The Post-PDNS Procurement Landscape
In June 2024, the Polda Metro Jaya and the National Disaster Management Agency (BNPB) were targeted by a sophisticated ransomware attack that disrupted multiple government services and exposed a critical weakness: government ICT operators were not adequately prepared for business continuity during a major cyber incident. The PDNS incident occurred at an institution that manages critical crime and disaster response data, demonstrating that government cybersecurity incidents can have cascading impacts on national emergency response.
In the aftermath of PDNS and related government ICT incidents, the government's procurement approach to ICT service providers changed fundamentally. BSSN issued guidance that critical government ICT projects must demonstrate BCM capability. K/L (ministries and agencies) and BUMN (state-owned enterprises) began incorporating BCM requirements into their tender documents. Procurement evaluation teams that previously gave BCM only passing attention now evaluate it as a major qualification criterion.
BCM Requirements in Government ICT Tenders
Government procurement requirements for BCM vary by project criticality and sector. The following table illustrates how BCM requirements differ across tender types and the weight they carry in evaluation:
| Tender Type / Project Category | BCM Requirement | Typical Evidence Requested | Evaluation Weight |
|---|---|---|---|
| National strategic ICT projects (SPBE) | BCM policy, tested BCPs, ICT continuity verification, RTO/RPO achievement | ISO 22301 certificate or equivalent documentation + exercise records | High (15-25% of technical evaluation) |
| Critical government systems (finance, defense, health) | ISO 22301 certification preferred or equivalent demonstrated capability | Certificate + exercise records + KPI dashboard | High (15-25%) |
| BUMN ICT service providers and suppliers | BCM program documentation, exercise records, vendor assessment capability | BCM policy, BIA summary, exercise records, corrective action log | Medium-High (10-15%) |
| K/L administrative systems | BCM clause in contract, annual testing expectation | BCM policy statement; annual exercise certification | Medium (5-10%) |
| Non-critical government services or periodic contracts | Service availability SLA | SLA documentation only | Low (1-5%) |
How ISO 22301 Certification Differentiates in Procurement
ISO 22301 certification in government procurement signals several things to the evaluating organization: (1) third-party verified BCM capability, (2) independent audit evidence of BCMS implementation and effectiveness, (3) demonstrated commitment to business continuity as a governance priority, and (4) alignment with an internationally recognized standard that many regulators reference.
The critical difference is between self-declared BCM capability and independently certified capability. An organization that submits a BCP document without a certificate is claiming that it has thought about continuity; an organization with ISO 22301 certification is providing proof that an accredited certification body has verified the completeness and effectiveness of the BCMS. Government procurement evaluators are increasingly sophisticated about this distinction. They recognize that a well-written BCP is necessary but not sufficient—it must be backed by evidence of testing and management commitment.
Post-PDNS Heightened BCM Expectations
The PDNS incident and its aftermath created new procurement checklist items. BSSN guidance now expects government ICT providers to have: documented ransomware response procedures (separate from standard BCP activation), data recovery capability with verified RTO/RPO for critical data, backup data stored in geographically separate locations, and evidence that ransomware recovery procedures have been tested. Additionally, zero-trust architecture for critical systems and segmentation to prevent ransomware lateral movement are increasingly expected.
Organizations responding to post-PDNS government tenders should recognize that BCM is no longer a differentiator—it is a minimum qualification. The question in procurement evaluation is not whether you have BCM capability, but whether you have ransomware-resilient BCM with proven recovery capability and evidence of recent testing.
Presenting BCMS Capability in RFP Responses
The way organizations present BCM capability in RFP responses has become increasingly important. The following table shows the difference between weak and strong responses to common BCM procurement questions:
| RFP BCM Question | Weak Response | Strong Response with ISO 22301 |
|---|---|---|
| Describe your business continuity management program | Description of BCP document and testing cadence | ISO 22301 certification from accredited body; annual management review; exercise program with documented corrective actions; KPIs tracked quarterly |
| What is your RTO (Recovery Time Objective) for this service? | Four hours (undocumented) | Four hours, tested and achieved in [specific date] DR exercise; see attached exercise record with timestamp and recovery time evidence |
| How do you manage supply chain continuity? | General statement about relationships with suppliers | Supplier BCM assessment process; critical supplier list with contractual BCM requirements; secondary supplier agreements for critical services |
| How do you respond to ransomware and cyber threats? | IT response description | BCP activation criteria for cyber incidents; data backup verification procedures; immutable backup storage; segment recovery procedures; encryption key management; incident notification procedure tested in exercises |
| Do you have experience with government sector continuity requirements? | Reference to government clients | Government sector experience + specific government security framework alignment (BSSN, OJK, BI); evidence of compliance audits; case study of incident response |
BUMN Procurement and ISO 22301
BUMN (state-owned enterprises) procurement practices for ICT service providers increasingly include BCM capability assessment. BUMN internal BCM requirements flow to their supply chains—a BUMN that is subject to OJK, BI, or BSSN oversight may require its service providers to meet corresponding BCM requirements. Large BUMN sectors with high BCM requirements include banking BUMNs (BRI, BNI, Mandiri), telecoms (Telkom), and energy (Pertamina, PLN).
BUMN procurement evaluation processes for ICT tenders typically mirror K/L processes but may include additional requirements specific to the BUMN's sector regulator. A service provider to Bank Mandiri should recognize that Mandiri is OJK-regulated and may require supplier BCM capability that satisfies OJK expectations. Similarly, a service provider to Telkom should recognize that telecommunications sector availability requirements apply to its services. ISO 22301 certification provides a framework that credibly addresses these sector-specific expectations.
Building a Government-Ready BCM Program
Organizations seeking to win government contracts should treat BCM certification as an ongoing investment, not a one-time achievement. Maintaining certification requires: annual management review with documented improvements, annual exercise program with evidence of corrective actions, current BCPs that reflect the organization's actual operating environment, and KPI tracking that demonstrates BCM effectiveness. Organizations that allow their ISO 22301 certification to lapse or that maintain certification documents that are not current find themselves at a disadvantage when responding to government tenders.
Preparing a government-ready documentation pack for tender submission requires: ISO 22301 certificate (copy), BCMS policy statement aligned with government sector expectations, executive summary of BIA and critical activities, recent exercise records (within 12 months) with corrective action evidence, KPI dashboard for the last 12 months, corrective action register showing closure evidence, and case study of incident response (if applicable). Using a GRC platform like Bitlion to maintain and present this evidence library is increasingly valuable—evidence can be exported directly for RFP submissions without manual compilation.
KEY IDEA: ISO 22301 certification in government procurement is increasingly the difference between qualifying to compete and being disqualified at the shortlisting stage. In post-PDNS Indonesia, BCM capability has moved from a nice-to-have evaluation criterion to a minimum qualification requirement for critical government ICT projects.

IMPORTANT: Procurement evaluators are increasingly sophisticated about BCM. Submitting a BCP document without exercise evidence is a weakness, not a strength. The key evidence for government procurement is not the plan; it is the proof that the plan has been tested and works.

BITLION INSIGHT: Bitlion GRC's BCMS platform maintains the evidence library that government procurement requires (exercise records, BIA documentation, BCP currency, corrective action closure, and management review records) in a format that can be exported directly for RFP submissions. This turns ISO 22301 certification into a continuous commercial advantage, not just a one-time compliance milestone.