Internal Compliance Audit of the Information Security Management System in a Cybersecurity Company based on ISO/IEC 27001

Sterevania Rambu Muna, Halim Budi Santoso, Jong Jek Siang

Abstract


Information Security Management Systems (ISMSs) require periodic evaluation to assess their level of compliance with established standards and frameworks. This study evaluates the implementation of an Information Security Management System in an Indonesian cybersecurity services company, with a particular focus on the Compliance Division and the Security Operations Center (SOC). The case study was selected because the organization's ISMS had not been implemented consistently, particularly regarding the regular updating of security policies and operational procedures. As a cybersecurity service provider, the company is expected to conduct periodic compliance assessments to ensure alignment with recognized information security management standards, such as ISO/IEC 27001:2022. The study employed a Gap Analysis approach that combined qualitative and quantitative data. Data were collected through direct observation and a review of internal documentation after obtaining the company's authorization. The results indicate an overall compliance level of 77.5%. Three control areas achieved full compliance: the timely execution of internal audits, incident documentation, and log management. Based on the identified gaps, a set of improvement recommendations was developed to assist the organization in achieving greater compliance with the requirements of ISO/IEC 27001:2022. This study provides practical contributions by demonstrating the application of the ISO/IEC 27001:2022 framework for conducting internal compliance audits of Information Security Management Systems and offering actionable recommendations for strengthening organizational information security governance.

Keywords


cyber security; gap analysis; information security management system; internal compliance audit; ISO 27001


DOI: https://doi.org/10.32520/stmsi.v15i6.6471

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.