Information System Audit Based on ISO/IEC 27001: A Case Study of a Culinary Small and Medium Enterprise
DOI: https://doi.org/10.64803/cessmuds.v1.93

Keywords: ISO/IEC 27001, Information System Audit, Information Security, SMEs, Case Study

Abstract
Small and Medium Enterprises (SMEs) increasingly rely on information systems to support operational efficiency, customer management, and financial transactions. However, limited awareness and resources often cause SMEs to neglect information security governance, exposing them to data breaches and operational risks (ENISA, 2021). This study aims to evaluate the effectiveness of information security controls in a culinary SME using the ISO/IEC 27001 framework. A qualitative case study approach was employed, involving document analysis, interviews, and observation of information system practices within the organization (Yin, 2018). The audit results reveal several gaps in information security implementation, particularly in access control, risk assessment, and incident management. These findings indicate that although basic controls are in place, the SME has not yet aligned its practices with ISO/IEC 27001 requirements. This study contributes by providing a practical audit model for SMEs to improve information security governance in a cost-effective and structured manner (ISO, 2022).
References
Ahmad, A., Bosua, R., & Scheepers, R. (2021). Protecting organizational information assets: A risk-based approach to information security management. Information Management & Computer Security, 29(1), 1–17. https://doi.org/10.1108/IMCS-06-2020-0184
Calder, A., & Watkins, S. (2018). IT Governance: An International Guide to Data Security and ISO/IEC 27001 (6th ed.). Kogan Page.
Creswell, J. W. (2018). Research Design: Qualitative, Quantitative, and Mixed Methods Approaches (5th ed.). Sage Publications.
ENISA. (2021). Cybersecurity for Small and Medium-Sized Enterprises. European Union Agency for Cybersecurity.
Hall, J. A. (2016). Information Technology Auditing and Assurance (4th ed.). Cengage Learning.
Humphreys, E. (2017). Implementing the ISO/IEC 27001 Information Security Management System (3rd ed.). Artech House.
ISACA. (2019). Information Systems Auditing: Tools and Techniques. ISACA Press.
ISO. (2022). ISO/IEC 27001:2022 — Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems — Requirements. International Organization for Standardization.
ISO. (2022). ISO/IEC 27002:2022 — Information Security Controls. International Organization for Standardization.
Laudon, K. C., & Laudon, J. P. (2022). Management Information Systems: Managing the Digital Firm (17th ed.). Pearson Education.
OECD. (2020). SME and Entrepreneurship Policy in the Digital Era. OECD Publishing. https://doi.org/10.1787/3c8b5171-en
Romney, M. B., & Steinbart, P. J. (2021). Accounting Information Systems (15th ed.). Pearson Education.
Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217–224. https://doi.org/10.1016/j.im.2013.08.006
Tsohou, A., Karyda, M., & Kiountouzis, E. (2021). Analyzing information security management in small and medium enterprises: A socio-technical perspective. Computers & Security, 105, 102–118. https://doi.org/10.1016/j.cose.2021.102118
Verizon. (2023). Data Breach Investigations Report. Verizon Enterprise Solutions.
Whitman, M. E., & Mattord, H. J. (2021). Principles of Information Security (7th ed.). Cengage Learning.
Yin, R. K. (2018). Case Study Research and Applications: Design and Methods (6th ed.). Sage Publications.
Copyright (c) 2025 Mira Agustina, Andini Syahputri, Rizky Natasya, Neng Sri Wardhani (Author)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.