IT Risk Management Based on ISO 31000 and OWASP Framework using OSINT at the Information Gathering Stage (Case Study: X Company)

Full Text (PDF, 761KB), PP.17-29

Views: 0 Downloads: 0


Anak Agung Bagus Arya Wiradarma 1,* Gusti Made Arya Sasmita 1

1. Udayana University, Bali, Indonesia

* Corresponding author.


Received: 3 Nov. 2019 / Revised: 17 Nov. 2019 / Accepted: 23 Nov. 2019 / Published: 8 Dec. 2019

Index Terms

Information Gathering, OSINT, OWASP, Penetration Testing, ISO 31000


The major IT developments lead to speed and mobility elevation of information access. One of them is using the website to share and gather information. Therefore, the mobility and information disclosure create a harmful vulnerability. Which is the leakage of information, whether organizational or sensitive information, such as bank accounts, phone number and many more. Security testing is necessarily needed on website usage. One of the website security testing method is penetration testing. Supporting framework that can be used in this method is OWASP Testing Guide Version 4. OTG Version 4 has 11 stages cover all aspects of website protection and security. Security testing is nicely done using tools / software. Tools with the concept of OSINT (Open Source Intelligence) are used to get better access and availability by using the characteristics of open source. The IT risk assessment analysis carried out by ISO 31000 framework and based on the results that have been obtained through penetration testing with OWASP framework. Significance & values of this research is finding the best and effective way to making IT risk management guidelines along with the combination of with OWASP & ISO 31000 framework, by doing website security assessment with penetration testing method based on OWASP framework to get the system vulnerabilities and analyze the risks that appears with the ISO 31000 framework. Also, the IT risk management guidelines consist of system improvement recommendations along with evaluation report which obtained from the collaboration analysis the OSINT concept, penetration testing methods, OWASP and ISO 31000 framework.

Cite This Paper

Anak Agung Bagus Arya Wiradarma, Gusti Made Arya Sasmita, "IT Risk Management Based on ISO 31000 and OWASP Framework using OSINT at the Information Gathering Stage (Case Study: X Company)", International Journal of Computer Network and Information Security(IJCNIS), Vol.11, No.12, pp.17-29, 2019. DOI:10.5815/ijcnis.2019.12.03


