Information Security Risks Assessment Result for Clinical Laboratory According to Control Criteria in ISO 27001


  • Eddy Susanto Universitas Bina Nusantara
  • Nilo Legowo Universitas Bina Nusantara



ISO 27001, Information Security, Clinical Laboratory, Risk Management


Information is part of an information system that is important to be protected in terms of confidentiality, integrity and availability, in order to increase its reliability. Moreover, information containing personal and health data is definitely available in the clinical laboratory. This becomes a consideration for clinical laboratory management to prepare for the development of its service system in digital transformation. This study aims to assess the information security risks that still arise in a clinical laboratory accredited to ISO 15189 and certified to ISO 9001, as a preparation for digital-based services. By using the ISO 27001 approach which is embedded in the qualitative method in this study, risk assessment is carried out by identification, analysis and evaluation through interviews with process owners at clinical laboratories in Jakarta. As a result, it was found that the Busdev&IT Department had the most information security risks (35 risks out of 384 total risks), which required further treatment based on the established risk appetite. Therefore, vigilance on the use of information systems in the laboratory needs to be improved in terms of information security.

Author Biographies

Eddy Susanto, Universitas Bina Nusantara

Information System Management

Nilo Legowo, Universitas Bina Nusantara

Information System Management


Aagaard, A. (2019). Digital Business Models. Springer International Publishing.

Amraoui, S., Elmaallam, M., Bensaid, H., & Kriouile, A. (2019). Information Systems Risk Management: Litterature Review. Computer and Information Science, 12(3), 1.

Barafort, B., Mesquida, A.-L., & Mas, A. (2017). Integrating risk management in IT settings from ISO standards and management systems perspectives. Computer Standards & Interfaces, 54, 176–185.

Barafort, B., Mesquida, A.-L., & Mas, A. (2019). ISO 31000-based integrated risk management process assessment model for IT organizations. Journal of Software: Evolution and Process, 31(1), e1984.

Eskaluspita, A. Y. (2020). ISO 27001:2013 for Laboratory Management Information System at School of Applied Science Telkom University. IOP Conference Series: Materials Science and Engineering, 879(1), 012074.

Farn, K.-J., Hwang, J.-M., & Lin, S.-K. (2007). Study on Applying ISO/DIS 27799 to Healthcare Industry’s ISMS. WSEAS TRANSACTIONS on BIOLOGY and BIOMEDICINE, 4(8).

Fisher, G., Wisneski, J. E., & Bakker, R. M. (2020). Value Chain Analysis. In Strategy in 3D (pp. 118–129). Oxford University Press.

Grusho, A. A., Zabezhailo, M. I., Piskovski, V. O., & Timonina, E. E. (2020). Industry 4.0: Opportunities and Risks in the Context of Information Security Problems. Automatic Documentation and Mathematical Linguistics, 54(2), 55–63.

Harkins, M. W. (2016). Managing Risk and Information Security. Apress.

Herzig, T. W. (2019). Information Security in Healthcare: Managing Risk. Taylor & Francis.

Hill, M., & Swinhoe, D. (2021, July 16). The 15 biggest data breaches of the 21st century. Https://Www.Csoonline.Com/Article/2130877/the-Biggest-Data-Breaches-of-the-21st-Century.Html.

International Organization for Standardization. (2013). Information technology — Security techniques — Information security management systems — Requirements (ISO/IEC Standard No. 27001:2013).

International Organization for Standardization. (2018). Risk Management - Guideline (ISO Standard no. 31000:2018).

Meriah, I., & Arfa Rabai, L. ben. (2019). Comparative Study of Ontologies Based ISO 27000 Series Security Standards. Procedia Computer Science, 160, 85–92.

Muzaimi, H., Chew, B. C., & Hamid, S. R. (2017). Integrated management system: The integration of ISO 9001, ISO 14001, OHSAS 18001 and ISO 31000. 020034.

NIST. (2012). Guide for Conducting Risk Assessments (NIST Special Publication 800-30).

Rainer, R. K., Prince, B., Splettstoesser-Hogeterp, I., Sanchez-Rodriguez, C., & Ebrahimi, S. (2020). Introduction to Information Systems. John Wiley & Sons Canada, Ltd.

Satzinger, J. W., Jackson, R. B., & Burd, S. D. (2016). Systems Analysis and Design in a Changing World (7th ed.). Cengage Learning.

Schnitzler, S. (2018). A universal guideline for the implementation of a specific ISMS for all Bavarian universities and universities of applied sciences using the example of the University of Applied Sciences Augsburg [Case Study]. University of Applied Science Hochschule Ausburg.

Sekaran, U., & Bougie, R. (2016). Research Methods For Business: A Skill Building Approach (7th ed.). John Wiley & Sons Ltd.

Suroso, J., & Fakhrozi, M. (2018). Assessment of Information System Risk Management with Octave Allegro at Education Institution. Procedia Computer Science, 135, 202–213.

Suyasa, G. W. A., & Legowo, N. (2019). The Implementation of System Enterprise Risk Management Using Framework ISO 31000. Journal of Theoretical and Applied Information Technology, 97(10).

Wallin, E., & Xu, Y. (2008). Managing Information Security in Healthcare: A Case Study in Region Skåne. Lund University.

Weemaes, M., Martens, S., Cuypers, L., van Elslande, J., Hoet, K., Welkenhuysen, J., Goossens, R., Wouters, S., Houben, E., Jeuris, K., Laenen, L., Bruyninckx, K., Beuselinck, K., André, E., Depypere,

M., Desmet, S., Lagrou, K., van Ranst, M., Verdonck, A. K. L. C., & Goveia, J. (2020). Laboratory information system requirements to manage the COVID-19 pandemic: A report from the Belgian national reference testing center. Journal of the American Medical Informatics Association, 27(8), 1293–1299.

Wheeler, E. (2011). Security Risk Management. Syngress - Elsevier Inc.

Wright, C. (2016). Fundamentals of Information Risk Management Auditing (1st ed.). IT Governance Publishing.

Zhiwei, Y., & Zhongyuan, J. (2012). A Survey on the Evolution of Risk Evaluation for Information Systems Security. Energy Procedia, 17, 1288–1294.