Risk Assessment Maturity Level of Academic Information System Using ISO 27001 System Security Engineering-Capability Maturity Model


  • Nurbojatmiko Nurbojatmiko Universitas Islam Negeri Syarif Hidayatullah Jakarta
  • Qurrotul Aini Universitas Islam Negeri Syarif Hidayatullah Jakarta
  • Nabil Cahya Wasiqi Universitas Islam Negeri Syarif Hidayatullah Jakarta
  • Muhammad Fitra Alfajri Universitas Islam Negeri Syarif Hidayatullah Jakarta
  • Zahra Ulinnuha Universitas Islam Negeri Syarif Hidayatullah Jakarta
  • Yuni Kurnia Purwati Universitas Islam Negeri Syarif Hidayatullah Jakarta
  • Indah Kusuma Ayu Universitas Islam Negeri Syarif Hidayatullah Jakarta
  • Natasya Aurora Yasmin Universitas Islam Negeri Syarif Hidayatullah Jakarta




Academic Information Systems, Risk Assessment, Maturity Level, SSE-CMM, ISO/IEC 27001:2005


Risk measurement from standard operating procedures implemented by an institution determines the level of maturity of a service system at that institution. The government's determination of the Tri Dharma of Higher Education consists of education and teaching, research, and community service. These activities must be implemented in the academic information system of every university in Indonesia. Appropriate and fast academic services depend on information technology and adequate and trained human resources (HR). Factors that influence information system security determine the stability of application services. The ISO/IEC 27001:2005 standard is an international benchmark for measuring the level of maturity and security risks of an application. Risk assessment in standard operating procedures in organizations can use the ISO/IEC 27001 standard. This research aims to determine the current level of Academic Information System (AIS) service by measuring maturity and security risks. Three clauses measure the maturity level of information security controls with the ISO 27001 System Security Engineering-Capability Maturity Model (SSE-CMM). These research respondents are educational work units at the Science and Technology Faculty in UIN Syarif Hidayatullah Jakarta. This research method uses quantitative research methods. This research results show the maturity level of information security in the academic information system based on three clauses as the embodiment of the stability of the academic administration activities services at the Science and Technology Faculty. The measurement results reveal that the average score of information security controls on AIS is 3.51, which means good or average standard processing has been carried out following procedures.


Download data is not yet available.


Al-Dhahri, S., Al-Sarti, M., & Abdul, A. (2017). Information Security Management System. International Journal of Computer Applications, 158(7), 29–33. https://doi.org/10.5120/ijca2017912851

Al-Karaki, J. N., Gawanmeh, A., & El-Yassami, S. (2022). GoSafe: On the practical characterization of the overall security posture of an organization's information system using smart auditing and ranking. Journal of King Saud University - Computer and Information Sciences, 34(6), 3079–3095. https://doi.org/10.1016/j.jksuci.2020.09.011

Almeida, R., Lourinho, R., Da Silva, M. M., & Pereira, R. (2018). A model for assessing COBIT 5 and ISO 27001 simultaneously. Proceeding - 2018 20th IEEE International Conference on Business Informatics, CBI 2018, 1(20), 60–69. https://doi.org/10.1109/CBI.2018.00016

Bani-Mustafa, T., Zeng, Z., Zio, E., & Vasseur, D. (2017). A framework for multi-hazards risk aggregation considering risk model maturity levels. 2017 2nd International Conference on System Reliability and Safety, ICSRS 2017, 2018-Janua(2), 429–433. https://doi.org/10.1109/ICSRS.2017.8272859

Barafort, B., Mesquida, A. L., & Mas, A. (2017). Integrating risk management in IT settings from ISO standards and management systems perspectives. Computer Standards and Interfaces, 54, 176–185. https://doi.org/10.1016/j.csi.2016.11.010

Barafort, B., Mesquida, A. L., & Mas, A. (2018). Integrated risk management process assessment model for IT organizations based on ISO 31000 in an ISO multi-standards context. Computer Standards and Interfaces, 60, 57–66. https://doi.org/10.1016/j.csi.2018.04.010

Fazlida, M. R., & Said, J. (2015). Information Security: Risk, Governance and Implementation Setback. Procedia Economics and Finance, 28(April), 243–248. https://doi.org/10.1016/s2212-5671(15)01106-5

Ferraiolo, K. (2000). The Systems Security Engineering Capability Maturity Model. International Systems Security Engineering Association, 64. https://csrc.nist.gov/csrc/media/publications/conference-paper/2000/10/19/proceedings-of-the-23rd-nissc-2000/documents/papers/916slide.pdf

Fomin, V. V., Vries, H. J. de, & Barlette, Y. (2008). ISO/IEC 27001 Information System Management Standard: Exploring The Reasons for Low Adoption. Proceedings of The Third European Conference on Management of Technology (EUROMOT), September.

