• Rifia Andita Faculty of Management, Universitas Nasional, Indonesia
  • Faizan Aditya National Cyber and Crypto Agency, Indonesia
Keywords: risk management, public service organizations, information security


For an organization, information security is a priority. Within the rapid growth of information technology, information becomes easier to access, processed, and used in organization globally. Using information systems in government will improve efficiency, effectiveness, transparency, and accountability in respect of good governance. Regarding the use of information technology sometimes it does not align with its purpose, because there is uncertainty or particular risk that must be faced in using IT. The study conducts a systematic literature review (SLR) to understand the steps and frameworks for information security risk management. Data sources such as IEEE Xplore, ScienceDirect, Proquest, and ACM from 2009 to 2023 are used to obtain literature. Sixteen papers were obtained to complete this study. This research identifies three frameworks that can be used in information security risk management: ISO 27005, NIST SP 800-30, and Cobit 5 For Risk. stages in information security risk management in general are Context Formation, Risk Identification, Risk Assessment, Risk Treatment, and Risk Monitoring.


Download data is not yet available.


H. Malhotra, R. Bhargava and M. Dave, "Challenges related to information security and its implications for evolving e-government structures: A comparative study between India and African countries," in International Conference on Inventive Computing and Informatics (ICICI), Coimbatore, 2017.

D. Kaye, "The importance of information," Management Decision, Vol. 33 Issue: 5, pp. 5-12, 1995.

M. E. Whitman and H. J. Mattord, "Principles of information security," in Principles of Information Security, Cengage, 2011.

R. Sarno and I. Iffano, Sistem manajemen keamanan informasi (Berbasis ISO 27001), Surabaya: ITS Press, 2009.

M. Ciampa, Security awareness : Applying practical security in your world, 3rd ed, Boston: Couse Technology, 2010.

Kautsarina and H. Gautama, "Information security readiness of government institution in Indonesia," in International Conference on Information and Communication Technology (ICoICT), 2014.

Y. Y. L. Helgesson, "Managing risks on critical IT systems in public service organizations," in International Conference on Computational Science and Engineering, 2009.

H. Okonofua and S. Rahman, "Evaluating the risk management plan and addressing factors for successes in government agencies," in International Conference on Trust, Security and Privacy in Computing and Communications and 12th IEEE International Conference on Big Data Science and Engineering, 2018.

J. V. B. d. l. Paz and L. A. R. Picon, A Systematic Review of Risk Management Methodologies for Complex Organizations in Industry 4.0 and 5.0, Chihuahua: Systems, Infrastructure, and Industry 5.0, 2023.

A. Kurniati, L. E. Nugroho and M. N. Rizal, Information Technology Risk Management on e-Government: Systematic Literature Review, Yogyakarta: Jurnal Ilmu Pengetahuan dan Teknologi Komunikasi, 2020.

A. Alijoyo and A. F. M. S. Fisabilillah, Risk Management Implementation in Public Sector Organizations: A Case Study of Indonesia, Common Ground Research Networks, 2021.

A. Olechowski, J. Oehmen, W. Seering and M. Ben-Daya, The Professionalization of Risk Management: What Role Can the ISO 31000 Risk Management Principles Play?, Cambridge: International Journal of Project Management34 (8): 1568–78, 2016.

J. Masso, F. J. Pino, C. Pardo, F. García and M. Piattini, Risk Management in the Software Life Cycle: A Systematic Literature Review, Ciudad Real: Computer Standards and Interfaces71 (March 2019): 103431, 2020.

L. Y. Banowosari and B. A. Gifari, System Analysis and Design Using Secure Software Development Life Cycle Based On ISO 31000 and STRIDE. Case Study Mutiara Ban Workshop, Depok: IEEE, 2020.

M. A. Fikri, F. A. Putra, Y. Suryanto and K. Ramli, sk Assessment Using NIST SP 800-30 Revision 1 and ISO 27005 Combination Technique in Profit-Based Organization: Case Study of ZZZ Information System Application in ABC Agency, Jakarta: Procedia Computer Science161: 1206–15, 2019.

M. Brunner, C. Sauerwein, M. Felderer and R. Breu, Risk Management Practices in Information Security: Exploring the Status Quo in the DACH Region, Innsbruck: Computers and Security, 2020.

