Assessing Information Security Risks in Clinical Laboratory in Accordance With ISO/IEC 27001 Standard


  • Eddy Susanto Information Systems Management Department, Bina Nusantara University, Jakarta, Indonesia
  • Nilo Legowo Information Systems Management Department, Bina Nusantara University, Jakarta, Indonesia
  • Benny Ady Prabowo Information Systems Management Department, Bina Nusantara University, Jakarta, Indonesia



ISO/IEC 27001, information security, clinical laboratory, risk management



Purpose

This study aims to assess the information security risks that remain in a clinical laboratory accredited to ISO 15189 and certified to ISO 9001, in preparation for digital-based services.


Design/methodology/approach

Using the ISO/IEC 27001 approach, embedded in this study's qualitative method, the risk assessment is carried out in three steps, risk identification, risk analysis and risk evaluation, through interviews with process owners at clinical laboratories in Jakarta.



Findings

The assessment found that the Busdev&IT Department carried the most information security risks (35 of the 384 risks identified), which required further treatment against the established risk appetite. Vigilance over the use of information systems in the laboratory therefore needs to be increased from an information security standpoint.

Research limitations/implications

The research object was in the preparation stage for ISO/IEC 27001 certification, but the risk assessment serves not only to meet the certification requirements but also to establish effective information security controls across the laboratory's processes so that sensitive information is protected.


Originality/value

This study addresses the need to establish information security risk controls in a clinical laboratory.

