectiveness of information security.
2. Market differentiation.
3. Increased confidence of business partners, stakeholders and customers.
4. The only globally accepted standard.
5. Demonstrated compliance with applicable regulations and laws.
6. Independent monitoring of information security management.

Requirements of ISO 27001:2005

1. Scope
2. Normative references
3. Terms and definitions
4. Information Security Management System (ISMS)
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement
9. Annex A: Control objectives
10. Annex B: OECD principles and ISO 27001
11. Annex C: Correspondence with ISO 9001 and ISO 14001
