Journal of Information Systems and Informatics (Jun 2024)
Integrating ISO 27001 and Indonesia's Personal Data Protection Law for Data Protection Requirement Model
Abstract
This research explores the integration of ISO/IEC 27001:2022 with Indonesia's Personal Data Protection (PDP) Law to establish a robust framework for data protection and information security within organizations operating in Indonesia. The research addresses the challenges of aligning the comprehensive information security management systems (ISMS) standard of ISO/IEC 27001:2022 with the specific legal requirements of the PDP Law, which governs personal data collection, processing, and protection. Employing the Action Design Research (ADR) methodology, the study involves a thorough review of existing literature, consultations with domain experts, and the development of a structured framework for integration. Key findings highlight the complementary nature of ISO/IEC 27001:2022's risk-based approach and the PDP Law's emphasis on data subject rights, consent management, and breach notification. The integration framework provides organizations with a unified approach to meet both international standards and local regulatory requirements, enhancing overall data protection. The research concludes with insights and recommendations for organizations seeking to navigate the complex landscape of data protection compliance, emphasizing the importance of harmonizing security measures with legal mandates to build a comprehensive and effective data protection strategy.
Keywords