
Month: February 2025

ISO 27001, GDPR, and the Quest for Data Security: What’s the Deal?

After last week’s discussion on “what gaps should actually be regulated by regulators?”, this week I’m diving into the existing technology standards and recommendations, drawing on research that has examined them.

First up: ISO 27001

ISO 27001 seems to be super well-known worldwide as the information security management standard (forgive me, guys, I just found out about this ISO thanks to KIPP, hehe). But what has it actually done? Based on [this GDPR link] and [this other link], I got a better understanding of why ISO 27001 is so essential.

1. ISO 27001 and GDPR

Super relevant to my project since the regulation I’m studying is, in a way, Indonesia’s version of GDPR, especially for the financial sector. Interestingly, the journal article I read pointed out that ISO 27001 and GDPR overlap, meaning companies that have already implemented ISO 27001 will have an easier time complying with GDPR (yes, ISO 27001 really is that meticulous!).

ISO 27001 focuses on people, processes, and technology (which, by the way, is also embedded in Bank Indonesia’s regulations, not just GDPR). Another major similarity? Defined accountability: GDPR’s Data Protection Officer has a rough counterpart in ISO 27001’s requirement to assign information security roles and responsibilities (I need to double-check how BI’s regulations handle this, though). And the most important part? Certification. An ISO 27001 certificate serves as independent evidence of conformance with the standard, and GDPR likewise provides for certification mechanisms as a way of demonstrating compliance.

That said, GDPR has requirements that ISO 27001 does not cover, such as a lawful basis for processing (including consent), data subject rights, and restrictions on processing, which means ISO 27001 alone isn’t enough to meet GDPR obligations.

2. Case study: Do employees in MSEs actually understand and apply ISO 27001?

Since one of ISO 27001’s three key aspects is people, the real question is: does ISO 27001 actually change how people interact with data?

One of the journals I read brought up an interesting theory—“knowledge influences attitudes, which in turn influence behavior.” So? Yep, people need to understand it first!

The research found that ISO 27001 helps employees feel more confident in implementing information security and creates ‘social pressure’ to comply within the workplace. And, this really clicked with my own thoughts, the journal also highlighted the importance of ongoing education. This means it’s not enough for security standards to be written into big regulatory documents. Even if I propose a framework for technical guidelines, it still won’t be effective unless each PJP (Payment Service Provider) actively promotes and communicates it to its employees.

What about NIST? Should I go deeper into this?

Honestly, I’m a bit torn on whether I should explore NIST further, considering it’s a US government standard (not trying to be political here, but shouldn’t each country have its own standards?).

That said, knowledge-wise, I skimmed some material on NIST, particularly the well-known NIST Cybersecurity Framework (CSF). It turns out NIST’s publications are more technical than ISO 27001: the CSF itself is an outcome-based framework, but it maps to detailed technical guidance such as the NIST SP 800 series. The good news? They provide technical guidelines, which makes NIST an excellent benchmark reference for my project.

Alright, since this week’s post is already pretty packed, let’s do a deeper dive next week! See you guys!

Cybersecurity in Indonesia’s Financial Sector: Gaps & Insights from the PADG

After previously discussing the Bank Indonesia Regulation (PBI) on Cyber Security and Resilience, in this blog, I want to dive deeper into its derivative regulation, the Member of the Board of Governors Regulation (PADG) on Cyber Security and Resilience (KKS), which provides more detailed guidelines. The key points covered in the PADG include:

1. Purpose & Scope

  • Strengthening cyber security and resilience in the financial sector.
  • Regulating Payment Service Providers (PJP), money market participants, and other entities under BI’s supervision.
  • Covering governance, prevention, incident handling, reporting, and sanctions.

2. Cyber Security Governance

  • Organizations must develop a KKS strategy & roadmap.
  • Conduct regular audits at least once a year (internal or external).
  • Provide training & education on cyber security for employees and external partners.

3. Cyber Incident Prevention

  • Identify risks & map threats (people, process, technology).
  • Protect data & systems (restricted access, encryption, malware detection).
  • Conduct real-time threat monitoring, and vulnerability testing at least once a year.

4. Cyber Incident Handling

  • Establish a cyber incident response team ready to take action.
  • Report incidents to BI (initial notification within 1 hour, full report within 3 days).

5. Sanctions for Violations

  • Administrative fines up to IDR 5 million per report.
  • Possible sanctions: warnings, temporary suspension, or even license revocation.

6. Collaboration & Information Sharing

  • Organizations must share threat information with BI.
  • BI has the authority to isolate systems affected by cyberattacks.
  • Self-Regulatory Organizations (SROs) are appointed to assist with regulation.

Looking at this regulation, it seems quite comprehensive… but I do see some gaps. So, let’s go back to my dissertation outline.

One key aspect I’m focusing on is the identification and mapping of security standards like ISO 27001, NIST, IEEE, and ECSS. Right now, the KKS regulation does not specify any particular technical standard. My guess? Maybe BI wants to give payment system providers (including PJPs) the flexibility to choose their own technologies. But is that a good move?

In my opinion, cybersecurity regulation needs clear technical detail to address the complexity of modern IT environments. Mtsweni et al. (2018) describe today’s digital landscape as a web of interconnected systems, overlapping processes, and complex organizational structures, much of which operates as a black box. Without well-defined standards, PSPs could implement security measures inconsistently, leading to gaps in protection.

Many studies, including Villalón-Fonseca (2022), emphasize the importance of international standards like ISO 27001, which provides a framework for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). Mandating at least a minimum level of compliance with this standard would be a solid step forward. Interestingly, BI’s regulatory counterpart, OJK, has already taken this approach, explicitly requiring ISO 27001 for banks under SEOJK No. 29/SEOJK.03/2022.

If we look at the core principles of ISO/IEC 27001, it follows a process-based approach (plan, implement, monitor, review, continually improve) centred on risk management. The KKS regulation does mention cyber risk, but it doesn’t specify a risk assessment methodology or require a Statement of Applicability (SoA), the document in which an ISO 27001 organisation records which Annex A controls it applies and justifies any it excludes. It also doesn’t address information asset classification, which is crucial for structured data governance. Some of these aspects are touched on in the PADG, but again, not in much detail.

This raises an important question: is the lack of detail because the PADG simply isn’t designed to regulate at that level? If that’s the case, then my research could provide recommendations on which areas need more clarity, so that PJP operators don’t have to “guess” their way through compliance. The goal is to ensure flexibility, while still aligning with international best practices for data protection.

References:

Mtsweni, J., Gcaza, N., & Thaba, M. (2018). A unified cybersecurity framework for complex environments. SAICSIT 2018, 26–28 September, Port Elizabeth, South Africa.

Villalón-Fonseca, R. (2022). The nature of security: A conceptual framework for integral-comprehensive modeling of IT security and cybersecurity. Computers & Security, 120, 102805. https://doi.org/10.1016/j.cose.2022.102805
