CHECKLIST IMPLEMENTASI ISO 27001:2013

Dokumentasi
Klausul ISO 27001:2013 Prasyarat Standar ISO 27001:2013 Bukti Pelaksanaan / Records Aktivitas
(Kebijakan/Pedoman/Prosedur)
4. CONTEXT OF THE ORGANIZATION
The organization shall determine external and
internal issues that are relevant to its purpose and
Understanding the organization
4.1 that affect its ability to achieve the intended 1.
and its context
outcome(s) of its information security management
system

The organization shall determine:

a) interested parties that are relevant to the
Understanding the needs and
4.2 information security management system; and 2.
expectations of interested parties
b) the requirements of these interested parties ISMS Context Organization and
relevant to information security. Scope
The organization shall determine the boundaries and
4.3 Determining the scope of the ISMS applicability of the information security management 3.
system to establish its scope.

The organization shall establish, implement, maintain

Information Security Management and continually improve an information security
4.4 4.
System management system, in accordance with the
requirements of this International Standard.

5. LEADERSHIP

ISMS Policy

Kebijakan / Pedoman / Prosedur

1.
ISMS
The organization shall establish, implement, maintain
and continually improve an information security. Top
5.1 Leadership and commitment management shall demonstrate leadership and
commitment with respect to the information security Bukti pelaksanaan Sosialisasi 2.
management system.

3.

Pengukuran ISMS Objectives 5.

Kebijakan / Pedoman / Prosedur

1.
ISMS
Kebijakan, Pedoman, Prosedur terkait ISMS
Top management shall establish an information di lingkup SQG OCBC-NISP
5.2 Policy
security policy. * Daftar dokumen ada di Document
Controller
 CHECKLIST IMPLEMENTASI ISO 27001:2013

Dokumentasi
Klausul ISO 27001:2013 Prasyarat Standar ISO 27001:2013 Bukti Pelaksanaan / Records Aktivitas
(Kebijakan/Pedoman/Prosedur)
Kebijakan, Pedoman, Prosedur terkait ISMS
Top management shall establish an information di lingkup SQG OCBC-NISP
5.2 Policy Bukti pelaksanaan Sosialisasi 2.
security policy. * Daftar dokumen ada di Document
Controller

Daftar Dokumentasi ISMS 3.

Top management shall ensure that the

Organization Roles and responsibilities and authorities for roles relevant to
5.3 1. Memo Struktur Organisasi ISMS 1.
Responsibility information security are assigned and
communicated.

6. PLANNING
Actions to address risk and
6.1
opportunities

1. Risk Profile
When planning for the information security
management system, the organization shall consider
the issues referred to in 4.1 and the requirements 2. Statement of Applicability (SoA)
6.1.1 General
referred to in 4.2 and determine the risks and
opportunities 3. ISMS Objectives
that need to be addressed
Program Implementasi / Rencana
4.
Kerja ISMS

Information security risk The organization shall define and apply an Risk and Control Self Assessment Sub
6.1.2 Risk Register 1.
assessment information security risk assessment process Policy

The organization shall define and apply an

6.1.3 Information security risk treatment Risk and Control Self Assessment Risk Treatment Plan 1.
information security risk treatment process

ISMS Objectives 1.
Information security objectives and The organization shall establish information security
6.2
planning to achieve them objectives at relevant functions and levels Hasil Pengukuran Pencapaian
2.
ISMS Objectives
7. SUPPORT
The organization shall determine and provide the
resources needed for the establishment,
Struktur Organisasi SGQ & Uraian
7.1 Resources implementation, maintenance and continual Awareness and Communication
Deskipsi Kerja Personil / Pegawai
improvement of the information security
management system.
 CHECKLIST IMPLEMENTASI ISO 27001:2013

Dokumentasi
Klausul ISO 27001:2013 Prasyarat Standar ISO 27001:2013 Bukti Pelaksanaan / Records Aktivitas
(Kebijakan/Pedoman/Prosedur)

The organization shall:

a) determine the necessary competence of person(s)
doing work under its control that affects its
information security performance;
1.
b) ensure that these persons are competent on the
basis of appropriate education, training, or 1. Matriks Kompetensi
7.2 Competence experience; Awareness and Communication
c) where applicable, take actions to acquire the 2. Rencana Pelatihan Pegawai
necessary competence, and evaluate the
2.
effectiveness
of the actions taken; and
d) retain appropriate documented information as
evidence of competence.

Persons doing work under the organization’s control

shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the 1. Materi & bukti Pelaksanaan
-
information security management system, including Awareness
7.3 Awareness Awareness and Communication -
the benefits of improved information security
performance; and 2. Materi Kuisioner ISMS
-
c) the implications of not conforming with the
-
information security management system
requirements.

The organization shall determine the need for

internal and external communications relevant to the
information security management system including:
a) on what to communicate;
7.4 Communication b) when to communicate; Awareness and Communication Tabel Komunikasi
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be
effected.

7.5 Documented information Documentation Control

 CHECKLIST IMPLEMENTASI ISO 27001:2013

Dokumentasi
Klausul ISO 27001:2013 Prasyarat Standar ISO 27001:2013 Bukti Pelaksanaan / Records Aktivitas
(Kebijakan/Pedoman/Prosedur)

The organization’s information security management

system shall include:
a) documented information required by this
7.5.1 General International Standard; and Documentation Control
b) documented information determined by the
organization as being necessary for the effectiveness
of the information security management system.

When creating and updating documented information

the organization shall ensure appropriate:
7.5.2 Creating and updating a) identification and description Documentation Control
b) format and media ; and
c) review and approval for suitability and adequacy.

Documented information required by the information

security management system and by this
International Standard shall be controlled.
1. Daftar Dokumentasi ISMS
7.5.3 Control of documented information Documented information of external origin, Documentation Control
2. Histori Perubahan Dokumen
determined by the organization to be necessary for
the planning and operation of the information security
management system, shall be identified as
appropriate, and controlled

8. OPERATIONS

The organization shall plan, implement and control

1.
the processes needed to meet information security ISMS Objectives
2.
requirements, and to implement the actions Program Implementasi / Rencana
8.1 Operational Planning and Control ISMS Objectives and Planning
determined in 6.1. The organization shall also Kerja ISMS
3.
implement plans to achieve information security Hasil Pengukuran ISMS Objectives
objectives determined in 6.2

The organization shall perform information security

Information Security Risk risk assessments at planned intervals or when
8.2 1. Risk Register
assessment significant changes are proposed or occur, taking
account of the criteria established in 6.1.2a - Risk and Control Self Assessment Sub
Policy
- Risk and Control Self Assessment
 CHECKLIST IMPLEMENTASI ISO 27001:2013

Dokumentasi
- Risk and Control Self Assessment Sub
Klausul ISO 27001:2013 Prasyarat Standar ISO 27001:2013 Bukti Pelaksanaan / Records Aktivitas
(Kebijakan/Pedoman/Prosedur)
Policy
- Risk and Control Self Assessment
The organization shall implement the information
8.3 Information Security Risk treatment 1. Risk Treatment Plan (RTP)
security risk treatment plan

