Integrating ISO 27001 and Indonesia's Personal Data Protection Law for Data Protection Requirement Model

  • Arya Adhi Nugraha Universitas Teknologi Digital Indonesia, Indonesia
  • Asyahri Hadi Nasyuha Universitas Teknologi Digital Indonesia, Indonesia
Keywords: ISO 27001:2022, Personal Data Protection Law (PDP Law), Data Security Compliance

Abstract

This research explores the integration of ISO/IEC 27001:2022 with Indonesia's Personal Data Protection (PDP) Law to establish a robust framework for data protection and information security within organizations operating in Indonesia. The research addresses the challenges of aligning the comprehensive information security management systems (ISMS) standard of ISO/IEC 27001:2022 with the specific legal requirements of the PDP Law, which governs personal data collection, processing, and protection. Employing the Action Design Research (ADR) methodology, the study involves a thorough review of existing literature, consultations with domain experts, and the development of a structured framework for integration. Key findings highlight the complementary nature of ISO/IEC 27001:2022's risk-based approach and the PDP Law's emphasis on data subject rights, consent management, and breach notification. The integration framework provides organizations with a unified approach to meet both international standards and local regulatory requirements, enhancing overall data protection. The research concludes with insights and recommendations for organizations seeking to navigate the complex landscape of data protection compliance, emphasizing the importance of harmonizing security measures with legal mandates to build a comprehensive and effective data protection strategy.



Published
2024-06-14
How to Cite
Nugraha, A., & Nasyuha, A. (2024). Integrating ISO 27001 and Indonesia’s Personal Data Protection Law for Data Protection Requirement Model. Journal of Information Systems and Informatics, 6(2), 1052-1069. https://doi.org/10.51519/journalisi.v6i2.754