Alignment with POJK and OJK Requirements

OJK (Otoritas Jasa Keuangan) is the primary financial services regulator for Indonesian banks, insurers, capital markets, and non-bank financial institutions. Its IT governance regulations — led by POJK 11/2022 for commercial banks — establish specific requirements for IT governance structures, IT risk management frameworks, information security controls, business continuity, IT audit, and third-party IT services. These requirements are not abstract standards: they are examined directly by OJK supervisors, and non-compliance creates regulatory consequences including administrative sanctions, business restrictions, and reputational damage.

ISO 27001:2022 is one of the most directly relevant international standards for satisfying OJK's IT governance and information security requirements. The alignment is substantial: ISO 27001's management system approach, risk-based control selection, documented evidence requirements, and independent audit structure map closely to what POJK demands. But as with UU PDP, ISO 27001 alone does not fully satisfy POJK. There are six specific areas where POJK requires structures, timelines, or mechanisms that ISO 27001 does not mandate — and understanding these gaps prevents the dangerous assumption that certification equals compliance.

This article covers the OJK regulatory landscape that Indonesian financial organizations navigate, maps ISO 27001 controls to POJK 11/2022's major sections, identifies the six gaps requiring supplementary action, shows how ISO 27001 evidence supports the OJK examination process at each stage, and provides the integration framework for building a dual-compliance program that satisfies both supervisory authorities simultaneously.

The OJK IT Regulatory Landscape

OJK regulates information security across the financial services sector through a layered framework of POJK regulations. The primary regulation is POJK 11/2022 for commercial banks — but a family of complementary regulations covers fintech, multifinance, insurance, capital markets, and digital banking services. Understanding which regulations apply to the organization is the first step in building the ISO 27001 ↔ POJK alignment:

| POJK regulation | Subject (Bahasa) | Scope | Key IS requirements | ISO 27001 alignment |
| --- | --- | --- | --- | --- |
| POJK 11/POJK.03/2022 | Penyelenggaraan Teknologi Informasi oleh Bank Umum | All commercial banks, including foreign bank branches operating in Indonesia | IT governance framework, IT risk management, IT security management, IT audit, outsourced IT services, cloud computing, IT project management. Supersedes POJK 38/2016 and is the primary OJK IT governance standard for banks. | The ISO 27001 management system directly satisfies the IT governance and security management requirements. Particularly strong alignment with Sections 5 (leadership), 6 (planning), 8 (operations), and 9 (performance evaluation). |
| POJK 13/POJK.02/2018 | Inovasi Keuangan Digital | Fintech companies operating in OJK's regulatory sandbox framework (formerly TekFin) | Technology risk, cybersecurity, data protection, third-party risk, incident response. Sandbox participants must demonstrate IT risk management maturity commensurate with service scale. | ISO 27001 provides the risk management and control framework that satisfies POJK 13 IT risk requirements for sandbox participants seeking regulatory recognition. |
| POJK 5/POJK.05/2023 | Penyelenggaraan Usaha Perusahaan Pembiayaan | Multifinance companies (leasing, consumer financing, factoring) | IT governance, IT risk management, information security, cybersecurity, data protection, operational risk. OJK has expanded IT governance requirements across non-bank financial institutions since 2022. | ISO 27001 satisfies the IT security management and risk framework requirements for multifinance companies, particularly for organizations with digital lending platforms. |
| POJK 21/POJK.04/2023 | Pedoman Pengelolaan Risiko Teknologi Informasi | OJK-supervised entities (banking, capital markets, insurance, finance companies) | Comprehensive IT risk management framework: risk identification, risk measurement, risk monitoring, risk control, IT risk appetite, risk reporting to board. Asset classification, vulnerability management, security testing. | ISO 27001 Clause 6.1 (risk assessment and treatment) and the supporting risk management documentation directly satisfy the POJK 21 IT risk management framework requirements. |
| POJK 23/POJK.03/2023 | Layanan Digital Bank Umum | Commercial banks providing digital banking services | Cybersecurity for digital channels, authentication, transaction security, API security, third-party integration security, incident response for digital banking. Direct consumer-facing security requirements. | ISO 27001 technical controls (Domain 8 — particularly 8.5 authentication, 8.20–8.22 network security, 8.26 application security) align with POJK 23 digital banking security requirements. |
| POJK 6/POJK.03/2022 | Perlindungan Konsumen dan Masyarakat di Sektor Jasa Keuangan | All OJK-supervised financial institutions | Data protection for financial consumers, incident notification to consumers and OJK, security of consumer data, digital literacy and security awareness for consumers. Intersects significantly with UU PDP. | ISO 27001 5.34 (PII), 5.26 (incident response with regulatory notification), 6.3 (awareness), and 5.14 (information transfer) support POJK 6 consumer data protection requirements. |

Which POJK Applies to Your Organization

The applicable POJK(s) depend on the organization's OJK license type. Commercial banks: POJK 11/2022 is primary. Multifinance companies: POJK 5/2023 and POJK 21/2023. Fintech operators in OJK sandbox: POJK 13/2018. Digital banking services: POJK 23/2023 in addition to POJK 11. Insurance companies: separate POJK IT governance regulations. Securities companies: BAPEPAM-LK and OJK capital markets IT regulations. All OJK-supervised entities: POJK 6/2022 (consumer protection) and POJK 21/2023 (IT risk management guidelines). Most financial organizations operating in Indonesia in 2026 are subject to at least two to three POJK regulations simultaneously — alignment must cover all applicable regulations.

POJK 11/2022 Deep Mapping: ISO 27001 Control Alignment

POJK 11/2022 is the most comprehensive OJK IT regulation and sets the standard for how OJK thinks about IT governance across the financial sector. The table below maps POJK 11's major sections to their ISO 27001 counterparts, identifies the gaps, and specifies the evidence required at OJK examination:

| POJK 11/2022 Section | POJK requirement | ISO 27001 alignment | Gap / additional action | Evidence required |
| --- | --- | --- | --- | --- |
| Pasal 5–14: Tata Kelola TI (IT Governance) | Board responsibility for IT strategy, IT committee structure, IT director/chief role, IT policies approved at board level, IT risk appetite defined by board, IT organization structure documentation, roles and responsibilities for IT function. | Clause 5.1 (Leadership), 5.2 (IS Policy — board approved), 5.3 (Organizational roles), 9.3 (Management review — board-level input for IT risk). The IS policy and ISMS governance structure, when approved at CEO/board level, directly satisfy the IT governance structure requirements. | ISO 27001 requires top management commitment but does not mandate a specific IT governance committee structure. POJK 11 requires: (a) a formal IT committee with defined membership and TOR, (b) an IT director role at C-suite level, (c) a board-level IT risk reporting cadence. These structural requirements must be built explicitly in addition to ISO 27001 governance. | IT governance policy. IT committee TOR and meeting minutes. IT director position description. Board IT risk reporting records. |
| Pasal 15–25: Manajemen Risiko TI (IT Risk Management) | IT risk management framework integrated with enterprise risk. IT risk identification covering: operational risk, legal/regulatory risk, strategic risk, reputational risk. IT risk appetite defined. IT risk assessment methodology documented. IT risk reporting to management and board on defined schedule. | Clause 6.1 (IS risk assessment and treatment), 6.2 (IS objectives), 8.2 (IS risk assessment), 8.3 (IS risk treatment). ISO 27001's risk-based approach directly satisfies the IT risk management framework requirement when the risk register is structured to align with POJK risk categories. | POJK 11 requires IT risk reporting at defined intervals to the board (minimum quarterly) — ISO 27001 requires management review at planned intervals but does not specify board-level reporting frequency. The IT risk dashboard presented at management review should be expanded for board-level consumption. | IT risk management framework document. Risk register with POJK risk category tagging. IT risk appetite statement approved by board. IT risk dashboard with board presentation records. |
| Pasal 26–42: Pengamanan Informasi (Information Security) | Information security policy, information asset classification, access management, authentication controls (MFA specified for privileged access), vulnerability management, security monitoring, incident management with OJK notification, security awareness training, secure development, cryptography, network security, physical security. | Almost the entire Annex A control set addresses these requirements. ISO 27001 Domains 5–8 collectively satisfy POJK 11 information security requirements. Key controls: 5.12 (classification), 5.15–5.18 (access), 8.5 (MFA — explicitly required by POJK 11 for privileged access), 8.8 (vulnerability management), 8.15–8.16 (monitoring), 5.24–5.28 (incident management), 6.3 (awareness), 8.25–8.28 (secure development), 8.24 (cryptography), 8.20–8.22 (network), 7.1–7.14 (physical). | POJK 11 specifies MFA for privileged access explicitly and sets more prescriptive requirements for penetration testing frequency (annual minimum for critical systems) and vulnerability scanning schedule than ISO 27001 alone. POJK 11 also requires incident notification to OJK within timelines that must be integrated into the ISO 27001 incident management procedure. | Information security policy (board-approved). SoA with POJK 11 pasal references in justification column. MFA enrollment report (100% privileged accounts). Annual penetration test report. Quarterly vulnerability scan reports. Incident notification records to OJK. |
| Pasal 43–55: Ketersediaan TI dan BCM (IT Availability and BCM) | IT system availability targets (RTO/RPO) defined and approved. Business continuity plan covering IT systems. Disaster recovery plan tested at minimum annually. Backup procedures with off-site storage. Redundancy for critical systems. BCM test documentation. | ISO 27001 Annex A 5.29–5.30 (business continuity), 8.13 (backup), 8.14 (redundancy). ISO 27001 5.30 (ICT readiness for business continuity) directly addresses POJK 11 IT continuity requirements. | POJK 11 specifies minimum RTO targets for core banking systems (4-hour RTO for Tier-1 systems) that may be more prescriptive than the RTO targets an organization would derive solely from ISO 27001 risk assessment. DR test must be documented and evidenced — the frequency and depth of DR testing under POJK may exceed ISO 27001 best practice recommendations. | BCM/DR policy with approved RTO/RPO. BCM plan. DR test records (annual minimum). Backup procedures and off-site storage configuration. Redundancy architecture documentation. |
| Pasal 56–68: Audit TI (IT Audit) | Independent IT audit at minimum annually, conducted by internal audit function or external auditor. IT audit scope covers IT governance, IT risk management, information security, IT availability. IT audit findings reported to board. Findings tracked and remediated. | ISO 27001 Clause 9.2 (internal audit) directly satisfies the IT audit requirement. ISO 27001 also supports 5.35 (independent review of information security). The ISO 27001 internal audit program, when scoped to cover IT governance and security, can serve as the primary evidence of POJK 11 IT audit compliance. | POJK 11 requires IT audit scope coverage that may extend beyond the ISMS scope if the ISMS scope is narrower than the total IT environment. The POJK IT audit must cover all bank IT systems — if the ISO 27001 ISMS covers only certain systems, additional audit coverage is needed for out-of-scope systems. | IT audit program (aligned to POJK 11 requirements). Most recent internal audit report. Audit finding tracker with remediation records. Board/audit committee presentation of IT audit results. |
| Pasal 69–85: TI Pihak Ketiga (Third-Party IT Services) | Due diligence before engaging IT outsourcing providers. Security requirements in IT outsourcing contracts. Monitoring of outsourced IT services. OJK notification for significant IT outsourcing arrangements. Foreign IT service providers must meet Indonesian data residency requirements. Exit strategy for critical outsourced services. | ISO 27001 Annex A 5.19–5.23 (supplier security), 5.31 (legal requirements). ISO 27001 supplier security controls directly address POJK 11 third-party IT requirements when scoped to include IT outsourcing providers. | POJK 11 requires OJK notification for 'significant' IT outsourcing arrangements before engagement — a proactive regulatory notification obligation that ISO 27001 does not require. Organizations must identify which outsourcing arrangements meet the 'significant' threshold and establish a process for OJK notification. | IT outsourcing policy. Vendor due diligence records for IT providers. Security addenda in IT outsourcing contracts. Third-party monitoring records. OJK notification records for significant arrangements. |

The strongest alignment is in information security controls: POJK 11 Pasal 26–42 maps directly to ISO 27001 Annex A Domains 5–8. An organization with a well-implemented ISO 27001 ISMS that has deployed MFA for privileged access, runs quarterly vulnerability scans with documented remediation, maintains a security monitoring capability, and has an operational incident response procedure with OJK notification will satisfy POJK 11's information security section almost entirely through ISMS evidence. This is the core value proposition of ISO 27001 for OJK-regulated institutions.

Six Gaps: Where ISO 27001 Alone Is Insufficient

Six areas require supplementary governance structures, processes, or notification obligations beyond what ISO 27001 mandates. These gaps are the most common sources of OJK examination findings for organizations that have ISO 27001 certification but have not taken the additional POJK-specific steps:

| Gap area | POJK reference | What ISO 27001 partially covers | What ISO 27001 does not require | Supplementary action |
| --- | --- | --- | --- | --- |
| IT Governance Committee | POJK 11 Pasal 7–11 | ISO 27001 Clause 5.1 requires top management commitment and leadership — but not a specific IT committee structure. | ISO 27001 does not mandate an IT committee, IT committee TOR, board-level IT reporting cadence, or C-suite IT director role. | Establish an IT committee with defined Terms of Reference. Appoint an IT Director at C-suite level. Define board IT risk reporting schedule (minimum quarterly). Document committee meetings and attendance. |
| OJK Pre-notification for Outsourcing | POJK 11 Pasal 72 | ISO 27001 5.19–5.22 require supplier security assessment and monitoring. | ISO 27001 does not require pre-engagement regulatory notification for outsourcing arrangements. OJK requires notification before engaging 'significant' IT outsourcing providers. | Define criteria for 'significant' IT outsourcing under POJK 11. Establish OJK notification process. Track all significant outsourcing engagements with notification evidence. |
| Penetration Testing Frequency | POJK 11 Pasal 33 | ISO 27001 8.29 requires security testing — but does not specify frequency. | POJK 11 specifies annual penetration testing minimum for critical systems, and mandates testing following significant system changes. ISO 27001 leaves frequency to the organization's risk assessment. | Define penetration testing schedule per POJK 11 guidance: annual for critical systems, triggered by significant changes. Retain pentest reports as ISMS evidence. Track finding remediation. |
| Core Banking RTO Targets | POJK 11 Pasal 50 | ISO 27001 5.30 (ICT readiness for BCM) and 8.14 (redundancy) address availability — but let organizations set their own RTO based on risk assessment. | POJK 11 specifies prescriptive RTO thresholds for banking system tiers (Tier 1 core systems: maximum 4-hour RTO in normal condition; 2-hour in catastrophic scenario). ISO 27001 risk-derived RTOs must be calibrated to meet POJK minimums. | Review IT system tier classification. Verify RTO targets for Tier-1 systems meet POJK 11 maximum thresholds. Update BCM/DR plan to reflect POJK-compliant RTOs. DR test must demonstrate RTO achievement. |
| OJK Incident Notification Timeline | POJK 11 Pasal 39 | ISO 27001 5.26 requires incident response including notification to relevant stakeholders. | POJK 11 specifies OJK notification within 3×24 hours for significant IT incidents (including cyber incidents affecting service availability or customer data). ISO 27001 does not set specific regulatory notification timelines. | Update incident response procedure to include OJK notification step with 3×24-hour maximum. Define what constitutes a 'significant' IT incident under POJK 11. Assign OJK notification responsibility. Test the notification process in tabletop exercises. |
| IT Audit Independence | POJK 11 Pasal 57–60 | ISO 27001 Clause 9.2 requires internal audit with independent auditors (not auditing their own work). | POJK 11 requires IT audit conducted by the internal audit function (not IT staff) or an external auditor. The IT audit must be reported directly to the audit committee/board — not just management. More specific independence and reporting chain requirements than ISO 27001. | Verify IT audit independence: IT staff should not audit their own systems. IT audit findings must be reported at board/audit committee level. ISO 27001 internal audit report format may need enhancement for board-level presentation. |

The IT governance committee gap is the most commonly missed: OJK examiners consistently find that organizations have an IS Policy and a risk register (ISO 27001 artifacts) but do not have a formal IT committee with documented Terms of Reference, regular meetings with recorded attendance, and board-level IT risk reporting on a defined schedule. This is a structural governance gap — not a documentation gap — that requires building a governance institution rather than adding documents. The IT committee must exist and function before the OJK examination, not be constituted for it.

Using ISO 27001 Evidence in the OJK Examination

The OJK examination process follows a structured methodology that creates specific opportunities to present ISO 27001 evidence as part of the institutional response. Understanding how the examination works enables organizations to prepare ISO 27001 documentation in the format and sequence that examiners expect:

| Examination phase | What happens | How ISO 27001 supports | Specific action required |
| --- | --- | --- | --- |
| Pre-examination notification | OJK issues a formal examination notification typically 30–60 days in advance. The notification specifies the examination scope, the examination team, the required documents, and the examination schedule. | The ISMS evidence library, if organized by clause and control, provides the document response to the pre-examination document request. Organizations with a GRC platform can generate examination-ready reports directly. | Upon receipt of OJK examination notification: confirm document availability against the request list. Identify any gaps and address before the examination date. Brief the ISMS Manager and relevant department heads on the examination scope. |
| Off-site review (Pemeriksaan Tidak Langsung) | OJK examiners review submitted documents before the on-site visit. This stage assesses document completeness and may generate clarification requests. Weak documentation at this stage signals potential examination findings. | ISO 27001 documentation (IS Policy, risk register, SoA, internal audit reports, management review minutes) is directly requested in OJK off-site reviews. Organizations with current, version-controlled ISMS documentation respond to off-site requests efficiently. | Submit all requested ISMS documentation in the format requested. Include the SoA with POJK 11 regulatory mapping column. Include the latest risk register showing IT risk categories aligned to POJK 11 risk classification. |
| On-site examination (Pemeriksaan Langsung) | OJK examiners visit the organization's premises for 5–15 days (typically). On-site examination includes interviews with IT Director, IT risk officers, security staff, and internal auditors. Technical system demonstrations may be requested. | ISO 27001 certification demonstrates systematic security management. ISMS-trained staff can answer examiner questions about risk assessment, control selection, and monitoring processes clearly. The ISO 27001 audit report demonstrates independent verification. | Brief all interview subjects using the ISO 27001 interview preparation approach from Article 4.3. Prepare technical demonstrations: MFA deployment report, vulnerability scan results, access review records. Have the ISMS Manager accompany examiners as the primary interface. |
| Examination findings (Temuan Pemeriksaan) | OJK issues a formal findings letter covering: satisfactory observations, areas for improvement, and required corrective actions. Findings are classified by severity. Required corrective actions have defined response timelines. | The ISO 27001 corrective action process (Clause 10.2, Article 4.4) provides the methodology for responding to OJK examination findings. CAR register discipline means findings are tracked to resolution with evidence. | Apply the 7-step corrective action process from Article 4.4 to each OJK examination finding. Submit corrective action plan to OJK within the response window. Update the ISMS CAR register with OJK findings as additional sources of improvement input. |
| Follow-up examination (Pemeriksaan Tindak Lanjut) | OJK conducts a follow-up review (typically within 6 months) to verify that required corrective actions have been implemented. Unresolved findings from the primary examination attract escalated regulatory action. | ISO 27001 corrective action closure discipline ensures that findings are addressed at root cause level rather than symptom level — the most credible response to follow-up examination. Evidence of closure is organized per the standard's documented information requirements. | Prepare corrective action closure evidence for each OJK finding before the follow-up examination date. Organize evidence in the same format as the initial examination response. ISMS Manager prepares a findings closure report mapping each finding to the corrective action taken and the evidence of effectiveness. |

The ISO 27001 certificate itself is a meaningful opening statement in an OJK examination. It demonstrates that an accredited, independent third party has verified that the organization's information security management system meets an internationally recognized standard. OJK examiners who encounter a well-maintained ISO 27001 ISMS — with current documentation, evidence of regular internal audits, management review records, and a functioning corrective action process — will typically conduct a more efficient examination because the governance infrastructure they are looking for is demonstrably in place.

Building the Dual Compliance Program: ISO 27001 and POJK

Organizations that run ISO 27001 certification and POJK compliance as separate programs create unnecessary overhead — duplicating documentation, duplicating audits, and maintaining two parallel evidence libraries. The integrated approach — using ISO 27001 as the governance backbone and adding POJK-specific elements as extensions — is more efficient and more credible to both OJK and certification bodies:

| Benefit area | ISO 27001 artifact | POJK equivalent | Integration approach |
| --- | --- | --- | --- |
| Shared documentation base | IS Policy, risk register, SoA, internal audit reports, management review minutes, corrective action register | IT policy, IT risk assessment records, IT audit reports, risk management reports to board, IT incident records | ISO 27001 documentation, when enhanced with POJK-specific content (IT committee TOR, board reporting format, OJK notification records), serves as the primary evidence base for both programs. |
| Risk management convergence | CIA-based risk assessment with risk register, risk treatment plan, and residual risk acceptance | IT risk framework covering operational, legal, strategic, and reputational risk categories — with board-level risk appetite | Expand the ISO 27001 risk register to tag risks with POJK risk categories. Add board-level risk reporting as an output of the management review. Risk appetite statement in the IS Policy serves dual purpose. |
| Audit program alignment | Internal audit covering ISO 27001 clauses 4–10 and applicable Annex A controls | Annual IT audit covering IT governance, IT risk management, information security, availability, and outsourcing | Design the ISO 27001 internal audit program to cover POJK 11 scope areas simultaneously. Audit scope statement explicitly includes IT governance and IT availability alongside ISMS clause coverage. Single audit report serves both programs. |
| Incident management integration | Incident response procedure with classification, escalation, and post-incident review. Internal stakeholder notification. | IT incident management with OJK notification within 3×24 hours. Board notification for significant incidents. | Add OJK notification step (3×24 hours) to the ISO 27001 incident response procedure. Add board notification trigger for POJK 'significant' incidents. Single incident register serves both programs. |
| Certification as examination evidence | ISO 27001 certification from an accredited CB provides independent third-party assurance of ISMS conformance | OJK examinations assess IT governance and security management maturity. Independent assurance from accredited body reduces examination depth. | Present ISO 27001 certificate at the start of OJK examination. Provide auditor's Stage 2 audit report as evidence of independent security assessment. CB surveillance audit reports evidence ongoing compliance. |

Bitlion OJK alignment module: Bitlion's GRC platform includes OJK regulatory mapping as a built-in feature — POJK 11/2022 and POJK 21/2023 requirements are mapped to Annex A controls and ISMS clause requirements within the platform. OJK examination evidence packages can be generated directly from the platform, organized by POJK section rather than by ISO 27001 clause — enabling rapid response to OJK document requests. The OJK incident notification workflow tracks the 3×24-hour notification countdown with automated escalation reminders.

POJK-Specific ISMS Enhancements

Enhancing the IS Policy for POJK compliance

The ISO 27001 IS Policy is the governance foundation for both the ISMS and the POJK IT governance framework. To serve both purposes, the policy should include: explicit reference to POJK 11/2022 (and other applicable POJK regulations) as a compliance driver in the regulatory context section, a specific IT risk appetite statement expressed in quantitative terms that can be presented to the board, and reference to the IT governance committee structure and its relationship to the board and management.

IT risk appetite for board presentation

POJK 11 requires a board-level IT risk appetite statement. ISO 27001 requires a risk appetite in the IS Policy — but organizations typically express this qualitatively ('we will not accept HIGH risks without treatment'). For POJK compliance, the risk appetite should be expressible in terms the board can engage with: acceptable downtime tolerance for core systems (e.g. less than 4 hours RTO), maximum tolerable data loss (RPO), acceptable frequency of security incidents per quarter, and maximum acceptable time-to-detect a significant incident.

Board IT risk reporting

One of the most consequential enhancements is building a board-level IT risk dashboard from the ISMS data. The management review (Clause 9.3) provides the data — but the format and audience must be adapted for board consumption. A board IT risk dashboard should present: current risk posture against appetite (current top 5 risks vs. appetite thresholds), control effectiveness trends (phishing click rate, vulnerability remediation SLA adherence, MFA deployment), incident summary (number, severity, time-to-resolve trend), and POJK compliance status (OJK notification obligations met, examination finding status). This dashboard, presented quarterly to the board, satisfies POJK 11's board IT reporting requirement using data the ISMS already generates.
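
As an added example (not code from the article, nor from the Bitlion platform it mentions), the following Python incident register applies the two POJK 11 mechanics discussed here and in the incident management integration row above: it classifies an incident as 'significant' (affects service availability or customer data), runs the 3×24-hour OJK notification clock with an escalation reminder, and derives the board dashboard's incident summary and POJK compliance status lines from the register. The field names, the assumed 24-hour escalation threshold and the sample incidents are constructed for this example.

```python
"""Added example (not the article's or Bitlion's code): an incident register that
applies the POJK 11 obligations described in the text. Field names, the assumed
24-hour escalation threshold and the sample incidents are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import List, Optional

WIB = timezone(timedelta(hours=7))              # Asia/Jakarta (UTC+7)
OJK_NOTIFICATION_WINDOW = timedelta(hours=72)   # 3x24 hours (POJK 11 Pasal 39)
ESCALATION_THRESHOLD_H = 24.0                   # assumed reminder threshold, not from POJK


@dataclass
class Incident:
    ref: str
    severity: str                       # low | medium | high | critical
    detected_at: datetime
    resolved_at: Optional[datetime]
    affects_availability: bool
    affects_customer_data: bool
    ojk_notified_at: Optional[datetime] = None


def is_significant(inc: Incident) -> bool:
    """'Significant' per the article's reading of POJK 11: availability or customer data affected."""
    return inc.affects_availability or inc.affects_customer_data


def ojk_deadline(inc: Incident) -> Optional[datetime]:
    """Latest permissible OJK notification time, or None when no notification is required."""
    return inc.detected_at + OJK_NOTIFICATION_WINDOW if is_significant(inc) else None


def notification_state(inc: Incident, now: datetime) -> str:
    """One of: n/a, notified (on time), late, pending, overdue."""
    deadline = ojk_deadline(inc)
    if deadline is None:
        return "n/a"
    if inc.ojk_notified_at is not None:
        return "notified" if inc.ojk_notified_at <= deadline else "late"
    return "overdue" if now > deadline else "pending"


def hours_remaining(inc: Incident, now: datetime) -> Optional[float]:
    """Hours left on the 3x24 clock (negative once overdue); None if no open obligation."""
    deadline = ojk_deadline(inc)
    if deadline is None or inc.ojk_notified_at is not None:
        return None
    return round((deadline - now) / timedelta(hours=1), 1)


def needs_escalation(inc: Incident, now: datetime) -> bool:
    """Reminder when an open obligation has under the threshold left, or is already overdue."""
    left = hours_remaining(inc, now)
    return left is not None and left < ESCALATION_THRESHOLD_H


def board_dashboard(incidents: List[Incident], now: datetime, window_days: int = 90) -> dict:
    """Quarterly incident summary and POJK compliance status lines for the board pack."""
    window = [i for i in incidents if i.detected_at >= now - timedelta(days=window_days)]
    resolve_hours = [(i.resolved_at - i.detected_at) / timedelta(hours=1)
                     for i in window if i.resolved_at is not None]
    significant = [i for i in window if is_significant(i)]
    states = {i.ref: notification_state(i, now) for i in significant}
    return {
        "incidents_in_window": len(window),
        "incidents_by_severity": dict(Counter(i.severity for i in window)),
        "mean_time_to_resolve_h": round(mean(resolve_hours), 1) if resolve_hours else None,
        "significant_incidents": len(significant),
        "ojk_notified_on_time": sum(1 for s in states.values() if s == "notified"),
        "ojk_obligations_open": [r for r, s in states.items() if s in ("pending", "overdue")],
        "escalations": [i.ref for i in significant if needs_escalation(i, now)],
    }


# Constructed sample register (not real incidents); NOW is the dashboard run time.
NOW = datetime(2026, 3, 10, 9, 0, tzinfo=WIB)
SAMPLE_INCIDENTS = [
    Incident("INC-000", "high", datetime(2025, 11, 15, 9, 0, tzinfo=WIB),
             datetime(2025, 11, 15, 12, 0, tzinfo=WIB), True, False,
             datetime(2025, 11, 16, 8, 0, tzinfo=WIB)),             # outside the 90-day window
    Incident("INC-001", "critical", datetime(2026, 3, 1, 2, 0, tzinfo=WIB),
             datetime(2026, 3, 1, 8, 0, tzinfo=WIB), True, False,
             datetime(2026, 3, 2, 10, 0, tzinfo=WIB)),              # notified within 3x24 h
    Incident("INC-002", "medium", datetime(2026, 3, 5, 14, 0, tzinfo=WIB),
             datetime(2026, 3, 5, 16, 0, tzinfo=WIB), False, False),  # not significant
    Incident("INC-003", "high", datetime(2026, 3, 8, 20, 0, tzinfo=WIB),
             None, False, True),                                      # clock still running
    Incident("INC-004", "high", datetime(2026, 3, 4, 6, 0, tzinfo=WIB),
             datetime(2026, 3, 4, 18, 0, tzinfo=WIB), True, False),   # never notified: overdue
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.ref, notification_state(inc, NOW), hours_remaining(inc, NOW),
              "ESCALATE" if needs_escalation(inc, NOW) else "")
    print(board_dashboard(SAMPLE_INCIDENTS, NOW))
```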

The OJK Regulatory Horizon: 2026 and Beyond

The OJK regulatory framework for IT governance and cybersecurity continues to evolve. Three developments are shaping the regulatory landscape for Indonesian financial institutions in 2026:

  • POJK cybersecurity framework: OJK has signaled the development of a standalone cybersecurity framework for financial institutions — going beyond IT governance to address cyber resilience, threat intelligence sharing, and mandatory cyber incident reporting standards. ISO 27001 organizations are well-positioned for this framework given the overlap with their existing controls.
  • Digital banking supervision intensification: OJK's Digital Financial Innovation supervision has matured from sandbox-focused to active operational supervision. POJK 23/2023 digital banking service requirements are being examined with increasing rigor for banks with significant digital channel volumes. API security, mobile application security, and transaction monitoring are specific examination focus areas.
  • Cross-border regulatory coordination: OJK is increasingly coordinating with ASEAN financial regulators on cybersecurity standards. Organizations that hold ISO 27001 certification recognized across ASEAN markets (through KAN/IAF mutual recognition) are better positioned for cross-border regulatory examinations as ASEAN financial integration deepens.

Organizations that build their ISMS to satisfy POJK 11/2022 today — with the IT committee structure, board reporting, OJK notification processes, and evidence library discipline — will be well-positioned for the evolving OJK regulatory framework. The governance infrastructure built for POJK 11 compliance is reusable for every subsequent regulatory development, making the investment in dual compliance particularly valuable over a multi-year horizon.