9. PERFORMANCE EVALUATION

The organization shall evaluate the information

Monitoring, measurement, analysis Formulir Pengukuran Efektivitas
9.1 security performance and the effectiveness of the Measurement
and evaluation Kontrol
information security management system

1. Audit Program
The organization shall conduct internal audits at
2. Audit Plan
9.2 Internal audit planned intervals to provide information on whether Internal Audit
3. Audit Checklist
the information security management system
4. Audit Report

Top management shall review the organization’s

information security management system at planned Risalah Rapat Tinjauan
9.3 Management Review Management Review
intervals to ensure its continuing suitability, adequacy Manajemen (Management Review)
and effectiveness

10. IMPROVEMENT

When a nonconformity occurs, the organization shall:

a) react to the nonconformity, and as applicable:
b) evaluate the need for action to eliminate the
causes of nonconformity, in order that it does not
recur or occur elsewhere;
c) implement any action needed; 1.
d) review the effectiveness of any corrective action
taken; and 2.
Non conformity and corrective e) make changes to the information security Formulir Ketidaksesuaian / Non-
10.1 Nonconformity and Continual Improvement
actions management system, if necessary. Conformity 3.

Corrective actions shall be appropriate to the effects 4.

of the nonconformities encountered.
The organization shall retain documented
information as evidence of:
f) the nature of the nonconformities and any
subsequent actions taken, and
g) the results of any corrective action.
 CHECKLIST IMPLEMENTASI ISO 27001:2013

Dokumentasi
Klausul ISO 27001:2013 Prasyarat Standar ISO 27001:2013 Bukti Pelaksanaan / Records Aktivitas
(Kebijakan/Pedoman/Prosedur)

The organization shall continually improve the

10.2 Continual improvement suitability, adequacy and effectiveness of the Nonconformity and Continual Improvement
information security management system.
27001:2013

Penanggung Jawab / Sept Oktober November

Aktivitas Status
Pelaksana W3 W4 W1 W2 W3 W4 W1 W2 W3 W4

- Top Management
Identifikasi & penetapan isu
- Management
internal & eksternal
Representative

Identifikasi pihak-pihak terkait - Top Management

beserta ekspektasi & - Management
kebutuhannya Representative

- Top Management
Penetapan lingkup implementasi
- Management
ISMS
Representative

Memastikan implementasi ISMS - Top Management

berjalan sesuai ketentuan standar - Management
ISO 27001:2013 Representative

Memastikan Top management

telah memberikan arahan dan
komitmennya untuk ISMS di
Organisasi, dengan:

Memastikan kebijakan & sasaran

ISMS telah ditetapkan & selaras
dgn strategi Organisasi

Memastikan bahwa pentingnya Management

implementasi ISMS di Organisasi Representative
telah disosialisasikan kepada
seluruh pihak relevan

Memastikan ketersediaan sumber

daya terkait implementasi ISMS

Memastikan tujuan & sasaran

ISMS dapat tercapai
Memastikan dokumentasi PJ: Management
(kebijakan, pedoman, prosedur) Representative
ISMS telah ditetapkan PH: ISMS Officer
27001:2013

Penanggung Jawab / Sept Oktober November

Aktivitas Status
Pelaksana W3 W4 W1 W2 W3 W4 W1 W2 W3 W4
PJ: Management
Memastikan dokumentasi ISMS
Representative
telah disosialisasikan.
PH: ISMS Officer
Memastikan dokumentasi ISMS
tersedia & dapat diakses oleh Document Controller
pihak relevan.

- Top Management
Penetapan & pengesahan Memo
- Management
Struktur Organisasi ISMS di SQG.
Representative

Menyusun Risk Profile

Risk Officer Done
berdasarkan hasil Risk Assessment

Management
Identifikasi & penetapan SoA Done
Representative
Identifikasi & penetapan Sasaran Management
Done
ISMS Representative
Menyusun Rencana Kerja Management
Done
Implementasi ISMS Representative
Melakukan identifikasi & penilaian
risiko (risk assessment) beserta Risk Officer Done
review

Melakukan identifikasi & penetapan

rencana tindak lanjut penanganan Risk Officer Done
risiko beserta review

Management
Menetapkan ISMS Objectives Done
Representative
Melakukan pengukuran
ISMS Officer
pencapaian ISMS Objectives

- Management
Melakukan proses analisa
Representative
kebutuhan sumber daya manusia
- SQG Manager
27001:2013

Penanggung Jawab / Sept Oktober November

Aktivitas Status
Pelaksana W3 W4 W1 W2 W3 W4 W1 W2 W3 W4

Melakukan pemeriksanaan &

penilaian kinerja pegawai
berdasarkan matriks kompetensi PJ: Management
(menggunakan aplikasi REKAN) Representative
PH: ISMS Officer
Menyusun Rencana Pelatihan
Pegawai

Melakukan awareness keamanan

informasi melalui:
email
tampilan screen-saver & desktop ISMS Officer
background
sosialisasi berkala
pengisian kuisioner ISMS

Menyusun Tabel Komunikasi ISMS Officer

27001:2013

Penanggung Jawab / Sept Oktober November

Aktivitas Status
Pelaksana W3 W4 W1 W2 W3 W4 W1 W2 W3 W4

Memastikan seluruh kebutuhan &

- ISMS Officer
proses terkait ISMS
- Document Controller
terdokumentasi sesuai ketentuan

Memastikan proses penyusunan

serta penyesuaian/revisi
Document Controller on going cek
dokumentasi ISMS telah sesuai
dengan ketentuan

Melakukan penanganan
dokumentasi ISMS sesuai Document Controller cek
ketentuan

Memastikan pencapaian ISMS

Objectives & pelaksanaan program Management
implementasi ISMS sesuai dengan Representative
ketentuan

Melakukan peninjauan (review)

terhadap Risk Register serta
Risk Officer
pengkinian (update) saat
teridentifikasi adanya risiko baru
27001:2013

Penanggung Jawab / Sept Oktober November

Aktivitas Status
Pelaksana W3 W4 W1 W2 W3 W4 W1 W2 W3 W4

Menindaklanjuti penanganan risiko

sesuai dengan kontrol dan target Risk Officer
waktu yang telah ditetapkan

Melaksanakan dan
mendokumentasikan proses
ISMS Officer
pengukuran, analisis, dan evaluasi
sesuai ketentuan

Melaksanakan Audit Internal sesuai

Internal Auditor
dengan ketentuan

Melaksanakan Tinjauan
Manajemen dengan agenda
Management
pembahasan & proses sesuai
Representative
kerangka pada standar &
ketentuan

Melaporkan setiap ketidaksesuaian

yang terjadi.
Melakukan evaluasi utk
menetapkan tindak lanjut. - All Employee
Melaksanakan tindak lanjut yg - ISMS Officer
telah ditetapkan.
Review efektivitas tindakan
korektif.
27001:2013

Penanggung Jawab / Sept Oktober November

Aktivitas Status
Pelaksana W3 W4 W1 W2 W3 W4 W1 W2 W3 W4
Memastikan implementasi berjalan
PJ: Management
sesuai ketentuan serta melakukan
Representative
review dan upaya peningkatan /
PH: ISMS Officer
improvement.
 CHECKLIST IMPLEMENTASI ISO 2