[1]Benes, L. (2013). OSINT, New Technologies, Education: Expanding Opportunities and Threats. A New Paradigm. Journal of Strategic Security, 6(3Suppl), 22–37.
[2]Crane, L., Gantz, G., Isaacs, S., Jose, D., & Sharp, R. (2013). Introduction to Risk Management: Understanding Agricultural Risk. 39. Retrieved from
[3]Dahl, O. (2005). Using coloured petri nets in penetration testing. 89. Retrieved from
[4]de Oliveira, U. R., Marins, F. A. S., Rocha, H. M., & Salomon, V. A. P. (2017). The ISO 31000 standard in supply chain risk management. Journal of Cleaner Production, 151(March), 616–633.
[5]Dirgahayu, T., Prayudi, Y., & Fajaryanto, A. (2015). Penerapan Metode ISSAF dan OWASP versi 4 Untuk Uji Kerentanan Web Server. Jurnal Ilmiah NERO, 1(3), 190–197. Retrieved from
[6]Edam, H. A. Ü., Ctga, O., Edam, H. A. Ü., Ctga, O., & Üniversitesi, K. H. (2018). Digital Open Source Intelligence and International Security : A Primer Digital Open Source Intelligence and International Security : A Primer. (July).
[7]Fitri, S. D., Setyowati, D. L., & Duma, K. (2019). Implementasi Manajemen Risiko Berdasarkan ISO 31000 : 2009 pada Program Perawatan Mesin di Area Workshop PT . X. 6(1), 16–24.
[8]Ghozali, B., Kusrini, K., & Sudarmawan, S. (2019). Mendeteksi Kerentanan Keamanan Aplikasi Website Menggunakan Metode Owasp (Open Web Application Security Project) Untuk Penilaian Risk Rating. Creative Information Technology Journal, 4(4), 264.
[9]Hasan, A., & Meva, D. (2018). Web Application Safety by Penetration Testing. 4TH International Conference on Cyber Security (ICCS), (January), 159–163.
[10]Hassan, N. A., Hijazi, R., Hassan, N. A., & Hijazi, R. (2018). The Evolution of Open Source Intelligence. Open Source Intelligence Methods and Tools, (1), 1–20.
[11]Hoepman, J.-H. (2014). Privacy Design Strategies. 9, 446–459.
[12]Husein, G. M., & Imbar, R. V. (2015). Analisis Manajemen Resiko Teknologi Informasi Penerapan Pada Document Management System di PT . Jabar Telematika ( JATEL ). 1, 75–87.
[13]Hussain, M. Z., Hasan, M. Z., Taimoor, M., Chughtai, A., Taimoor, M., & Chughtai, A. (2017). Penetration Testing In System Administration. International Journal of Scientific & Technology Research, 6(6), 275–278.
[14]Jenter, D., Rock, M., & Morgenstern, P. H. (2014). Scientific Approach on OSINT Training Program Development based on a Skill-Management-System for European Law Enforcement Agencies.
[15]Kawakita, M., & Shima, S. (2018). Detection, auto analysis of cyber threats using open source intelligence. NEC Technical Journal, 12(2), 80–84.
[16]Lalonde, C., & Boiral, O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management, 14(4), 272–300.
[17]Lubis, A., & Tarigan, A. (2017). Security Assessment of Web ApplicationThrough Penetration System Techniques. Jend. Gatot Subroto Km, 4(100), 296–303. Retrieved from
[18]Petersen, R. L. (2017). Enhancing identification and reporting of potentially harmful public data on Danish organizations by Summary ( English ).
[19]Pratama, E., & Wiradarma, A. (2019). Open Source Intelligence Testing Using the OWASP Version 4 Framework at the Information Gathering Stage ( Case Study : X Company ). (July), 8–12.
[20]Review, A., Mariani, A., & Oldra, S. B. (2015). FRAMEWORK IMPLEMENTATION FOR OWASP. (1).
[21]Sedek, K. A., Osman, N., Osman, M. N., & Jusoff, H. K. (2009). Developing a Secure Web Application Using OWASP Guidelines. Computer and Information Science, 2(4), 137–143.
[22]Sena, A. De. (2019). ISO Standards Applicability and a Case Study About ISO 31000 in a Portuguese Municipality. 4(4), 102–111.
[23]Shanley, A., & Johnstone, et al. (2015). Selection of penetration testing methodologies: A comparison and evaluation. AISMC - Australian Information Security Management Conference, 2015, 65–72.
[24]Stiawan, D., Idris, M. Y., Abdullah, A. H., Aljaber, F., & Budiarto, R. (2017). Cyber-attack penetration test and vulnerability analysis. International Journal of Online Engineering, 13(1), 125–132.
[25]Sukapto, P., Desena, J. D. H., Ariningsih, P. K., & Susanto, S. (2018). Integration of risk engineering by ISO 31000 and safety engineering: A case study in a production floor of sport footwear industry in Indonesia. International Journal of Simulation: Systems, Science and Technology, 19(4), 22.1-22.12.
[26]System, A., & Marx, M. (2014). The Extension and Customisation of the Maltego Data-Mining Environment into.
[27]Yeboah-Ofori, A. (2018). Cyber Intelligence and OSINT: Developing Mitigation Techniques Against Cybercrime Threats on Social Media. International Journal of Cyber-Security and Digital Forensics, 7(1), 87–98.
[28]Young, J., Campbell, K., Fanti, A., Alicea, A., & Weiss, M. (2018). The Development of an Open Source Intelligence Gathering Exercise for Teaching Information Security. Thirteenth Midwest Association for Information Systems Conference, (May 2018).