Security Analysis of Educational Information Systems Using the ISO/IEC 27001 Framework and a Gap Analysis Approach
Zaki, Fuad; Machfud, Syaeful; Nurlaila, Farida; Nanang, Nanang
TIN: Terapan Informatika Nusantara Vol 6 No 9 (2026): February 2026
Publisher : Forum Kerjasama Pendidikan Tinggi (FKPT)

DOI: 10.47065/tin.v6i9.9344

Abstract

Information system security forms a fundamental backbone for ensuring the continuity of digital services in the modern era, especially in educational environments that rely heavily on information technology. Educational institutions face serious challenges in maintaining data confidentiality, integrity, and availability due to limited resources, weak policy enforcement, and low user literacy in cybersecurity. This study aims to evaluate the implementation of educational information system security using the ISO/IEC 27001 framework and a Gap Analysis approach. The research method employs a qualitative approach with international standard-based evaluation techniques, system observation, and interviews with system administrators. The findings show that out of 14 ISO/IEC 27001 control domains, only 3 domains (21.4%) are fully implemented: access control (A.9), communications security (A.13), and physical security (A.11). The largest security gaps are found in the information security incident management domain (A.16) with 0% implementation, the business continuity management domain (A.17) at 15%, and the compliance with policies domain (A.18) at 20%. The system has implemented the HTTPS protocol, limited two-factor authentication, and Role-Based Access Control (RBAC), but lacks formal security policies, SIEM-based threat monitoring systems, automated backup procedures, and regular security training programs. The gap between actual conditions and ideal standards indicates the need for a holistic approach that integrates technical, managerial, and educational aspects to build a resilient, secure, and sustainable educational information system.