Evaluating ISO Standards for Indonesian PDP Law Compliance: A Regulatory Mapping and Literature Review

DOI:

https://doi.org/10.15294/sji.v12i1.21538

Keywords:

Indonesian Personal Data Protection Law, Information Security Framework, ISO/IEC 27001, ISO/IEC 27002, Regulatory Compliance, Data Privacy

Abstract

Purpose: This paper aims to demonstrate how ISO standards such as ISO/IEC 27001:2022, ISO/IEC 27002:2022, and ISO/IEC 27701:2019 can help Indonesian organizations comply with the Personal Data Protection (PDP) Law. It highlights the challenge organizations face due to the lack of clear guidance in the law, then shows how these ISO standards can guide them toward compliance. The study also maps the regulation’s requirements to the approaches in the standards that can fulfill them, offering a clearer path toward full compliance.

Methods: This research employs a qualitative approach, combining a literature review, document analysis, and comparative assessment. It provides a systematic mapping of the Indonesian PDP Law to ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27701, an analysis of their alignment, a gap analysis, and an account of how these standards can demonstrate compliance with the Indonesian PDP Law.

Result: This study shows that, of the 14 mandatory requirement topics of the Indonesian PDP Law that were mapped, ISO/IEC 27001:2022 covers only 1 topic, ISO/IEC 27002:2022 provides controls that accommodate 8 topics, and ISO/IEC 27701:2019 provides controls that accommodate 13 topics. Combined, however, these standards satisfy all of the mandatory requirements of the Indonesian PDP Law.

Novelty: This study shows how international standards like ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27701 can help organize compliance with the Indonesian PDP Law while also strengthening data protection practices in Indonesia.

Published

01-06-2025

Article ID

21538

Section

Articles

How to Cite

Evaluating ISO Standards for Indonesian PDP Law Compliance: A Regulatory Mapping and Literature Review. (2025). Scientific Journal of Informatics, 12(1), 145-158. https://doi.org/10.15294/sji.v12i1.21538