Annex A ISO 27001:2013 Prasyarat Standar ISO 27001:2013

A.5 SECURITY POLICY

A.5.1 Management direction for information security

A set of policies for information security shall be

defined, approved by management, published and
A.5.1.1 Policies for information security
communicated to employees and relevant external
parties

The policies for information securit y shall be

Review of the policies for reviewed at planned intervals or if significant
A.5.1.2
information security changes occur to ensure their continuing
suitability, adequacy and effectiveness

A.6 ORGANIZATION OF INFORMATION SECURITY

A.6.1 Internal Organization

Information security roles and All information security responsibilities shall be

A.6.1.1
responsibility; defined and allocated

Conflicting duties and areas of responsibility shall be

segregated to reduce opportunities for unauthorized
A.6.1.2 Segregation of duties;
or unintentional modification or misuse of the
organization’s asset

Appropriate contacts with relevant authorities shall

A.6.1.3 Contact with authorities;
be maintained

Appropriate contacts with special interest groups or

Contact with special interest
A.6.1.4 other specialist security forums and professional
groups;
associations shall be maintained

Information security in project Information security shall be addressed in project

A.6.1.5
management management, regardless of the type of the project.

A.6.2 Mobile Device and Teleworking

A policy and supporting security measures shall be
A.6.2.1 Mobile device policy; adopted to manage the risks introduced by using
mobile devices

A policy and supporting security measures shall be

A.6.2.2 Teleworking. implemented to protect information accessed,
processed or stored at teleworking sites

A.7 HUMAN RESOURCE SECURITY

A.7.1 Prior to Employment

Background verification checks on all candidates for

employment shall be carried out in accordance with
relevant laws, regulations and ethics and shall be
A.7.1.1 Screening;
proportional to the business requirements, the
classification of the information to be accessed and
the perceived risks

The contractual agreements with employees and

Terms and conditions of
A.7.1.2 contractors shall state their and the organization’s
employment
responsibilities for information security

A.7.2 During employment

 Management shall require all employees and
contractors to apply information security in
A.7.2.1 Management responsibilities;
accordance with the established policies and
procedures of the organization

All employees of the organization and, where

relevant, contractors shall receive appropriate
Information security awareness,
A.7.2.2 awareness education and training and regular
education and training;
updates in organizational policies and procedures,
as relevant for their job function

There shall be a formal and communicated

disciplinary process in place to take action against
A.7.2.3 Disciplinary process.
employees who have committed an information
security breach

A.7.3 Termination or change of employment

Information security responsibilities and duties that

Termination or change of remain valid after termination or change of
A.7.3.1
employment responsibilities employment shall be defined, communicated to the
employee or contractor and enforced

A.8 ASSET MANAGEMENT

A.8.1 Responsibility for Assets

Assets associated with information and information

processing facilities shall be identified and an
A.8.1.1 Inventory of assets;
inventory of these assets shall be drawn up and
maintained

A.8.1.2 Ownership of assets; Assets maintained in the inventory shall be owned

Rules for the acceptable use of information and of

assets associated with information and information
A.8.1.3 Acceptable use of assets;
processing facilities shall be identified, documented
and implemented

All employees and external party users shall return

all of the organizational assets in their possession
A.8.1.4 Return of assets.
upon termination of their employment, contract or
agreement
A.8.2 Information classification

Information shall be classified in terms of legal

A.8.2.1 Classification of information; requirements, value, criticality and sensitivity to
unauthorised disclosure or modification

An appropriate set of procedures for information

labelling shall be developed and implemented in
A.8.2.2 Labelling of information;
accordance with the information classification
scheme adopted by the organization

Procedures for handling assets shall be developed

A.8.2.3 Handling of assets. and implemented in accordance with the information
classification scheme adopted by the organization

A.8.3 Media Handling

Procedures shall be implemented for the
management of removable media in accordance with
A.8.3.1 Management of removable media;
the classification scheme adopted by the
organization
 Media shall be disposed of securely when no longer
A.8.3.2 Disposal of media;
required, using formal procedures

Media containing information shall be protected

A.8.3.3 Physical media transfer against unauthorized access, misuse or corruption
during transportation

A.9 ACCESS CONTROL

A.9.1 Business requirement for access control
An access control policy shall be established,
A.9.1.1 Access control policy; documented and reviewed based on business and
information security requirements

Users shall only be provided with access to the

Access to networks and network
A.9.1.2 network and network services that they have been
services
specifically authorized to use
A.9.2 User access management

A formal user registration and de-registration process

User registration and de-
A.9.2.1 shall be implemented to enable assignment of
registration;
access rights

A formal user access provisioning process shall be

A.9.2.2 User access provisioning; implemented to assign or revoke access rights for all
user types to all systems and services

Management of privileged access The allocation and use of privileged access rights
A.9.2.3
rights; shall be restricted and controlled

The allocation of secret authentication information

Management of secret
A.9.2.4 shall be controlled through a formal management
authentication information of users
process

Asset owners shall review users access rights at

A.9.2.5 Review of user access rights;
regular intervals

The access rights of all employees and external

party users to information and information processing
Removal or adjustment of access
A.9.2.6 facilities shall be removed upon termination of their
rights.
employment, contract or agreement, or adjusted
upon change

A.9.3 User responsibilities

Users shall be required to follow the organization’s
Use of secret authentication
A.9.3.1 practices in the use of secret authentication
information
information
A.9.4 System and application access control
Access to information and application system
A.9.4.1 Information access restriction; functions shall be restricted in accordance with the
access control policy
Where required by the access control policy, access
A.9.4.2 Secure log-on procedure; to systems and applications shall be controlled by a
secure log-on procedure

Password management systems shall be interactive

A.9.4.3 Password management system;
and shall ensure quality passwords

The use of utility programs that might be capable of

A.9.4.4 Use of privileged utility programs; overriding system and application controls shall be
restricted and tightly controlled
 Access control to program source
A.9.4.5 Access to program source code shall be restricted
code.

A.10 CRYPTOGRAPHY
A.10.1 Cryptographic controls

A policy on the use of cryptographic controls for

Policy on the use of cryptographic
A.10.1 protection of information shall be developed and
controls;
implemented

A policy on the use, protection and lifetime of

A.10.2 Key management cryptographic keys shall be developed and
implemented through their whole lifecycle

A.11 PHYSICAL AND ENVIRONMENTAL SECURITY

A.11.1 Secure areas

Security perimeters shall be defined and used to

A.11.1.1 Physical security perimeter; protect areas that contain either sensitive or critical
information and information processing facilities

Secure areas shall be protected by appropriate entry

A.11.1.2 Physical entry control; controls to ensure that only authorized personnel are
allowed access

Securing offices, rooms and Physical security for offices, rooms and facilities shall
A.11.1.3
facilities; be designed and applied

Physical protection against natural disasters,

Protecting against external and
A.11.1.4 malicious attack or accidents shall be designed and
environmental threats;
applied

Procedures for working in secure areas shall be

A.11.1.5 Working in secure areas; designed and applied
Not Applicable

Access points such as delivery and loading areas

and other points where unauthorized persons could
A.11.1.6 Delivery and loading areas. enter the premises shall be controlled and, if
possible, isolated from information processing
facilities to avoid unauthorized access

A.11.2 Equipment

Equipment shall be sited and protected to reduce the

A.11.2.1 Equipment siting and protection; risks from environmental threats and hazards, and
opportunities for unauthorized access.

