Adopting ISO/IEC 27005:2011-based Risk Treatment Plan to Prevent Patients Data Theft

Laura Cassandra Hamit, Haslina Md. Sarkan, Nurulhuda Firdaus Mohd Azmi, Mohd Naz’ri Mahrin, Suriayati Chuprat, Yazriwati Yahya


The concern raised in late 2017 regarding 46.2 million mobile device subscribers’ data breach had the Malaysian police started an investigation looking for the source of the leak.  Data security is fundamental to protect the assets or information by providing its confidentiality, integrity and availability not only in the telecommunication industry but also in other sectors.  This paper attempts to protect the data of a patient-based clinical system by producing a risk treatment plan for its software products.  The existing system is vulnerable to information theft, insecure databases, needy audit login and password management.  The information security risk assessment consisting of identifying risks, analyzing and evaluating them were conducted before a risk assessment report is written down.  A risk management framework was applied to the software development unit of the organization to countermeasure these risks.  ISO/IEC 27005:2011 standard was used as the basis for the information security risk management framework.  The controls from Annex A of ISO/IEC 27001:2013 were used to reduce the risks.  Thirty risks have been identified and 7 high-level risks for the product have been recognized.  A risk treatment plan focusing on the risks and controls has been developed for the system to reduce these risks in order to secure the patients’ data.  This will eventually enhance the information security in the software development unit and at the same time, increase awareness among the team members concerning risks and the means to handle them.


data security; risk management; information security; ISO/IEC 27005; risk assessment plan.

Full Text:



R. Latiff and J. Wagstaff, “Malaysia investigating reported leak of 46 million mobile users’ data,” Thomson Reuters, 2017. [Online]. Available: [Accessed: 25-Jun-2018].

R. M. Alhajri, S. J. Alsunaidi, R. Zagrouba, A. M. Almuhaideb, and M. A. Alqahtani, “Dynamic interpretation approaches for information security risk assessment,” 2019 Int. Conf. Comput. Inf. Sci. ICCIS 2019, pp. 1–6, 2019.

F. M. Dedolph, “The Neglected Management Activity : Software Risk Management,” vol. 8, no. 3, pp. 91–95, 2003.

K. Beckers, S. Faßbender, M. Heisel, J. C. Küster, and H. Schmidt, “Supporting the development and documentation of ISO 27001 information security management systems through security requirements engineering approaches,” Lect. Notes Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics), vol. 7159 LNCS, no. 256980, pp. 14–21, 2012.

J. Breier and F. Schindler, “Assets Dependencies Model in Information Security Risk Management,” pp. 405–412, 2014.

A. Iqbal, H. Suhaimi, T. Manji, Y. Goto, and J. Cheng, “A Systematic Management Method of ISO Information Security Standards for Information Security Engineering Environments,” pp. 370–384, 2011.

S. Patino, E. F. Solis, S. G. Yoo, and R. Arroyo, “ICT Risk Management Methodology Proposal for Governmental Entities Based on ISO/IEC 27005,” 2018 5th Int. Conf. eDemocracy eGovernment, ICEDEG 2018, pp. 75–82, 2018.

T. Kosub, “Components and challenges of integrated cyber risk management,” pp. 615–634, 2015.

A. Madhavi and S. Lincke, “Security Risk Assessment in Electronic Health Record System,” 2018 IEEE Technol. Eng. Manag. Conf. TEMSCON 2018, pp. 1–4, 2018.

D. J. Tjirare and F. B. Shava, “A Gap Analysis of the ISO / IEC 27000 Standard Implementation in Namibia,” pp. 1–10, 2017.

T. Faculty, A. Susanto, T. Faculty, and T. Faculty, “Assessment of ISMS Based On Standard ISO / IEC 27001 : 2013 at DISKOMINFO Depok City,” 2013.

G. Wangen, “Information Security Risk Assessment: A Method Comparison,” Computer (Long. Beach. Calif)., vol. 50, no. 4, pp. 52–61, 2017.

