Risk Management in Information Systems: Applying ISO 31000:2018 and ISO/IEC 27001:2022 Controls at PMI's Central Clinic

PMI Main Clinic is a national association organization in Indonesia engaged in health services. PMI Main Clinic has an information system to support its health service process. One of the information systems is the Clinic Management Information System (Smart Klinik), this information system is used to record patients from the beginning of the patient's arrival to register until the patient gets the medicine. PMI Main Clinic has never implemented information system risk management before. If a risk occurs at the PMI Main Clinic, the PMI Main Clinic can suffer huge losses and hamper the health service process. To find out the possible risks that can occur at PMI, the ISO 31000: 2018 method is used and the control standard uses ISO 27001: 2022. It can be seen from the 22 possible risks, there are 4 possible risks with very high levels, 2 possible risks with high risk levels, 10 possible risks with moderate risk levels, and 6 possible risks with low risk levels. The control recommendations used ISO/EIC 27001:2022 from the result Equipment maintenance, Information backup, Protection against malware, Installation of software on operational systems, Monitoring activities, Web filtering, Network’s security, Security of network services, Segregation of networks, Secure system architecture and engineering principles.