I. M. M. Putra and K. Mutijarsa, Designing Information Security Risk Management on Bali Regional Police Command Center Based on ISO 27005, Bandung: IEEE, 2021.

O. Ali, A. Shrestha, A. Chatfield and MurrayPeter, Assessing Information Security Risks in the Cloud: A Case Study of Australian Local Government Authorities, Egaila: Government Information Quarterly, 2020.

A. Joshi, L. Bollen, H. Hassink, S. De Haes and W. V. Grembergen, Explaining IT Governance Disclosure through the Constructs of IT Governance Maturity and IT Strategic Role, Maastricht: Information & Management, 2018.

J. D. White, Managing information in the public sector, Routledge, 2007.

ISO/IEC, "International Standard ISO/IEC 27001: 2013," International Organization for Standardization, London, 2013.

ISO/IEC, "International Standard ISO/IEC 27005: 2011," International Organization for Standardization, London, 2011.

NIST, "NIST SP 800-30: Risk management guide for information technology systems," National Institute of Standards and Technology , Gaithersburg, 2002.

B. Kitchenham and S. M. Charters, "Guidelines for performing systematic literature reviews in software engineering," Keele University and Durham University Joint Report, 2007.

L. Zhao, "Study on security risk management in E-government," in International Conference on E-Product E-Service and E-Entertainment, ICEEE, 2010.

F. Baicu and A. M. Baicu, "Risks management relating to information systems security evaluation of IT assets," in Acces la Success, 2012.

L. Liang, W. Ren, J. Song, H. Hu, Q. He and S. Fang, "The state of the art of risk assessment and management for information systems," in 9th International Conference on Information Assurance and Security, IAS, 2014.

S. Prasetyo and Y. G. Sucahyo, "Information security risk management planning: A case study at application module of state asset directorate general of state asset ministry of finance," in International Conference on Advanced Computer Science and Information Systems, 2014.

H. Wijanarka, "IT risk management to support the realization of IT value in public organizations," in International Conference on ICT for Smart Society: "Smart System Platform Development for City and Society, GoeSmart 2014, 2014.

U. McUbe, M. Gerber and R. Von Solms, "Scenario-based IT risk assessment in local government," in ST-Africa Conference, 2016.

F. A. Putra and H. Setiawan, "Design of information security risk management using ISO/IEC 27005 and NIST SP 800-30 revision 1: A case study at communication data applications of XYZ institute," in International Conference on Information Technology Systems and Innovation (ICITSI), 2017.

C. Joshi and U. K. Singh, "Information security risks management framework – A step towards mitigating security risks in university network," in Journal of Information Security and Applications, 2017.

S. Patino, E. F. Solis, S. G. Yoo and R. Arroyo, "ICT risk management methodology proposal for governmental entities based on ISO/IEC 27005," in 5th International Conference on eDemocracy and eGovernment, ICEDEG, 2018.

Y. Supriyadi and C. W. Hardani, "Information system risk scenario using COBIT 5 for risk and NIST SP 800-30 Rev. 1 a case study," in International Conference on Information Technology, Information Systems and Electrical Engineering, ICITISEE, 2018.

H. F. Yoseviano and A. Retnowardhani, "The use of ISO/IEC 27001: 2009 to analyze the risk and security of information system assets: case study in xyz, ltd," in nternational Conference on Information Management and Technology, ICIMTech 2018, 2018.

S. A. Wulandari, A. P. Dewi, M. R. Pohan, D. I. Sensuse, M. Mishbah and Syamsudin, Risk Assessment and Recommendation Strategy Based on COBIT 5 for Risk: Case Study SIKN JIKN Helpdesk Service, Jakarta: Procedia Computer Science, 2019.

T. Weil, "Risk Assessment Methods for Cloud Computing Platforms," in IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC), Milwaukee, 2019.

F. Kitsios, E. Chatzidimitriou and M. Kamariotou, "Developing a Risk Analysis Strategy Framework for Impact Assessment in Information Security Management Systems: A Case Study in IT Consulting Industry," Sustainability, vol. 14, 2022.

A. P. Putra and B. Soewito, "Integrated Methodology for Information Security Risk Management using ISO 27005:2018 and NIST SP 800-30 for Insurance Sector," International Journal of Advanced Computer Science and Applications, vol. 14, no. 4, pp. 625-633, 2023.

How to Cite