DESIGNING A THIRD-PARTY RISK MANAGEMENT POLICY FOR PT XYZ USING ISO 31000, NIST CSF 2.0, ISO/IEC 27701, CIS CONTROLS V8, AND UU PDP
Publisher
Swiss German University
Abstract
Businesses are leaning more on third-party vendors as they advance their digital transformation, yet this dependency exposes them to heightened cybersecurity and privacy threats. For PT XYZ, a financial institution in Indonesia, the challenges are intensified by the strict privacy requirements of the Personal Data Protection Law (UU PDP). This study identifies critical governance gaps at PT XYZ, including the absence of standardized due diligence, a lack of vendor monitoring, and insufficient data protection clauses in contracts. Using a mixed-methods approach consisting of document review, surveys, and interviews, this research integrates ISO 31000, NIST CSF 2.0, ISO/IEC 27701, and CIS Controls v8 to design a risk-based third-party management framework. The findings highlight three priority areas: implementing structured vendor onboarding, establishing continuous monitoring, and enforcing contractual obligations for data protection and secure deletion. Validation by internal stakeholders and external experts confirmed the framework’s feasibility, regulatory alignment, and operational relevance. The research concludes that PT XYZ can adopt this integrated policy framework to enhance its cybersecurity posture, align completely with UU PDP, and provide a replicable governance model for other financial institutions.