After last week’s discussion on “which gaps should regulators actually regulate?”, this week I’m diving into several existing technology standards and frameworks, based on research that has studied how they work in practice.

First up: ISO 27001

ISO 27001 (formally ISO/IEC 27001, the standard for information security management systems) seems to be super well-known worldwide in the security world (forgive me, guys, I only found out about this ISO thanks to KIPP, hehe). But what does it actually do? Based on [this GDPR link] and [this other link], I got a better understanding of why ISO 27001 is considered so essential.

1. ISO 27001 and GDPR

Super relevant to my project, since the Bank Indonesia regulation I’m working with is, in a way, Indonesia’s version of GDPR, especially for the financial sector. Interestingly, the journal I read pointed out that ISO 27001 and GDPR share a lot of ground, meaning companies that have already implemented ISO 27001 will have an easier time complying with GDPR (yes, ISO really is that meticulous!).

ISO 27001 covers people, processes, and technology (which, by the way, is also embedded in Bank Indonesia’s regulations, not just GDPR). Another major similarity the journal highlighted? A designated person responsible for data protection, which GDPR calls the Data Protection Officer (I still need to double-check whether BI’s regulations require an equivalent role). And the most important part? Certification. An ISO 27001 certificate is issued after an external audit, so it serves as independent proof that an organization’s security management meets the standard.

That said, GDPR has requirements that ISO 27001 doesn’t touch, such as lawful consent, data subject rights (access, erasure, and so on), and restrictions on how personal data may be processed, which means ISO 27001 alone isn’t enough to be GDPR compliant.

2. Case study: Do employees in MSEs (micro and small enterprises) actually understand and apply ISO 27001?

Since one of ISO 27001’s three key aspects is people, the real question is: does ISO 27001 actually change how people handle data day to day?

One of the journals I read brought up an interesting theory: “knowledge influences attitudes, which in turn influence behavior.” So? Yep, people need to understand the standard before they will follow it!

The research found that ISO 27001 helps employees feel more confident in implementing information security and creates a kind of ‘social pressure’ to comply within the workplace. And this really clicked with my own thinking: the journal also stressed the importance of ongoing education. It’s not enough for security standards to sit in big regulatory documents. Even if I propose a framework for technical guidelines, it won’t be effective unless each PJP (Payment Service Provider) actively promotes it and trains its employees on it.

What about NIST? Should I go deeper into this?

Honestly, I’m a bit torn on whether I should explore NIST further, considering it’s an American government standard (not trying to be political here, but shouldn’t each country have its own standards?).

That said, knowledge-wise, I skimmed some material on NIST, particularly their well-known NIST Cybersecurity Framework (CSF). Turns out NIST’s material is more technical than ISO 27001: the CSF itself is a high-level framework, but NIST backs it with detailed technical guidance in its special publications (the SP 800 series). The good news? Those technical guidelines are exactly what makes NIST an awesome benchmark reference for my project.

Alright, since this week’s post is already pretty packed, let’s do a deeper dive next week. See you guys!