Equipment shall be protected from power failures

A.11.2.2 Supporting utilities; and other disruptions caused by failures in
supporting utilities

Power and telecommunications cabling carrying data

A.11.2.3 Cabling security; or supporting information services shall be protected
from interception, interference or damage

Equipment shall be correctly maintained to ensure its

A.11.2.4 Equipment maintenance;
continued availability and integrity
 Equipment, information or software shall not be
A.11.2.5 Removal of assets;
taken off-site without prior authorization

Security shall be applied to off-site assets taking into

Security of equipment and assets
A.11.2.6 account the different risks of working outside the
off-premises;
organization’s premises

All items of equipment containing storage media

Secure disposal or reuse of shall be verified to ensure that any sensitive data and
A.11.2.7
equipment; licensed software has been removed or securely
overwritten prior to disposal or re-use

Users shall ensure that unattended equipment has

A.11.2.8 Unattended user equipment;
appropriate protection

A clear desk policy for papers and removable storage

A.11.2.9 Clear desk and clear screen policy. media and a clear screen policy for information
processing facilities shall be adopted

A.12 OPERATIONS SECURITY

A.12.1 Operational procedures and responsibilities

Operating procedures shall be documented and

A.12.1.1 Documented operation procedure;
made available to all users who need them

Changes to the organization, business processes,

A.12.1.2 Change management; information processing facilities and systems that
affect information security shall be controlled

The use of resources shall be monitored, tuned and

A.12.1.3 Capacity management; projections made of future capacity requirements to
ensure the required system performance

Development, testing, and operational environments

Separation of development, testing shall be separated to reduce the risks of
A.12.1.4
and operational environment. unauthorized access or changes to the operational
environment
A.12.2 Protection from malware

Detection, prevention and recovery controls to

A.12.2.1 Control against malware protect against malware shall be implemented,
combined with appropriate user awareness
A.12.3 Backup

Backup copies of information, software and system

A.12.3.1 Information backup images shall be taken and tested regularly in
accordance with an agreed backup policy

A.12.4 Logging and Monitoring

Event logs recording user activities, exceptions,

A.12.4.1 Event logging; faults and information security events shall be
produced, kept and regularly reviewed

Logging facilities and log information shall be

A.12.4.2 Protection of log information; protected against tampering and unauthorized
access

System administrator and system operator activities

A.12.4.3 Administrator and operator log; shall be logged and the logs protected and regularly
reviewed

The clocks of all relevant information processing

systems within an organization or security domain
A.12.4.4 Clock synchonization.
shall be synchronised to a single reference time
source
A.12.5 Control of operational software

Installation of software on Procedures shall be implemented to control the

A.12.5.1
operational systems installation of software on operational system

A.12.6 Technical vulnerability management

Information about technical vulnerabilities of

information systems being used shall be obtained in
Management of technical
A.12.6.1 a timely fashion, the organization’s exposure to such
vulnerabilities;
vulnerabilities evaluated and appropriate measures
taken to address the associated risk

Rules governing the installation of software by users

A.12.6.2 Restrictions on software installation
shall be established and implemented

A.12.7 Information system audit considerations

Audit requirements and activities involving

verification of operational systems shall be carefully
A.12.7.1 Information system audit control
planned and agreed to minimise disruptions to
business processes

A.13 COMMUNICATIONS SECURITY

A.13.1 Network security management

Networks shall be managed and controlled to protect

A.13.1.1 Network controls;
information in systems and applications

Security mechanisms, service levels and

management requirements of all network services
A.13.1.2 Security of network services; shall be identified and included in network services
agreements, whether these services are provided in-
house or outsourced
 Groups of information services, users and
A.13.1.3 Segregation in networks
information systems shall be segregated on networks

A.13.2 Information transfer

Formal transfer policies, procedures and controls
Information transfer policy and shall be in place to protect the transfer of information
A.13.2.1
procedures; through the use of all types of communication
facilities

Agreements shall address the secure transfer of

Agreements on information
A.13.2.2 business information between the organization and
transfer;
external parties

Information involved in electronic messaging shall be

A.13.2.3 Electronic messaging;
appropriately protected

Requirements for confidentiality or non-disclosure

Confidentiality or non disclosure agreements reflecting the organization’s needs for
A.13.2.4
agreements the protection of information shall be identified,
regularly reviewed and documented

A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.14.1 Security requirements of information systems

The information security related requirements shall

Information security requirements be included in the requirements for new information
A.14.1.1
analysis and specification; systems or enhancements to existing information
systems

Information involved in application services passing

Securing application services on over public networks shall be protected from
A.14.1.2
public networks; fraudulent activity, contract dispute and unauthorized
disclosure and modification

Information involved in application service

transactions shall be protected to prevent incomplete
Protecting application services
A.14.1.3 transmission, mis-routing, unauthorized message
transactions
alteration, unauthorized disclosure, unauthorized
message duplication or replay

A.14.2 Security in development and support processes

Rules for the development of software and systems

A.14.2.1 Secure development policy; shall be established and applied to developments
within the organization

Changes to systems within the development lifecycle

A.14.2.2 System change control procedure; shall be controlled by the use of formal change
control procedures

When operating platforms are changed, business

Technical review of applications critical applications shall be reviewed and tested to
A.14.2.3
after operating platform changes; ensure there is no adverse impact on organizational
operations or security

Modifications to software packages shall be

Restrictions on changes to
A.14.2.4 discouraged, limited to necessary changes and all
software packages;
changes shall be strictly controlled
 Principles for engineering secure systems shall be
Secure system engineering
A.14.2.5 established, documented, maintained and applied to
principles;
any information system implement ation efforts

Organizations shall establish and appropriately

protect secure development environments for system
A.14.2.6 Secure development environment;
development and integration efforts that cover the
entire system development lifecycle

The organization shall supervise and monitor the

A.14.2.7 Outsourced development;
activity of outsourced system development

Testing of security functionality shall be carried out

A.14.2.8 System security testing;
during development

Acceptance testing programs and related criteria

A.14.2.9 System acceptances testing shall be established for new information systems,
upgrades and new versions

A.14.3 Test data

Test data shall be selected carefully, protected and

A.14.3.1 Protection of test data
controlled

A.15 SUPPLIER RELATIONSHIP

A.15.1 Information security in supplier relationship
Information security requirements for mitigating the
Information security policy for risks associated with supplier’s access to the
A.15.1.1
supplier relationship; organization’s assets shall be agreed with the
supplier and documented

All relevant information security requirements shall

be established and agreed with each supplier that
Addressing security within supplier
A.15.1.2 may access, process, store, communicate, or provide
agreements;
IT infrastructure components for, the organization’s
information

Agreements with suppliers shall include

requirements to address the information security
Information and communication
A.15.1.3 risks associated with information and
technology supply chain.
communications technology services and product
supply chain
A.15.2 Supplier service delivery management

