BANK INDONESIA'S IT AUDIT GUIDELINES FOR PAYMENT SERVICE PROVIDERS IN THE SME CATEGORY: AN INTEGRATED ISO 27001:2022 ANNEX A, AND CLOUD-BASED SOLUTION ARCHITECTURE DESIGN

Abstract

Indonesia’s Small-Medium Enterprises (SMEs) face significant challenges complying with Bank Indonesia’s (BI) stringent Payment Service Provider licensing requirements, including cybersecurity mandates (BI 23/6/PBI/2021). This study addresses these barriers by designing a cost-efficient, cloud-based solution architecture that harmonizes with ISO 27001:2022 Annex A to streamline compliance for resource-constrained SMEs. The framework helps prepare SMEs for IT audits with guidelines that reconcile Bank Indonesia requirements with ISO 27001:2022 Annex A controls, and it replaces complex enterprise architectures with a lightweight, cloud-centric model that leverages Indonesian cloud providers while still meeting Bank Indonesia's requirements. Validation through SME pilot studies demonstrated a reduction in compliance costs compared to traditional approaches, achieved through open-source tools and hybrid cloud deployments. This research contributes a practical implementation guide for SMEs and a cloud-based solution architecture design that meets Bank Indonesia requirements. By bridging regulatory complexity with SME realities, this work fosters inclusive growth in Indonesia’s digital economy while advancing secure, scalable payment ecosystems.
