OJK's Role in Indonesian Financial Services IT Governance
The Otoritas Jasa Keuangan (OJK) is Indonesia's integrated financial services regulator, with supervisory authority over banks, insurance companies, capital markets intermediaries, pension funds, and fintech providers. As financial services have digitalized, OJK has made IT governance a core supervisory concern. The integration of IT risk management into consolidated financial regulation reflects a global trend: IT service failures now pose direct risks to financial stability, consumer protection, and market integrity.
OJK's regulatory approach emphasizes proportionality: the IT governance requirements imposed on large systemically important banks differ from those for smaller regional banks or fintech startups. However, across all regulated entities and all service provider categories, OJK's baseline expectation is that IT services are managed through a documented, mature SMS. This expectation has become explicit in POJK 11/2022.
POJK 11/2022: IT Risk Management Framework
POJK 11/2022 on IT Risk Management for Financial Services Institutions establishes the following IT governance pillars: IT strategy, IT governance, IT risk management, IT operations, IT security, IT service management, IT project management, and IT service provider management. Of these, the IT service management pillar aligns directly with ISO 20000 scope.
POJK 11/2022 is principle-based rather than prescriptive. The regulation does not mandate ISO 20000 certification, nor does it reference ISO 20000 explicitly. However, the IT service management requirements described in POJK 11/2022 are functionally identical to ISO 20000 Clause 8 practice areas. This creates a powerful opportunity: an organization with an ISO 20000-certified SMS can demonstrate POJK 11/2022 compliance through the certification evidence base.
POJK 11/2022 IT Service Management Requirements
Incident Management Alignment
POJK 11/2022 requires financial institutions and their IT service providers to establish incident management processes that include timely incident detection, categorization, root cause analysis, and regulatory reporting for major incidents. Incidents affecting financial services must be escalated within specific timeframes and reported to OJK if they meet materiality thresholds.
ISO 20000 Clause 8.6.1 specifies incident management practice requirements including incident detection, categorization, prioritization, response, and resolution tracking. The ISO 20000 incident categorization and major incident designation align directly with POJK's incident severity classification and reporting thresholds. An organization with an ISO 20000-certified SMS can demonstrate POJK compliance through its incident management procedure, incident logs, and major incident records.
Problem Management and Corrective Action
POJK 11/2022 requires root cause analysis of recurring incidents and documented corrective action plans. Problem management is identified as a mandatory process component. ISO 20000 Clause 8.6.3 defines problem management as the practice of identifying and managing the underlying causes of incidents. The documented problem register, root cause analysis records, and corrective action tracking required by ISO 20000 directly satisfy POJK's problem management requirements.
Change Management and Authorization
POJK 11/2022 requires documented change management processes including change authorization, impact analysis, testing, rollback procedures, and change documentation. Changes to critical IT infrastructure must be subject to heightened approval controls and must include explicit authorization by IT governance authorities.
ISO 20000 Clause 8.6.5 defines change management practice requirements including change request handling, impact assessment, change authorization, and post-implementation review. The change authorization mechanisms, testing procedures, and rollback capability documented in an ISO 20000 SMS directly demonstrate POJK compliance.
Configuration Management and the CMDB
POJK 11/2022 requires maintained inventory and configuration tracking of IT infrastructure and applications. Configuration management databases (CMDBs) or equivalent CI tracking mechanisms are mandatory. ISO 20000 Clause 8.6.4 specifies configuration management requirements including CI identification, relationship mapping, and change tracking. A maintained CMDB is the standard evidence base for both ISO 20000 and POJK 11/2022 compliance.
Availability and Service Continuity
POJK 11/2022 imposes availability and continuity requirements on IT service providers supporting financial institutions. Service availability targets must be defined, monitored, and reported. Disaster recovery and business continuity capabilities must be established with tested RPO and RTO targets.
ISO 20000 Clauses 8.7.1 (availability management) and 8.7.2 (service continuity management) require availability monitoring, SLA targets, and continuity planning. The monitoring data, availability reports, and continuity testing records generated by an ISO 20000 SMS provide POJK audit evidence.
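The availability reporting described above is usually reduced to one number per reporting period: measured availability against the SLA target, with the remaining downtime budget. The following is an added example, not code from the page or from Bitlion, showing how that figure is derived from an outage log. It merges overlapping outage records so that two tickets for the same outage are not counted twice, clips outages that straddle the reporting window, and compares the result with a target percentage. The outage records, the reporting window (January 2024) and the 99.9% target are constructed sample values.

```python
from datetime import datetime
from typing import Dict, List, Tuple

Interval = Tuple[datetime, datetime]

# Constructed sample outage records (start, end). Two of them overlap, and one
# begins before the reporting window and must be clipped to it.
SAMPLE_OUTAGES: List[Interval] = [
    (datetime(2024, 1, 5, 2, 0), datetime(2024, 1, 5, 2, 30)),
    (datetime(2024, 1, 5, 2, 20), datetime(2024, 1, 5, 2, 50)),   # overlaps the previous record
    (datetime(2024, 1, 20, 10, 0), datetime(2024, 1, 20, 10, 10)),
    (datetime(2023, 12, 31, 23, 50), datetime(2024, 1, 1, 0, 5)),  # straddles the window start
]
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = datetime(2024, 2, 1)     # 31 days = 44,640 minutes
TARGET_PCT = 99.9                     # constructed SLA availability target


def merge_intervals(intervals: List[Interval]) -> List[Interval]:
    """Merge overlapping or touching intervals so overlapping outages count once."""
    merged: List[Interval] = []
    for start, end in sorted(intervals, key=lambda iv: iv[0]):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(outages: List[Interval], window_start: datetime, window_end: datetime) -> float:
    """Total minutes of outage inside the reporting window, after merging and clipping."""
    total = 0.0
    for start, end in merge_intervals(outages):
        clipped_start = max(start, window_start)
        clipped_end = min(end, window_end)
        if clipped_end > clipped_start:
            total += (clipped_end - clipped_start).total_seconds() / 60
    return total


def window_minutes(window_start: datetime, window_end: datetime) -> float:
    return (window_end - window_start).total_seconds() / 60


def availability_pct(outages: List[Interval], window_start: datetime, window_end: datetime) -> float:
    """Measured availability as a percentage of the reporting window."""
    total = window_minutes(window_start, window_end)
    return 100.0 * (total - downtime_minutes(outages, window_start, window_end)) / total


def downtime_budget_minutes(target_pct: float, window_start: datetime, window_end: datetime) -> float:
    """Downtime the target allows over the window (e.g. 99.9% over 31 days is 44.64 minutes)."""
    return (100.0 - target_pct) / 100.0 * window_minutes(window_start, window_end)


def evaluate_sla(outages: List[Interval], target_pct: float,
                 window_start: datetime, window_end: datetime) -> Dict[str, float]:
    """Produce the figures an availability report would carry for the period."""
    measured = availability_pct(outages, window_start, window_end)
    return {
        "availability_pct": round(measured, 3),
        "target_pct": target_pct,
        "downtime_minutes": downtime_minutes(outages, window_start, window_end),
        "budget_minutes": round(downtime_budget_minutes(target_pct, window_start, window_end), 2),
        "breached": measured < target_pct,
    }


if __name__ == "__main__":
    report = evaluate_sla(SAMPLE_OUTAGES, TARGET_PCT, WINDOW_START, WINDOW_END)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the sample records the merged downtime inside January is 65 minutes (50 + 10 + 5), giving 99.854% availability against a 99.9% target whose budget is 44.64 minutes, so the period is a breach; the same log against a 99.8% target would pass. Feeding the function a ticketing export rather than the constructed list is the only change needed to use it on real data.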
Service Level Management and IT Service Provider SLAs
POJK 11/2022 requires financial institutions to establish service level agreements with IT service providers that define availability, performance, and security targets. SLAs must include defined remedies for SLA breaches and must be subject to periodic review and measurement.
ISO 20000 Clause 8.2 (service portfolio and service offerings) and Clause 8.3 (relationship management) establish requirements for service definition, SLA design, and relationship monitoring. An ISO 20000-certified MSP or IT service provider manages SLAs through standardized governance practices that satisfy POJK's SLA requirements.
Third-Party IT Risk Management and Due Diligence
A key challenge for Indonesian financial institutions is the obligation to manage the IT risk posed by outsourced IT service providers. POJK 11/2022 requires financial institutions to conduct IT due diligence on service providers prior to engagement, to establish contractual safeguards (SLAs, audit rights, incident reporting, regulatory cooperation), and to conduct ongoing monitoring of service provider IT performance.
This burden is significant. Financial institutions must evaluate IT service management capability, IT security posture, IT operational resilience, and IT governance maturity across multiple providers. Bespoke vendor assessments are time-consuming and expensive. ISO 20000 certification substantially reduces this burden: an independently audited SMS provides credible, third-party evidence that the service provider meets baseline IT service management standards. A financial institution can reference the ISO 20000 certificate as evidence of SMS compliance without conducting extensive proprietary assessments.
OJK Supervisory Examination Practice
OJK IT examinations assess IT service management maturity through documented information review, process walkthroughs, system access testing, and incident case file review. Examination findings commonly identify gaps in incident management (slow incident response, incomplete root cause analysis), change management (unauthorized changes, inadequate testing), configuration management (incomplete CMDB, uncontrolled infrastructure), and availability management (lack of SLA compliance monitoring, poor availability data).
OJK examiners specifically assess whether IT service management practices are documented, whether management has visibility into IT service performance through metrics and reporting, and whether improvement activities are tracked. An ISO 20000-certified SMS provides documentary evidence that addresses these examination concerns directly. The SMS scope statement, procedures, recorded information inventory, and performance metrics provide the artifacts that OJK examiners evaluate.
IT Incident Reporting to OJK
OJK requires financial institutions to report major IT incidents to OJK supervisors within defined notification timelines. Reportable incidents include incidents affecting the confidentiality, integrity, or availability of critical financial data or systems; incidents affecting customer transactions; and incidents affecting the financial institution's ability to deliver regulated services.
The incident definition, incident categorization, and major incident escalation procedures in an ISO 20000 SMS must be designed to capture OJK's reportable incident criteria. The major incident procedure must include decision-making for OJK notification and must be coordinated with the financial institution's regulatory reporting obligations. This is not a gap between ISO 20000 and POJK — rather, it is the integration point where the SMS incorporates regulatory reporting requirements.
IT Outsourcing Requirements
POJK 11/2022 explicitly addresses IT outsourcing, requiring that financial institutions maintain IT service management standards equal to those for internally delivered IT services. An outsourced IT service provider must maintain service management discipline equivalent to what the financial institution would maintain for internal IT operations.
For IT service providers (MSPs, cloud providers, data center operators) serving Indonesian financial institutions, ISO 20000 certification is the most direct response to this requirement. The provider's ISO 20000-certified SMS demonstrates that the provider maintains the same service management practices (incident management, change management, availability management) required for internal operations. Clients can reference the certification as evidence that outsourced services meet POJK's baseline service management requirements.
Building an OJK-Aligned SMS
Designing an SMS that serves both ISO 20000 certification and OJK supervisory examination requires integration from the outset:
First, the SMS scope must be clearly defined to cover all IT services that financial institutions rely on. Scope creep (including services outside the SMS) creates examination risk. Conversely, scope gaps (excluding services that OJK supervisors expect to be managed) undermine the examination value of the SMS.
Second, the documented information set (procedures, templates, records templates) must explicitly address OJK's requirements. This does not mean creating separate "POJK documents" — rather, it means ensuring that the SMS procedures capture regulatory requirements within the SMS structure. For example, the major incident procedure must identify OJK reportable incident criteria and include a decision tree for OJK notification.
Third, metrics and reporting must enable OJK examination visibility. OJK examiners will request incident reports, change logs, availability data, and SLA performance summaries. The SMS must capture and report this data in formats that examiners can readily assess.
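The incident management alignment discussed earlier (severity categorization and major incident designation) and the second step above (a major incident procedure that embeds OJK's reportable incident criteria in a decision tree) both come down to the same piece of logic: given an incident record, decide its severity, decide whether it meets one of the three reportable criteria the text lists, and fix the notification deadline. The following is an added example, not the page's or Bitlion's code, expressing that decision tree. The severity thresholds and the 24-hour notification window are constructed placeholders: POJK 11/2022 sets the actual timelines and the page does not quote them, so the value must be replaced with the regulatory figure.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# ASSUMPTION / placeholder: POJK 11/2022 defines the notification timeline, but the
# source text does not quote it. Replace with the regulatory figure before use.
OJK_NOTIFICATION_WINDOW = timedelta(hours=24)

# Constructed thresholds for the example's own severity scheme (not OJK's or ISO 20000's).
P2_USER_THRESHOLD = 1000
P3_USER_THRESHOLD = 100

CIA = {"confidentiality", "integrity", "availability"}


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime
    description: str
    critical_system: bool                          # a critical financial system or dataset is involved
    impact: Set[str] = field(default_factory=set)  # subset of CIA that was actually affected
    customer_transactions_affected: bool = False
    regulated_service_disrupted: bool = False
    affected_users: int = 0


def ojk_reportability_criteria(inc: Incident) -> List[str]:
    """Decision tree over the three reportable-incident criteria the text describes.

    Returns the list of criteria the incident meets; an empty list means not reportable.
    """
    matched: List[str] = []
    if inc.critical_system and inc.impact & CIA:
        matched.append("confidentiality, integrity or availability of critical financial data or systems")
    if inc.customer_transactions_affected:
        matched.append("customer transactions affected")
    if inc.regulated_service_disrupted:
        matched.append("ability to deliver regulated services affected")
    return matched


def categorize(inc: Incident) -> str:
    """Severity scheme in which every OJK-reportable incident is by definition a major (P1) incident."""
    if ojk_reportability_criteria(inc):
        return "P1-major"
    if inc.critical_system or inc.affected_users >= P2_USER_THRESHOLD:
        return "P2-high"
    if inc.affected_users >= P3_USER_THRESHOLD:
        return "P3-medium"
    return "P4-low"


def major_incident_decision(inc: Incident) -> Dict[str, object]:
    """The record the major incident procedure would attach to the ticket."""
    criteria = ojk_reportability_criteria(inc)
    return {
        "incident_id": inc.incident_id,
        "severity": categorize(inc),
        "ojk_reportable": bool(criteria),
        "criteria": criteria,
        # Deadline is measured from detection, so slow detection eats into the reporting window.
        "notify_ojk_by": inc.detected_at + OJK_NOTIFICATION_WINDOW if criteria else None,
    }


# Constructed sample incidents.
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2024, 3, 4, 9, 15), "Core banking outage; transfers failing",
             critical_system=True, impact={"availability"}, customer_transactions_affected=True,
             affected_users=25000),
    Incident("INC-002", datetime(2024, 3, 5, 14, 0), "Intranet wiki unavailable",
             critical_system=False, impact={"availability"}, affected_users=50),
    Incident("INC-003", datetime(2024, 3, 6, 8, 30), "Latency spike on core system, no data or service impact",
             critical_system=True),
]


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(major_incident_decision(inc))
```

INC-001 meets two criteria and becomes a P1 major incident with a notification deadline; INC-002 is an availability loss on a non-critical system and stays a low-severity operational incident; INC-003 touches a critical system without any confidentiality, integrity or availability impact, so it is handled as P2 but is not reportable. Keeping the criteria in one function makes the decision auditable: the returned `criteria` list is the evidence an examiner would want alongside the notification record.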
| KEY CONCEPT | OJK does not mandate ISO 20000 certification — but ISO 20000 certification provides an independently audited evidence base that directly satisfies POJK 11/2022's IT service management requirements. It is the most efficient compliance demonstration available. |
| IMPORTANT | POJK 11/2022's major IT incident reporting requirements impose specific notification timelines on financial institutions. IT service providers must integrate these into their major incident management procedures — the SMS must support client regulatory obligations, not just its own SLA commitments. |
| BITLION INSIGHT | Bitlion GRC provides POJK 11/2022 compliance mapping against ISO 20000 requirements, enabling integrated compliance management for Indonesian financial sector IT providers. |
POJK 11/2022 IT Service Management Requirements vs ISO 20000
| IT Service Management Requirement | POJK Article Reference | ISO 20000 Clause | Implementation Guidance |
|---|---|---|---|
| Incident detection, categorization, timeliness | Article 8.6.1 | 8.6.1 Incident management | Establish incident detection mechanisms, categorization scheme aligned to severity, SLA response targets |
| Root cause analysis, corrective action | Article 8.6.2 | 8.6.3 Problem management | Documented problem register, RCA templates, corrective action tracking, closure verification |
| Change authorization, testing, documentation | Article 8.6.3 | 8.6.5 Change management | Change advisory board, impact assessment, testing phase, rollback procedure, post-implementation review |
| Configuration inventory and tracking | Article 8.6.4 | 8.6.4 Configuration management | CMDB or CI tracking system, CI relationships, baseline snapshots, change audit trail |
| Availability targets and monitoring | Article 8.7.1 | 8.7.1 Availability management | SLA availability % targets, monitoring tools, availability metrics, trending analysis |
| Service continuity and DR testing | Article 8.7.2 | 8.7.2 Service continuity management | RTO/RPO definition, continuity plan, DR testing schedule, test result documentation |
| Service level agreements with providers | Article 8.2 | 8.2 Service portfolio and 8.3 Relationship management | Client-specific SLA documents, SLA review meetings, performance measurement, breach remedies |