Manajemen Risiko Keamanan Informasi Menggunakan ISO 27005:2011 pada Sistem Informasi Akademik (SIAK) Universitas Muhammadiyah Sukabumi (UMMI)

Information security is an important part of an academic information system, including Muhammadiyah University of Sukabumi (UMMI). Information security is conducted to protect UMMI assets, especially data and information. Data and information have become an important asset in an organization because it relates to the image of the organization. At this time academic information system at UMMI is built online, causing various threats that may occur. Threats can arise inside or outside. If the threat occurs then the information security aspect will be disrupted and enable the disruption of business process on academic information system of UMMI. The likelihood of this threat is called risk. To minimize losses from risks, risk management should be done well. The risk management method used in risk management in the academic information system of UMMI is ISO 27005. The selection of this method to facilitate the development in the next stage of information security management system on UMMI Academic Information System uses ISO 27000 series. Data collection is done by interview and discussion. The risk management process under ISO 27005 includes four main steps: scope determination, risk assessment, risk treatment and risk acceptance. The result of the risk assessment found 73 possible threat scenarios divided into 3 risk levels, which were 2 low risks, 64 medium risks and 7 high risks. Out of 73 threat scenarios, 47 were made to risk treatment planning. Results of the risk treatment plan, 19 modified risks, 1 risk transferred and 27 risks could be avoided. This risk treatment plan is a recommendation for the leadership of UMMI to conduct risk management.