Guerreiro, S., Ferreira, J. F., Fonseca, T., & Correia, M. (2022). Integrating an academic management system with blockchain: A case study. Blockchain: Research and Applications, 3(4), 1–10. https://doi.org/10.1016/j.bcra.2022.100099

Królikowski, T., & Ubowska, A. (2021). TISAX - Optimization of IT risk management in the automotive industry. Procedia Computer Science, 192(25), 4259–4268. https://doi.org/10.1016/j.procs.2021.09.202

Kurniawan, E., & Riadi, I. (2018). Security level analysis of academic information systems based on standard ISO 27002: 2003 using SSE-CMM. ArXiv, abs/1802.03613.

Lopez-Leyva, J. A., Kanter-Ramirez, C. A., & Morales-Martinez, J. P. (2020). Customized diagnostic tool for the security maturity level of the enterprise information based on ISO/IEC 27001. Proceedings - 2020 8th Edition of the International Conference in Software Engineering Research and Innovation, CONISOFT 2020, 147–153. https://doi.org/10.1109/CONISOFT50191.2020.00030

Ma, L., Liu, Y., & Ran, C. (2024). Framework for intellectual property information services in academic libraries: Example from the United States and China. Journal of Academic Librarianship, 50(1), 102830. https://doi.org/10.1016/j.acalib.2023.102830

Marican, M. N. Y., Razak, S. A., Selamat, A., & Othman, S. H. (2023). Cyber Security Maturity Assessment Framework for Technology Startups: A Systematic Literature Review. IEEE Access, 11(November 2022), 5442–5452. https://doi.org/10.1109/ACCESS.2022.3229766

Mohamad Stambul, M. A., & Razali, R. (2011). An assessment model of information security implementation levels. Proceedings of the 2011 International Conference on Electrical Engineering and Informatics, ICEEI 2011, July. https://doi.org/10.1109/ICEEI.2011.6021561

Monev, V. (2020). Organisational Information Security Maturity Assessment Based on ISO 27001 and ISO 27002. 2020 34th International Conference on Information Technologies, InfoTech 2020 - Proceedings, September, 17–18. https://doi.org/10.1109/InfoTech49733.2020.9211066

Peciña, K., Estremera, R., Bilbao, A., & Bilbao, E. (2011). Physical and Logical Security management organization model based on ISO 31000 and ISO 27001. Proceedings - International Carnahan Conference on Security Technology, 1–5. https://doi.org/10.1109/CCST.2011.6095894

Roy, P. P. (2020). A High-Level Comparison between the NIST Cyber Security Framework and the ISO 27001 Information Security Standard. 2020 National Conference on Emerging Trends on Sustainable Technology and Engineering Applications, NCETSTEA 2020, 53(June), 27001–27003. https://doi.org/10.1109/NCETSTEA48365.2020.9119914

Shen, L., Du, X., Cheng, G., & Wei, X. (2021). Capability Maturity Model (CMM) method for assessing the performance of low-carbon city practice. Environmental Impact Assessment Review, 87(January), 106549. https://doi.org/10.1016/j.eiar.2020.106549

Shi, X., Baba, T., Osagawa, D., Fujishima, M., & Ito, T. (2019). Maturity Assessment: A Case Study Toward Sustainable Smart Manufacturing Implementation. Proceedings - 2019 IEEE International Conference on Smart Manufacturing, Industrial and Logistics Engineering, SMILE 2019, June, 155–158. https://doi.org/10.1109/SMILE45626.2019.8965284

Syreyshchikovaa, N. V., Pimenova, D. Y., Mikolajczykb, T., & Moldovan, L. (2019). 2019_Information Safety Process Development According to IS? 27001.pdf (pp. 278–285).

Tan, W., Sauser, B., & Ramirez-Marquez, J. (2010). Analyzing Component Importance in System Maturity Assessment. IEEE Transaction on Engineering Management, 58(2), 275–294.

Tanovic, A., & Marjanovic, I. S. (2019). Development of a new improved model of ISO 20000 standard based on recommendations from ISO 27001 standard. 2019 42nd International Convention on Information and Communication Technology, Electronics and Microelectronics, MIPRO 2019 - Proceedings, May 20(42), 1503–1508. https://doi.org/10.23919/MIPRO.2019.8756843

Volk, D. R., & Mazanis, J. C. (2017). Sustainment maturity levels and health assessment metrics to drive supportability. Proceedings - Annual Reliability and Maintainability Symposium, 17. https://doi.org/10.1109/RAM.2017.7889738

Yasin, M., Akhmad Arman, A., Edward, I. J. M., & Shalannanda, W. (2020). Designing information security governance recommendations and roadmap using COBIT 2019 Framework and ISO 27001:2013 (Case Study Ditreskrimsus Polda XYZ). Proceeding of 14th International Conference on Telecommunication Systems, Services, and Applications, TSSA 2020, 2013(95), 3–7. https://doi.org/10.1109/TSSA51342.2020.9310875.




How to Cite

Nurbojatmiko, N., Aini, Q., Wasiqi, N. C., Alfajri, M. F., Ulinnuha, Z., Purwati, Y. K., Ayu, I. K., & Yasmin, N. A. (2024). Risk Assessment Maturity Level of Academic Information System Using ISO 27001 System Security Engineering-Capability Maturity Model . Journal of Applied Engineering and Technological Science (JAETS), 5(2), 941–54. https://doi.org/10.37385/jaets.v5i2.2971