Journal of Emerging Information Systems and Business Intelligence (JEISBI)
Vol. 7 No. 1 (2026): Vol. 07 Issue 01

Information Security Risk Assessment Using ISO/IEC 27005:2018 in Internet Service Provider Company

Aziman, Muhammad Atho'ullah (Unknown)
Palupi, Ghea Sekar (Unknown)



Article Info

Publish Date
24 Feb 2026

Abstract

Information security is a critical concern for Internet Service Provider companies due to their high dependency on information systems and customer data. PT XYZ has not yet conducted a formal information security risk analysis, despite its plan to prepare for ISO/IEC 27001 certification. This study aims to assess information security risks at PT XYZ using the ISO/IEC 27005:2018 framework and to formulate appropriate risk mitigation recommendations. This research adopts a qualitative descriptive approach with a case study method. Data were collected through literature studies, interviews, and direct observations of information assets, business processes, and existing security controls at PT XYZ. The risk analysis process includes context establishment, identification of critical assets based on confidentiality, integrity, and availability principles, identification of threats and vulnerabilities, risk analysis using likelihood and impact parameters, risk evaluation, and the development of risk treatment plans. The results indicate that out of 27 identified information assets, 24 assets are classified as critical. Several identified risks are categorized as high and very high, which may significantly affect the continuity of the company’s core services, including internet connectivity, web hosting, and Domain Name System services. Based on these findings, risk mitigation recommendations are proposed with reference to ISO/IEC 27002:2022 security controls. This study is expected to support PT XYZ in strengthening its information security posture and to serve as an initial step toward achieving ISO/IEC 27001 certification.

Copyrights © 2026






Journal Info

Abbrev

JEISBI

Publisher

Subject

Computer Science & IT; Decision Sciences, Operations Research & Management; Language, Linguistic, Communication & Media; Library & Information Science

Description

Journal of Emerging Information Systems and Business Intelligence (JEISBI) aims to provide scholarly literature focused on studies and research in the fields of Information Systems (IS) and Business Intelligence (BI). This journal also includes public reviews on the development of theories, methods, ...