International Journal on Advanced Science, Engineering and Information Technology, Vol. 10 (2020) No. 3, pages: 914-919, DOI:10.18517/ijaseit.10.3.10172

Adopting ISO/IEC 27005:2011-based Risk Treatment Plan to Prevent Patients Data Theft

Laura Cassandra Hamit, Haslina Md. Sarkan, Nurulhuda Firdaus Mohd Azmi, Mohd Naz’ri Mahrin, Suriayati Chuprat, Yazriwati Yahya


The concern raised in late 2017 regarding 46.2 million mobile device subscribers’ data breach had the Malaysian police started an investigation looking for the source of the leak.  Data security is fundamental to protect the assets or information by providing its confidentiality, integrity and availability not only in the telecommunication industry but also in other sectors.  This paper attempts to protect the data of a patient-based clinical system by producing a risk treatment plan for its software products.  The existing system is vulnerable to information theft, insecure databases, needy audit login and password management.  The information security risk assessment consisting of identifying risks, analyzing and evaluating them were conducted before a risk assessment report is written down.  A risk management framework was applied to the software development unit of the organization to countermeasure these risks.  ISO/IEC 27005:2011 standard was used as the basis for the information security risk management framework.  The controls from Annex A of ISO/IEC 27001:2013 were used to reduce the risks.  Thirty risks have been identified and 7 high-level risks for the product have been recognized.  A risk treatment plan focusing on the risks and controls has been developed for the system to reduce these risks in order to secure the patients’ data.  This will eventually enhance the information security in the software development unit and at the same time, increase awareness among the team members concerning risks and the means to handle them.


data security; risk management; information security; ISO/IEC 27005; risk assessment plan.

Viewed: 335 times (since Sept 4, 2017)

cite this paper     download