Monitoring and review of supplier Organizations shall regularly monitor, review and
A.15.2.1
services; audit supplier service deliver
 Changes to the provision of services by suppliers,
including maintaining and improving existing
Managing changes to supplier information security policies, procedures and
A.15.2.2
services controls, shall be managed, taking account of the
criticality of business information, systems and
processes involved and re-assessment of risks

A.16 INFORMATION SECURITY INCIDENT MANAGEMENT

A.16.1 Management of information security incidents and improvements

Management responsibilities and procedures shall

A.16.1.1 Responsibilities and procedures; be established to ensure a quick, effective and
orderly response to information security incident

Information security events shall be reported through

Reporting informations security
A.16.1.2 appropriate management channels as quickly as
events;
possible

Employees and contractors using the organization’s

information systems and services shall be required to
Reporting informations security
A.16.1.3 note and report any observed or suspected
weaknesses;
information security weaknesses in systems or
services

Information security events shall be assessed and it

Assessment of and decision on
A.16.1.4 shall be decided if they are to be classified as
information security events;
information security incidents

Response to information security Information security incidents shall be responded to

A.16.1.5
incidents; in accordance with the documented procedures

Knowledge gained from analysing and resolving

Learning from information security
A.16.1.6 information security incidents shall be used to reduce
incidents;
the likelihood or impact of future incidents

The organization shall define and apply procedures

for the identification, collection, acquisition and
A.16.1.7 Collection of evidence
preservation of information, which can serve as
evidence

A.17 INFORMATION SECURITY ASPECT ON BUSINESS CONTINUITY MANAGEMENT

A.17.1 Information security continuity

Information security continuity shall be embedded in

Planning information security
A.17.1.1 the organization’s business continuity management
continuity;
systems

The organization should establish, document,

Implementing informations security implement and maintain processes, procedures and
A.17.1.2
continuity; controls to ensure the required level of continuity for
information security during an adverse situation

The organization shall verify the established and

Verify, review and evaluate implemented information security continuity controls
A.17.1.3
informations security continuity at regular intervals in order to ensure that they are
valid and effective during adverse situation

A.17.2 Redundancies

Information processing facilities shall be

Availability of information
A.17.2.1 implemented with redundancy sufficient to meet
processing facilities
availability requirements

A.18 COMPLIENCE
A.18.1 Compliance with legal and contractual requirements
 All relevant legislative statutory, regulatory,
Identification of applicable contractual requirements and the organization’s
A.18.1.1 legislation and contractual approach to meet these requirements shall be
requirements; explicitly identified, documented and kept up to date
for each information system and the organization

Appropriate procedures shall be implemented to

ensure compliance with legislative, regulatory and
A.18.1.2 Intellectual property rights; contractual requirements related to intellectual
property rights and use of proprietary software
products

Records shall be protected from loss, destruction,

falsification, unauthorized access and unauthorized
A.18.1.3 Protection of records;
release, in accordance with legislatory, regulatory,
contractual and business requirements

Privacy and protection of personally identifiable

Privacy and protection of
A.18.1.4 information shall be ensured as required in relevant
personally identifiable information.
legislation and regulation where applicable

Cryptographic controls shall be used in compliance

Regulation of cryptographic
A.18.1.5 with all relevant agreements, legislation and
controls
regulations
A.18.2 Information security reviews

The organization’s approach to managing

information security and its implementation (i.e.
Independent review of information control objectives, controls, policies, processes and
A.18.2.1
security; procedures for information security) shall be
reviewed independently at planned intervals or when
significant changes occur

Managers shall regularly review the compliance of

information processing and procedures within their
Compliance with security policies
A.18.2.2 area of responsibility with the appropriate security
and standard;
policies, standards and any other security
requirements

Information systems shall be regularly reviewed for

A.18.2.3 Technical compliance review compliance with the organization’s information
security policies and standards
CHECKLIST IMPLEMENTASI ISO 27001:2013

Dokumentasi
Bukti Pelaksanaan / Records Aktivitas
(Kebijakan/Pedoman/Prosedur)

Penetapan Kebijakan Keamanan

ISSG 1.
Informasi

Sosialisasi Kebijakan Keamanan

ISSG Bukti pelaksanaan Sosialisasi 2.
Informasi

1. Risalah Rapat Review Dokumen Melaksanakan review berkala

ISSG 1.
2. Histori Perubahan Dokumen terhadap ISSG & ISMS Policy

Penetapan & pengesahan Memo

1. Memo Struktur Organisasi ISMS
Struktur Organisasi ISMS di SQG.

Struktur Organisasi & Uraian Penetapan & pengesahan Struktur

2.
Deskripsi Kerja Organisasi di SQG.

1. Menyusun Daftar Kontak Nomor

Penting
1. Daftar Kontak Nomor Penting 2. Memasang Daftar Kontak Nomor
Penting di lokasi mudah terlihat
oleh seluruh pegawai

Bukti / Daftar Keikutsertaan dalam Mengikuti forum terkait Keamanan

Forum terkait Keamanan Informasi Informasi

1.
Memastikan penerapan kontrol
keamanan informasi telah tercakup
1. Dokumen Kontrak
dalam manajemen proyek
2. NDA
Memastikan pihak-pihak relevan
2.
telah menandatangani NDA

Memastikan pendataan &

Asset Management Formulir Penggunaan Aset Pribadi penggunaan perangkat mobile
telah sesuai ketentuan

Melakukan pendataan user yang

mendapatkan akses VPN dan
Access Control Formulir Deviasi Teleworking
penggunaan mobile device milik
pribadi / perusahaan

Human Resource Security Hasil Screening Pegawai

memastikan proses yang
dijalankan di HC sesuai dengan
panduan yang berlaku terkait
Human Resource Security

Dokumen Kontrak Pegawai / Buku

Human Resource Security
Panduan Peraturan Perusahaan
 1. Bukti pelaksanaan Awareness /
Human Resource Security Sosialisasi Keamanan Informasi.
2. NDA.

1. Melaksanakan sosialisasi /
1. Bukti pelaksanaan Awareness /
awareness keamanan informasi
Human Resource Security Sosialisasi Keamanan Informasi.
2. Menyusun rencana pelatihan &
2. Rencana Pelatihan Pegawai.
melaksanakan pelatihan pegawai

Memastikan adanya aturan di HC

Dokumen KAB (Klasifikasi level, terkait disciplinary process atas
Human Resource Security kategori pelanggaran, dan sanksi penyimpangan yang dilakukan
yang akan diperoleh) sumber daya (karyawan / pihak
ketiga)

Memastikan kontrol keamanan

1. Exit Clearence.
informasi telah diterapkan pada
2. Review perubahan hak akses
Human Resource Security saat terjadinya pemutusan atau
karyawan.
perubahan hubungan kerja
3. NDA.
terhadap pegawai

Asset Management 1. Memastikan informasi serta

perangkat pemroses & penyimpan
informasi telah terinvetarisasi
beserta kepemilikannya ke dalam
aset register.
Asset Management 1. Asset Register 2. Memberi label perangkat kerja
2. Formulir Serah Terima Aset sesuai dengan aset register.
3. Label Aset Melakukan pendataan sarana
3. pendukung yang ada di area SQG.
Asset Management Memastikan penggunaan seluruh
4. perangkat di SQG telah sesuai
dengan ketentuan penggunaan
perangkat.

