Indonesia Clearing House (ICH) Retains Implementation ISO 27001 for Second Year

The term "information is an organizational asset" has been recognized by almost all organizations. As a result of the increasing use of technology in organizations, the threat to information becomes important. Threats can come from things that are accidental, unintentional or intentional (those who intend to steal information). The problem is that as we become more and more connected to each other, a leak of information in one place can instantly spread around the world. So the risk of the information leakage becomes so high.

Regarding to this, Indonesia Clearing House (ICH) as a Clearing House continues to strive to become a Futures Clearing House with international security standards, has implemented a comprehensive ISO 27001 which has entered the third stage of the audit cycle.

Once the certification body issues an ISO 27001 certificate to the organization, the certificate is valid for a period of three years, during which the certification body will conduct a supervisory audit to evaluate whether the organization is implementing it properly, and if necessary improvements are being implemented.

What is ISO 27001?

ISO/IEC 27001 is widely known in providing requirements for information security management systems (ISMS), although there are more than a dozen set of standards in the ISO/IEC 27000 . This standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission. (IEC) in 2005 and then revised in 2013. The implementation process allows organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties.

In Indonesia, the government also pays special attention to the issue of personal data security, especially in the growing development of online-based technology as it is today. This must be considered in order to realize good governance or Good Corporate Governance (GCG). Therefore, Indonesia through the National Standardization Agency (BSN) applies SNI ISO/IEC 27001: 2013.

The Purpose and Importance of ISO 27001

ISO 27001 provides a framework to help organizations, of any size or industry, to protect their information in a systematic and cost-effective way, through the implementation of an Information Security Management System (ISMS). The appointed standardization agency is also not only a consultant, but every organization usually wants certification to ISO 27001 and, in this way, can prove to regulators, customers and partners that the organization's operational standards have maximized data protection.

The basic objective of ISO 27001 is to protect three aspects of information:

  • Confidential: only authorized persons have the right to access information.
  • Integrity: only authorized persons can change information.
  • Availability: information must be accessible to authorized persons whenever needed.

Protecting any organization's information also plays a very important role in the successful management and smooth operation of the organization. By obtaining ISO 27001 certification, organizations in general will be able to obtain many benefits including:

  • Convince clients and stakeholders about how the organization manages risk.
  • Enables secure exchange of information.
  • Helping organizations to comply with legal requirements.
  • Help give organizations a competitive advantage.
  • Promote customer satisfaction which increases client retention.
  • Help maintain consistency in the delivery of products or services of each organization.
  • Help manage and minimize risk exposure.

ISO 27001 Certification Implementation and Control

The implementation of ISO 27001 in a company requires cooperation from all parts of the company, both at the top, middle, and bottom levels. The specifications in this ISO cover documentation, management responsibilities, information system audits, continuous improvement and preventive and corrective actions in the company's information security system. ISO 27001 specifies the minimum set of policies, procedures, plans, records and other documented information required to be compliant.

In practice, to achieve ISO 27001 implementation and control certification, several things need to be comprehensively included by each organization. Such as:

  • ·The scope of work projects at the company
  • Commitment and budget in security management
  • Identification of interested parties, legal, regulatory and contractual requirements
  • Conduct a risk assessment
  • Review and implement controls that may be required
  • Develop competence of internal parties to manage projects
  • Doing documentation
  • Conducting training for employees
  • Reporting related to the statement of the risk management plan
  • Measure, monitor, review and audit the ISMS continuously
  • Be corrective and preventive

ISO 27001 controls (also known as protection) consist of 114 controls in 14 groups and 35 control categories. But in general, the main controls of ISO 27001 include the following:

  • • Technical controls, mainly implemented in information systems, use software, hardware, and firmware components that are added to the system. For example, files backup, antivirus software, etc.
  • • Organizational control, implemented by establishing the rules to be followed, and the expected behavior of users, equipment, software, and systems. For example, Access Control Policy, BYOD Policy, etc.
  • • Legal control, exercised by ensuring that rules and expected behavior follow and enforce laws, regulations, contracts and other similar legal instruments to which the organization must comply. For example. NDA (non-disclosure agreement), SLA (service level agreement), etc.
  • • Physical control, mainly implemented by using equipment or devices that have physical interaction with people and objects. For example. CCTV cameras, alarm systems, locks, etc.
  • • Human resource control, implemented by providing people with knowledge, education, skills or experience to enable them to carry out their activities in a safe manner. For example, security awareness training, ISO 27001 internal auditor training, etc.