Integrated Maturity Assessment of Information Security for Land and Building Tax Management System Using National Institute of Standards and Technology Cybersecurity Framework 2.0, International Organization for Standardization/International Electrotechnical Commission 27002:2022, and Cybersecurity Capability Maturity Model 2.1.
DOI: https://doi.org/10.52436/1.jutif.2026.7.2.5551
Keywords: C2M2 Evaluation, Cybersecurity Maturity, Information Security Assessment, ISO/IEC 27002 Integration, NIST CSF Mapping, Public Sector Tax System
Abstract
Regional tax information systems such as the Sistem Informasi Manajemen Objek Pajak (SISMIOP) are exposed to cybersecurity threats because of the sensitivity of taxpayer data and the persistence of ad-hoc security management practices. These conditions pose risks to data confidentiality, integrity, and service availability, potentially undermining public trust and the effectiveness of local government services. This study assesses the information security maturity of the SISMIOP operated by the Badan Pengelolaan Pendapatan, Keuangan, dan Aset Daerah (BPPKAD) through an integrated application of the NIST Cybersecurity Framework (CSF) 2.0, ISO/IEC 27002:2022, and the Cybersecurity Capability Maturity Model (C2M2) 2.1. A qualitative case study approach was employed. An organizational profile was developed from interviews, observations, and document analysis, followed by mapping 38 relevant NIST CSF subcategories to ISO/IEC 27002 controls and C2M2 capability domains. Security maturity was evaluated using questionnaires and interviews scored against the C2M2 Maturity Indicator Levels (MIL0-MIL3), and a gap analysis was conducted against the target maturity level of MIL2. The results show that most cybersecurity functions (Govern, Identify, Detect, Respond, and Recover) remain at MIL1, indicating that practices are performed but not yet formalized or consistently implemented; the Protect function partially achieved MIL2. The largest gaps were identified in the governance and risk management domains. Based on these findings, 38 prioritized strategic recommendations were formulated to improve policy formalization, risk management, technical controls, monitoring, and incident handling. This study contributes a practical and replicable multi-framework maturity assessment model to strengthen information security governance in public-sector tax information systems.
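The assessment structure the abstract describes (subcategory-level MIL scores rolled up per CSF function, a gap against a target of MIL2, and prioritized recommendations that cite the mapped ISO/IEC 27002 control and C2M2 domain) can be expressed as a small script. The following is an added example, not code from the paper: the functions `gap_analysis`, `prioritize` and `recommendations`, the `FunctionResult` record, the sample scores and the subcategory-to-control mapping are all constructed for illustration, and the roll-up rule (a function holds a MIL only when every mapped subcategory holds it) is this example's C2M2-style assumption rather than the paper's stated method.

```python
"""Gap analysis for a multi-framework maturity assessment.

Added example illustrating the assessment structure described in the
abstract; it is not code from the paper. Subcategory ids follow NIST CSF 2.0
naming, but the assessed MIL scores and the ISO/IEC 27002 / C2M2 mapping are
constructed for illustration. The function-level rule (a MIL counts as
achieved only when every mapped subcategory reaches it) is this example's
C2M2-style assumption.
"""
from collections import defaultdict
from dataclasses import dataclass, field

TARGET_MIL = 2            # target maturity level used for the gap analysis
VALID_MILS = range(0, 4)  # MIL0 .. MIL3

# Constructed assessment records: (CSF 2.0 subcategory, CSF function, assessed MIL).
SAMPLE_SCORES = [
    ("GV.OC-01", "Govern", 1), ("GV.RM-01", "Govern", 0), ("GV.PO-01", "Govern", 1),
    ("ID.AM-01", "Identify", 1), ("ID.RA-01", "Identify", 2),
    ("PR.AA-01", "Protect", 2), ("PR.DS-01", "Protect", 2), ("PR.PS-01", "Protect", 1),
    ("DE.CM-01", "Detect", 1), ("DE.AE-02", "Detect", 1),
    ("RS.MA-01", "Respond", 1),
    ("RC.RP-01", "Recover", 1),
]

# Illustrative cross-framework mapping (assumed here, not the paper's table):
# subcategory -> (ISO/IEC 27002:2022 control number, C2M2 2.1 domain).
SAMPLE_MAPPING = {
    "GV.OC-01": ("5.1", "PROGRAM"), "GV.RM-01": ("5.1", "RISK"), "GV.PO-01": ("5.1", "PROGRAM"),
    "ID.AM-01": ("5.9", "ASSET"), "ID.RA-01": ("8.8", "RISK"),
    "PR.AA-01": ("5.16", "ACCESS"), "PR.DS-01": ("8.24", "ARCHITECTURE"), "PR.PS-01": ("8.9", "ASSET"),
    "DE.CM-01": ("8.16", "SITUATION"), "DE.AE-02": ("8.15", "SITUATION"),
    "RS.MA-01": ("5.24", "RESPONSE"),
    "RC.RP-01": ("5.30", "RESPONSE"),
}


@dataclass
class FunctionResult:
    function: str
    achieved_mil: int   # lowest MIL among the function's subcategories
    gap: int            # levels still missing to reach the target
    status: str         # "achieved", "partial" or "not achieved"
    below_target: list = field(default_factory=list)  # subcategories under target, worst first


def gap_analysis(records, target=TARGET_MIL):
    """Roll subcategory scores up to one result per CSF function."""
    by_function = defaultdict(list)
    for sub_id, function, mil in records:
        if mil not in VALID_MILS:
            raise ValueError(f"{sub_id}: MIL must be 0..3, got {mil}")
        by_function[function].append((sub_id, mil))

    results = {}
    for function, subs in by_function.items():
        score = dict(subs)
        # Assumption: the function only holds a level that every subcategory holds.
        achieved = min(score.values())
        below = sorted((s for s, m in score.items() if m < target),
                       key=lambda s: (score[s], s))
        if achieved >= target:
            status = "achieved"
        elif len(below) < len(score):
            status = "partial"          # some subcategories already meet the target
        else:
            status = "not achieved"
        results[function] = FunctionResult(function, achieved,
                                           max(target - achieved, 0), status, below)
    return results


def prioritize(results):
    """Largest gap first, then the function with the most deficient subcategories."""
    return sorted(results.values(),
                  key=lambda r: (-r.gap, -len(r.below_target), r.function))


def recommendations(results, mapping, records, target=TARGET_MIL):
    """One recommendation per deficient subcategory, citing its mapped controls."""
    score_of = {sub: mil for sub, _, mil in records}
    lines = []
    for r in prioritize(results):
        for sub in r.below_target:
            control, domain = mapping.get(sub, ("n/a", "n/a"))
            lines.append(f"{r.function}: raise {sub} from MIL{score_of[sub]} to MIL{target} "
                         f"(ISO/IEC 27002 {control}, C2M2 {domain})")
    return lines


if __name__ == "__main__":
    res = gap_analysis(SAMPLE_SCORES)
    for r in prioritize(res):
        print(f"{r.function:<9} MIL{r.achieved_mil}  gap={r.gap}  {r.status}  {r.below_target}")
    for line in recommendations(res, SAMPLE_MAPPING, SAMPLE_SCORES):
        print(line)
```

With the constructed scores, Govern rolls up to MIL0 because a single risk-management subcategory scored MIL0, which is why a minimum-based roll-up surfaces governance and risk as the largest gap; Protect reports "partial" because two of its three subcategories already meet MIL2. A practitioner applying this to a real assessment would replace the sample records with the 38 mapped subcategories and their questionnaire scores.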
License
Copyright (c) 2026 Dhenok Prastyaningtyas Paramesvari, Jatmiko Endro Suseno, Catur Edi Widodo

This work is licensed under a Creative Commons Attribution 4.0 International License.