Asset Management

Melakukan identifikasi klasifikasi

informasi:
1. Kriteria klasifikasi Informasi
- Publik
Classification and Handling Information 2. Daftar Aset Informasi berikut
- Internal
klasifikasinya
- Confidential
- Strictly Confidential

Melakukan pelabelan informasi

sesuai ketentuan & klasifikasinya:
Seluruh informasi telah diberi label
Classification and Handling Information Hardcopy: Dicap dibag. Cover
sesuai ketentuan & klasifikasinya
Softcopy: Ditulis dibag. kiri bawah
footer

1. Menyimpan dokumen hardcopy di

1. lemari yg dapat dikunci.
Daftar Dokumen & Lokasi
2. Menyimpan dokumen softcopy
Classification and Handling Information Penyimpanan
2. sesuai ketentuan
Daftar & Log Pelaksanaan Backup
3. Melakukan backup sesuai dengan
ketentuan

Memastikan pengelolaan &

Asset Management Formulir Deviasi penggunaan removable media
telah sesuai dgn ketentuan
 1. Formulir Permohonan
Memastikan proses pemusnahan
Asset Management Pemusnahan Aset
media telah sesuai dgn ketentuan.
2. Fomulir Pemusnahan Aset

Memastikan media penyimpan

informasi telah diberikan
pengamanan memadai pada saat
digunakan untuk memindahkan
Asset Management Checklist Implementasi informasi. Contoh:
- menggunakan pengamanan dgn
password pd flashdisk.
- pengiriman surat fisik
menggunakan amplop bersegel.

Menetapkan prosedur terkait

1. User Access Matrix (UAM)
Access Control kontrol akses & melakukan review
2. Formulir Review UAM
secara berkala

Memastikan hak akses user ke

Access Control Formulir Review Hak Akses jaringan telah sesuai dgn
ketentuan

Memastikan proses pendaftaran

Access Control akses baru & penghapusan akses
telah sesuai dgn ketentuan

1. Formulir Permohonan Hak Akses Memastikan proses pemberian

Access Control
2. Memo Penunjukan Administrator akses telah sesuai dgn ketentuan

Memastikan kontrol thdp alokasi

Access Control Formulir Review Hak Akses hak akses khusus telah sesuai dgn
ketentuan
Memastikan alokasi otentifikasi
Access Control informasi telah sesuai dgn
ketentuan

Melakukan review hak akses fisik &

Access Control Formulir Review Hak Akses
logical

Menyesuaikan akses sesuai

Access Control Formulir Review Hak Akses dengan daftar user dan melakukan
review hak akses

Menggunakan 'strong password'

Access Control Checklist Implementasi
sesuai dgn ketentuan

Memastikan kontrol akses ke

1. Formulir Review Hak Akses
Access Control informasi & sistem informasi telah
2. UAP
sesuai dgn ketentuan
Memastikan akses ke sistem &
Access Control Checklist Implementasi aplikasi telah dikontrol melalui
prosedur secure log-on

Memastikan sistem dapat

Access Control Checklist Implementasi mengakomodasi ketentuan
password secara interaktif

Melakukan kontrol pembatasan

1. Daftar Software yg Diizinkan. penggunaan program utility yg
Access Control
2. Formulir Deviasi dapat melewati / membatalkan
kontrol sistem yg telah ada
 Memeriksa kesesuaian hak akses
Access Control Formulir Review Hak Akses
ke penyimpanan source code

Penetapan kebijakan &

implementasi penggunaan
IS Operation and Security
kriptografi utk kontrol pengamanan
informasi

Penetapan kebijakan &

IS Operation and Security implementasi pengelolaan kunci
kriptografi (cryptographic keys)

Menetapkan batas wilayah area

Physical and Environmental Security kedalam 3 kategori: Public,
Restricted, Secured

Berkoodinasi dgn Satpam utk

memastikan setiap tamu yg akan
Physical and Environmental Security memasuki area Restricted &
1. Formulir Permohonan Akses Secured telah terdaftar pd Buku
2. Log / Buku Tamu Tamu & diberikan ID Visitor

Memastikan kontrol akses

Physical and Environmental Security Fingerprint ID berfungsi sesuai
ketentuan

1. Memastikan kontrol akses

Fingerprint ID berfungsi sesuai
1. Checklist Implementasi ketentuan.
Physical and Environmental Security 2. Record CCTV sd 30 hari 2 Memastikan CCTV berfungsi
sebelumnya dengan baik dgn area pantau
CCTV dpt mencakup seluruh area
kerja.

Formulir maintenance supporting Memastikan APAR dpt berfungsi

Physical and Environmental Security utilities dgn baik serta pemeriksaan riwayat
pemeliharaan rutin

Rekaman CCTV min. sd. 30 hari Memastikan aktivitas pekerjaan di

Physical and Environmental Security sebelumnya wilayah secure area dpt terpantau
Not Applicable & sesuai dgn ketentuan

Berkoordinasi dgn satpam utk

memastikan kontrol pengamanan
Physical and Environmental Security
telah diterapkan pada pintu akses
melalui delivery & loading area

Memastikan penempatan
perangkat kerja yg aman dari
Physical and Environmental Security potensi risiko gangguan &
ancaman lingkungan serta akses
tdk terotorisasi

Laporan Pemeliharaan Rutin utk Melakukan pemeriksaan status

Asset Management
Genset pemeliharaan rutin utk genset

Memeriksa alur perkabelan baik

data maupun daya listrik utk
Physical and Environmental Security
memastikan keamanan fisik &
fungsional

1. Formulir Kerusakan Aset

Melaksanakan pemeliharaan rutin
Physical and Environmental Security 2. Formulir Rekapitulasi Perbaikan
utk perangkat kerja.
Aset
 1. Jika perangkat kerja, informasi,
atau software akan dibawa keluar
area kerja, pastikan telah terdapat
proses permohonan, persetujuan,
dan serah terima yg
Physical and Environmental Security 1. Formulir Serah Terima Aset terdokumentasi formal.
2. Jika perangkat kerja akan
dipindahtangankan atau
dimusnahkan, pastikan informasi &
lisensi telah dihapus dan/atau
dibackup terlebih dahulu

1. Tidak meninggalkan perangkat

kerja tanpa pengawasan saat
bekerja diluar kantor atau ketika
membawa perangkat kerja keluar
Physical and Environmental Security Checklist Implementasi kantor.
2. Jika harus meninggalkan
perangkat kerja, simpan di tempat
yg aman seperti misal Safe Deposit
Box.

