Utilizing ISO 27001:2022 to Design Information Security for BPRACo SME Digital Transformation
Abstract
In the digital age of the Industrial Revolution 4.0, organizations like BPRACo must undergo Digital Transformation (DT). A significant challenge is the lack of adequate information security controls, which can lead to DT failure. Smaller banks, such as BPR, find it difficult to adopt the information security management strategies that have proven effective for larger institutions. This study aims to identify how ISO 27001:2022 is applied and to develop an information security management system focused on the annex clauses most critical to SME digital transformation. It also evaluates and analyzes the impact of an information security management system aligned with these key clauses on SME DT success. The research employs a five-stage Design Science Research (DSR) method. Data were collected through interviews and document analysis, then analyzed using the ISO 27001:2022 framework for Information Security Management Systems (ISMS). The study identified six priority clause and annex controls for BPRACo. Based on the gaps found, six essential solutions were designed and compiled into an implementation roadmap to enhance BPRACo's readiness for full ISMS implementation and certification, supporting DT success in small banks. This research provides valuable insights and practical implications for information security management in small banks.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under an Attribution 4.0 International (CC BY 4.0) that allows others to share — copy and redistribute the material in any medium or format and adapt — remix, transform, and build upon the material for any purpose, even commercially with an acknowledgment of the work's authorship and initial publication in this journal.