INTEGRATING ISO 27001 WITH INDONESIA'S PERSONAL DATA PROTECTION LAW: A GOVERNANCE POLICY MODEL FOR SECURE CUSTOMER ONBOARDING AT BANK XYZ
Publisher
Swiss German University
Abstract
This research investigates compliance gaps in Bank XYZ’s adoption of ISO 27001 alongside Indonesia’s Personal Data Protection Law (PDP Law No. 27/2022) during customer onboarding. As a rapidly growing BUKU 2 Islamic bank, XYZ faces regulatory risks, including fines of up to 2% of annual revenue under Article 57 of the PDP Law.
Through a mixed-methods approach—combining document analysis, stakeholder interviews, and validation workshops—the study identified three key issues: delayed breach notifications exceeding 90 hours (violating Article 46), indefinite KYC data retention beyond the 7-year legal limit (Article 44), and weak consent management. These problems were linked to misalignment with ISO 27001 controls and technological constraints.
To address these issues, a hybrid governance framework was developed, integrating ISO 27001, ISO 27701, and CIS Controls. It introduced a 72-hour breach notification process via SIEM, a compliant data retention policy with automated deletion triggers, and clarified roles between DPOs and ISMS leads.
Validation workshops with governance leaders at Bank XYZ yielded COBIT 2019 maturity scores averaging between 4.3 and 4.7, confirming feasibility. The framework supports compliance while cutting breach risk by 32% in onboarding, offering a replicable model for other financial institutions in Indonesia.