Melakukan format media

penyimpanan informasi sebelum
Asset Management 1. Formulir Serah Terima Aset
dilakukan pemusnahan dan/atau
penggunaan kembali

Mengaktifkan Screensaver Lock

dengan menekan windows + L
Asset Management Checklist Implementasi
setiap kali akan meninggalkan
meja kerja
1.
Memastikan tdk ada dokumen
dan/atau removable media yg
memuat informasi bersifat
Physical and Environmental Security
Confidential atau lebih tinggi yg
tersimpan di meja kerja tanpa
penjagaan

2. Mengaktifkan Screensaver Lock

dengan menekan windows + L
Physical and Environmental Security
setiap kali akan meninggalkan
meja kerja

Memastikan seluruh prosedur &

keluaran prosesnya
IS Operation and Security 1. Daftar Dokumentasi ISMS terdokumentasi secara formal serta
mudah diakses oleh pihak relevan
yg membutuhkan

Memastikan setiap proses

Formulir RFC & Dokumentasi perubahan yg berdampak pd
IS Operation and Security
terkait keamanan informasi dpt terkelola
sesuai ketentuan

Hasil Analisa Kebutuhan & Melaksanakan analisa kebutuhan

IS Operation and Security
Perencanaan Pegawai & perencanaan pegawai

Melakukan pemisahan antara

Server Pengembangan, Server
Information System Development Checklist Implementasi
Pengujian, dan Server
Operasional/Produksi

1. Instalasi s/w Anti Virus

2. Update Anti Virus secara berkala
IS Operation and Security Status Anti Virus
3. Pengaturan scan & full-scan
secara otomatis
 1. Melakukan backup informasi
Daftar Informasi yg perlu di-backup
secara berkala sesuai ketentuan.
IS Operation and Security berikut metode dan periode
2. Melakukan uji restore secara
backup-nya
berkala.

1. Mengaktifkan Syslog yang meliputi

log login failure.
IS Operation and Security Event Log
2. Memastikan Event Log disimpan
dan ditinjau secara berkala.

Menempatkan fasilitas logging &

IS Operation and Security menyimpan informasi terkait di
tempat yg aman.

1. Menyimpan log aktivitas

Administrator Sistem & Operator
Log Aktivitas Administrator &
IS Operation and Security Sistem.
Operator Sistem
2. Melakukan review log aktivitas
secara berkala.

Melakukan sinkronisasi waktu pada

IS Operation and Security
setiap perangkat IT.

1.
Memastikan software yg di-install
di perangkat kerja sesuai dgn
1. Daftar Software yg Diizinkan. Daftar Software yg Diizinkan.
IS Operation and Security
2. Formulir Deviasi 2. Mengajukan permohonan khusus
apabila ada permintaan software di
luar Daftar Software yg Diizinkan.

1. Melaksanakan Vurnelability
Laporan Vurnerability Assessment.
IS Operation and Security Assessment (VA) & Penetration
Laporan Penetration Test.
2. Test secara berkala

Mengatur user previllage pd sistem

operasi setiap perangkat kerja /
IS Operation and Security notebook utk memastikan user tdk
dapat melakukan sendiri instalasi
software diluar yg telah ditentukan.

Memastikan proses pengendalian

dalam proses audit sistem
informasi, mencakup pembatasan
IS Operation and Security
hak akses auditor, perencanaan
dan implementasi audit sistem
informasi.

Communications Security / Network Service Melakukan pengelolaan keamanan

Process jaringan sesuai ketentuan.

Memastikan kontrol keamanan

Communications Security / Network Service
telah diterapkan pada layanan
Process
jaringan yg digunakan SQG.
 Melakukan pemisahan / grouping
Communications Security / Network Service
jaringan sesuai kebutuhan
Process
Organisasi.

Menetapkan kebijakan & prosedur

Communications Security / Network Service serta penerapan kontrol
Process pengamanan dlm proses
perpindahan informasi.

Memastikan pihak eksternal

Communications Security / Network Service 1. Kontrak mematuhi ketentuan dlm
Process 2. NDA pelaksanaan proses perpindahan
informasi.

1. Menerapkan kontrol pengamanan

dalam pengiriman informasi melalui
email.
Communications Security / Network Service
2. Memastikan fungsional sistem
Process
ekripsi otomatis utk pengiriman
informasi bersifat confidential atau
lenih tinggi melalui email.

Communications Security / Network Service Memastikan setiap pihak terkait

NDA
Process telah menandatangani NDA.

Memastikan bahwa persyaratan

keamanan informasi telah tercakup
Information System Development SRS
dalam SRS dan diimplementasikan
pada saat pengembangan

Implementasi kontrol pengamanan

antara lain: Enkripsi, Firewall, VPN,
utk pengamanan informasi pada
Information System Development Checklist Implementasi
layanan aplikasi yang
menggunakan atau dapat diakses
melalui jaringan internet publik.

Implementasi kontrol pengamanan

Information System Development Checklist Implementasi untuk transasksi pada layanan
sistem informasi

Menetapkan dan melaksanakan

prosedur pengembangan sistem
Prosedur Pengembangan Sistem
Information System Development informasi dengan mencakup
Informasi
ketentuan persyaratan keamanan
informasi.

Memastikan setiap perubahan

pada saat proses pengembangan
Information System Development Formulir RFC sistem informasi telah sesuai
dengan ketentuan Change
Management.

Melakukan review dan pengujian

Information System Development Laporan Review dan Pengujian setiap kali dilakukan perubahan /
penyesuaian platform.

Memastikan setiap perubahan

terhadap sistem informasi telah
Information System Development Formulir RFC
sesuai dengan ketentuan Change
Management.
 Menetapkan dan melaksanakan
prosedur pengembangan sistem
Prosedur Pengembangan Sistem
Information System Development informasi dengan mencakup
Informasi
ketentuan persyaratan keamanan
informasi.

Melakukan kontrol pengamanan

lingkungan area kerja dan Server
Information System Development Checklist Implementasi
Pengembangan antara lain dengan
kontrol akses fisik dan logical.

1.
Memastikan bahwa klausul terkait
keamanan informasi telah tercakup
pada Kontrak dan/atau SLA
dengan Vendor.
1. Kontrak 2.
Memastikan bahwa vendor dan
Information System Development 2. SLA
pihak-pihak terkait telah
3. NDA
menandatangani NDA.
3.
Memantau dan mengawasi proses
pengembangan agar tetap sesuai
dengan kontrak dan/atau SLA.

Melakukan Pengujian
fungsionalitas keamanan terhadap
Information System Development Laporan Pengujian
sistem informasi yang sedang
dikembangan

Melakukan User Acceptance Test

Information System Development Laporan UAT
(UAT)

1. Memeriksa kesesuaian hak akses

terhadap Data Pengujian.
2. Menyimpan Data Pengujian di
1. Review Hak Akses
Information System Development server atau media dengan kontrol
2. Log Penggunaan Data Pengujian
akses tertentu.
3. Mencatat log penggunaan Data
Pengujian.

Supplier Management / Vendor

Management

Supplier Management / Vendor Memastikan klausul terkait

1. Kontrak / SLA.
Management keamanan informasi telah
2. NDA.
tercantum pada setiap kontrak
3. Daftar Vendor.
kerjasama.

Supplier Management / Vendor

Management

1. Laporan Review / Monitoring

Vendor / Supplier.
Supplier Management / Vendor Melakukan review terhadap Vendor
2. MoM dengan Vendor / Supplier
Management / Supplier
terkait pembahasan kinerja
layanan.
 Memastikan proses pengelolaan
Supplier Management / Vendor perubahan terkait layanan vendor /
SLA
Management supplier berjalan sesuai dengan
ketentuan.

