Information Security Risk Assessment Using ISO/IEC 27005:2018 in Internet Service Provider Company
DOI: https://doi.org/10.26740/jeisbi.v7i1.74072
Keywords: Information Security, Information System, Internet Service Provider, ISO/IEC 27001, ISO/IEC 27005:2018, Risk Management
Abstract
Information security is a critical concern for Internet Service Provider companies due to their high dependency on
information systems and customer data. PT XYZ has not yet conducted a formal information security risk analysis,
despite its plan to prepare for ISO/IEC 27001 certification. This study aims to assess information security risks at PT
XYZ using the ISO/IEC 27005:2018 framework and to formulate appropriate risk mitigation recommendations. This
research adopts a qualitative descriptive approach with a case study method. Data were collected through literature
studies, interviews, and direct observations of information assets, business processes, and existing security controls at
PT XYZ. The risk analysis process includes context establishment, identification of critical assets based on
confidentiality, integrity, and availability principles, identification of threats and vulnerabilities, risk analysis using
likelihood and impact parameters, risk evaluation, and the development of risk treatment plans. The results indicate
that out of 27 identified information assets, 24 assets are classified as critical. Several identified risks are categorized
as high and very high, which may significantly affect the continuity of the company’s core services, including internet
connectivity, web hosting, and Domain Name System services. Based on these findings, risk mitigation
recommendations are proposed with reference to ISO/IEC 27002:2022 security controls. This study is expected to
support PT XYZ in strengthening its information security posture and to serve as an initial step toward achieving
ISO/IEC 27001 certification.
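As an added illustration (not code from the paper or from PT XYZ), the risk-analysis step described above in Python: assets are classed as critical from their confidentiality, integrity and availability ratings, each threat/vulnerability pair is scored as likelihood times impact, and the scores are banded so that treatment planning can start from the highest risks. The scales, the criticality threshold, the risk bands and the sample assets and risks are all assumptions, since the abstract does not give them.

```python
from dataclasses import dataclass

# Assumed scales (constructed for this example, not the study's own): C/I/A rated 1..3,
# likelihood and impact rated 1..5, risk score = likelihood * impact (1..25).
CIA_CRITICAL = 3  # an asset is critical when any of C, I or A is rated 3 (high)
RISK_BANDS = [(20, "very high"), (12, "high"), (6, "medium"), (1, "low")]  # assumed banding

@dataclass(frozen=True)
class Asset:
    name: str
    c: int  # confidentiality rating
    i: int  # integrity rating
    a: int  # availability rating

    def is_critical(self) -> bool:
        return max(self.c, self.i, self.a) >= CIA_CRITICAL

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"likelihood/impact out of range for {self.asset}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def risk_level(score: int) -> str:
    """Map a likelihood x impact product onto the assumed risk bands."""
    return next(label for floor, label in RISK_BANDS if score >= floor)

def build_register(assets, risks):
    """Critical asset names plus (level, score, risk) for risks on them, highest score first."""
    critical = {a.name for a in assets if a.is_critical()}
    scored = [(risk_level(r.score), r.score, r) for r in risks if r.asset in critical]
    return critical, sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed sample data; asset names echo the services the abstract lists, ratings are made up.
ASSETS = [Asset("core router", 2, 3, 3), Asset("web hosting server", 3, 3, 3),
          Asset("authoritative DNS", 1, 3, 3), Asset("brochure archive", 1, 1, 1)]
RISKS = [Risk("authoritative DNS", "volumetric DoS", "single site, no rate limiting", 4, 5),
         Risk("web hosting server", "malware infection", "unpatched CMS plugins", 3, 4),
         Risk("core router", "misconfiguration", "no change review", 2, 3),
         Risk("brochure archive", "data loss", "no backup", 5, 1)]
```

Risks on assets that fall below the criticality threshold are left out of the register here; a real treatment plan would still record them as accepted risks.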