Integrating ISO, CIPP and CMMI Frameworks for Data Privacy Compliance: A System-Level Maturity Assessment with PDCA-Based Architecture in a KBMI Group IV Bank
DOI: https://doi.org/10.63158/journalisi.v8i3.1623
Keywords: CIPP, CMMI Maturity Assessment, PDP Law Compliance, Privacy Engineering, Banking Information Systems
Abstract
This study examines the organizational and technical readiness of a systemically important Indonesian bank (KBMI Group IV) in responding to the enactment of the Personal Data Protection (PDP) Law, which necessitates robust privacy engineering and system architecture adaptation. This maturity assessment is conducted as a single-case study based on empirical data collected from two primary respondents: a Business Branch Manager and a Department Head Application Developer. To comprehensively evaluate the system, this study integrates a multi-model framework. First, the Context, Input, Process and Product (CIPP) model qualitatively measures the organization's governance, resources, workflows and policy impacts. These qualitative findings are then translated into CMMI-based process maturity scores. The observed empirical findings reveal an overall maturity score of 3.69, positioning the organization at Level 3 (Defined) as an institutional baseline rather than a sector-wide indicator. The observed findings also expose a regulatory conflict between the PDP Law's 'Right to be Forgotten' and mandatory financial data retention regulations. To address these observed gaps, the study proposes two framework outputs: a comprehensive mapping matrix that aligns regulatory requirements with ISO 27001 and ISO 27701 standards and a conceptual PDCA-based system architecture utilizing data masking and pseudonymization. Although the proposed framework is developed within the context of a single institution, it offers a valuable preliminary foundation for evaluating technical privacy compliance in the banking sector, subject to further validation across a broader range of financial institutions.
License
Copyright (c) 2026 Journal of Information Systems and Informatics

This work is licensed under a Creative Commons Attribution 4.0 International License.