Menetapkan prosedur penanganan

Information Security Incident
insiden keamanan informasi

Melaporkan setiap kejadian

1. Tiket Pelaporan Insiden
Information Security Incident ketidaksesuaian terkait keamanan
2. Formulir Ketidaksesuaian
informasi.

Melaporkan setiap potensi

1. Tiket Pelaporan Insiden
Information Security Incident kerawanan / risiko terkait
2. Formulir Ketidaksesuaian
keamanan informasi.

Melakukan analisa terhadap setiap

pelaporan ketidaksesuaian /
1. Formulir Ketidaksesuaian insiden utk menetapkan klasifikasi
Information Security Incident
2. Risk Register insiden & tindak lanjut yg
diperlukan serta apakah insiden jg
merupakan potensi risiko baru.

Menindaklanjuti setiap insiden yg

Information Security Incident Formulir Ketidaksesuaian dilaporkan sesuai dengan
ketentuan.

1. Tiket Insiden
Mendokumentasikan setiap hasil
Information Security Incident 2. Formulir Ketidaksesuaian
analisa & solusi atas suatu insiden.
3. Review Insiden

Melakukan identifikasi,
1. Tiket Insiden dokumentasi, & penyimpanan
Information Security Incident
2. Formulir Ketidaksesuaian setiap informasi yg dpt menjadi
bukti terkait suatu insiden.

Y MANAGEMENT

Memastikan lingkup keamanan

Business and Information Security informasi telah tercakup dlm
Continuity perencanaan keberlangsungan
bisnis SQG.

1. Business Impact Analysis (BIA)

Business and Information Security 2. Risk Analysis Menyusun perencanaan
Continuity 3. Business Continuity Plan (BCP) keberlangsungan bisnis
4. Skenario BCP

Business and Information Security Laporan Pelaksanaan Simulasi

Melaksanakan Simulasi BCP
Continuity BCP

Memastikan ketersediaan fasilitas

Business and Information Security 1. BIA.
pemroses informasi cadangan
Continuity 2. BCP.
sesuai dgn kebutuhan di SQG.
 Melaksanakan identifikasi &
Daftar Peraturan & Perundang- dokumentasi terkait peraturan &
Complience Security
udangan undang-undang yg relevan dgn
implementasi ISMS di SQG.

1. Melakukan pendataan lisensi

perangkat lunak
1. Daftar Lisensi
Complience Security 2. Melakukan pemeriksaan
2. Formulir PC Checking
penggunaan perangkat lunak di
perangkat Server, PC, Notebook.

Memastikan setiap records dikelola

Complience Security
sesuai dgn ketentuan.

Memastikan setiap informasi

pribadi dikelola sesuai dgn
Complience Security
peraturan & undang-undang yg
berlaku.

Memastikan penggunaan kontrol

Complience Security kriptografi sesuai dgn peraturan &
undang-undang yg berlaku.

1. Laporan Audit Internal Melaksanakan proses Audit

Complience Security
2. Laporan Audit Eksternal Internal & Audit Eksternal

Melaksanakan proses Audit

Complience Security Laporan Audit Kepatuhan
Kepatuhan

Melaksanakan proses Audit

Complience Security Laporan Audit Kepatuhan
Kepatuhan
Penanggung Jawab / Sept Oktober November
Status
Pelaksana W3 W4 W1 W2 W4 W4 W1 W2 W3 W4

- Top Management
- Management
Representative
PJ: Management
Representative
PH: ISMS Officer

- Management
Representative
- ITPS

- Top Management
- Management
Representative

- Top Management
- Management
Representative

ISMS Officer

PJ: Management
Representative
PH: ??

PJ: Management
Representative
PH: ISMS Officer

PJ: Management
Representative
PH: ITPS

PJ: ISMS Officer

PH: IT Sec

PJ: Management
Representative
PH: HC Div

PJ: Management
Representative
PH: HC Div
Management
Representative

ITPS

Management
Representative

PJ: ISMS Officer

PH: HC Div

Asset Manager

Information Owner

Document Controller

- Information Owner
- Document Controller

Asset Manager
- Asset Manager
- TMS

- ISMS Officer
- Information Owner

IT Sec

IT Sec

- HC Div
- IT Sec

- IT Sec
- Application User

IT Sec

IT Sec

- IT Sec
- ISMS Officer
- Application Owner

IT Sec

All Employee

- ISMS Officer
- IT Security

IT Sec

IT Sec

ITPS
PJ:
ISMS Officer
PH:
Administrator

ITPS

IT Sec

PJ: Management
Representative
PH: ISMS Officer

PJ: ISMS Officer

PH: Facility Service

PJ: ISMS Officer

PH: Facility Service

PJ: ISMS Officer

PH: Facility Service

PJ: ISMS Officer

PH: Facility Service

PJ: ISMS Officer

PH: FES Monitoring

PJ: ISMS Officer

PH: Facility Service

PJ: ISMS Officer

PH: FES

PJ: ISMS Officer

PH: FES

PJ: ISMS Officer

PH: FES

PJ: Asset Manager

PH: FES/TMS
PJ: Asset Manager
PH: FES/TMS

PJ: ISMS Officer

PH: FES Monitoring

PJ: Asset Manager

PH: TMS

All Employee

All Employee

All Employee

PJ: ITPS
PH: Document Controller

PJ: Management
Representative
PH: SQG Manager

PJ: Management
Representative
PH: SQG Manager

PJ:
ISMS Officer
PH:
Administrator

PJ: ISMS Officer

PH: FES
PJ: ISMS Officer
PH: Information Owner

PJ: IT Sec
PH: DCM

IT Sec

IT Sec

PJ: IT Sec
PH: DCM

PJ: ISMS Officer

PH: FES

IT Sec

ITPS

ITPS

IT Sec

IT Sec
PJ: IT Sec
PH: DCM

ITPS

PJ: ISMS Officer

PH: ITPS/TMS

PJ: ISMS Officer

PH: IT Sec

PJ: ISMS Officer

PH: ITPS/TMS

PJ:
ISMS Officer
PH:
Tim Development

PJ:
ISMS Officer
PH:
Administrator
IT Security

Administrator
IT Security

IT Policy
Document Controller

ISMS Officer
Tim Development

Administrator
IT Security

ISMS Officer
Tim Development
IT Policy
Document Controller

ISMS Officer

PJ:
ISMS Officer
PH:
Tim Development

PJ:
ISMS Officer
PH:
IT Security
Tim Development

PJ:
ISMS Officer
PH:
Tim Development

PJ:
ISMS Officer
PH:
Tim Development

PJ: ISMS Officer

PH: ITPS/TMS

PJ: ISMS Officer

PH: ITPS/TMS
PJ: ISMS Officer
PH: ITPS/TMS

- Management
Representative
- ITPS

- All Employee
- ISMS Officer

- All Employee
- Vendor / Kontraktor &
pihak terkait lainnya.

- ISMS Officer
- Risk Officer

- ISMS Officer
- Service Desk

- ISMS Officer
- Service Desk

ISMS Officer

ITPS

ITPS

ITPS

Asset Manager
ITPS

ISMS Officer

- ITPS
- Document Controller

ISMS Officer

IT Sec

Management
Representative

- ISMS Officer
- ITPS

ITPS