L. Rukh and A. A. Malik, “Swiss Army Knife of Software Processes,” in 2017 International Conference on Communication Technologies (ComTech) Swiss, 2017, pp. 3–5.

A. Alwi and K. A. Zainol Ariffin, “Information Security Risk Assessment for the Malaysian Aeronautical Information Management System,” Proc. 2018 Cyber Resil. Conf. CRC 2018, pp. 1–4, 2019.

O. O. Mwambe and I. Echizen, “Security oriented malicious activity diagrams to support information systems security,” Proc. - 31st IEEE Int. Conf. Adv. Inf. Netw. Appl. Work. WAINA 2017, pp. 74–81, 2017.

J. Bayne, “An Overview of Threat and Risk Assessment,” 2002.

G. Stoneurner, A. Goguen, A. Feringa, and N. S. Publication, Risk Management Guide for Information Technology Systems Recommendations of the National Institute of Standards and Technology, vol. 30, no. July. 2002.

R. Bojanc and B. Jerman-Blažič, “An economic modelling approach to information security risk management,” Int. J. Inf. Manage., vol. 28, no. 5, pp. 413–422, 2008.

H. Susanto, F. Bin Muhaya, M. N. Almunawar, and Y. C. Tuan, “Refinement of Strategy and Technology Domains STOPE View on ISO 27001,” arXiv Prepr. arXiv1204.1385, pp. 1–7, 2010.

T. Neubauer, A. Ekelhart, and S. Fenz, “Interactive Selection of ISO 27001 Controls under Multiple Objectives,” in Proceedings of The Ifip Tc 11 23rd International Information Security Conference, Boston, MA: Springer US, 2008, pp. 477–492.

H. S. Group, “The Adoption of IT Security Standards in a Healthcare Environment,” pp. 765–770, 2008.

S. Tritilanunt and S. Ruaysungnoen, “Security Assessment of Information System in Hospital Environment,” pp. 11–16, 2017.

L. Astakhova and I. Zemtsov, “Situational approach to information security,” Proc. - 2018 Ural Symp. Biomed. Eng. Radioelectron. Inf. Technol. USBEREIT 2018, pp. 136–139, 2018.

H. Susanto and M. N. Almunawar, “Information Security Awareness : A Marketing Tools for Corporate ’ s Business Processes,” pp. 1–12, 2012.

G. Wangen, C. Hallstensen, and E. Snekkenes, “A framework for estimating information security risk assessment method completeness: Core Unified Risk Framework, CURF,” Int. J. Inf. Secur., vol. 17, no. 6, pp. 681–699, 2018.

B. ŢIGĂNOAIA, “Some Aspects Regarding the Information Security Management System within Organizations – Adopting the ISO/IEC 27001:2013 Standard,” Stud. Informatics Control, vol. 24, no. 2, pp. 201–210, 2015.

M. McNeil, T. Llansó, and D. Pearson, “Application of capability-based cyber risk assessment methodology to a space system,” pp. 1–10, 2018.


J. W. Candra, O. C. Briliyant, and S. R. Tamba, “ISMS planning based on ISO/IEC 27001:2013 using analytical hierarchy process at gap analysis phase (Case study : XYZ institute),” Proceeding 2017 11th Int. Conf. Telecommun. Syst. Serv. Appl. TSSA 2017, vol. 2018-Janua, no. 4, pp. 1–6, 2018.

A. Longras, T. Pereira, P. Carneiro, and P. Pinto, “On the Track of ISO/IEC 27001:2013 Implementation Difficulties in Portuguese Organizations,” 2018, pp. 886–890.

B. Barafort, A. L. Mesquida, and A. Mas, “Integrating risk management in IT settings from ISO standards and management systems perspectives,” Comput. Stand. Interfaces, vol. 54, no. November 2016, pp. 176–185, 2017.



  • There are currently no refbacks.

Published by INSIGHT - Indonesian Society for Knowledge and Human Development