Information Security Management System (ISMS): Data Protection and Business Security
The Importance of an Information Security Management System (ISMS) in the Digital Business Landscape
In today’s era of digital transformation, business and technology are almost inseparable. The rapid advancement of technology has become a significant driver for businesses to expand their operations. Without Information Technology, organizations cannot function effectively and efficiently, as the information generated from information systems is crucial for making informed policies and decisions. Discussions about information technology are intrinsically linked to the internet, which acts as an intermediary, facilitating easy access to information. The internet effectively removes barriers of space and time, enabling the seamless dissemination of information without delay, making distance and time no longer primary obstacles in this age.
Cyber Threats and Information Security Challenges
The internet was first introduced to the public through the World Wide Web over 30 years ago, and the number of internet users worldwide is now astounding. A 2018 survey by We Are Social stated that 55 percent of the global population were active internet users. With a global population of 7.655 billion, this means over 4.176 billion people use the internet, which indicates the internet’s immense role in daily life.
In Indonesia, according to a survey by the Indonesian Internet Service Providers Association (APJII) at the end of 2017, 54.68 percent of the Indonesian population were active internet users. If the total population of Indonesia is 262 million, then at least 143.26 million people were active internet users. This number has continuously increased from previous years, with 110.2 million internet users in 2015 and 132.7 million in 2016, as shown in Figure 1.1.
Figure 1.1: Indonesian Internet User Penetration 2017 (APJII Data: 2017)
This data highlights the increasing reliance of individuals, businesses, and all stakeholders on accessing data and information anywhere, anytime. The aim of this dependency is to obtain information that improves company effectiveness and efficiency and helps achieve business objectives. Conversely, as technology and information evolve, threats to information management also escalate. Regrettably, the growth in internet users described above has not been matched by a corresponding awareness of internet security, which leaves systems highly vulnerable to malware that exploits existing weaknesses.
In 2017, known as the era of the Internet of Things (IoT), information security systems were shaken by the WannaCry ransomware attack. Between January and December 2018, the most frequent information security incidents were web defacement, followed by malware, spam, IP brute force, phishing, and others (BSSN, ISSN 2655-8467, Volume 1, 2018). According to the 2018 Security Report by the National Cyber and Crypto Agency (BSSN), there were 513,863 cyberattacks in Indonesia, most of which were malware activities, accounting for 12,895,554 incidents.
This reality underscores the urgency of enhancing information security. Work processes involving internet networks are highly susceptible to malware attacks from malicious parties. To protect company information, these risks must be managed and minimized.
Companies must implement malware control and malware protection. To prevent malware incidents within a company, employees should not open spam emails from unknown sources or senders. Suspicious emails that could damage computers because they carry viruses, malware, or similar threats are typically moved to a spam folder. If an opened email contains file attachments, it is best not to download them, and if the sender is unrecognized, the sender should be blocked.
Implementing ISO/IEC 27001:2013 for Information Security
In accordance with ISO/IEC 27001:2013, companies must safeguard information security from various potential threats. One way to do this is by installing antivirus software on computer devices, which aligns with the implementation of Annex 12.2.1 concerning malware protection. If a company uses a wireless network system, it must ensure that it has technicians capable of securing the network in accordance with Annex 13.1.1 on network security. Companies must also ensure that they always lock routers and encrypt all information in accordance with Annex 10.1.1 on encryption controls. If necessary, always password-protect all computer data networks and hide all systems in accordance with Annex 9.4.3 on password usage.
Overall, companies must protect information security from various potential threats. Information security can be maintained by installing antivirus software on computer devices and securing networks, and a company that uses a wireless network must ensure it has technicians capable of securing it. Companies must also lock routers and encrypt all information and, if necessary, password-protect all computer data networks and hide all systems. Hiding data can, at the very least, help prevent potential crime from within the company.
One form of control that can be implemented to minimize external and internal risks and threats is the adoption of an Information Security Management System (ISMS), referencing ISO/IEC 27001:2013. According to ISO/IEC 27001:2013, ISMS is defined as part of an overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, improve, and maintain information security, as well as to preserve the confidentiality, integrity, and availability of information, and to manage and control information security risks within an organization or company.
Conclusion: Why ISMS is Crucial for Business Continuity
By implementing ISO/IEC 27001:2013, companies can protect and maintain the confidentiality, integrity, and availability of information, and manage and control information security risks within the organization. ISO/IEC 27001:2013 also provides assurance to clients and business partners that the company has a robust information security management system in line with international standards. A company that has implemented an Information Security Management System (ISMS) is able to control its information assets against threats and attacks, which indirectly guarantees the continuity of its business operations.
—
Syifa Aulia Sari
IT GRC Consultant
Robere & Associates (Indonesia)