Good Governance Is Not a Choice, but a Necessity for Business Success

In today’s fast-changing and uncertain business world, corporate governance is no longer just a formality. Implementing good corporate governance has become an essential requirement for organizations seeking long-term success and sustainability.

However, many companies in Indonesia still view corporate governance as optional. In reality, sound governance practices serve as the foundation for building a resilient, transparent, and trustworthy organization.

According to The Indonesia Corporate Governance Manual, governance reforms are often applied only at the surface level. Many organizations treat them as tools for public image rather than as a genuine system to safeguard stakeholder trust, enhance access to capital, and minimize business risks. The real benefits of governance can only be realized when companies demonstrate a strong and continuous commitment to its implementation.

Why Corporate Governance Matters in Modern Business

1. Enhancing Investor and Stakeholder Trust

Transparent, accountable, and ethical corporate governance sends a strong signal to investors that the organization is well-managed. This builds a healthy investment climate, strengthens corporate reputation, and enhances public confidence.

2. Reducing Risks and Increasing Resilience

A strong governance structure enables companies to identify, mitigate, and respond to risks effectively — whether financial, operational, legal, or reputational. With solid governance in place, organizations are better protected from scandals, corruption, and compliance failures.

3. Supporting Better Decision-Making

Corporate governance provides a clear, data-driven decision-making framework. The principles of transparency, accountability, and responsibility guide executives and boards of directors in making fair and strategic decisions.

4. Driving Innovation and Competitive Advantage

Companies that take governance seriously tend to cultivate a healthy, adaptive culture that encourages innovation. This becomes a strategic advantage in navigating global competition.

Integrating Corporate Governance and IT Governance

Many leading companies have made good governance more than a regulatory obligation — they’ve embedded it into their organizational culture. Governance now extends beyond finance and compliance, encompassing how a company manages strategic risks and technological resources.

In the era of digital transformation, IT governance has become increasingly critical. It serves as an extension of corporate governance, ensuring that business strategies and IT capabilities remain aligned.

Through effective IT governance, organizations can ensure that their IT investments, data security, and digital services deliver measurable value and support strategic objectives. One of the most widely used frameworks to achieve this is COBIT.

COBIT: The Global Framework for IT Governance

Control Objectives for Information and Related Technologies (COBIT) is an internationally recognized framework developed by ISACA. Its latest version, COBIT 2019, offers a comprehensive and flexible approach to managing IT in order to:

  • maximize business value,

  • ensure effective risk management, and

  • strengthen compliance and sustainable performance.

COBIT 2019 provides a structured methodology that helps organizations tailor their IT governance according to business needs through design factors and focus areas.

The framework consists of four key publications:

  1. COBIT 2019 Framework: Introduction and Methodology – introduces core concepts and principles.

  2. COBIT 2019 Framework: Governance and Management Objectives – details 40 key governance and management objectives.

  3. COBIT 2019 Design Guide – provides guidance for designing governance systems tailored to organizational context.

  4. COBIT 2019 Implementation Guide – offers a roadmap for implementing and continuously optimizing IT governance.

Implementing COBIT has proven effective across various industries. For instance, a national bank in South Africa reported stronger IT governance and improved collaboration after adopting COBIT. Meanwhile, a customs organization in the Middle East experienced significant improvements in data reporting and operational efficiency following COBIT integration.


Partner with Robere & Associates

Robere & Associates Indonesia is ready to help your organization design, implement, and optimize IT Governance strategies effectively and sustainably.
Partner with us today and transform your governance into a powerful enabler of operational excellence and business growth. Contact us!

What Is ISO 37001: How Modern Organizations Build Integrity and Trust

In an era where reputation can shift overnight, integrity has become more than a moral ideal — it’s a cornerstone of sustainable business. Modern organizations are judged not only by what they produce but also by how they operate. In this context, ISO 37001 emerges as a global framework that turns integrity into a measurable system — ensuring honesty becomes habit, not hope.

So, what is ISO 37001 actually about?

In simple terms, ISO 37001 is an international standard for Anti-Bribery Management Systems (ABMS). It is designed to help organizations prevent, detect, and respond to bribery across all operations. But more importantly, ISO 37001 is a moral compass — a guide that helps organizations stay on the right path, even when shortcuts seem tempting.

ISO 37001: A Standard Born from Global Demand

Bribery and corruption are not just legal problems — they are matters of trust. Across industries and countries, corruption undermines progress, distorts competition, and erodes confidence. ISO 37001 was developed to address these challenges through a systematic, measurable, and transparent approach.

ISO 37001:2016, published by the International Organization for Standardization (ISO), provides a framework for establishing, implementing, maintaining, and improving an anti-bribery management system that can be audited and verified.

The beauty of ISO 37001 lies in its universality. It can be applied to organizations of all sizes — from multinational corporations and government institutions to NGOs and startups. The goal is simple yet profound: to ensure that every business decision is made with integrity.

The Purpose and Benefits of ISO 37001

Implementing ISO 37001 is not merely a compliance exercise — it’s an investment in credibility and long-term trust.

The standard is built around three core purposes:

  1. Preventing and Mitigating Bribery Risks.
    By identifying high-risk areas and enforcing controls, organizations can stop bribery before it starts.
  2. Embedding a Culture of Integrity.
    ISO 37001 requires participation at every level of the organization — from the boardroom to the front line.
  3. Enhancing Stakeholder Confidence.
    Certification demonstrates that the organization has a structured, credible, and verifiable approach to ethical business practices.

Ultimately, ISO 37001 is not just about compliance; it’s about building trust as a strategic asset — something that money alone cannot buy.

The Core Principles Behind ISO 37001

To fully understand what ISO 37001 is about, we must look at the fundamental principles that form its foundation.

  1. Ethical Leadership and Top Management Commitment.
    Integrity starts at the top. Leaders must act as role models, setting the tone for ethical conduct across the organization.
  2. Clear and Enforceable Anti-Bribery Policies.
    A well-defined policy communicates zero tolerance for bribery, improper gifts, or conflicts of interest.
  3. Risk Assessment.
    Every organization faces different exposure levels. ISO 37001 encourages risk-based thinking — identifying where bribery risks are most likely to occur.
  4. Due Diligence.
    The integrity of an organization depends on its partners. ISO 37001 requires vetting third parties, suppliers, and consultants to ensure shared ethical standards.
  5. Internal Controls and Auditing.
    A robust control system, supported by regular audits and financial transparency, is essential for detecting irregularities.
  6. Training and Awareness.
    Ethics cannot thrive in silence. ISO 37001 emphasizes ongoing education and open communication about anti-bribery principles.
  7. Whistleblowing and Investigation.
    A confidential reporting mechanism allows employees to raise concerns safely, ensuring that integrity has a voice at every level.

From Compliance to Culture

Many organizations begin their ISO 37001 journey for external reasons — a regulatory requirement, a client demand, or a procurement condition. But the true power of this standard is realized when compliance evolves into culture.

A strong anti-bribery culture doesn’t arise from fear of punishment but from a shared belief that integrity is good business.
When ISO 37001 becomes embedded in daily operations, honesty turns into a habit, and systems no longer depend solely on enforcement.

At that stage, ISO 37001 ceases to be a certification — it becomes an identity.

Why ISO 37001 Defines Modern Business Integrity

In today’s global marketplace, transparency is currency. Companies that can demonstrate ethical operations enjoy not only trust but also a competitive edge.

Here’s why ISO 37001 is quickly becoming a modern standard of excellence:

  • Global Credibility.
    Certification signals to investors, partners, and clients that the organization operates with integrity and professionalism.
  • Legal and Financial Protection.
    An effective anti-bribery system reduces exposure to lawsuits, fines, and reputational damage.
  • Operational Efficiency.
    By removing unethical behaviors, processes become leaner, decisions more objective, and governance stronger.
  • Stronger Relationships.
    Transparency fosters healthier partnerships, both internally and externally.

Ultimately, organizations with ISO 37001 don’t just avoid wrongdoing — they become symbols of trustworthiness.

How ISO 37001 Is Implemented

Implementing ISO 37001 is a transformation process — it requires commitment, communication, and consistency. While the specifics vary, most organizations follow these key steps:

  1. Gap Analysis.
    Assess the organization’s current practices against ISO 37001 requirements. Identify where improvements are needed.
  2. System Design and Policy Development.
    Create or update anti-bribery policies, procedures, and documentation tailored to the organization’s structure and risks.
  3. Training and Communication.
    Conduct awareness programs to ensure all employees understand their role in maintaining integrity.
  4. Implementation and Monitoring.
    Apply controls, reporting systems, and audits to ensure policies are working as intended.
  5. Internal Audit and Management Review.
    Evaluate system performance and leadership involvement.
  6. External Certification.
    Engage an independent certification body to validate compliance and issue formal ISO 37001 certification.

This approach ensures that anti-bribery management is not theoretical — it’s operational, measurable, and alive.

Case Example: When Policy Becomes Practice

Consider a regional engineering company that faced challenges with vendor transparency. After adopting ISO 37001, they restructured procurement workflows, implemented digital approval systems, and introduced regular integrity training.

Within eight months, audit findings improved dramatically, vendor compliance increased, and employee surveys showed higher confidence in management’s ethical leadership.

The result wasn’t just cleaner books — it was a stronger culture. Employees began to see ISO 37001 not as an external requirement, but as a shared language of trust.

ISO 37001 and the Future of Governance

Looking ahead, ISO 37001 is poised to become a global benchmark for responsible governance.
As regulations tighten and public scrutiny intensifies, organizations that prioritize integrity will be the ones that endure.

Building ethical systems today is a form of future-proofing — ensuring that even in times of uncertainty, trust remains unshaken.

ISO 37001 gives organizations the structure to sustain that trust, one decision at a time.

The Role of Robere & Associates

As a BSSN-verified and ASPI-registered consulting firm, Robere & Associates has guided numerous organizations in implementing ISO 37001 across diverse industries in Indonesia.

Our approach goes beyond documentation — we focus on helping organizations internalize integrity as part of their culture.

Our expertise includes:

  • Gap Analysis and Risk Assessment.
  • Designing and Implementing Anti-Bribery Systems.
  • Ethics and Leadership Training.
  • Internal Audit and Certification Readiness Support.

We believe integrity is not a cost of doing business — it’s what makes business sustainable.

Conclusion

So, what is ISO 37001?

ISO 37001 is more than a management standard — it’s a declaration that your organization chooses integrity as a way of doing business.
It helps companies prevent bribery, strengthen governance, and earn the trust that underpins long-term success.

In an age where transparency defines credibility, adopting ISO 37001 is not just a strategic choice — it’s a moral commitment.

Robere & Associates is ready to support your journey in building an anti-bribery system that reflects your values and elevates your reputation.
Learn more at https://robere.co.id/iso-370012025/

QMS as a Business Strategy for Building a Sustainable Quality Culture

Quality is a universal language — one that every customer understands, yet not every organization can fluently speak. In today’s competitive business landscape, companies are expected not only to deliver high-quality products and services but also to maintain consistency and trust across every interaction.

To achieve this, many organizations worldwide rely on a key foundation: the Quality Management System (QMS).
QMS is a structured system that defines how an organization designs, controls, and improves its business processes to ensure long-term quality and customer satisfaction.

But QMS is far more than a collection of procedures. It is a strategic business philosophy — one that shapes how organizations think, operate, and make decisions across every level.

QMS: More Than a System, It’s a Mindset

For years, quality management has often been misunderstood as an administrative function. Yet, in reality, QMS is a driver of organizational transformation.

It enables companies to understand a simple truth: quality does not happen by chance — it is the result of deliberate design.
Through QMS, organizations can:

  • Analyze every process to increase efficiency and minimize errors.
  • Improve collaboration across departments to achieve shared goals.
  • Identify opportunities for improvement before issues escalate.
  • Ensure that customer satisfaction remains at the heart of every decision.

In practice, QMS bridges three essential elements: people, processes, and data.
Together, they create an organization that is agile, measurable, and resilient to change.

QMS and ISO 9001: The Global Standard for Trust

When discussing QMS, one name always stands out — ISO 9001.
As the world’s most recognized standard for quality management, ISO 9001 provides a structured framework for building and maintaining an effective QMS.

But beyond compliance checklists, ISO 9001 promotes a deeper management philosophy:
quality is not the responsibility of one department — it is a shared organizational commitment.

Through ISO 9001, companies learn to:

  • Define their business context and stakeholder expectations.
  • Identify risks and opportunities systematically.
  • Align quality objectives with strategic goals.
  • Conduct internal audits and management reviews for continual improvement.

No wonder ISO 9001 certification has become a global symbol of credibility — proving that an organization operates with strong governance, discipline, and integrity.

(See also: GRC Consulting and Certification by Robere & Associates)

The Core Principles of QMS

To function effectively, every Quality Management System must be grounded in seven fundamental principles, drawn from the ISO 9000 Family.

  1. Customer Focus – placing the customer at the center of all decisions.
  2. Leadership – providing clear direction and purpose across the organization.
  3. Engagement of People – empowering every individual to contribute to quality.
  4. Process Approach – viewing the organization as an interconnected system of processes.
  5. Improvement – embedding continual improvement into the culture.
  6. Evidence-Based Decision Making – making decisions based on data, not assumptions.
  7. Relationship Management – building long-term, value-based relationships with stakeholders.

These principles form the living philosophy behind every successful QMS — turning theory into actionable practice.

QMS as a Business Transformation Strategy

An effective QMS doesn’t just optimize internal operations; it transforms the way organizations think and act.
By combining process-based and risk-based approaches, QMS enables businesses to see the bigger picture and make smarter decisions.

1. Aligning Vision with Execution

QMS ensures that business strategy is translated into tangible operational objectives.
When leadership aims to improve customer satisfaction, QMS provides the tools to measure, analyze, and refine every touchpoint.

2. Achieving Efficiency Without Compromising Quality

QMS identifies non-value-adding activities and eliminates waste, resulting in faster processes, lower costs, and consistent performance.

3. Fostering Collaboration and Transparency

With QMS, collaboration becomes natural. Every department understands its role in achieving quality objectives, supported by shared data and open communication.

4. Enabling Data-Driven Leadership

Through Evidence-Based Decision Making, leaders rely on real data — from audits, process metrics, and customer feedback — to make strategic decisions that drive growth.

Common Challenges in Implementing QMS

While QMS offers immense benefits, implementation often comes with challenges such as:

  • Resistance to change – employees may initially view QMS as added bureaucracy.
  • Limited understanding – without awareness, QMS becomes a document-driven task rather than a cultural shift.
  • Overdocumentation – excessive procedures without practical application reduce agility.
  • Lack of leadership involvement – without top management commitment, quality culture stagnates.

However, these challenges are opportunities in disguise.
With proper guidance, QMS can unite leadership, teams, and processes under one shared goal: sustainable excellence.

Case Study: QMS in Action

A growing service company once struggled with delays, customer complaints, and poor coordination.
After implementing ISO 9001-based QMS, the company mapped its workflows, defined process ownership, and introduced performance indicators.

Within six months, operational efficiency improved by 30%, customer complaints dropped significantly, and employee engagement increased.
This transformation wasn’t driven by documentation — it was driven by a change in mindset: quality became everyone’s responsibility.

Building a Sustainable Quality Culture

One of the most powerful outcomes of QMS is the creation of a living quality culture.
When every person in the organization starts thinking in terms of quality, decisions become more focused, and performance improves naturally.

A true quality culture transforms compliance into commitment.
Quality becomes part of the organization’s DNA — visible in how teams collaborate, innovate, and serve customers.

And when that culture takes root, the organization becomes self-sustaining, capable of evolving with change while maintaining its core values.

The Role of Robere & Associates in Implementing QMS

As a BSSN-verified and ASPI-registered consulting firm, Robere & Associates has guided numerous organizations in Indonesia in designing and implementing ISO-based management systems.

We recognize that each organization has its own challenges and culture. That’s why our approach is never one-size-fits-all — we build systems that are relevant, practical, and sustainable.

Our services include:

  • Gap Analysis to assess organizational readiness.
  • Design and implementation of an efficient, tailor-made QMS.
  • Training and coaching to empower internal teams.
  • Certification support to ensure readiness for ISO 9001 audits.

Our mission goes beyond compliance. We aim to help organizations build long-term quality resilience, where systems serve people — not the other way around.

Conclusion

Ultimately, QMS is not just a system — it is a long-term business strategy that transforms how organizations view and manage quality.
It fosters alignment, agility, and accountability at every level of operation.

Organizations that commit to implementing QMS don’t just become more efficient — they become more trusted, adaptable, and future-ready.

A sustainable quality culture is built through patience, consistency, and leadership commitment.
At Robere & Associates, we ensure that your journey toward quality excellence is measurable, meaningful, and built to last.

Learn more about how Robere & Associates can help your organization build and sustain an effective Quality Management System.
Visit https://robere.co.id/en/grc-consulting-and-certification/ for more information.

Understanding the ISO 9000 Family: The Foundation of Quality for Modern Organizations

Every organization shares one universal goal — trust. For customers, trust is earned through consistent quality. In today’s fast-moving and transparent world, quality is not merely about the final product; it’s about how the organization builds and manages its processes.
This is where the ISO 9000 Family comes into play — not just as a standard, but as a universal language of quality that guides organizations toward structure, consistency, and continual improvement.

The ISO 9000 Family has shaped how thousands of organizations worldwide view and manage quality. From manufacturing to finance, from education to healthcare, these standards have helped build reputations rooted in reliability and performance. Yet many only know ISO 9001, while in reality, it’s part of a larger system that functions as a complete framework for quality management.

What Is the ISO 9000 Family?

The ISO 9000 Family is a series of international standards published by the International Organization for Standardization (ISO) that focus on Quality Management Systems (QMS).
These standards provide organizations with the structure and principles to consistently deliver products and services that meet customer and regulatory requirements.

The ISO 9000 Family is not just about compliance — it’s about cultivating a mindset of systematic improvement, helping organizations measure, analyze, and optimize their processes to remain competitive in a dynamic marketplace.

The Structure of the ISO 9000 Family

ISO 9000:2015 – Fundamentals and Vocabulary

ISO 9000 serves as the philosophical foundation of the family. It outlines the core principles of quality management and defines a shared vocabulary for organizations, auditors, and customers.

The seven key principles are:

  1. Customer Focus – understanding and meeting customer needs.
  2. Leadership – establishing direction and unity of purpose.
  3. Engagement of People – empowering everyone to contribute to quality.
  4. Process Approach – viewing activities as interconnected processes.
  5. Improvement – embedding continual improvement in the organization’s culture.
  6. Evidence-based Decision Making – basing decisions on data and analysis.
  7. Relationship Management – fostering long-term partnerships with stakeholders.

These principles form the conceptual backbone for all other standards in the ISO 9000 Family.

ISO 9001:2015 – Requirements for Quality Management Systems

If ISO 9000 defines the philosophy, ISO 9001 is the practical implementation.
It is the only standard in the ISO 9000 Family that can be certified, specifying requirements for building and maintaining an effective Quality Management System.

ISO 9001 helps organizations:

  • Set measurable quality policies and objectives.
  • Identify risks and opportunities systematically.
  • Control processes for operational consistency.
  • Conduct internal audits and management reviews for continual improvement.

ISO 9001 certification is not merely a label — it’s evidence of a living quality culture within the organization.

(See also: GRC Consulting and Certification by Robere & Associates)

ISO 9004:2018 – Quality of an Organization for Sustained Success

While ISO 9001 focuses on meeting customer requirements, ISO 9004 provides guidance on achieving long-term organizational success.
It encourages organizations to look beyond short-term efficiency and focus on sustainability, innovation, and stakeholder satisfaction.

ISO 9004 is not for certification but serves as a strategic guide to help organizations align their quality management approach with their business objectives and vision.

ISO 19011:2018 – Guidelines for Auditing Management Systems

Every system needs verification, and ISO 19011 offers the framework for it.
This standard provides guidance on auditing management systems — covering principles of auditing, managing audit programs, and auditor competence.

Through ISO 19011, organizations transform audits into tools for learning and improvement, not merely compliance checks.

Why the ISO 9000 Family Matters Today

Many see ISO certification as a checkbox activity. But for organizations that understand its essence, the ISO 9000 Family is a strategic enabler — aligning leadership, processes, and people toward a unified culture of quality.

1. Consistency and Reliability

By standardizing processes, organizations achieve predictable results — the foundation of customer trust.

2. Customer Satisfaction

The Customer Focus principle ensures that every improvement effort revolves around value for the customer.

3. Operational Efficiency

The process-based approach minimizes waste, improves workflows, and enhances productivity.

4. Data-Driven Decisions

Evidence-based decisions reduce guesswork and strengthen organizational agility.

5. Global Recognition

ISO 9001 certification enhances reputation and opens access to international opportunities.

From Documentation to Culture

Implementing ISO 9000 is not about filling binders with procedures.
It’s about building a mindset where quality becomes everyone’s responsibility.
Organizations that internalize ISO principles often find that certification is not the end goal — it’s the beginning of a transformation toward sustainable excellence.

Challenges and Opportunities in Implementation

Implementing a Quality Management System often presents challenges — internal resistance, lack of leadership involvement, or complex documentation.
However, these challenges can be turned into opportunities for strengthening teamwork, accountability, and transparency.

With expert guidance, the implementation process becomes smoother and more impactful, ensuring the system delivers real value to the organization.

Robere & Associates: Your Partner in Quality

As a BSSN-verified and ASPI-registered consulting firm, Robere & Associates has extensive experience assisting organizations across industries in implementing the ISO 9000 Family of standards.

Our consultants provide:

  • Gap Analysis to assess readiness against ISO 9001 and ISO 9004.
  • Design and implementation of effective QMS frameworks.
  • Training and coaching to strengthen internal capabilities.
  • Guidance through ISO 9001 certification preparation.

Our mission is not only to help organizations achieve certification, but to foster a long-lasting culture of quality and continuous improvement.

Conclusion

The ISO 9000 Family is more than a technical standard — it’s a management philosophy that transforms how organizations operate, make decisions, and deliver value.

When applied holistically, it helps organizations earn not just a certificate, but something far more valuable — the trust of their customers.

For organizations seeking to strengthen their Quality Management System and build a foundation for sustainable growth, Robere & Associates is ready to guide you every step of the way.
Learn more about our services at https://robere.co.id/en/grc-consulting-and-certification/.

How to Effectively Improve Operational Performance Through ISO 9001

ISO 9001 is an international standard that defines the requirements for a Quality Management System (QMS), developed by the International Organization for Standardization (ISO). This standard applies to all types of organizations — from small and medium-sized enterprises (SMEs) to large corporations — and can be implemented across various sectors.

The current version, ISO 9001:2015, emphasizes a process-based approach, risk management, leadership engagement, and continuous improvement. Meanwhile, ISO 9001:2025 is under development and will represent the future evolution of this quality management framework.

In an increasingly competitive and fast-changing business landscape, operational performance is the key driver of organizational success. Efficiency, consistency, and adaptability to change are critical for survival and growth.

However, one of the main challenges organizations face is maintaining consistent quality in processes and services.

This is where ISO 9001 serves as an effective solution, helping strengthen quality management systems and improve overall operational performance.


How ISO 9001 Enhances Operational Performance

Implementing ISO 9001 can lead to significant improvements in operational performance through the following key aspects:

1. Process-Based Approach

ISO 9001 encourages organizations to map their processes thoroughly, eliminate non-value-adding activities, and optimize resources for maximum efficiency.

2. Risk and Opportunity Management

By identifying risks and opportunities in each process, organizations can prevent disruptions and leverage improvement opportunities effectively.

3. Documentation and Standardization

Well-documented procedures and work instructions ensure consistency, reduce dependency on individual knowledge, and maintain consistent quality across operations.

4. Leadership and Quality Culture

Top management plays an active role in quality implementation — fostering a collaborative, measurable, and results-oriented work culture.

5. PDCA Cycle (Plan-Do-Check-Act)

The PDCA cycle serves as a structured framework for evaluation and continuous improvement across all operational processes.

Case Study: Improving Operational Efficiency Through ISO 9001

A national logistics distribution company implemented ISO 9001 with consultant support. Within six months, the results were remarkable:

  • Delivery time reduced by 25%

  • Customer complaints decreased by 40%

  • Operational costs lowered by 15%

This success was achieved through process standardization, employee training, and the use of more precise quality performance indicators.

Which Organizations Should Adopt ISO 9001?

ISO 9001 is highly flexible and can be implemented by:

  • SMEs seeking structured work systems

  • Hospitals and educational institutions

  • Financial and banking organizations

  • Manufacturing and automotive industries

The standard can be tailored to the organization’s scale and complexity without compromising its core quality management principles.

Steps to Implement ISO 9001 Effectively

  1. Management commitment
  2. Process identification and mapping
  3. Establishing measurable quality objectives
  4. Documenting procedures and work instructions
  5. Employee training and competency development
  6. Regular internal audits
  7. Corrective actions and continuous improvement

With this approach, ISO 9001 becomes more than a certification tool — it becomes a driver of sustainable operational performance.

Conclusion: ISO 9001 as a Catalyst for Operational Excellence

ISO 9001 is not just a document — it is a strategic framework for building efficient, effective, and measurable systems. With proper implementation, organizations can:

  • Improve process efficiency

  • Reduce operational costs

  • Increase customer satisfaction

  • Strengthen business competitiveness

If your organization is committed to sustainable growth and aims to achieve operational excellence, ISO 9001 is the right foundation.

Robere & Associates Indonesia is ready to help your organization design, implement, and optimize an ISO 9001 Quality Management System strategically and effectively. Contact Us today and start transforming your operational performance.

Why ISO 9001 Remains Relevant in 2025

ISO 9001, the internationally recognized standard for quality management systems, continues to raise questions among organizations in this era of rapid technological change, digital transformation, and increasing market complexity. Many business leaders ask:

Is ISO 9001 still relevant in 2025 and beyond?

This question is understandable, given the emergence of new management methodologies, the fast pace of technological development, and the growing need for business process flexibility. Yet for many executives, ISO 9001 is not only still relevant but is becoming even more essential as a core foundation for organizations seeking sustainable and strategic growth.

From Quality Standard to Strategic Pillar

Since its introduction in 1987, ISO 9001 has undergone several major revisions, evolving from a quality assurance standard into a holistic and strategic Quality Management System (QMS) framework.

The current version, ISO 9001:2015, strengthens the process-based approach, incorporates risk management, and emphasizes leadership and customer satisfaction as central elements of the system.

This provides much greater flexibility and a stronger focus on real business outcomes, making ISO 9001 highly adaptable across various industries and organizational contexts.

Why ISO 9001 Remains Relevant in 2025

1. High Flexibility Across Industries

One of ISO 9001’s greatest strengths lies in its flexibility. It is not designed for any specific sector. Instead, it can be applied to organizations in manufacturing, healthcare, education, information technology, the public sector, and even fast-growing start-ups.

This flexibility allows organizations to tailor implementation according to their internal needs and context — without compromising the core principles of quality management. That adaptability ensures ISO 9001 remains relevant amid the rapidly changing business landscape of 2025.

2. Proactive Risk-Based Thinking

ISO 9001:2015 introduced risk-based thinking, encouraging organizations to go beyond reacting to problems and instead proactively identify risks and opportunities that may affect quality objectives and business performance.

This approach helps organizations prepare for uncertainty, regulatory changes, and digital disruption, all of which are intensifying in this decade. In 2025, such proactive strategies are critical for organizations aiming to stay resilient and competitive.

3. Integration with Other Standards and Digitalization Needs

ISO 9001 adopts the High-Level Structure (HLS, now referred to by ISO as the Harmonized Structure), which gives it the same clause layout as other management system standards and makes it easy to integrate with them, such as:

  • ISO 27001 (Information Security Management)

  • ISO 45001 (Occupational Health and Safety)

  • ISO 14001 (Environmental Management)

  • ISO 37001 (Anti-Bribery Management)

This provides tremendous value for organizations implementing multiple standards simultaneously.

Furthermore, ISO 9001 is evolving alongside the needs of digitalization and automation. Organizations can integrate IT systems and digital tools into their QMS — such as ERP systems, digital monitoring, and big data analytics — to enhance efficiency and transparency.

ISO 9001 and Its Support for ESG and Climate Action

The global landscape in 2025 also highlights growing attention toward sustainability and social responsibility, reflected in the ESG (Environmental, Social, and Governance) framework. ISO 9001 supports ESG initiatives through a transparent, traceable, and well-documented quality management approach.

Additionally, the recent ISO 9001:2015/Amd 1:2024 added climate change considerations to the existing context-of-the-organization requirements (clauses 4.1 and 4.2), reinforcing the standard's continued relevance to global environmental challenges and its ability to strengthen organizations' sustainability strategies.

Case Study: A Fast-Growing Fintech Start-Up

A rapidly expanding fintech start-up implemented ISO 9001 as the foundation for building a scalable operational system. During implementation, the company:

  • Developed clear and adaptable process documentation

  • Applied layered quality control to ensure digital service reliability

  • Aligned documentation with financial industry regulatory requirements

  • Gained investor and partner trust through structured, transparent processes

Through ISO 9001, the start-up not only built a system for its current operations but also established a long-term foundation for sustainable and trusted growth.

Conclusion

Despite the rise of new management and technology frameworks, ISO 9001 remains both relevant and essential in 2025 because it offers:

  • High flexibility and adaptability across diverse organizations

  • A proactive risk-based approach to business challenges

  • Seamless integration with other modern standards and digital systems

  • A commitment to continuous improvement and customer satisfaction

Organizations that implement quality management systems effectively will strengthen their internal processes, enhance market credibility, and build resilience to face future global challenges.

Future-Proof Your ISO 9001 Quality Management System

If your organization wants to ensure that its quality management system remains strong and relevant in the modern era, consult with Robere & Associates Indonesia.

With over 35 years of experience supporting diverse industries, our team is ready to help you design a quality strategy tailored to the challenges and opportunities of 2025 and beyond. Contact Us Today

ISO 9001:2025, A Transition Preparation Guide for Quality Management Systems

ISO 9001 is the internationally recognized standard for Quality Management Systems (QMS). More than one million organizations worldwide have adopted it to ensure that their products and services are consistent, high-quality, and compliant with customer needs and regulatory requirements.

In today’s increasingly competitive business landscape and with rising customer expectations, ISO 9001 certification is no longer merely an added advantage, it has become a strategic necessity. ISO 9001 provides a framework that enables organizations to:

  • Identify and manage business process risks

  • Improve operational efficiency

  • Ensure sustainable customer satisfaction

  • Foster a culture of continuous improvement across the organization

  • Build stakeholder trust through reliable governance

Implementing ISO 9001:2025 – What You Need to Know

The International Organization for Standardization (ISO) periodically updates its standards to stay relevant to technological changes, market needs, and societal expectations.

The previous version, ISO 9001:2015, introduced several significant updates, including strengthened risk-based management, enhanced leadership involvement, and a stronger process-based approach.

The next revision of ISO 9001, referred to in this guide as ISO 9001:2025, is currently under development. Although the final version has not yet been released, organizations should be aware that this revision will affect the existing structure of their quality management systems. Note that ISO designates each edition by its year of publication, so the final number will follow the year in which the revised standard is actually published.

According to the ISO Technical Committee (ISO/TC 176), the revision process will take approximately 2–3 years and is expected to be completed by or before 2026.

Key Issues and Trends Driving the ISO 9001 Revision

Several strategic issues have influenced the development of ISO 9001:2025:

1. Digitalization and Process Automation

Organizations are increasingly relying on technologies such as ERP systems, cloud-based QMS platforms, and Artificial Intelligence (AI). ISO 9001:2025 is expected to align with these digital realities.

2. Sustainability and ESG (Environmental, Social, Governance)

The global emphasis on sustainability and ESG encourages quality systems to support the Sustainable Development Goals (SDGs), including updates related to climate action introduced in ISO 9001:2015/Amd 1:2024.

3. Organizational Resilience

Recent global crises and the COVID-19 pandemic have highlighted the importance of having adaptive and resilient management systems. ISO 9001:2025 is expected to emphasize business resilience as a key component of the QMS framework.

4. Integration of ISO Standards

Many organizations now implement multiple ISO standards simultaneously, such as ISO 27001, ISO 37001, and ISO 45001. Therefore, the new ISO 9001 will adopt the Harmonized Structure (HS) to ensure easier integration across systems.

Core Principles of ISO 9001 That Remain Relevant

Although revisions are underway, the seven quality management principles on which ISO 9001 is built (customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision-making, and relationship management) will continue to serve as the backbone of the standard.

How Organizations Can Prepare for ISO 9001:2025

To stay ahead of the transition process, organizations can start by taking these proactive steps:

1. Audit the Current ISO 9001 System

Identify the strengths and areas for improvement in your existing QMS.

2. Strengthen Internal Competence

Conduct ISO 9001 training programs to enhance the capabilities of internal auditors and quality teams.

3. Stay Updated on Standard Revisions

Monitor official updates from ISO/TC 176 and consult with trusted experts such as Robere & Associates.

4. Strengthen Documentation and Performance Evidence

Ensure that your QMS documentation is complete, accurate, and supported by performance-based evidence.

5. Develop an ISO 9001:2025 Transition Plan

Create a strategic roadmap that guides your organization through the transition process effectively.

The Role of ISO Consultants in the Transition Process

Transitioning to ISO 9001:2025 can be challenging. This is where ISO consultants play a critical role. With over 35 years of experience, Robere & Associates provides strategic and efficient ISO implementation consulting services.

Our consultants not only assist in meeting new requirements but also deliver real business value through a risk-based and continuous improvement approach.

Conclusion

The release of ISO 9001:2025 represents a strategic opportunity for organizations to refine their quality management systems and enhance competitiveness. With early preparation, organizations can navigate the transition confidently and gain the full benefits of the updated standard.

Are you ready to embrace ISO 9001:2025?

The consulting team at Robere & Associates is ready to help you design an effective transition strategy. Contact Us today to discuss your organization’s needs and ensure a smooth and successful transition.

ISO 9001 Implementation Strategies for SMEs Aiming to Level Up

Micro, Small, and Medium Enterprises (MSMEs) are the backbone of Indonesia’s economy, contributing significantly to GDP and employment. However, to compete in local, national, and global markets, MSMEs must continuously improve the quality of their products and services.

ISO 9001 certification offers an international quality management standard that helps MSMEs build a strong, structured, and continuously improving system. By implementing ISO 9001, MSMEs can not only meet global standards but also enhance customer trust, expand their market reach, and elevate their business to the next level.


Why Many MSMEs Haven’t Started Implementing ISO 9001

Despite the proven benefits of ISO 9001, many MSME owners remain hesitant or delay its implementation. Common reasons include:

  • Limited resources such as manpower, time, and budget
  • Lack of understanding of ISO 9001, which is often perceived as complex and intended only for large companies
  • Fear of documentation, as the process is seen as time-consuming and confusing
  • Lack of management support, as the long-term benefits are not yet fully recognized

Therefore, an effective ISO 9001 implementation strategy is needed to help MSMEs overcome these challenges.


Effective ISO 9001 Implementation Strategies for MSMEs

Below are step-by-step strategies that can help MSMEs implement ISO 9001 effectively:

1. Build Management Commitment from the Start

The success of implementation depends heavily on the commitment of business owners or top management. ISO 9001 is a long-term investment in quality and operational efficiency.

2. Learn ISO 9001 Requirements in Simple Terms

Use simplified learning materials and SME-focused training programs. Understand key concepts such as customer satisfaction, the process approach, and a culture of continuous improvement.

3. Identify and Document Core Processes

Mapping key processes such as production, service, and procurement is crucial. Document them in a simple way (e.g., flowcharts or checklists) for easy understanding and consistency.

4. Adopt a Gradual Implementation Approach

Focus first on high-impact processes related to quality. Once these are stabilized, expand implementation to other areas of the business.

5. Enhance Team Competence through Training

Provide internal training or collaborate with consultants to ensure your team understands quality management principles and their respective roles.

6. Use a Simple Documentation System

Utilize accessible tools such as Google Drive or lightweight quality management software suited to MSME needs.

7. Conduct Regular Internal Audits

Internal audits help identify areas for improvement and maintain system consistency.

8. Engage ISO Consultants for Guidance

ISO consultants can accelerate understanding, resolve technical challenges, and ensure certification readiness.


Real-Life Example: A Handicraft MSME in Jepara

A handicraft MSME in Jepara successfully entered the export market after gradually implementing ISO 9001. The steps they took included:

  • Conducting internal workshops for all staff

  • Creating simple documentation for production and quality control processes

  • Performing monthly internal audits

  • Developing a mobile application for order management and raw material tracking

The results: higher quality standards, increased market trust, and broader national distribution.


Long-Term Benefits of ISO 9001 for MSMEs

  • Improved product and service quality
  • Enhanced operational efficiency and reduced costs
  • Greater customer trust and expanded market opportunities
  • Easier access to financing and partnerships
  • A strong foundation for business expansion

Conclusion

Implementing ISO 9001 is a strategic step for MSMEs looking to strengthen quality and competitiveness. With the right approach and a focus on core processes, MSMEs can establish an effective quality management system without unnecessary burden.

To ensure a smooth implementation, join the ISO 9001 Training Program by Robere & Associates. Designed with practical, easy-to-understand materials tailored for MSMEs, this program is led by professional trainers ready to address real-world challenges.

Contact Robere & Associates (Indonesia) today—register your team and achieve sustainable growth with ISO 9001.

Implementation of ISO/IEC 27001:2022 Now Mandatory for the Postal and Logistics Sector Under Permenkomdigi No. 8 of 2025

The Indonesian government has strengthened national information security governance through the issuance of Ministerial Regulation of Communication and Digital Affairs (Permenkomdigi) No. 8 of 2025. This regulation mandates all commercial postal and logistics service providers to implement an Information Security Management System (ISMS) in accordance with the international standard ISO/IEC 27001:2022.

This policy reflects the government’s commitment to ensuring data security, maintaining public trust, and enhancing the competitiveness of the national logistics industry in the digital era.

Why Information Security Has Become a Legal Obligation

The logistics and postal sector is among the industries most exposed to information security risks. Every day, millions of customer data points are processed and stored digitally — from delivery addresses to transaction details. Without a robust information security management framework, threats such as data breaches, cyberattacks, and misuse of information can result in significant financial and reputational losses.

Through Permenkomdigi No. 8 of 2025, the government affirms that:

  • Information security is no longer optional but a legal obligation;

  • Postal and logistics providers must implement and demonstrate compliance with ISO/IEC 27001:2022;

  • ISO/IEC 27001:2022 certification serves as evidence of both regulatory compliance and a commitment to proper information security governance.

Implications for Postal and Logistics Service Providers

Compliance with this regulation brings direct implications for all postal, delivery, and logistics providers.
Key requirements include:

  1. Establishing a structured information security system aligned with business and operational risks.

  2. Defining documented and integrated data security policies and procedures.

  3. Conducting internal and external audits to ensure the effectiveness of implementation.

  4. Obtaining ISO/IEC 27001:2022 certification through accredited certification bodies.

  5. Promoting a strong information security culture across all levels of the organization.

This implementation not only ensures compliance with government regulations but also strengthens customer trust and builds a long-term foundation for cyber resilience.

ISO/IEC 27001:2022 — The Global Foundation of Information Security

ISO/IEC 27001:2022 is the international standard for implementing an Information Security Management System (ISMS).
It provides organizations with a systematic framework to:

  • Identify and assess information security risks;

  • Establish appropriate data protection controls and policies;

  • Maintain the confidentiality, integrity, and availability of information;

  • Ensure legal compliance with national and international requirements.

For the logistics and postal industries, ISO/IEC 27001:2022 helps create a secure, efficient, and trustworthy digital supply chain amid the growing complexity of cyber threats.

Robere & Associates’ Support for Compliance and Cyber Resilience

As an internationally certified management system consultancy, Robere & Associates has supported numerous organizations across the logistics, transportation, and postal sectors in effectively implementing ISO/IEC 27001.

Robere’s approach focuses on risk-based and sustainable strategies, including:

  • Design and implementation of ISMS tailored to organizational context and risk environment;

  • Audit and certification support for ISO/IEC 27001:2022 until official certification is achieved;

  • Training and awareness programs to strengthen internal information security culture;

  • Integration of multiple standards such as ISO 9001, ISO 22301, and ISO 27701 to ensure system efficiency and alignment.

With over 35 years of experience, Robere ensures that every client is not only compliant but also truly secure and resilient against future digital threats.


FAQ: ISO/IEC 27001 for the Logistics and Postal Sector

1. What is Permenkomdigi No. 8 of 2025?
Permenkomdigi No. 8 of 2025 is an official regulation issued by the Ministry of Communication and Digital Affairs of Indonesia, requiring postal and logistics service providers to implement an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022.

2. Why is ISO/IEC 27001 mandatory for the logistics and postal industry?
Because this sector handles massive volumes of customer and transactional data daily. ISO 27001 helps ensure data protection, prevent information leaks, and maintain operational reliability.

3. What are the main benefits of implementing ISO/IEC 27001 for logistics organizations?
Key benefits include increased customer trust, reduced cybersecurity risks, compliance with government regulations, and improved digital competitiveness.

4. How does the ISO/IEC 27001 certification process work?
The process typically involves a gap analysis, implementation of security controls, internal audits, and external audits by accredited certification bodies that issue the official certificate.

5. How can Robere & Associates assist organizations in meeting this regulation?
Robere & Associates provides end-to-end services — from consultation, implementation, and training to audit and certification assistance — ensuring your organization meets all regulatory requirements while maintaining customer trust.

Building Public Trust Through ISO/IEC 27701 Implementation

Trust is the new currency. Consumers no longer judge an organization solely by the quality of its products or services—but also by how it protects their personal data. The surge of data breaches in recent years has revealed how fragile reputation can be when privacy is ignored.

Once data is compromised, the loss extends far beyond financial damage—it erodes public trust. Global studies even show that customers tend to abandon brands that have failed to protect their privacy, no matter how superior their products are.

Therefore, organizations must proactively build public trust. One of the most effective ways to do so is by implementing ISO/IEC 27701, the international standard for Privacy Information Management Systems (PIMS). This standard enables organizations not only to comply with regulations but also to demonstrate a genuine commitment to privacy protection.

Privacy as a Driver of Public Trust

As digital awareness grows, privacy has become one of the key factors influencing customer decisions. For consumers, the protection of personal data is now as important as the quality of the product they purchase.

Today’s customers are more critical and unafraid to ask:

“Is my data safe?”
“How does the company protect my information?”
“Is this organization transparent?”

These questions can no longer be answered with words alone—they require proof.

This is where privacy transforms into part of the customer experience. Organizations that are transparent, responsible, and trustworthy in managing personal data will earn long-term confidence—while those that fail to do so will quickly lose it.

ISO/IEC 27701 as Proof of Commitment

ISO/IEC 27701 serves as a global benchmark for organizations that take privacy seriously. Implementing this standard provides a clear, documented, and auditable framework for managing personal data responsibly.

This certification is not a mere “formality.” In the eyes of the public and business partners, ISO/IEC 27701 is a mark of credibility—a signal that your organization applies internationally recognized privacy governance.

Through certification, your organization demonstrates not only legal compliance but also a commitment to integrity, transparency, and accountability. This gives the public greater confidence that their data is in safe hands.

Reputation Benefits of Implementing ISO/IEC 27701

Implementing ISO/IEC 27701 brings long-term, tangible benefits to organizational reputation:

  • Increased customer loyalty.
    Consumers are more likely to stay with companies they trust, even amid intense market competition.

  • Stronger confidence from investors and partners.
    Organizations that adopt international privacy standards are perceived as lower-risk and better governed.

  • Broader global opportunities.
    Many multinational corporations now require business partners to hold privacy and security certifications. With ISO/IEC 27701, your organization is ready to participate in global business networks.

In short, ISO/IEC 27701 not only protects organizations from risk—it strengthens their market position.

Strategic Steps to Use ISO/IEC 27701 as a Trust-Building Tool

Implementation of ISO/IEC 27701 is often seen merely as a compliance measure. In fact, when properly managed, it can serve as a strategic communication tool for building public trust.

1. Integrate It Into Organizational Culture

Don’t stop at documentation. Ensure every employee understands and applies privacy principles in daily work. When privacy becomes part of your culture, the public perceives genuine consistency—not just formality.

2. Communicate It Publicly

Many organizations achieve certification but never talk about it. Yet, this is a valuable asset. Use official communication channels—your website, annual reports, or social media—to share that your organization is ISO/IEC 27701 certified. Tell the story behind the certification and what it means for your customers.

3. Demonstrate Proactive Transparency

Don’t wait for incidents to discuss privacy. Proactively explain how you protect customer data—for example, through clear and simple privacy policies or annual transparency reports.

4. Educate Your Customers

Many customers don’t understand what ISO/IEC 27701 means. Explain it in simple language: this certification ensures their data is more secure, their privacy rights are respected, and your systems are independently verified. This approach makes customers feel involved—not merely managed.

With these steps, ISO/IEC 27701 evolves beyond a compliance symbol into a powerful communication tool that strengthens public trust.

In the digital era, public trust is an organization’s greatest asset. You may have the best products, the fastest service, or the most advanced technology—but if you fail to protect privacy, it can all collapse in an instant.

Implementing ISO/IEC 27701:2025 is not just about legal compliance—it’s about demonstrating an ethical and strategic commitment to protecting personal data. By integrating it into your organizational culture and communicating it transparently, ISO/IEC 27701 can become a strong foundation for customer loyalty, investor confidence, and global business growth.


FAQ

  1. Is ISO/IEC 27701 certification only useful for legal compliance?
    No. It also enhances customer trust and strengthens organizational reputation.
  2. How can we communicate our ISO/IEC 27701 certification to the public?
    Through annual reports, official websites, social media, and simple educational messages for customers.
  3. Is ISO/IEC 27701 only for large organizations?
    No. Small and medium-sized enterprises can also gain significant benefits, especially in building customer trust.
  4. How is ISO/IEC 27701 linked to business reputation?
    Organizations trusted to protect privacy are more appealing to customers, more credible to investors, and more attractive to global partners.
  5. How can ISO/IEC 27701 become part of the culture, not just documentation?
    Through employee training, effective internal communication, and embedding privacy practices into everyday operations.

Building a Privacy Culture: How Employees Become the Key to Implementing ISO/IEC 27701:2025

Personal data is both a valuable asset and a major responsibility for every organization. Each transaction, online form, and even internal conversation may contain personally identifiable information (PII). The challenge is that the risks of misuse and data breaches continue to increase.

ISO/IEC 27701:2025 introduces a Privacy Information Management System (PIMS) framework that helps organizations manage personal data securely, transparently, and in compliance with regulations. However, there is one crucial aspect often overlooked — the success of PIMS does not depend solely on documents or technology, but on the people who implement it.

From top management to operational staff, employees are the main drivers that bring PIMS to life within the organization.

What is ISO/IEC 27701:2025 PIMS?

Before discussing the human factor, let’s first understand what PIMS is. A Privacy Information Management System (PIMS) is a management system based on ISO/IEC 27701:2025 for handling personal data. This standard helps organizations protect PII through documented policies, procedures, and controls. Unlike the previous version, ISO/IEC 27701:2025 is stand-alone, meaning organizations can apply it directly without having ISO/IEC 27001:2022 in place first. PIMS covers technical, regulatory, and governance aspects — but its success depends largely on the people within the organization.

Why Employees Are the Key to ISO/IEC 27701:2025 PIMS

  1. Humans are the weakest link.
    A large share of data breaches begin with human error, such as sending an email to the wrong recipient or using weak passwords.

  2. Every employee has access.
    From the receptionist to the director, everyone may have access to personal data. Every action matters to overall data security.

  3. Privacy culture is stronger than written rules.
    Procedures can be documented, but only a strong culture ensures people actually practice privacy protection in their daily work.

The Role of Employees in Implementing PIMS

To make ISO/IEC 27701:2025 truly effective, each employee level plays a distinct role:

  1. Top Management
    Top management is responsible for setting strategic direction and commitment, providing resources and full support, and most importantly — serving as role models in privacy compliance.

  2. Managers & Supervisors
    They translate policies into daily procedures, oversee implementation within their teams, and resolve issues when rules or expectations are unclear.

  3. All Employees
    Every employee must follow basic procedures — such as maintaining password confidentiality and handling data carefully.
    They should report incidents or potential privacy breaches and participate in regular privacy training sessions.

Strategies to Build a Privacy Culture in the Organization

For employees to be genuinely involved in PIMS, organizations must foster a strong privacy culture. Here are the steps:

  1. Education and Training
    Regular education and training ensure employees remain aware of the importance of protecting personal data.
    The materials should be relevant to each department — for instance, HR focuses on employee data, while marketing focuses on customer data.

  2. Effective Communication
    Use simple, clear messages such as posters or short reminders.
    Organizations should also provide a clear incident reporting channel so employees feel comfortable speaking up.

  3. Integration into Work Processes
    Integrate privacy into daily routines — not as an additional rule but as a natural part of every activity.
    When this happens, employees perceive privacy as a standard work ethic, not a burden.

  4. Employee Empowerment
    Empower employees by giving them real roles — such as participating in internal audits, providing feedback, or appointing “privacy champions” in each department.

  5. Recognition and Appreciation
    Simple gestures like thank-you notes, small rewards, or acknowledgment from management can make compliance feel meaningful, not mandatory.

Simple Everyday Practices

Protecting privacy is not about grand gestures, but consistent small habits practiced daily by your employees. For example:

  • Lock your laptop when leaving your desk.

  • Never share passwords with colleagues.

  • Double-check recipient addresses before sending important documents.

  • Store physical documents in locked drawers.

  • Report any phishing emails immediately.

When practiced consistently, these small actions can prevent major incidents.

Challenges and How to Overcome Them

Building a PIMS-based privacy culture is not easy. Common challenges include:

  • Employee resistance.
    Some employees see privacy procedures as extra workload. The solution is to educate them about the personal and organizational benefits.

  • Lack of understanding.
    Not everyone understands what PII is or why it matters. The solution is to use simple, practical communication.

  • Limited resources.
    Not every organization has a dedicated privacy team. Start small — with basic training — and gradually move toward full certification.

ISO/IEC 27701:2025 PIMS provides a clear framework for protecting personal data. Yet, documents and technology are only the foundation — the real life force behind PIMS is your people.

By building a privacy culture, engaging everyone, and making compliance a daily habit, you’re not just protecting data — you’re safeguarding your organization’s reputation, public trust, and long-term future.


FAQ

Is technology alone enough to protect privacy?
No. Technology is just a tool. Without human awareness, vulnerabilities will always exist.

How can employees be encouraged to care about privacy?
Through regular training, clear communication, and recognition for compliance.

Should all employees be involved in PIMS?
Yes. Privacy is a shared responsibility, from staff to top management.

What if employees resist new rules?
Educate them using real-world examples of data breach impacts — both for the organization and themselves.

What are the long-term benefits of a privacy culture?
Increased customer trust, fewer incidents, and stronger organizational competitiveness.

ISO/IEC 27701:2025 – A Comprehensive Guide to Privacy Governance and Compliance with Indonesia’s PDP Law

In today’s digital era, personal data has become both a valuable asset and a potential source of risk for organizations. Every online interaction, business transaction, and public service generates data trails that must be properly managed. However, the rising number of data breaches and misuse of personal information has made the public increasingly critical of how companies protect their privacy.

Indonesia has enacted Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi (UU PDP), which requires every data controller and processor to ensure the security and governance of personal data comprehensively. With this regulation in place, organizations can no longer take privacy lightly, as non-compliance may result in administrative or even criminal sanctions.

In this context, international standards such as ISO/IEC 27701:2025 emerge as a new pillar of privacy governance, helping organizations meet legal obligations while strengthening public trust.


What is ISO/IEC 27701:2025?

ISO/IEC 27701 is an international standard for a Privacy Information Management System (PIMS). It provides a structured framework for organizations to manage personally identifiable information (PII) effectively, securely, and transparently.

The first edition, ISO/IEC 27701:2019, was published as an extension of ISO/IEC 27001 and 27002. This meant that only organizations already certified under ISO/IEC 27001 could obtain ISO/IEC 27701 certification.

However, the latest version, ISO/IEC 27701:2025, introduces fundamental changes:

  1. It stands as a standalone standard. Organizations are no longer required to have ISO/IEC 27001 certification before being certified under ISO/IEC 27701.

  2. It adopts the High-Level Structure (HLS). This aligns it with other ISO standards such as ISO 9001, ISO/IEC 20000-1, and the latest ISO/IEC 27001.

  3. It emphasizes more comprehensive requirements. All clauses from 4–10 are mandatory, making PIMS a complete management system rather than a supplementary guide.

With these characteristics, ISO/IEC 27701:2025 becomes more inclusive and adaptable for various types of organizations—technology companies, financial institutions, educational bodies, and public sector entities alike.

Why is ISO/IEC 27701:2025 Important in the Era of the PDP Law?

Indonesia’s PDP Law imposes strict obligations on organizations that handle personal data—from obtaining valid consent and ensuring data security to providing access, correction, and deletion rights for data subjects.

ISO/IEC 27701:2025 aligns with these requirements. The standard helps organizations to:

  • Translate regulations into practical implementation. For example, documenting data collection flows, assessing privacy risks, and defining data deletion procedures.

  • Build compliance evidence. ISO/IEC 27701:2025 certification serves as tangible proof of an organization’s commitment to adhering to the PDP Law.

  • Reduce the risk of legal penalties. With well-documented privacy governance, organizations have protection in case of audits or investigations.

In essence, the standard is not just about “following the rules,” but about strengthening the foundation of long-term privacy governance.

Benefits of Implementing ISO/IEC 27701:2025

1. Legal Certainty

Organizations that implement this standard have clear guidelines for meeting the PDP Law’s requirements, minimizing risks of misinterpretation or non-compliance that could lead to sanctions.

2. Public Trust

In business, trust is currency. When customers are confident their data is handled securely, organizational reputation and loyalty increase.

3. Operational Efficiency

ISO/IEC 27701:2025 encourages organizations to establish policies, procedures, and responsibilities systematically. This results in more structured, efficient, and accountable data management.

4. Market Competitiveness

Privacy certification adds value in a competitive business environment. Many global enterprises now only partner with organizations certified under international standards.

Strategic Steps Toward Implementation

  1. Top Management Commitment – Privacy cannot be the sole responsibility of IT or legal teams; it requires full leadership support.

  2. Gap Analysis – Compare current practices against ISO/IEC 27701:2025 requirements and the PDP Law to identify areas for improvement.

  3. Develop PIMS Policies & Procedures – Define how data is collected, stored, used, shared, and deleted.

  4. Training & Awareness – Ensure employees understand their roles in maintaining privacy.

  5. Internal Audit & Certification – Conduct regular evaluations and prepare for formal certification to obtain official recognition.

ISO/IEC 27701:2025 arrives at the perfect time to address the challenges of modern data protection. It is not merely about regulatory compliance, but also about demonstrating commitment to ethics, transparency, and information security.

For organizations in Indonesia, adopting ISO/IEC 27701:2025 is a strategic move to ensure compliance with the UU PDP while fostering the public trust that is increasingly vital in the digital age.


FAQ

  1. Is every organization required to have ISO/IEC 27701:2025?
    Not legally required, but highly recommended. The PDP Law does not specify particular standards, yet ISO 27701 certification serves as strong evidence of compliance and accountability in managing personal data.
  2. Is ISO/IEC 27701:2025 only for technology companies?
    No. The standard is relevant for any organization that processes personal data—including banks, hospitals, universities, and government agencies.
  3. How long does implementation take?
    It depends on the organization’s complexity and system readiness. Typically, the process takes 6–8 months, including training, documentation, and auditing.
  4. Is ISO/IEC 27001 required before implementing ISO/IEC 27701:2025?
    No. The 2025 version is stand-alone, meaning it can be adopted directly without prior ISO 27001 certification.
  5. How does ISO/IEC 27701 relate to the PDP Law?
    They complement each other: the PDP Law defines legal obligations, while ISO/IEC 27701 provides a practical framework for fulfilling them.

The Role of BCP in Facing Disruptions Such as Demonstrations and Unexpected Events

No one wants to start the day with news that the streets are closed due to large-scale demonstrations. Yet in reality, access to the office can be blocked, teams scattered, and client service schedules still waiting. At times like this, improvisation often leads to panic. A Business Continuity Plan (BCP) ensures that business operations do not stop by providing clear, measurable, and actionable guidance.

What Is BCP?

A Business Continuity Plan (BCP) is a plan developed by an organization to ensure business continuity, particularly to keep critical or essential operational processes running despite disruptions. The focus is not only on recovery but also on the ability to continue delivering operational services. In best practice, BCP is aligned with standards such as ISO 22301, where the plan does not depend on individuals but on a documented management system that is regularly tested and updated.

Why Is BCP Important During Demonstrations & Unexpected Events?

Social disruptions, such as demonstrations, often arise suddenly, as occurred at the end of August 2025. These situations limit physical access, require rapid decision-making, and demand clear coordination of communication and operational instructions to avoid confusion. Without a BCP, organizational responses tend to be reactive. With a BCP, however, organizations have measurable scenarios that ensure services remain operational, data and systems are protected, and recovery is carried out according to realistic Recovery Time Objectives (RTO), without exceeding the tolerance limit acceptable to stakeholders, known as the Maximum Allowable Outage (MAO).

Key Foundations & Components of BCP Based on ISO 22301

  • Business Impact Analysis (BIA): Mapping of critical processes, identifying dependencies (applications, vendors, locations), and assessing potential impacts if processes are disrupted.

  • Maximum Allowable Outage (MAO): The tolerance limit of downtime acceptable to stakeholders when the organization cannot operate.

  • Recovery Time Objective (RTO) & Recovery Point Objective (RPO): Agreed recovery targets for time and data loss tolerance for each service, across functions.

  • Alternative Operations Strategy: Options for maintaining operations, such as work-from-anywhere, backup site/cloud usage, work area recovery, or capacity redirection.

  • IT Disaster Recovery (DR): Includes encrypted backups, regular restore testing, recovery guidelines (BCP), access controls (VPN, MFA), and compliance with the Personal Data Protection Law (UU PDP).

  • Crisis Communication Plan: Escalation channels, spokesperson appointments, update frequency, and ready-to-use message templates.

  • Critical Vendor Management: SLA provisions during crises, emergency contacts, and ensuring vendor BCP/DRP compatibility with the organization.

  • Governance & Roles: Decision-making structures and authorities during crises, e.g., Incident Commander, IT Recovery Lead, Crisis Management Team.

What Needs to Be Ensured When Running BCP?

Organizations must ensure proper storage and regular testing of all elements supporting business continuity, including: cross-functional and critical vendor emergency contact lists; secure repositories of emergency access and credentials (VPN, MFA, admin accounts); simple and operational priority service recovery BCPs; standard communication references for employees, key clients, and the public; alternative capacity (e.g., backup site/cloud, telephony or ticketing backup); and quick decision lists regarding which activities can be postponed without breaching contracts or SLAs. All these elements should be centralized and easily accessible during crises, rather than scattered across hard-to-track channels.

BCP KPIs and Metrics

The readiness level of a BCP can be monitored through several indicators, including: declaration time (interval from incident occurrence to BCP activation), compliance rate with RTO/RPO for each service, recovery duration compared to target, number of drill findings resolved each quarter, and client satisfaction scores after incidents. Trend analysis of these metrics provides management with the basis for determining additional investments—whether in capacity enhancement, recovery automation, or strengthening cross-functional coordination.
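The indicators above become useful only when they are computed the same way after every drill and incident. The following is an added example (not code from the original article or from Robere & Associates) that turns the BIA targets and the KPIs named in the text into a small, repeatable calculation: it first checks that no service has an RTO longer than its MAO, then computes declaration time, RTO/RPO compliance rates and the worst recovery overrun from incident records. Service names, targets and timestamps are constructed sample data.

```python
"""BCP readiness metrics as runnable code: an RTO/MAO consistency check on
the service targets from a BIA, and the KPIs named in the text (declaration
time, RTO/RPO compliance, recovery versus target) computed over incident
records. Added example; service names and timings are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class ServiceTarget:
    name: str
    rto_minutes: int  # Recovery Time Objective agreed for the service
    rpo_minutes: int  # Recovery Point Objective: tolerated data loss in minutes
    mao_minutes: int  # Maximum Allowable Outage accepted by stakeholders


@dataclass(frozen=True)
class IncidentRecord:
    service: str
    occurred_at: datetime   # disruption start
    declared_at: datetime   # formal BCP activation
    restored_at: datetime   # service back at the agreed level
    data_loss_minutes: int  # gap between last usable restore point and disruption


def validate_targets(targets: List[ServiceTarget]) -> List[str]:
    """One finding per service whose RTO is longer than its MAO: the plan would
    promise a recovery slower than what stakeholders said they can tolerate."""
    return [
        f"{t.name}: RTO {t.rto_minutes} min exceeds MAO {t.mao_minutes} min"
        for t in targets
        if t.rto_minutes > t.mao_minutes
    ]


def declaration_minutes(inc: IncidentRecord) -> float:
    """Interval from incident occurrence to BCP activation."""
    return (inc.declared_at - inc.occurred_at).total_seconds() / 60


def recovery_minutes(inc: IncidentRecord) -> float:
    """Elapsed time from occurrence to restoration, compared against the RTO."""
    return (inc.restored_at - inc.occurred_at).total_seconds() / 60


def compute_kpis(targets: List[ServiceTarget],
                 incidents: List[IncidentRecord]) -> Dict[str, float]:
    """Aggregate the KPIs over a set of incident or drill records."""
    by_name = {t.name: t for t in targets}
    rto_met = rpo_met = 0
    worst_overrun = 0.0
    declarations = []
    for inc in incidents:
        target = by_name[inc.service]  # KeyError: incident for a service missing from the BIA
        declarations.append(declaration_minutes(inc))
        elapsed = recovery_minutes(inc)
        if elapsed <= target.rto_minutes:
            rto_met += 1
        else:
            worst_overrun = max(worst_overrun, elapsed - target.rto_minutes)
        if inc.data_loss_minutes <= target.rpo_minutes:
            rpo_met += 1
    n = len(incidents)
    return {
        "incidents": n,
        "mean_declaration_minutes": sum(declarations) / n if n else 0.0,
        "rto_compliance_rate": rto_met / n if n else 0.0,
        "rpo_compliance_rate": rpo_met / n if n else 0.0,
        "worst_rto_overrun_minutes": worst_overrun,
    }


# Constructed sample BIA targets (minutes). "payroll" is deliberately inconsistent.
TARGETS = [
    ServiceTarget("client-portal", rto_minutes=120, rpo_minutes=15, mao_minutes=240),
    ServiceTarget("ticketing", rto_minutes=240, rpo_minutes=60, mao_minutes=480),
    ServiceTarget("payroll", rto_minutes=1440, rpo_minutes=60, mao_minutes=720),
]

# Constructed incident records from a two-day access-disruption drill.
INCIDENTS = [
    IncidentRecord("client-portal", datetime(2025, 8, 28, 8, 0), datetime(2025, 8, 28, 8, 20),
                   datetime(2025, 8, 28, 9, 30), data_loss_minutes=10),
    IncidentRecord("ticketing", datetime(2025, 8, 28, 8, 0), datetime(2025, 8, 28, 8, 45),
                   datetime(2025, 8, 28, 13, 0), data_loss_minutes=30),
    IncidentRecord("client-portal", datetime(2025, 8, 29, 9, 0), datetime(2025, 8, 29, 9, 10),
                   datetime(2025, 8, 29, 10, 0), data_loss_minutes=30),
]

if __name__ == "__main__":
    for finding in validate_targets(TARGETS):
        print("BIA finding:", finding)
    for key, value in compute_kpis(TARGETS, INCIDENTS).items():
        print(f"{key}: {value}")
```

With the sample data the consistency check reports the payroll service (an RTO of 1440 minutes against an MAO of 720), and the KPIs show two of three incidents meeting RTO and two of three meeting RPO, with the ticketing overrun of 60 minutes being the figure management would follow up on. Feeding each quarter's drill records through the same function gives the trend the text recommends tracking.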

BCP vs DRP

A Business Continuity Plan (BCP) focuses on sustaining business processes—including services, customers, human resources, communication, and operations—to keep business running despite disruptions. Meanwhile, a Disaster Recovery Plan (DRP) focuses on restoring IT capabilities, such as servers, databases, applications, networks, and data, so that the technological foundation returns to normal.

In essence, the difference lies in their roles: BCP determines service priorities and recovery sequences, while DRP executes technical recovery steps according to those priorities. Therefore, both must be designed, tested, and executed in an integrated manner to complement each other in safeguarding organizational continuity.

Common Mistakes

Many business continuity plans fail during crises because they were developed without a Business Impact Analysis (BIA), making them generic and impractical. Other common mistakes include setting overly ambitious RTO/RPO targets without sufficient technical support; never conducting drills, leaving the BCP unused until panic strikes; neglecting vendor readiness, which often becomes the weakest link in the service chain; and leaving documents outdated despite changes in systems or organizational structure.

Conclusion

Disruptions and crises never wait for the “right time” or for organizations to be fully prepared. With a Business Continuity Plan (BCP), uncertainty can be translated into concrete steps: services remain operational, teams understand their roles, and clients feel supported. The most honest question for every organization is: “If tomorrow morning the office is inaccessible due to a demonstration, will your services still run?”

Need practical, tested Business Continuity Management (BCM) tailored to your business context? Robere & Associates (Indonesia) is ready to support you, starting from initial identification, conducting Business Impact Analysis (BIA) and Risk Assessment, defining RTO/RPO, drafting the BCP, training your teams, to conducting drills in line with ISO 22301 standards.

Contact Robere & Associates today, so when disruptions happen, your business keeps running without interruption.

ISO 9001 Internal Audit: Checklist, Tips, and Case Study

The ISO 9001 internal audit is one of the key elements in implementing a quality management system (QMS) based on the international ISO 9001 standard. Its main purpose is not to “find faults,” but to evaluate the effectiveness of systems and business processes, ensure compliance with ISO 9001 requirements, and identify opportunities for improvement.

For companies that have already achieved ISO 9001 certification, internal audits are not just an obligation; they are a strategic tool for maintaining and continuously improving operational performance.

Figure: ISO 9001 internal audit – PDCA

What Is an ISO 9001 Internal Audit?

An ISO 9001 internal audit is a systematic and independent process used to evaluate the conformity of business processes, policies, procedures, and work practices with the ISO 9001 standard and the organization’s internal requirements.

This process is conducted by competent internal auditors who are independent from the area being audited and follow a predefined audit plan.

An internal audit helps organizations to:

  • Evaluate compliance with ISO 9001 requirements and internal quality policies

  • Identify nonconformities and opportunities for improvement

  • Build a culture of continuous quality

  • Prepare for external certification audits

Essential ISO 9001 Internal Audit Checklist

Below is a core checklist that can be customized according to the organization’s context and scope:

1. Context of the Organization

  • Have internal and external issues been identified?

  • Have stakeholder needs and expectations been defined?

  • Is the scope of the QMS clearly established?

2. Leadership

  • Does top management demonstrate commitment to quality?

  • Is the quality policy communicated and understood?

  • Are roles and responsibilities clearly defined?

3. Planning

  • Have risks and opportunities been analyzed and addressed?

  • Are measurable quality objectives established?

  • Is there a plan for achieving these objectives?

4. Support

  • Are resources (personnel, infrastructure) sufficient?

  • Are personnel competencies demonstrated and maintained?

  • Is internal communication effective?

5. Operation

  • Are operational processes carried out as planned?

  • Are documented controls in place for process changes?

  • Are nonconforming products or services managed appropriately?

6. Performance Evaluation

  • Are monitoring, measurement, and evaluation activities conducted?

  • Are internal audits performed as scheduled?

  • Is management review comprehensive and effective?

7. Improvement

  • Are nonconformities addressed with corrective actions?

  • Are there structured, continuous improvement initiatives?

Practical Tips for an Effective ISO 9001 Internal Audit

Conducting an internal audit should not be a formality. To make it truly valuable, consider the following best practices:

  • Plan Strategically
    Prioritize critical processes and high-risk areas. Quarterly or semi-annual audits may be more manageable and effective.
  • Select Competent and Objective Auditors
    Auditors must be trained in ISO 9001 and should not audit their own departments.
  • Use a Process-Based Audit Approach
    Go beyond documents — assess real activities, interviews, and process outputs.
  • Focus on Objective Evidence
    Avoid personal opinions. Audits should be based on data, records, and observable evidence.
  • Follow Up on Audit Findings Promptly
    A fast response to findings demonstrates commitment to quality and drives continuous improvement.

Case Study: Enhancing Efficiency Through Internal Audit

A national financial services company with over 300 employees faced stagnating customer service performance. An internal audit of the customer service process revealed:

  • Nonconformities in the complaint-handling procedure

  • Response times exceeding the SLA

  • Insufficient training for frontline staff

After corrective actions and additional training were implemented, results after four months showed:

  • Customer satisfaction increased by 18%

  • Response time reduced from 24 hours to 6 hours

  • Customer complaints decreased by 35%

The internal audit became a catalyst for systemic improvement, not just documentation or checklist compliance. It ensured process effectiveness and eliminated non-value-adding activities.

Conclusion

The ISO 9001 internal audit is a powerful management tool when conducted correctly. It is not merely a compliance requirement but a driver of tangible organizational performance improvements.

With the right checklist, competent auditors, and consistent management support, internal audits can deliver:

  • A more effective quality management system

  • Ongoing compliance with ISO 9001

  • Higher customer satisfaction

  • Continuous process improvement

If your organization wants to enhance the quality and effectiveness of ISO 9001 internal audits, consult with our expert team at Robere & Associates Indonesia. We provide strategic training and hands-on guidance to help your organization implement QMS audits that generate measurable impact and long-term improvement.

Privacy by Design and Privacy by Default in the PDP Law and ISO/IEC 27001: Proactive Strategies for Personal Data Protection

Privacy by Design and Privacy by Default have become two crucial concepts in the realm of personal data protection in the digital era. Both serve as proactive approaches that ensure user privacy is embedded from the outset of system and process design within organizations.

Regulations and Standards: PDP Law and ISO as the Foundation of Compliance

In Indonesia, Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi (UU PDP) is the primary legal framework that comprehensively governs the management of personal data. Complementing this regulation are international standards such as ISO/IEC 27001 and ISO/IEC 27701, which provide frameworks to help organizations ensure their data management systems align with information security principles and regulatory compliance.

As the volume of personal data processed and stored by organizations continues to grow, threats to privacy have also intensified. Systematic approaches such as Privacy by Design and Privacy by Default have therefore become increasingly relevant and critical.

What Are Privacy by Design and Privacy by Default?

Privacy by Design is an approach that requires personal data protection to be an integral part of system and organizational process design from the initial planning phase. Privacy is not treated as an add-on feature but as a core principle embedded in the development of products, services, and technology infrastructure.

Privacy by Default emphasizes that systems or services should be configured by default to collect and process only the personal data that is strictly necessary, used for legitimate purposes, and based on the explicit consent of the data subject. This aligns with the principles of data minimization and individual control over personal information.

Figure: Difference between Privacy by Design and Privacy by Default

Connection with the PDP Law

Privacy by Design under the PDP Law

This principle supports the implementation of the PDP Law by encouraging organizations to integrate personal data protection during the early design stages of systems, processes, and policies. It ensures data is collected only for legitimate purposes and that appropriate security measures are built in from the beginning to prevent misuse.

Privacy by Default under the PDP Law

Fully aligned with the PDP Law, this principle mandates that systems and services be configured by default to minimize the collection and processing of personal data. It requires organizations to gather only necessary data, with processing based on valid and explicit consent. This reinforces data minimization and strengthens individual control.

Privacy by Design & Default in ISO/IEC 27001

ISO/IEC 27001 is the international standard that outlines requirements for establishing an Information Security Management System (ISMS). It not only focuses on general information protection but also provides a structured and systematic guide for safeguarding personal data—including risk management, access controls, and physical and technical security. As such, ISO/IEC 27001 offers a comprehensive framework for maintaining the confidentiality, integrity, and availability of information.

Privacy by Design

Within the ISO/IEC 27001 framework, Privacy by Design is implemented through security policies and controls that proactively embed data protection into the design of systems and processes. It ensures that all systems, procedures, and technologies adopted by the organization include personal data protection as an integral security measure.

Privacy by Default

ISO/IEC 27001 also promotes Privacy by Default by ensuring systems and processes are configured to minimize the collection and use of personal data. Organizations are required to implement strict access controls, process only what is necessary, and limit processing scope to lawful and proportionate purposes. This supports data minimization and the protection of data subjects’ rights.
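Privacy by Default, as defined earlier and restated here for ISO/IEC 27001, is easiest to verify when the defaults are written down as configuration that can be checked. The following is an added example (not code from the original article, from ISO/IEC 27001, or from Robere & Associates) showing a constructed collection policy in a weak form beside a hardened form: each processing purpose is bound to the fields strictly necessary for it, optional consents start as opt-out (False), every purpose has a retention period, and a minimizer drops any submitted field the purpose does not need. The policy structure, field names and the form record are assumptions for illustration.

```python
"""Privacy by Default as a runnable check. A CollectionPolicy binds each
processing purpose to the fields strictly necessary for it, starts every
optional consent as False, and sets a retention period; audit_policy flags
weak defaults and minimize() drops anything a purpose does not need.
Added example; policies, field names and the form record are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class CollectionPolicy:
    purposes: Dict[str, FrozenSet[str]]   # purpose -> allowlisted fields
    consent_defaults: Dict[str, bool]     # consent flag -> value before the subject acts
    retention_days: Dict[str, int]        # purpose -> retention; absent means unbounded


# Weak configuration (constructed): collects everything for every purpose,
# pre-ticks optional consents and leaves analytics data without a retention limit.
WEAK_POLICY = CollectionPolicy(
    purposes={"account_signup": frozenset({"*"}), "analytics": frozenset({"*"})},
    consent_defaults={"marketing_email": True, "third_party_sharing": True},
    retention_days={"account_signup": 3650},
)

# Hardened configuration: each purpose names only the fields it needs,
# consents are opt-in, and every purpose has a retention period.
HARDENED_POLICY = CollectionPolicy(
    purposes={
        "account_signup": frozenset({"email", "display_name"}),
        "analytics": frozenset({"pseudonymous_id", "event_type"}),
    },
    consent_defaults={"marketing_email": False, "third_party_sharing": False},
    retention_days={"account_signup": 730, "analytics": 90},
)


def audit_policy(policy: CollectionPolicy) -> List[str]:
    """Return one finding per setting that violates Privacy by Default."""
    findings = []
    for purpose, fields in policy.purposes.items():
        if "*" in fields:
            findings.append(f"{purpose}: wildcard allowlist defeats data minimization")
        if purpose not in policy.retention_days:
            findings.append(f"{purpose}: no retention period defined")
    for flag, default in policy.consent_defaults.items():
        if default:
            findings.append(f"{flag}: consent pre-enabled; must be opt-in")
    return findings


def minimize(record: Dict[str, str], purpose: str,
             policy: CollectionPolicy) -> Tuple[Dict[str, str], List[str]]:
    """Keep only the fields the purpose allows and report what was dropped, so
    the collection can be logged and justified. An undocumented purpose is refused."""
    if purpose not in policy.purposes:
        raise ValueError(f"no documented purpose {purpose!r}; processing not permitted")
    allowed = policy.purposes[purpose]
    if "*" in allowed:  # the weak policy keeps everything
        return dict(record), []
    kept = {k: v for k, v in record.items() if k in allowed}
    dropped = sorted(k for k in record if k not in allowed)
    return kept, dropped


def initial_consent(policy: CollectionPolicy) -> Dict[str, bool]:
    """Consent state a new data subject gets before making any choice."""
    return dict(policy.consent_defaults)


# Constructed sign-up form submission that carries more than the purpose needs.
SIGNUP_FORM = {
    "email": "user@example.com",
    "display_name": "Ani",
    "date_of_birth": "2001-05-14",
    "phone": "+62-800-000-0000",
    "national_id": "0000000000000000",
}

if __name__ == "__main__":
    for finding in audit_policy(WEAK_POLICY):
        print("weak policy:", finding)
    kept, dropped = minimize(SIGNUP_FORM, "account_signup", HARDENED_POLICY)
    print("stored:", kept, "dropped:", dropped)
```

Running the audit against the weak policy yields five findings (two wildcard allowlists, a missing retention period and two pre-enabled consents); the hardened policy yields none, and the same sign-up form stored under it keeps only the e-mail address and display name while date of birth, phone and national ID are dropped and listed for the processing record. The dropped list is the evidence an auditor would ask for when checking that collection is limited to what the stated purpose requires.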

The Role of ISO/IEC 27701 in Enhancing Data Privacy

ISO/IEC 27701 is an extension of ISO/IEC 27001, specifically focused on Privacy Information Management Systems (PIMS). It provides additional guidance for managing and protecting personal data effectively, whether the organization functions as a data controller or processor.

This standard expands ISO/IEC 27001 by including privacy-specific elements, making it a vital tool for organizations aiming to develop a holistic and compliant information security management system.

Privacy by Design

ISO/IEC 27701 requires organizations to integrate privacy policies into their design and operations, ensuring personal data protection is built into every aspect of information management systems. This fully aligns with the Privacy by Design concept.

Privacy by Default

ISO/IEC 27701 also reinforces Privacy by Default by requiring system configurations that ensure only necessary data is collected and processed. This helps organizations comply with strict data protection standards and reduce privacy breach risks.

Why Your Organization Needs an ISO/IEC 27001 Consultant

Implementing ISO/IEC 27001 and ISO/IEC 27701 is a strategic move for organizations seeking to secure personal data and protect sensitive information. However, applying these standards can be challenging—especially for organizations lacking experience, resources, or in-house expertise.

This is where the role of an ISO/IEC 27001 consultant becomes essential. An experienced consultant can help organizations:

  • Develop policies and procedures aligned with international standards

  • Identify and manage risks related to personal and sensitive data

  • Ensure compliance with the PDP Law and global privacy requirements

  • Conduct internal audits to validate the effectiveness of the ISMS

Conclusion: Building Trust Through Privacy

Privacy by Design and Privacy by Default are foundational principles every organization should apply in protecting personal data and ensuring user privacy. These principles are highly aligned with Indonesia’s PDP Law, as well as international standards such as ISO/IEC 27001 and ISO/IEC 27701, offering a unified guide for systematic, secure, and compliant data management.

For organizations looking to implement these standards, working with an ISO/IEC 27001 consultant is a strategic decision. A consultant ensures that your ISMS complies with technical requirements and integrates privacy principles comprehensively and sustainably.

By adopting Privacy by Design and Privacy by Default, your organization can:

  • Build trust with customers and business partners

  • Reduce the risk of data breaches and reputational harm

  • Ensure compliance with national and international data protection laws


Need help preparing your Personal Data Protection framework for the digital era?

Contact Robere & Associates (Indonesia) via WhatsApp at 0811-9555-476 and build a governance system that is adaptive, sustainable, and regulation-compliant.

PP TUNAS – Government Regulation of the Republic of Indonesia No. 17 of 2025: Protecting Children’s Data in the Digital Age

PP TUNAS (Government Regulation of the Republic of Indonesia No. 17 of 2025) was introduced as a strategic initiative by the Indonesian government to address the growing challenge of protecting children’s personal data in the digital era. As technology rapidly evolves and digitalization expands across sectors such as education and entertainment, children are increasingly interacting with digital platforms that collect and store their personal information. From e-learning apps to online games, children’s data has become part of a complex digital ecosystem.

This situation highlights the urgent need for dedicated regulations that ensure children’s data is secure and protected from misuse. PP TUNAS provides technical guidance aimed at safeguarding children’s personal data while strengthening the mandate of Law No. 27 of 2022 on Personal Data Protection (PDP Law). Together, these laws lay the foundation for building a safe, child-friendly, and responsible digital environment.

What Is PP TUNAS (Government Regulation of the Republic of Indonesia No. 17 of 2025)?

PP TUNAS is a regulation designed to govern the operation of electronic systems to protect children from potential misuse of their personal data. It specifically focuses on safeguarding children’s data in the context of increasing digital technology use, considering the risks they may face, such as data exploitation and other negative effects from online interactions.

The regulation offers guidelines for electronic system operators on how to handle children’s personal data—including its storage, processing, and deletion—securely and in accordance with applicable laws.

Why PP TUNAS Is Crucial for Child Data Protection

Children, as digital natives, are more vulnerable to various online threats. PP TUNAS plays a critical role in minimizing such risks, including:

  • Misuse of personal data

  • Cyberbullying

  • Other negative impacts of digital interaction

Key Reasons Why This Matters


  1. Enhancing Child Data Security

    PP TUNAS mandates that any data collected about children must be processed and stored with extreme care, especially given its sensitive nature.

  2. Parental Consent Requirement

    One of PP TUNAS’s core provisions is that electronic system operators must obtain consent from parents or guardians before collecting children’s personal data. This provides greater control for parents over their children’s data.

  3. Preventing Data Exploitation

    The regulation prohibits the collection of children’s personal data for commercial purposes without explicit parental consent, aiming to prevent manipulation or exploitation.

  4. Risk Assessment for Digital Platforms

    All digital platforms engaging with children must undergo risk assessments to ensure their safety and prevent exposure to inappropriate or harmful content.

PP TUNAS vs PDP Law: What’s the Difference?

The PDP Law is the overarching legal framework in Indonesia that defines data subject rights, data controller and processor obligations, and the principles of personal data protection. PP TUNAS serves as a more technical and specific derivative regulation, focusing solely on the protection of children’s personal data as a vulnerable group in digital data processing. (Source: JDIH Sekretariat Negara)

Both laws complement one another by offering a comprehensive approach to securing personal data, including:

  • Parental Consent

    The PDP Law requires operators to obtain explicit parental consent when collecting children’s data. PP TUNAS further specifies that such consent must be clear and accountable.

  • Child Data Protection

    While the PDP Law demands stricter protection of children’s data, PP TUNAS provides detailed technical measures that platforms must implement when involving children.

  • Responsibility of Digital Platform Providers

    Both regulations place the responsibility on platform providers to protect children’s data and ensure their platforms are safe from threats like data exploitation and inappropriate content.

How to Implement PP TUNAS in Your Organization

Data protection experts, such as PDP consultants, play a vital role in helping organizations and digital service providers comply with PP TUNAS and the PDP Law. Their support includes risk identification and aligning internal policies and systems with current legal requirements.

An effective action plan includes:

  1. Developing Child Data Protection Policies
    Assisting organizations in drafting proper policies, risk assessments, and mechanisms for parental consent.

  2. Compliance Audits
    Conducting audits to ensure organizational practices align with PP TUNAS and PDP Law requirements.

  3. Training and Awareness
    Educating employees and stakeholders on the importance of child data protection and how to secure children’s data within the system.

  4. Managing Data Breach Risks
    Designing risk management strategies to prevent breaches, including the use of secure technologies and infrastructure.

Industries Impacted by PP TUNAS

PP TUNAS has broad implications across various industries—particularly those that directly interact with children or manage their personal data in digital services. Key sectors include:

  • Technology and Digital Platforms
    • Social media, mobile apps, online games, and e-commerce platforms must ensure data protection and obtain verifiable parental consent.
  • Education and Online Learning Services
    • E-learning platforms, schools, and educational institutions collecting student data must comply with strict privacy standards.
  • Healthcare
    • Child healthcare providers, hospitals, and health apps must ensure the confidentiality and security of children’s medical data.
  • Advertising and Digital Marketing
    • Advertisers targeting children or using behavioral data must comply with data privacy laws to avoid misuse.
  • Digital Finance and Banking
    • Payment and banking apps used by children must protect financial and personal information under PP TUNAS.
  • Media and Entertainment
    • Streaming platforms and entertainment providers offering content to children must safeguard data from unauthorized access.
  • Transport and Delivery Services
    • Services involving children (e.g., ride-hailing, public transport) must also protect the personal data of young users.

Conclusion: PP TUNAS and the Future of Child Data Protection

PP TUNAS significantly enhances child data protection in Indonesia’s digital ecosystem by establishing strict governance over the handling of children’s personal data. Data protection professionals, such as Pelindungan Data Pribadi (PDP) consultants, are essential in ensuring regulatory compliance and safe data practices across all sectors. With this regulation, Indonesia moves toward a safer, more responsible, and child-friendly digital landscape.

Need support to design your Personal Data Protection framework for children?
Contact Robere & Associates (Indonesia) via WhatsApp at 0811-9555-476
and build a governance system that is adaptive and future-ready.

Artificial Intelligence in Governance, Risk & Compliance: Strategic Innovation with a Human-Centric Approach

In recent years, the utilization of Artificial Intelligence (AI) technology has rapidly expanded across various industry sectors. From customer service to manufacturing process automation, AI has become a symbol of efficiency, speed, and data-driven intelligence. This is no less true within the realm of Governance, Risk, and Compliance (GRC)—an integrated approach that forms the foundation for organizations to achieve objectives ethically, legally, and with measurable risk. 

However, while AI offers tremendous potential in strengthening GRC systems, one fundamental principle must not be overlooked: AI is merely a tool. Governance, risk management, and compliance still require robust guidelines and human decision-making based on values and experience. 

What is GRC and Why is AI Necessary? 

GRC is an integrated framework that encompasses: 

  • Governance: Directing and controlling an organization to align with its vision, mission, and core values. 
  • Risk Management: Identifying, assessing, and responding to various types of risks that could hinder the achievement of organizational objectives. 
  • Compliance: Ensuring that the organization adheres to laws, regulations, industry standards, and internal policies. 

As data volumes and regulatory complexities increase, traditional approaches to GRC—still reliant on spreadsheets, emails, and manual processes—are becoming increasingly inadequate. This is where AI plays a role: not to replace humans, but to complement and significantly enhance the effectiveness of GRC systems. 

Strategic Benefits of AI in GRC 

  1. Automated Governance Insight 

    With Natural Language Processing (NLP) capabilities, AI can sift through thousands of policy documents and provide alignment recommendations against standards such as ISO 37000, OECD, and applicable national regulations, thereby enriching existing governance.

  2. Real-Time Data-Driven Risk Management 

    AI can process and analyze transaction data, user behavior, and market trends to proactively identify potential risks. For example: 

    • Prediction of business process disruptions 
    • Identification of cyber security breaches 
    • Analysis of project risk probabilities 

    AI also enables automatic risk weighting based on dynamic parameters such as incident count, escalation, and business impact. 

  3. Automated Compliance Monitoring 

    Through the integration of AI and Robotic Process Automation (RPA), companies can: 

    • Automatically monitor activities that violate internal policies 
    • Ensure adherence to regulations such as the Personal Data Protection Law (UU PDP), ISO/IEC 27001, 27701, and GDPR 
    • Automate compliance reports and audit trails 

AI as a Tool, Not a Decision-Maker 

While AI can perform rapid and massive analysis, it lacks human moral values, ethics, or intuition. Therefore, organizations should not rely entirely on AI without a strong foundation for governance. 

Why Are Guidelines Still Needed? 

AI will only be as accurate and secure as the data and guidelines used to train it. Without structured and human-reviewed policies: 

  • AI could generate false positives that are detrimental to users. 
  • Systems could become biased due to inaccurate, non-neutral, or biased historical data. 
  • The risk of privacy and ethical violations increases. 

Therefore, human-based GRC guidelines remain the primary reference for evaluating AI's output, from risk appetite policies and internal control frameworks to organizational ethical standards. 

The Vital Role of GRC Consultants in the AI Era 

For AI to be optimally implemented in GRC, organizations need to engage GRC consultants who understand three crucial aspects: 

  • Compliance with local and international regulations: For example, the Personal Data Protection Law (UU PDP), ISO 37301, or OJK regulations. 
  • Value-based organizational governance: AI can provide data, but only humans can assess based on the organization’s culture, ethics, and strategic direction. 
  • Structure and framework for AI implementation in GRC: Consultants play a role in developing effective and secure AI-based policies, oversight mechanisms, and audit models. 

Implementation Challenges and Mitigations 

AI Implementation Challenges and Mitigations

GRC Transformation: Innovative, Adaptive, and Human-Centered 

Implementing AI-based GRC does not mean abandoning fundamental governance principles. Instead, AI strengthens GRC—if direction, oversight, and evaluation remain in human hands. 

AI allows for risk detection in seconds, but humans determine whether that risk warrants action. AI can detect violations, but only humans can assess the context and implications. 

Conclusion 

AI has opened a new chapter in Governance, Risk & Compliance. However, the success of its implementation heavily depends on one crucial factor: the existence of guidelines, policies, and humans who remain in control.

Therefore: 

  • Organizations need to establish a robust GRC framework first, before integrating AI as a supportive tool. 
  • Engage with GRC consultants to ensure AI policies and systems align with the organizational context and applicable regulations. 
  • Maintain a balance between technological efficiency and humanistic governance values. 

AI is not a substitute for GRC, but an enabler towards a more effective, resilient, and sustainable GRC. 

If you are looking to establish and develop your organization’s GRC framework to meet the challenges of the digital era, we can assist you. Contact Robere & Associates (Indonesia) at 0811-9555-476 and build adaptive and sustainable governance. 

ISO 9001 as a Service Quality Assurance Method: A Case Study on Apple Inc.

Service quality is a paramount factor in winning business competition in today’s highly competitive modern era. Organizations capable of consistently maintaining service quality can more easily gain customer trust and enhance competitiveness. One of the most effective ways to ensure and maintain service quality is by implementing the international standard ISO 9001:2015. This standard not only regulates process planning and control but also emphasizes a system capable of identifying and addressing non-conformities comprehensively and continuously. 

ISO 9001 and the Importance of Quality in Operations 

According to Deming (1986), quality must be an integral part of every process within an organization. Operational challenges such as service delays, defective products, customer complaints, and third-party non-conformities can occur at any time. To systematically address these issues, ISO 9001:2015 provides a process-based approach as its primary operational foundation. This standard is not merely reactive to problems but also proactive in preventing quality failures. 

The PDCA (Plan-Do-Check-Act) Cycle in ISO 9001

By adhering to ISO 9001, organizations can execute service processes that are structured, documented, and consistently monitored. The focus is on continuous quality improvement through internal controls, precise fulfillment of customer requirements, design validation, and risk management throughout the entire service lifecycle. This process also includes oversight of external parties such as vendors and partners, ensuring service outputs meet specifications, and implementing corrective actions when non-conformities occur. 

Case Study: Apple and the Implementation of ISO 9001 in Service Quality 

Apple Inc. is recognized as a leader in technological innovation, but underlying this success is a robust and comprehensive quality management system. Apple obtained ISO 9001:2015 certification on July 16, 2020, serving as tangible evidence that they prioritize quality not just as a result, but as a planned, controlled, and continuously refined process. 

The following are the quality control stages based on ISO 9001 implemented by Apple to ensure the quality of its products and services: 

Planning and Operational Control 

Apple meticulously designs every product, from aesthetics to operation. Before launching products like the iPhone or MacBook to the global market, they develop cross-country manufacturing plans, manage logistics, and accurately handle distribution using advanced ERP and SCM systems. This ensures that every device reaches customers in perfect condition, on time, and meets quality expectations. 

Determining Product and Service Requirements 

Apple actively collects customer data through surveys, discussion forums, and user behavior monitoring. This data is translated into structured technical specifications. For instance, features like Face ID and Dynamic Island are not just the result of innovation but responses to specific user needs, combining aspects of convenience, security, and efficiency in a single technology. 

Design and Development of Products and Services 

Every Apple product development begins with in-depth research and the application of Design Failure Mode and Effects Analysis (DFMEA) techniques to anticipate potential failures from the initial design stage. Prototypes are tested through extreme simulations, durability tests, and technical and user experience validations to ensure the product genuinely meets initial design standards. 

Control of Externally Provided Products and Services 

Apple collaborates with world-class suppliers such as Foxconn, TSMC, and LG in providing key components. However, they implement routine audits, vendor evaluations, and strict Service Level Agreements (SLAs). If a component is found not to meet specifications, Apple can reject an entire production batch to ensure the quality of the final product is not compromised. 

Ensuring Production and Service Provision 

Apple integrates industrial automation and manual control into its production process. A traceability system allows for tracking every component from the supplier, installation time, to the responsible personnel. Changes to the production process can only be made if they have passed quality evaluation and have been approved by the QA/RA team. 

Quality Assurance (QA) in ISO 9001 

Apple’s QA process includes comprehensive final inspection before products are released to the market. Functional and visual testing is conducted for every unit. Test results are documented, and only products that pass all criteria are shipped to consumers. Through this step, Apple minimizes the potential for product defects in the market. 

Control of Nonconforming Outputs 

If problems are found in the market, Apple responds swiftly through recall programs or free repairs. An example is the global iPhone battery replacement program when performance degradation issues were discovered. Apple not only resolves immediate problems but also seeks the root cause and implements continuous corrective actions to prevent similar errors from recurring. 

Conclusion 

ISO 9001:2015 is more than just a certification; it is a quality management framework capable of maintaining service quality and continuously improving operational efficiency. From planning stages to controlling non-conformities, every element in this quality management system contributes to customer satisfaction and organizational competitiveness. 

Implementing ISO 9001 provides a competitive advantage through a system that supports risk identification, process evaluation, and continuous improvement. Quality is a strategy, not an administrative burden. Therefore, organizations aiming for excellence must begin to instill an ISO 9001-based quality culture in every aspect of their business. Your company can reap the same benefits with a high commitment to quality and service perfection. 

Written by Jessika Ginting – Team Leader GRC Robere & Associate (Indonesia) 


For those who wish to discuss further and explore the latest information about organizational quality management based on ISO 9001, Robere & Associates is ready to assist. Contact us now!

Corporate Governance and its Impact on Business Based on ISO 37000

In an increasingly complex business world, corporate governance is a key factor in organizational sustainability. An empirical study by Gompers, Ishii, and Metrick (2003) demonstrated that companies with strong corporate governance exhibit better financial performance and lower risk. Their findings indicate that companies with good corporate governance are more highly valued by investors, management is more accountable in business decision-making, and financial and operational risks can be effectively managed. 

ISO 37000, an international standard for governance of organizations, provides guidance for companies in implementing effective corporate governance. This standard is designed to assist organizations of various types, sizes, locations, and structures in achieving their objectives in a sustainable, ethical, and responsible manner. 

Structure of Corporate Governance Based on ISO 37000 

Corporate Governance Structure Based on ISO 37000

ISO 37000 establishes core purpose, core principles, and enabler principles that form the framework for governance of organizations to foster ethical behavior, commitment to managing duties and responsibilities, and effective performance, ultimately benefiting the company. 

Core Purpose (Objectives) 

Companies must possess a clear vision, mission, and objectives that align with stakeholder interests, focusing not only on profit but also on social and environmental impacts. Development in this context includes: 

  • Formulating organizational vision, mission, and values in line with sustainability principles. 
  • Identifying and managing risks and opportunities associated with achieving organizational objectives. 
  • Aligning organizational strategy with stakeholder expectations. 

Core Principles 

As a solid foundation, these principles support the sustainable achievement of organizational objectives. 

  1. Value Creation: Generating value for shareholders and other stakeholders through innovation, growth, and sustainability. 
  2. Strategy: Company strategy must align with stakeholder interests and sustainability principles. 
  3. Oversight: Robust oversight mechanisms to ensure the effectiveness of governance implementation. 
  4. Accountability: Ensuring that decisions are made transparently and responsibly. 

Enabler Principles 

These principles support the implementation of effective corporate governance. 

  1. Responsible Leadership: Top management must ensure transparency and accountability in company operations. 
  2. Ethics and Integrity: Organizations must apply ethical values in every aspect of their operations to maintain reputation and public trust. 
  3. Openness and Transparency: Providing relevant information to stakeholders for better decision-making. 
  4. Risk Management and Compliance: Effectively managing risks and ensuring compliance with applicable regulations. 
  5. Sustainability: Considering economic, social, and environmental impacts in decision-making. 

Outcomes of Corporate Governance 

The application of core principles and enabler principles in organizational governance ensures that every decision and action aligns with the values of sustainability, transparency, and accountability. With a strong foundation through Value Creation, Strategy, Oversight, and Accountability, supported by Responsible Leadership, Ethics and Integrity, Openness and Transparency, Risk Management and Compliance, and Sustainability, organizations can operate sustainably, responsibly, and with a clear direction in achieving long-term goals. This results in positive impacts, namely: 

  • The organization has a clear direction in achieving long-term objectives. 
  • The organization operates sustainably and responsibly. 
  • Improved accountability in organizational management. 
  • Commitment to fulfilling duties and responsibilities within the organization. 
  • Ethical behavior in all operational aspects. 
  • Higher accountability and data-driven decision-making. 
  • An organization is better prepared to face business challenges and changes. 
  • Operations that are responsible for the environment and society. 

Benefits of Corporate Governance 

  1. Enhancing stakeholder trust, competitiveness, company reputation, company market value, operational efficiency, relationships with investors and business partners, efficiency in decision-making, customer & business partner trust, and positive company image. 
  2. Ensuring business continuity, long-term growth, professional management of the company, compliance with applicable regulations, and long-term business sustainability. 
  3. Reducing business & compliance risks and potential losses due to unmanaged risks. 
  4. Avoiding scandals or ethical violations, legal sanctions & fines, and potential legal risks. 
  5. Facilitating access to funding sources and investments. 
  6. Attracting more sustainability-conscious investors. 

Conclusion 

ISO 37000 provides a comprehensive framework for effective organizational governance. By implementing the core purpose, core principles, and enabler principles, companies can achieve ethical behavior, commitment to duties and responsibilities, and effective performance. This will provide various benefits, including enhanced stakeholder trust, reduced business risks, improved operational efficiency, and ensured compliance and long-term sustainability. 

Written by Firmansyah Lubis – Consultant GRC Robere & Associate (Indonesia) 


For those who wish to discuss further and explore the latest information on corporate governance based on ISO 37000, Robere & Associates is ready to assist. Contact us now!

Latest Update on ISO 37001:2025: Streamlining and Enhancing Anti-Bribery Management Systems

ISO 37001:2025 represents the latest iteration of the anti-bribery management system, emphasizing the establishment of a culture of integrity, transparency, openness, and compliance. This article will delve into the key updates within ISO 37001:2025 and their implications for organizations implementing this standard. These updates aim to enhance the effectiveness of anti-bribery management systems and ensure compliance with applicable regulations. 

ISO 37001:2025: An Effective Anti-Bribery Management System 

ISO 37001 is an anti-bribery management system designed to protect organizations from bribery practices in a structured and measurable manner. ISO 37001:2025 focuses on fostering a culture of integrity and transparency through the following key elements: 

  1. Proportional Procedure: Policies and procedures utilized in the implementation of the anti-bribery management system must be proportional to the risks faced by the organization. This ensures that the measures taken are commensurate with the level of bribery risk present. 
  2. Communication: Clear and effective communication between internal and external parties is crucial to ensure a shared understanding and acceptance of the implemented anti-bribery policies. This will strengthen system implementation across all organizational levels.
  3. Monitoring & Review: Regular monitoring and review of the implemented anti-bribery management system are essential to ascertain the effectiveness of existing policies and ensure the system remains relevant and efficient in addressing potential bribery.
  4. Risk Assessment: Organizations must possess a comprehensive awareness of potential bribery risks. A meticulous risk assessment will assist organizations in implementing appropriate mitigation strategies and minimizing potential negative impacts. 
  5. Due Diligence: The due diligence process needs to be conducted to thoroughly examine processes or parties with a high bribery risk, with the aim of identifying and addressing potential threats. 
  6. Top-Level Commitment: Commitment from the organization’s leadership is paramount as a role model in implementing the anti-bribery management system. Leaders must ensure that all personnel within the organization actively support anti-bribery policies and ensure the sustainability of this program. 

Significant Changes in ISO 37001:2025 

With the launch of ISO 37001:2025, several important changes have been introduced to refine the anti-bribery management system. The following updates require attention: 

  1. Governing Body No Longer Optional: The Governing Body, along with the organization’s leadership, is now mandated to be involved in and support anti-bribery commitment throughout the organization. Organizations must ensure that leadership plays a primary role in promoting anti-bribery policies. 
  2. Development of an Anti-Bribery Culture: Organizations are required to develop, maintain, and promote an anti-bribery culture at all organizational levels, ensuring that all parties understand the importance of integrity and adherence to anti-bribery policies. 
  3. Planned Changes to the Anti-Bribery Management System: When organizations determine the need to make changes within the anti-bribery management system, such changes must be executed in a planned manner to ensure the system’s continued effectiveness. 
  4. Personnel Awareness of Conflicts of Interest: Personnel must be educated on the importance of reporting potential and existing conflicts of interest to ensure transparency and compliance with anti-bribery policies. 
  5. Training for Personnel and Business Partners: Organizations must ensure that personnel and business partners are aware of their responsibilities within the implemented anti-bribery management system and adhere to established standards by providing training facilities that can enhance their knowledge related to the Anti-Bribery Management System. 

Impact of Updates on Organizations 

With the updates in ISO 37001:2025, organizations will experience various benefits: 

  • Ease of Implementation: With more efficient structuring and simpler integration of controls, organizations can more easily implement the anti-bribery management system without compromising its effectiveness. 
  • Improved Compliance: The focus on regulatory compliance and stakeholder engagement will ensure that anti-bribery policies are not only adhered to internally, but also by partners and third parties interacting with the organization. 
  • Increased Transparency: These updates also strengthen reporting mechanisms, thereby enhancing the organization’s transparency and accountability in addressing bribery-related issues. 

Advantages of Implementing an Anti-Bribery Management System for Your Organization 

ISO 37001:2025 provides a more solid foundation for organizations to manage bribery risks and achieve better governance. With its simpler and more focused updates, the standard is more accessible and applicable, both for organizations new to implementing it and for those that have previously adopted ISO 37001. 

If your organization aims to strengthen its anti-bribery management system, ISO 37001:2025 is the right step. Effective implementation will help enhance integrity, transparency, and compliance across all aspects of your business operations. 


Ready to Transition to ISO 37001:2025? We Are Here to Help! 

We at Robere & Associates (Indonesia) are ready to assist you in the swift and efficient implementation and transition process to ISO 37001:2025. Gain full support to ensure your anti-bribery system complies with the latest standards. 

Contact Us Now via WhatsApp Robere for the ISO 37001:2025 Transition Program!

Transforming Organizational Learning Through the Integration of ISO 21001 and ISO 30422

Have you ever felt that education and training processes in Indonesia are not optimally managed? Poorly managed education and training have widespread impacts, ranging from low graduate quality to a lack of workforce competitiveness in the global market. This necessitates a learning transformation driven by ISO 21001 and ISO 30422. 

The Impact of Curricula Irrelevant to Industry Needs 

Curricula that fail to align with industry demands lead to many graduates lacking relevant skills, consequently increasing intellectual unemployment. Furthermore, inadequate educational infrastructure and inefficient management often result in disparities in access to education, particularly in remote areas. This reinforces the cycle of social and economic inequality, slowing national development and hindering Indonesia’s potential to compete internationally. If left unaddressed, the long-term consequences could be a weakening of national innovation and productivity. 

Challenges for Organizations in Managing Effective Internal Curricula 

Organizations with internal curricula face the challenge of ensuring their learning systems are efficient, relevant, and aligned with stakeholders’ needs. In this regard, ISO 21001:2018 and ISO 30422:2022 offer a framework that supports the structured and sustainable management of educational systems. The integration of these two standards can assist organizations in achieving their strategic objectives through an operational and data-driven approach. 

ISO 21001 Provides a Framework for Effective Educational Systems 

ISO 21001 is a standard designed to enhance the quality of management systems for educational organizations. The primary focus of this standard is to ensure that educational processes align with the needs of learners and the organization’s strategic objectives. In an operational context, ISO 21001 covers: 

  1. Curriculum Planning and Educational Processes: under the ISO 21001 standard, organizations must identify educational needs by understanding the requirements of learners and other interested parties (such as the parties who will make use of the learners’ competencies), the strategic direction of the organization, and other considerations. The identified educational needs are then integrated into the curriculum, which is expected to support the performance of both the learners and the organization. 
  2. Operational Process Management: ISO 21001 provides guidance for controlling and evaluating every stage of learning, from curriculum design to implementation and assessment. 
  3. Continuous Improvement: by utilizing the Plan-Do-Check-Act (PDCA) cycle, organizations can continuously refine learning programs based on evaluation results. 

ISO 30422’s Contribution to Workplace Learning Management 

ISO 30422 focuses on managing learning and development in the workplace. This standard provides a framework to ensure that learning programs are oriented towards the organization’s strategic needs. Some of its contributions include: 

  1. Identification of Learning Needs: by conducting skill gap analysis, organizations can ensure that every learning program is designed according to individual needs and the organization’s strategic direction. 
  2. Implementation of Learning Programs: ISO 30422 supports both formal learning methods, such as classroom-based training, and informal methods, such as mentoring, team learning, e-learning, or reflective learning. 
  3. Evaluation of Training Effectiveness: this standard provides a framework for evaluating the impact of learning, both in the context of individual achievement and contribution to organizational strategic goals. Several recommended methods for evaluating training effectiveness include:
    • Measurement of trainee reactions; 
    • Measurement of trainee participation and engagement;
    • Measurement of learning costs; and 
    • Measurement of learning outcomes, such as improvements in competence and performance. 

Integration of ISO 21001 and ISO 30422 

The integration of these two standards provides a holistic approach to improving the operational efficiency of educational organizations: 

  1. Comprehensive Educational Organization Management System: ISO 21001 provides a framework for educational organizations to manage their quality, but it does not offer detailed guidance on the processes of planning, implementing, and evaluating training. That detailed guidance is available in ISO 30422, which gives specific instructions on how organizations can identify educational needs, design educational requirements, and implement specific evaluation mechanisms. 
  2. Structured Implementation: the combination of both standards allows organizations to design and implement efficient learning programs suitable for both classroom-based and work-based learning. 
  3. Continuous Evaluation and Improvement: with a requirements-based approach from both standards, organizations can continuously evaluate and refine their learning programs to ensure optimal results. 

The application of ISO 21001 and ISO 30422 in organizations with internal curricula provides a structured framework for enhancing the effectiveness of learning processes. By integrating these two standards, organizations can ensure that their educational systems are not only relevant and efficient but also capable of meeting stakeholder needs and supporting organizational strategy sustainably. This approach makes organizations more adaptive, innovative, and prepared to face future challenges. 

Written by Farrah Alizah Larasati – Lead Consultant GRC Robere & Associates (Indonesia), 2025 


For those who wish to discuss further and explore the latest information on education management systems based on ISO 21001 and ISO 30411, Robere & Associates is ready to assist. Contact us now!

The Importance of Effective Records Management for Organizations

Have you ever purchased fried snacks only to be surprised to find them wrapped in important documents such as diplomas, family cards, or even other critical papers? While such a situation might elicit a chuckle, it also serves as a stark reminder of the paramount importance of sound records management. Without proper management, your valuable documents could end up in unforeseen places. 

Effective records management is a crucial component in supporting an organization’s sustainability in conducting its business processes. Records not only serve as evidence of business activities but also as strategic information assets that can foster efficiency, accountability, and business continuity when properly managed. To ensure optimal records management, organizations can refer to international standards such as ISO 30301:2019 and ISO 15489:2016, which provide guidelines and a framework for records management tailored to organizational needs. 

What is ISO 30301:2019? 

ISO 30301:2019 is an international standard for a Management System for Records. This standard outlines requirements that can assist organizations in designing, implementing, and maintaining an effective and efficient records management system. 

Steps for Implementing ISO 30301:2019 

In implementing ISO 30301, organizations need to formulate a policy for records management, starting with: 

  • Commitment from top management articulated in a records policy; 
  • Provision of necessary resources for the implementation of the records management system, including but not limited to human resources, infrastructure, finance, and other available resources; 
  • Establishment of records management policies; 
  • Provision of a records system to support records management; and 
  • Evaluation of the records management system’s performance to ensure its effective and efficient implementation. 

What is ISO 15489:2016? 

Unlike ISO 30301, which is a standard for a Records Management System, ISO 15489:2016 provides guidelines for records management within organizations, encompassing processes such as creation, storage, loan/use, maintenance, and disposition. 

Key Aspects in ISO 15489:2016 

  1. Records Creation Organizations must ensure that records created possess characteristics of authenticity, reliability, and integrity. Records creation in each organization can refer to applicable official correspondence regulations. 
  2. Records Classification and Filing Organizations need to ensure that created records are grouped according to their subject matter, given identification that describes their content, and classified according to their content. 
  3. Records Storage Organizations must ensure that records are stored in adequate storage facilities and spaces that guarantee readability throughout their retention period. 
  4. Records Disposition Records disposition must be carried out in accordance with classification provisions and records retention schedules, and with appropriate records disposition methods. 

Key Aspects in Implementing Records Management 

Implementing ISO 30301 and ISO 15489 standards requires special attention to various aspects to ensure effective and efficient records management. Both standards provide a comprehensive framework for records management, both in terms of the management system and operational practices. Some aspects that need consideration when implementing these two standards include: 

  1. Leadership and Commitment Top management must demonstrate full support by establishing records policies, ensuring the availability of necessary resources, and promoting the importance of records management. 
  2. Policies and Objectives Organizations must define clear records policies and measurable objectives to ensure all records activities align with business goals and operational needs. 
  3. Establishing Records Classification and Retention Periods Organizations must establish records classification and retention periods as a guide for managing and storing records. 
  4. Records Management Operations Records must be managed from creation to disposition, including filing and classification, storage, maintenance, and destruction. 
  5. Performance Evaluation Regularly evaluate the implementation of the records management system through internal audits and management reviews to ensure effectiveness and conformity with the standards. 

Benefits of Implementing ISO 30301 and ISO 15489 for Organizations 

The implementation of ISO 30301 and ISO 15489 standards can provide various strategic benefits for organizations, including reducing the risk of losing important information required by the organization and ensuring that records are managed in accordance with applicable national and international regulations and requirements. 

Through the adoption of international standards like ISO 30301:2019 and ISO 15489:2016, organizations can ensure that records are managed systematically and in a structured manner. By adopting best practices from both standards, organizations not only protect their information assets but also enhance efficiency, accountability, and competitiveness in the long run. Therefore, sound archival management should be an integral part of an organization’s strategy to achieve sustainable business objectives. 

Written by Satrio Adhi Pradana – Lead Consultant GRC Robere & Associates (Indonesia), 2025 


For those who wish to discuss further and explore the latest information on records management systems based on ISO 30301 & ISO 15489, Robere & Associates is ready to assist. Contact us now!

Asset Inventory: Effective Strategies for Managing and Optimizing Company Assets

Assets are a crucial pillar for companies to achieve optimal business processes and compete with other organizations. Many companies do not effectively manage their assets, hindering their planned growth. One of the primary reasons for this is a lack of transparent and optimal asset inventory processes. 

What is Asset Inventory? 

Asset inventory is a vital process within the asset management lifecycle, involving the identification and reconciliation of recorded assets with those managed by the company. Managed assets can include: 

  • Physical assets / fixed assets: such as buildings, vehicles, and equipment. 
  • Intangible assets: such as copyrights, licenses, software, and company inventory items. 

The purpose of conducting asset inventory is to ensure that all assets are properly recorded, maintained, and optimally utilized to support the achievement of company objectives.

Benefits of Asset Inventory for Companies 

While numerous challenges exist in conducting asset inventory, it is essential to recognize the positive impacts derived from a well-executed asset inventory process: 

  1. Data Transparency and Accuracy, by performing asset inventory, companies gain accurate and transparent data regarding the quantity, type, location, and condition of their assets. This is crucial for data-driven decision-making, including the presentation of asset data in the company’s financial reports. 
  2. Efficient Asset Management, asset inventory helps companies identify assets that are no longer usable or are unproductive, allowing for optimization as needed or their derecognition. 
  3. Asset-Related Risk Management, with proper asset recording, the risks of loss, damage, or misuse of assets can be minimized. 
  4. Regulatory Compliance, many regulations related to the business processes of certain companies require complete and detailed asset records. The asset inventory process helps ensure compliance with these regulations. 

Enhancing Asset Inventory Effectiveness with Technology 

To support companies in conducting quick and effective asset inventory processes, several solutions can be implemented: 

  • Software-based asset management systems or applications that enable automated and real-time asset recording and tracking. 
  • Technologies such as QR codes, RFID (Radio Frequency Identification), and IoT (Internet of Things) that can simplify asset identification and monitoring processes. 

Is Technology Sufficient for Asset Inventory Optimization? 

If asset management is currently performed manually, an improvement can be made by using a user-friendly asset management system or application that accommodates the company’s required asset data. 

However, if the company already uses a sophisticated asset management system or application, here are some further enhancements that can be made from the results of asset inventory to support a more optimal asset inventory process: 

  1. Proposing asset optimization considering ESG (environment, social, and governance) factors. 
  2. Regular updates for the security system used for assets, especially for systems or applications used by the company. 
  3. Implementing international standards such as ISO 55001 Asset Management System. 
  4. Utilizing Artificial Intelligence (AI) to provide predictive analytical data for assets, such as maintenance processes that consider the asset’s history. 

With the steps outlined above, companies will not only be able to manage assets effectively but are also expected to optimize asset value to support future business growth and sustainability. A well-executed asset inventory is a long-term investment that will positively impact company performance. 

Written by Hilman Badhi Adikara – Team Leader GRC Robere & Associates (Indonesia), 2025. 


For those who wish to discuss further and explore the latest information on Asset Inventory based on ISO 55001, Robere & Associates is ready to assist. Contact us now!

Enhancing Organizational Data Reliability and Consistency with ISO 8000-1:2022

ISO 8000-1:2022 is an international standard that governs Data Quality Management, ensuring that data used within organizational systems is accurate, reliable, and trustworthy. This standard provides structured guidance for organizations in data management, thereby improving operational efficiency, reducing the risk of errors, and ensuring compliance with data regulations. 

Key Principles of ISO 8000-1 

ISO 8000-1:2022 establishes several key principles for managing data quality, including: 

  • Data Identification and Documentation: Organizations must be able to identify the data used in their operational processes and document its characteristics and attributes. 
  • Data Accuracy: Data must be accurate and relevant for its intended purpose. 
  • Data Interoperability: Data should be easily usable and exchangeable between different systems and organizations. 
  • Data Security: Organizations must ensure that data is protected from potential security and privacy threats. 
  • Data Availability: Data must be available in a timely manner when needed. 
  • Data Measurability: Data must be measurable and assessable to ensure its quality. 

ISO 8000-1:2022 Framework 

  1. Data Roles in ISO 8000-1:2022

ISO 8000-1:2022 categorizes data into several main types: 

  • Master Data Master data is core data that defines essential business elements within an organization. It serves as a single source of truth to support key business processes and forms the foundation for consistency and interoperability within the organization. Examples include customer data, product data, supplier data, location data, and employee data. ISO 8000-1:2022 emphasizes that organizations should have robust Master Data Management (MDM) before further implementation. Master data must meet quality criteria such as accuracy, completeness, and consistency. 
  • Reference Data Reference data consists of standardized data that provides context or classification for other data. It supports interoperability and data exchange across systems or organizations and helps align terminology and data classification for uniformity. Examples include postal codes, telephone area codes, currencies, units of measurement, and international standards. ISO 8000-1:2022 stresses that reference data should be documented with clear metadata to ensure consistent use, and it encourages the use of open-standard based reference data to enhance reliability in data integration. 
  • Transactional Data Transactional data is generated from day-to-day business activities. It provides a record of activities that support operational processes and is used for data-driven analysis and decision-making. Examples include sales invoices, purchase orders, and financial transaction reports. ISO 8000-1:2022 emphasizes that the quality of transactional data is highly dependent on the quality of master data and reference data, ensuring that transactional data is well-structured and has clear traceability. 
  • Metadata Metadata is data about data, describing its attributes, structure, and context. It enhances data understanding and interoperability and ensures transparency in data management. Examples include data element names, data types, formats, and relationships between data. ISO 8000-1:2022 highlights that metadata is a key element in this standard for supporting data quality documentation and validation, requiring the use of standardized metadata as the basis for data quality management. 
  • Derived Data Derived data is data generated from the manipulation or combination of other data. It adds value through data processing and supports strategic decision-making. Examples include analytical reports, data-driven predictions, and Key Performance Indicators (KPIs). ISO 8000-1:2022 emphasizes that derived data must be based on quality data to produce accurate and reliable outputs. 
  • Historical Data Historical data represents past information. It supports trend analysis and historical reporting and is useful for regulatory compliance and audits. Examples include transaction history, annual sales data, and patient medical records. ISO 8000-1:2022 stresses that historical data must be properly stored and managed to ensure accessibility and authenticity. 

The roles of data in ISO 8000-1 encompass various data types that work together to ensure data integrity, consistency, and interoperability within an organization. Master data and reference data form the core that supports transactional data, metadata, derived data, and historical data. Implementing ISO 8000-1 requires a comprehensive approach to ensure each data type is managed in accordance with data quality principles. 

  2. Data Architecture in ISO 8000-1:2022

This framework encompasses how data is organized, stored, accessed, and managed within an organization. This architecture is designed to ensure that the data used meets quality standards, is accessible, and supports operational and business decision-making. Key Components of Data Architecture: 

  • Data Structure Identifies how data is organized, including its format, data types, and relationships between data elements. Example: A database designed with entities such as “Customers,” “Products,” and “Transactions.” 
  • Metadata Management Metadata supports transparency and understanding of data by explaining attributes and relationships between data elements. 
  • Data Processes and Flow Defines how data moves throughout systems, from input to processing and output. 
  • Data Security and Access Regulates access rights and controls to ensure data security, including protection against breaches or misuse. 

Furthermore, a Data Dictionary is also an important part of data architecture, serving as official documentation regarding the data within a system. A data dictionary is a structured collection of information that records: 

  • The definition of each data element. 
  • Data structure (data type, length, format). 
  • Data attributes (relationships with other elements, default values, etc.). 

A data dictionary typically includes the following information: 

  • Data Element Name: A unique name for each element. 
  • Description: An explanation of the data element’s purpose. 
  • Data Type: Such as string, integer, or date. 
  • Format: Specifications on how the data is presented (e.g., “YYYY-MM-DD” for dates). 
  • Allowed Values: If any, such as a list of codes or numerical constraints. 
  • Data Relationships: Explains relationships with other data elements. 

Relevance of Data Architecture and Data Dictionary to ISO 8000-1 

ISO 8000-1 emphasizes the importance of good documentation, including a data dictionary, as part of quality data management. A data dictionary helps organizations achieve transparency, consistency, and traceability in data usage. The elements within a data dictionary support data validation processes, interoperability, and improved data-driven decision-making. A sound data architecture, supported by a data dictionary, enables organizations to ensure that data is reliable, standard-compliant, and supports business objectives. 

  3. Scope of ISO 8000-1 Implementation

The scope of implementation begins with determining the types of data that are prioritized for management. This includes identifying data critical to the operational or strategic success of the organization. Examples of Implementation Scope Based on Data Type: 

  • Retail Companies: Focus on product data, including product catalogs, pricing, stock, and suppliers. The objective is to improve inventory management efficiency and customer experience. 
  • Accounting Firms: Focus on financial records, such as transaction reports, ledgers, and audit data. The objective is to ensure compliance with financial regulations and enhance reporting accuracy. 
  • Government Organizations: Focus on population data (e.g., demographic data from Dukcapil) or tax data. The objective is to improve public services and transparency. 

Determining the scope of ISO 8000-1 implementation is highly flexible and adapted to the specific needs of the organization. Identifying the data to be managed is the crucial first step to ensure that data quality management efforts focus on the elements that provide the greatest impact for the business. With this approach, organizations can maximize the benefits of implementing the ISO 8000-1 standard. 

  4. Data Owning Industries

ISO 8000-1 is designed to be flexible and adaptable to the specific needs of various industries. To this end, the standard has extensions that support data management according to the characteristics and requirements of particular industries. Here is an explanation of the standard’s application based on industry type: 

  • Manufacturing Industry The manufacturing industry requires highly precise data management to ensure efficient and accurate supply chains. Extension Used: ISO 8000-115 (Smart Prefix), which functionally helps in the unique identification of components, products, or items within the supply chain. Example Implementation: Identifying components such as bolts, nuts, or electronic modules with unique codes that can be recognized by all parties in the supply chain. 
  • Banking Industry Banking focuses on managing transactional data, customer data, and digital format-based documents, especially XML (Extensible Markup Language). Extension Used: ISO 22745, which functionally supports efficient and consistent XML-based data exchange. Example Implementation: Interbank transaction data using standardized XML format to ensure smooth information exchange. 
  • Legal Industry In a legal context, data is often used for documentation, regulatory compliance, and legal document storage. Extension Used: ISO 8000-116, which functionally provides standards for managing data relevant to legal or regulatory contexts. Example Implementation: Management of contracts or agreements accompanied by standardized metadata such as creation date, involved parties, and reference numbers. 

Data-owning industries have different needs, and ISO 8000-1 provides flexibility through specialized extensions, such as ISO 8000-115 for manufacturing, ISO 22745 for banking, and ISO 8000-116 for legal. By applying these extensions, organizations can ensure that their data management aligns with specific industry needs, supports interoperability, and improves overall data quality. 

  5. Quality Identifier (QI)

A Quality Identifier (QI) is a key element in ISO 8000-1 aimed at providing unique, accurate, and reliable identification for data, as well as ensuring the traceability of the data’s source or owner. For example: 

  • Banking Data: A key identifier such as BRI123456789 can be used to indicate that the data belongs to Bank BRI. 
  • Population Data: NIK (Nomor Induk Kependudukan) data from Dukcapil is equipped with a unique key identifier for each individual. 
  • Health Data: Data belonging to BPJS (Indonesia’s National Health Insurance) is given a unique identifier, e.g., BPJS-5678-2025, to differentiate it from other healthcare providers. 

A Quality Identifier is a crucial element in managing quality data. By providing unique and clear identification for each data element, QI supports accountability, transparency, and efficiency in data management and exchange. Its implementation allows organizations to ensure that the data they use is trustworthy, free from duplication, and easily integrated into broader systems. 
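The data dictionary described in the Data Architecture section above (element name, description, data type, format, allowed values, relationships) and the duplicate-free identification this Quality Identifier section calls for can both be exercised by a small validator. The following Python program is an added example and is not code from the article or from ISO 8000-1 itself; the element names, the CUST-nnnnnn identifier pattern, the allowed country codes and the sample records are constructed assumptions for illustration.

```python
"""Validate records against a small data dictionary, ISO 8000-1 style.

Added example, not from the original article or from the standard. Every
element name, format and sample value below is constructed for illustration.
"""
import re
from datetime import datetime

# Constructed data dictionary: one entry per data element, carrying the fields
# the article lists. 'unique' marks a quality identifier that must not repeat.
DATA_DICTIONARY = {
    "customer_id": {"description": "Quality identifier of the customer record (assumed pattern)",
                    "type": str, "format": r"^CUST-\d{6}$", "required": True, "unique": True},
    "country_code": {"description": "ISO 3166-1 alpha-2 code (reference data, constructed subset)",
                     "type": str, "allowed_values": {"ID", "SG", "MY"}, "required": True},
    "created_on": {"description": "Creation date of the record",
                   "type": str, "format": "%Y-%m-%d", "required": True},  # YYYY-MM-DD
    "credit_limit": {"description": "Credit limit in IDR, non-negative",
                     "type": int, "min_value": 0, "required": False},
}


def _format_ok(value, fmt):
    """A format starting with '%' is a strptime date pattern; otherwise a regex."""
    if fmt.startswith("%"):
        try:
            datetime.strptime(value, fmt)
            return True
        except ValueError:
            return False
    return re.fullmatch(fmt, value) is not None


def validate_record(record, dictionary=DATA_DICTIONARY):
    """Return a list of (element, problem) pairs; an empty list means the record conforms."""
    problems = []
    for name, spec in dictionary.items():
        if record.get(name) is None:
            if spec.get("required"):
                problems.append((name, "missing required element"))
            continue
        value = record[name]
        if not isinstance(value, spec["type"]):
            problems.append((name, f"expected {spec['type'].__name__}"))
            continue
        if "format" in spec and not _format_ok(value, spec["format"]):
            problems.append((name, f"does not match format {spec['format']}"))
        if "allowed_values" in spec and value not in spec["allowed_values"]:
            problems.append((name, f"value {value!r} not in allowed values"))
        if "min_value" in spec and value < spec["min_value"]:
            problems.append((name, f"below minimum {spec['min_value']}"))
    # An element the dictionary does not describe is a documentation gap.
    for name in record:
        if name not in dictionary:
            problems.append((name, "element not documented in data dictionary"))
    return problems


def validate_dataset(records, dictionary=DATA_DICTIONARY):
    """Validate each record and flag repeated quality identifiers.

    Returns {record_index: [problems]} for records with at least one problem.
    """
    report = {}
    seen = {name: {} for name, spec in dictionary.items() if spec.get("unique")}
    for idx, record in enumerate(records):
        problems = validate_record(record, dictionary)
        for name in seen:
            value = record.get(name)
            if value is None:
                continue
            if value in seen[name]:
                problems.append((name, f"duplicate of record {seen[name][value]}"))
            else:
                seen[name][value] = idx
        if problems:
            report[idx] = problems
    return report


# Constructed sample records: two clean, one with a bad date, country and limit,
# one duplicating an identifier, and one with a short id plus an undocumented element.
SAMPLE_RECORDS = [
    {"customer_id": "CUST-000001", "country_code": "ID", "created_on": "2025-01-15", "credit_limit": 5000000},
    {"customer_id": "CUST-000002", "country_code": "SG", "created_on": "2025-02-01"},
    {"customer_id": "CUST-000003", "country_code": "UK", "created_on": "15/01/2025", "credit_limit": -1},
    {"customer_id": "CUST-000001", "country_code": "MY", "created_on": "2025-03-10"},
    {"customer_id": "CUST-00004", "country_code": "ID", "created_on": "2025-03-11", "branch": "Jakarta"},
]

if __name__ == "__main__":
    for idx, problems in validate_dataset(SAMPLE_RECORDS).items():
        for element, problem in problems:
            print(f"record {idx}: {element}: {problem}")
```

The dictionary drives every check, so adding a data element means adding one documented entry rather than another hand-written rule; the undocumented-element check enforces the documentation discipline the section stresses, and the uniqueness pass over the identifier is the duplicate detection a Quality Identifier is meant to make possible.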

Benefits of Implementing ISO 8000-1:2022 

Implementing ISO 8000-1:2022 provides various benefits for organizations, including: 

  1. Improved Data Quality ISO 8000-1:2022 helps organizations ensure that the data used in business processes is accurate, complete, consistent, and reliable. Improved data quality contributes to more precise and faster decisions. 
  2. Operational Efficiency With well-managed data, organizations can reduce the time spent searching for, cleaning, and correcting inaccurate data. It also helps reduce duplication and promotes more efficient workflows. 
  3. Reduced Business Risk Poor data can lead to operational and financial errors. With better data quality, organizations can reduce potential risks related to data errors, for instance, in financial reports or regulations. Implementing ISO 8000-1:2022 helps minimize errors in data that can affect business decisions. 
  4. Increased Customer Trust Customers tend to trust organizations more that demonstrate a commitment to quality data management and transparency. Implementing ISO 8000-1:2022 can serve as proof that the organization cares about the quality and integrity of the data it manages. 
  5. Supports Digital Transformation Good data management is the foundation of many digital transformation initiatives. ISO 8000-1:2022 facilitates the use of new technologies, such as big data and analytics, by ensuring the quality of managed data. 

By implementing the ISO 8000-1:2022 standard, organizations can improve overall data management, which can support better decision-making, reduce operational costs, and enhance customer satisfaction. 

Written by Syifa Aulia Sari – Team Leader IT GRC Robere & Associates (Indonesia), 2025 


Discuss With Us!

For those who wish to discuss further and explore the latest information on IT GRC that can be developed within your organization, Robere & Associates is ready to assist. Contact Us! 

Understanding Exemplar Global and CQI IRCA International Certifications: Why Are They Essential for Your Professional Development?

In today’s increasingly competitive professional landscape, obtaining international certification is a strategic move to demonstrate global competence and credibility. This certification not only helps individuals enhance skills aligned with industry standards but also provides formal recognition of abilities relevant to organizational needs. 

The Importance of International Certification 

For companies, the presence of internationally certified individuals strengthens reputation and ensures compliance with global standards in quality management, information security, and risk management. 

Prominent names in the field of training offering international certification often include CQI IRCA, Exemplar Global, PECB, Axelos, and many others. This article will focus on two of the largest and most globally recognized organizations: CQI IRCA and Exemplar Global. Here’s an overview of both: 

Exemplar Global

Exemplar Global is an international organization that provides certification for professionals in various roles, such as auditors, trainers, and consultants in management systems. With a focus on competency development, Exemplar Global certifications are designed to ensure professionals meet internationally recognized standards across diverse sectors. 

  • Focus Areas: Certification for individuals and training organizations across various industries. 
  • Key Advantages: Exemplar Global certification is widely recognized in sectors including manufacturing, technology, and healthcare. 

CQI IRCA (Chartered Quality Institute & International Register of Certificated Auditors)

CQI IRCA is a leading professional body that manages the registration of certified auditors across various management system standards. As part of the Chartered Quality Institute (CQI), IRCA supports the development of competent auditors through internationally recognized training and accreditation. 

  • Focus Areas: Auditor certification for diverse management system standards such as ISO 9001 (quality), ISO 27001 (information security), ISO 22301 (business continuity), and ISO 45001 (occupational health and safety). 
  • Key Advantages: Widely recognized in the global market, particularly in Europe and Asia, serving as a benchmark for professional auditors. 

Professional Training Partners 

Numerous professional training organizations are recognized by Exemplar Global and CQI IRCA, one of which is Robere & Associates. With over 35 years of experience, this institution provides internationally certified training programs to support professional development in various fields, including Information Security Management Systems, Anti-Bribery Management Systems, Quality Management Systems, and Business Continuity Management Systems. 

Benefits of International Certification 

Here are several reasons why international certification is an excellent choice for those seeking to enhance their competence: 

  • Global Recognition: Certification validates your expertise, gaining worldwide recognition and enhancing your competitiveness in the international job market. 
  • Career Advancement: Opens opportunities for strategic positions such as risk manager, senior auditor, or even as an advisor within an organization. 
  • Professional Confidence: With certification, you establish a strong foundation for building credibility in your specific area of expertise. 
  • Contribution to Organizations: Helps organizations achieve compliance with global standards, improve efficiency, and strengthen their reputation in the international market. 

Obtaining international certification, such as those offered by Exemplar Global and CQI IRCA, is a crucial step to enhance your professional competence, unlock broader career opportunities, and make significant contributions to your organization. With global recognition, these certifications ensure you are well-prepared to meet the evolving challenges of your industry. 

For more information on our international certified training programs, please contact us at 0811-9555-476 for the latest public training schedule!

Written By, Marketing Communication – Robere & Associates (Indonesia), 2025 

ISO 27001 to Support Organizational ESG Aspects

By Maulana Iqbal Ruswandi, Lead Consultant IT GRC – Robere & Associates (Indonesia) 

In the contemporary business landscape, ESG (Environmental, Social, and Governance) has become a crucial aspect that organizations must consider in their operations. These three aspects are frequently utilized to measure an organization’s impact and business sustainability. 

The Importance of ESG in the Business World 

ESG aspects influence various organizational operational facets, public perception, and an organization’s market value. Below is an elaboration of the ESG aspects: 

  • Environmental: Measures an organization’s impact on the environment, including waste management, resource utilization, environmental preservation, and climate change-related policies. 
  • Social: Assesses a company’s interactions with employees, suppliers, customers, and authorities. The focus is on meeting expectations and needs, working conditions, health and safety, and relationships with specific interest groups. 
  • Governance: Refers to leadership, auditing, internal controls, and the fulfillment of shareholder rights. It is crucial for ensuring reliability in company management, mitigating risks of performance decline and reputational damage. 

Information Security Management and ESG 

To support ESG aspects, organizations need to enhance information security management within their business operations. One international standard that can be referenced is ISO/IEC 27001:2022, which focuses on maintaining the availability, confidentiality, and integrity of information and information processing facilities. 

While its primary focus is on information security, the implementation of ISO/IEC 27001:2022 can provide positive impacts on ESG aspects: 

  • Environmental Impact: In Clause 4.1, the ISO/IEC 27001:2022 standard requires organizations to identify internal and external issues by considering climate change and environmental aspects. An example is the adoption of paperless methods for document management, which not only reduces the risk of document damage and theft but is also environmentally friendly. 
  • Social Impact: This standard can enhance the protection of personal data and intellectual property rights (IPR), which are central to social responsibility. Effective data management and protection demonstrate a commitment to privacy and security, building customer trust. 
  • Governance Impact: ISO/IEC 27001:2022 establishes a framework for implementing an information security management system that encompasses planning, implementation, evaluation, and follow-up. This assists organizations in implementing sound information security governance. 

Conclusion 

The implementation of ISO/IEC 27001:2022 in information security management yields significant positive impacts on ESG aspects within organizations. This implementation not only enhances the quality and added value of an organization but also ensures more sustainable and responsible operations. 


Discuss With Us! 

For those who wish to discuss further and explore the latest information on Information Security based on ISO/IEC 27001:2022, Robere & Associates is ready to assist. Join us now! 


Enhancing Performance Through Effective Corporate Governance

Written By: Hilman Badhi Adikara, GRC Team Leader – Robere & Associates (Indonesia) 

Corporate governance serves as the fundamental bedrock for any company’s success. In the current era of globalization and escalating competition, companies that adeptly implement sound corporate governance practices possess a significantly greater likelihood of achieving sustainable growth. Corporate governance can be defined as the framework and management practices employed by a company to oversee and direct its operations. This encompasses the relationships among shareholders, the board of commissioners, the board of directors, and other relevant stakeholders. 

To ensure effective implementation, companies can adhere to relevant regulations pertinent to their business processes or consult other reference frameworks on corporate governance. 

Why is Corporate Governance Crucial for Companies? 

Fundamentally, corporate governance represents the essential foundational rules that companies must possess to support effective and efficient business processes and to facilitate the achievement of corporate objectives. Unfortunately, several companies currently do not fully comprehend the paramount importance of robust corporate governance. 

Key benefits of implementing sound corporate governance include: 

  • Enhancing long-term stakeholder value. 
  • Effective stewardship of resources. 
  • Increased corporate resilience and performance. 
  • Improved decision-making effectiveness. 
  • Better personnel composition and retention within the company. 
  • Fostering greater trust from parties with vested interests in the company. 
  • Increasing the value of intangible assets, such as reputation, public image, and public trust. 

Regulatory References in Indonesia for Corporate Governance 

Regarding the implementation of corporate governance, Indonesian regulators have established several regulations that dictate how companies should apply governance based on their specific business processes. Below are some regulatory references categorized by company type in Indonesia: 

Company Type | Corporate Governance Regulation
State-Owned Enterprises (BUMN) | Minister of SOE Regulation Number 2 of 2023 concerning Guidelines for Corporate Governance and Significant Corporate Activities of State-Owned Enterprises
Insurance Companies | Financial Services Authority Regulation Number 73/POJK.05/2016 concerning Good Corporate Governance for Insurance Companies; Financial Services Authority Regulation Number 7 of 2023 concerning Corporate Governance and Institutional Arrangements for Mutual Insurance Companies
Commercial Banks | Financial Services Authority Regulation Number 17 of 2023 concerning the Implementation of Corporate Governance for Commercial Banks
Rural Banks | Implementation of Corporate Governance for Rural Banks
Financing Companies | Financial Services Authority Regulation Number 30/POJK.05/2014 concerning Good Corporate Governance for Financing Companies
Venture Capital Companies | Financial Services Authority Regulation Number 36/POJK.05/2015 concerning Good Corporate Governance for Venture Capital Companies

International Standards for Corporate Governance 

The International Organization for Standardization (ISO) published an international standard for good corporate governance, ISO 37000, in 2021. ISO 37000 provides a comprehensive overview of corporate governance, along with its principles and the outcomes derived from its implementation. Here’s an overview of ISO 37000:2021: 

(Figure: Overview of ISO 37000:2021, International Standards Related to Corporate Governance)

Integrating Purpose and Principles for Corporate Governance According to ISO 37000:2021 

ISO 37000:2021 makes a clearly defined purpose the primary principle of governance. To achieve that purpose, companies must embed value generation, strategy, oversight, and accountability in their business processes; these are the foundational principles. The primary and foundational principles are in turn supported by enabling principles: leadership, data-driven decision-making, risk governance, social responsibility, stakeholder engagement, and organizational performance and sustainability over time. 

Through the application of these primary, foundational, and enabling principles, companies can achieve outcomes consisting of: 

  • Effective performance: The company operates in accordance with its objectives and applicable requirements, enhances stakeholder value, and aligns with the policies and expectations of relevant stakeholders. 
  • Responsible stewardship: The company utilizes resources responsibly, balances positive and negative impacts arising from its operations, considers the global context influencing its business, ensures its contribution to sustainable development, and fosters trust and confidence from the communities in which it operates. 
  • Ethical behavior: The company conducts itself in accordance with accepted principles and prevailing norms, such as an ethical culture, accountability, fairness in treatment and engagement with stakeholders, integrity and transparency in fulfilling its obligations, and competence and honesty in decision-making. 

Discuss With Us! 

For those who wish to delve deeper and explore the latest information on Corporate Governance based on ISO 37000:2021,

Robere & Associates is ready to assist you. Join us now! 

Contact Us

ISO 37001:2016-Based Bribery Risk Assessment

Authored By: Rian Munanjar, Lead Consultant GRC – Robere & Associates (Indonesia) 

Implementing ISO 37001:2016, the Anti-Bribery Management System (ABMS), offers significant benefits to organizations, including enhanced reputation, reduced legal and financial risks, and improved stakeholder relationships. This standard also fosters an organizational culture that rejects bribery, promoting integrity and transparency in all business aspects. 

Understanding ISO 37001:2016 

ISO 37001:2016, the Anti-Bribery Management System, provides a comprehensive framework for managing bribery risks in daily operations and business transactions. Key elements of the standard include an anti-bribery policy, due diligence procedures, anti-bribery training for employees, bribery risk assessment, due diligence on business associates, and ongoing monitoring of the effectiveness of the anti-bribery management system. Bribery risk assessment is one of the critical first steps for an organization that intends to implement an ABMS. 

Why Organizations Need to Conduct Bribery Risk Assessments Based on ISO 37001:2016 

The objective of a bribery risk assessment is to enable an organization to establish a robust foundation for implementing an Anti-Bribery Management System. Through the identification of bribery risks, organizations can focus on priority risks. By understanding the priority risks that must be addressed, organizations can accurately implement risk mitigation strategies, control implementation, and allocate necessary resources. 

How to Assess Bribery Risks According to ISO 37001:2016? 

When conducting a bribery risk assessment, organizations need to consider several provisions: 

1. Organizations must establish criteria of levels of bribery risk, taking into account organizational policies and objectives. 

The determination of bribery risk criteria levels typically utilizes a Risk Heat Map. A Risk Heat Map measures the level of risk by considering Likelihood (the probability of a risk occurring) and Impact (the consequence of a risk occurring). 

(Figure: Risk Heat Map, likelihood versus impact)

Likelihood expresses how probable it is that a risk materializes, and is usually measured by how often it has occurred, or is expected to occur, within a defined review period. Below are example criteria for assigning likelihood values: 

Likelihood Value | Definition | Example (occurrences in the review period)
1 (Low) | Very Rare / Unlikely | 0 to 1 occurrence
2 (Low to Moderate) | Rare / Small Probability | 2 to 3 occurrences
3 (Moderate) | Somewhat Rare / Possible | 4 to 5 occurrences
4 (Moderate to High) | Frequent / High Probability | 6 to 8 occurrences
5 (High) | Very Frequent / Certain | More than 8 occurrences

Meanwhile, Impact refers to the consequences of a risk occurring. Below are examples of criteria for determining impact values: 

Impact Value | Definition | Assessment
1 (Low) | Very Low | If the risk occurs, it does not disrupt operations or finances (loss cost below 0.01% of total equity)
2 (Low to Moderate) | Low | If the risk occurs, it causes operational constraints, financial obligations, and a decline in reputation, but not significantly (loss cost from 0.01% up to, but not including, 0.25% of total equity)
3 (Moderate) | Moderately High | If the risk occurs, it causes operational constraints, financial obligations, and a fairly significant decline in reputation (loss cost from 0.25% up to, but not including, 0.50% of total equity)
4 (Moderate to High) | High | If the risk occurs, it causes operational constraints, financial obligations, and a relatively significant decline in reputation (loss cost from 0.50% up to, but not including, 0.80% of total equity)
5 (High) | Very High | If the risk occurs, it causes operational constraints, financial obligations, and a significant decline in reputation (loss cost of 0.80% of total equity or more)

From the likelihood and impact assessment on the Risk Heat Map, the prioritization of bribery risks within an organization will be generated. An example of bribery risk priority levels is as follows: 

(Figure: example bribery risk priority levels on the Risk Heat Map, ISO 37001:2016)

In conducting a bribery risk assessment, organizations must assess both inherent risk and residual risk. Inherent risk is the level of risk before any mitigation, controls, or other actions are put in place to bring it down to a level acceptable to the organization. Residual risk is the risk that remains after those mitigations and controls have been applied to the inherent risk; this is the risk the organization must manage according to the mitigation strategies it has defined. 

(Figure: inherent risk versus residual risk)

Below is an example of a bribery risk assessment related to the procurement process, including how an organization addresses such risks: 

(Figure: example bribery risk assessment for the procurement process)
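The scoring described above, carried through in code: the likelihood and impact criteria from the two tables, a likelihood × impact heat-map score, and the inherent-versus-residual comparison, run over a small constructed risk register. This is an added example and not code from the article or from Robere & Associates. The priority bands on the heat map (1 to 4 Low, 5 to 9 Medium, 10 to 14 High, 15 to 25 Very High), the treatment of impact bands as including their lower bound and excluding their upper bound, and every sample risk, loss figure and the equity figure are assumptions made for illustration.

```python
"""Bribery risk scoring on a 5x5 Risk Heat Map, following the likelihood and
impact criteria in the article above.

Added example, not code from the original article or from Robere & Associates.
Assumptions (not stated on the page): the heat-map priority bands
(1-4 Low, 5-9 Medium, 10-14 High, 15-25 Very High), the half-open impact
intervals, and all sample risks, loss figures and the equity figure.
"""
from dataclasses import dataclass


def likelihood_value(occurrences: int) -> int:
    """Map occurrences in the review period to the article's 1-5 likelihood scale."""
    if occurrences < 0:
        raise ValueError("occurrences must be non-negative")
    if occurrences <= 1:
        return 1          # Very Rare / Unlikely
    if occurrences <= 3:
        return 2          # Rare / Small Probability
    if occurrences <= 5:
        return 3          # Somewhat Rare / Possible
    if occurrences <= 8:
        return 4          # Frequent / High Probability
    return 5              # Very Frequent / Certain


def impact_value(loss_cost: float, total_equity: float) -> int:
    """Map an estimated loss, as a percentage of total equity, to the 1-5 impact scale.

    Each band includes its lower bound and excludes its upper bound (assumption).
    """
    if total_equity <= 0:
        raise ValueError("total_equity must be positive")
    pct = 100.0 * loss_cost / total_equity
    if pct < 0.01:
        return 1          # Very Low
    if pct < 0.25:
        return 2          # Low
    if pct < 0.50:
        return 3          # Moderately High
    if pct < 0.80:
        return 4          # High
    return 5              # Very High


# Assumed heat-map bands: (inclusive upper score, priority label).
PRIORITY_BANDS = ((4, "Low"), (9, "Medium"), (14, "High"), (25, "Very High"))


def priority(score: int) -> str:
    """Translate a likelihood x impact score (1-25) into a priority label."""
    for upper, label in PRIORITY_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


@dataclass(frozen=True)
class BriberyRisk:
    """One identified risk with inherent (pre-control) and residual (post-control) estimates."""
    name: str
    inherent_occurrences: int
    inherent_loss: float
    residual_occurrences: int
    residual_loss: float


def assess(risk: BriberyRisk, total_equity: float) -> dict:
    """Score one risk before and after controls and attach priority labels."""
    inherent = likelihood_value(risk.inherent_occurrences) * impact_value(risk.inherent_loss, total_equity)
    residual = likelihood_value(risk.residual_occurrences) * impact_value(risk.residual_loss, total_equity)
    return {
        "risk": risk.name,
        "inherent_score": inherent,
        "inherent_priority": priority(inherent),
        "residual_score": residual,
        "residual_priority": priority(residual),
    }


def rank(risks, total_equity: float) -> list:
    """Order risks by residual score (what still has to be managed), then by inherent score."""
    assessed = [assess(r, total_equity) for r in risks]
    return sorted(assessed, key=lambda a: (a["residual_score"], a["inherent_score"]), reverse=True)


# Constructed sample data: a procurement-oriented risk register and an equity figure in IDR.
TOTAL_EQUITY = 100_000_000_000
SAMPLE_RISKS = [
    BriberyRisk("Kickbacks from vendors to procurement staff", 4, 600_000_000, 1, 400_000_000),
    BriberyRisk("Facilitation payments to expedite permits", 9, 5_000_000, 2, 5_000_000),
    BriberyRisk("Gifts and hospitality offered to officials", 2, 200_000_000, 0, 20_000_000),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_RISKS, TOTAL_EQUITY):
        print(f"{row['risk']:<48} inherent {row['inherent_score']:>2} ({row['inherent_priority']})"
              f"  residual {row['residual_score']:>2} ({row['residual_priority']})")
```

Ranking on the residual score rather than the inherent score is deliberate: the inherent score justifies why a control exists, but it is the residual score that tells the organization where resources should still go, and a residual score that stays in the same band as the inherent one is a sign that the control is not reducing the risk.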

2. Organizations must conduct bribery risk assessments periodically. 

The provisions for conducting bribery risk assessments are as follows:

  • Identify the bribery risks the organization can reasonably anticipate, in light of the internal and external issues relevant to its objectives. To do so, the organization needs to understand its end-to-end business processes and consider the number of interactions involved, both between internal parties and between internal and external parties. 
  • Analyze, assess, and prioritize the identified bribery risks; and 
  • Evaluate the suitability and effectiveness of the organization’s existing controls in reducing the assessed bribery risks. 

3. Bribery risk assessments must be reviewed periodically. 

The review of bribery risk assessments is conducted under the following provisions: 

  • Reviews are carried out periodically so that any new information can be assessed in a timely manner by the organization; and 
  • Upon the occurrence of significant changes to the organizational structure or activities. 

4. Documented Information 

Organizations must retain documented information to demonstrate that bribery risk assessments have been conducted and used to design and improve the anti-bribery management system. 


Discuss with Us! 

For those who wish to delve deeper and gain the latest insights into Anti-Bribery Management Systems based on ISO 37001:2016, Robere & Associates is ready to assist. Join us now!

Contact Us

Whistleblowing Management System Based on ISO 37002


Authored By: Satrio Adhi Pradana, Lead Consultant GRC – Robere & Associates (Indonesia) 

The contemporary business landscape is experiencing rapid evolution. However, amidst this accelerated development, violations such as financial fraud, misuse of company policies, and other illicit activities are also increasing. Therefore, organizations are highly recommended to establish a systematic reporting and handling management system. This system serves as a crucial guide, assisting organizations in managing violations reported by relevant parties within the organization. In this context, the international standard ISO 37002:2021 on Whistleblowing Management Systems can be leveraged as a comprehensive guide for implementing an effective whistleblowing management system within organizations.

Benefits of Implementing ISO 37002:2021 

ISO 37002:2021 is a guideline published by the International Organization for Standardization (ISO). Its primary objective is to provide guidance for designing, implementing, maintaining, and continually improving a whistleblowing management system. 

ISO 37002:2021 can be utilized by organizations to prevent or minimize losses resulting from misconduct by identifying, addressing, and managing reported deviations as early as possible. 

Furthermore, the implementation of ISO 37002:2021 demonstrates an organization’s commitment to good governance practices and integrity to relevant stakeholders. 

Key Aspects of ISO 37002:2021 

One of the significant aspects of ISO 37002:2021 is its guidance on how organizations can foster an environment that encourages whistleblowing. This includes ensuring that whistleblowers feel secure and protected and promoting an open and transparent culture throughout the organization. The essential steps covered in ISO 37002:2021 encompass several key areas: 

1. Reporting Process 

Organizations are advised to establish mechanisms for managing whistleblowing reports, considering two crucial aspects: 

  • Traceability

Every report must be meticulously tracked from receipt to resolution. This ensures transparency and accountability in handling reports. For instance, providing a reporting number to the whistleblower allows them to monitor the entire process of submitting their report. 

  • Confidentiality

Organizations need to implement measures to protect the identity of whistleblowers and maintain the confidentiality of information related to the reports. This aspect of confidentiality helps organizations create an environment where employees feel safe to report violations. For example, organizations can provide an option for anonymous whistleblowing. Regarding anonymity, two options exist: 

  • Total Anonymity: The whistleblower’s identity is entirely concealed, and there is no information that can link the report to the whistleblower. 
  • Limited Anonymity: The whistleblower’s identity is known only to authorized parties, such as the Whistleblowing System (WBS) manager and/or the investigation team assigned to follow up on the report. 

2. Assessment of Reports

Organizations must ensure that the process of assessing, triaging, and managing reports of misconduct is free from bias and/or conflicts of interest. Organizations are also recommended to prioritize deviation reports based on the consideration of potential adverse risks to the organization and/or other relevant parties. For example, to facilitate assessment, the WBS manager can conduct evaluations by ensuring several aspects: 

  • Verify the validity of the report. 
  • Evaluating the extent to which the violation impacts the company adversely in terms of financial, reputational, legal, and operational aspects. 
  • Categorizing incoming reports based on their urgency level. 
  • If necessary, organizations can seek legal and regulatory consultation to ensure that the actions taken comply with applicable regulations, consulting with competent internal or external parties. 

3. Handling of Violations

Organizations must ensure the existence of a fair and objective investigation mechanism. Investigations should be conducted without bias, and the accused party should be granted the right to respond to the allegations. 

4. Protection of Whistleblowers, Accused Parties, and Investigators

This standard emphasizes the importance of protecting whistleblowers, accused parties, and investigators from any form of retaliation or discrimination as a result of reporting. This aims to foster an environment that supports integrity and courage in reporting violations. 

5. Case Resolution

A reported case can be considered closed when no further action is deemed necessary in response to the report, when fact-finding determines that no further investigation is required, when the report is referred to another process that needs to be handled, or at the conclusion of an investigation that either proves or disproves the alleged misconduct. 

ISO 37002:2021 can serve as a foundation for building an organization with integrity, where violations can be reported without fear of retaliation, and where every report is handled fairly and transparently. Thus, the implementation of ISO 37002:2021 is not merely about meeting a standard; it is about building trust, protecting whistleblowers, and solidifying the organization’s reputation as an entity committed to ethical values and sustainability. 

Partnering with Compliance: The Key to Achieving Sustainable Business Through ISO 37301


Authored By: Farrah Alizah Larasati, Lead Consultant GRC – Robere & Associates (Indonesia) 

Compliance is a critical aspect that companies must fulfill when conducting their business operations. Every company, regardless of its field, will have regulatory provisions and requirements from interested parties that must be adhered to. Failure to comply with applicable provisions or requirements can potentially lead to reputational damage, financial losses, and even legal or criminal sanctions for the company. 

A pertinent case example occurred in 2023 involving a Rural Bank (BPR) that failed to comply with regulations related to credit management. By disbursing fictitious loans, the BPR’s business license was revoked by the Financial Services Authority (OJK). 

The importance of adhering to every provision and requirement motivates companies to establish a systematic management system for identifying, evaluating, and ensuring compliance. In this regard, the international standard, ISO 37301:2021 on Compliance Management Systems serves as a best practice that companies can utilize as a guide for managing compliance. 

What is ISO 37301:2021? 

ISO 37301:2021 Compliance Management Systems is an international standard that sets out how companies can manage their compliance obligations effectively. It provides clear guidance on how companies can develop, implement, maintain, and continually improve a compliance management system. 

Critical Aspects in Implementing ISO 37301:2021 

The critical aspects that companies need to fulfill when implementing ISO 37301:2021 Compliance Management Systems are as follows: 

1. Commitment to Compliance

Commitment to the implementation of a Compliance Management System is crucial within a company, particularly the commitment from the Governing Body and Top Management. This commitment is demonstrated by establishing a Compliance Policy, ensuring that the implementation of the Compliance Management System is achieved, and guaranteeing the availability of necessary resources for its implementation within the company. 

2. Establishment of the Compliance Function

In the implementation of ISO 37301, companies need to establish a Compliance Function. This function has the duties and responsibilities to facilitate the identification of compliance obligations, conduct analysis and evaluation of the Compliance Management System’s performance to identify needs for corrective actions, establish mechanisms for compliance reporting, and monitor and report the results of the Compliance Management System’s implementation to Top Management. Generally, the Compliance Function is assigned to the unit overseeing compliance within the company. 

3. Awareness

Companies must ensure that all employees are provided with an understanding of the Compliance Management System’s implementation. This includes offering training related to the Compliance Management System and conducting socialization sessions regarding the Compliance Policy. 

4. Identification of Compliance Obligations

Compliance obligations are regulations and provisions that companies must adhere to in accordance with their business processes, encompassing both external and internal regulations. In implementing ISO 37301, companies need to identify compliance obligations, analyze the impact of each regulation, and conduct evaluations to ensure all regulations are being followed. Compliance obligations can be categorized into two types: mandatory obligations and voluntary obligations. Mandatory obligations are provisions that must be complied with, such as regulatory provisions, government provisions, or customer requirements. Voluntary obligations, on the other hand, are provisions that are optional; while not mandatory, the company commits to fulfilling them, such as the ISO 37301 standard itself. 

5. Compliance Indicators

Companies can establish compliance indicators to assess their level of compliance. Under ISO 37301, compliance indicators are divided into predictive indicators and reactive indicators. Predictive indicators include measuring non-compliance risks as the potential for achieving or failing to achieve targets, as well as non-compliance trends. Examples of reactive indicators are the number of non-compliances that occurred, the time required to address non-compliances, and corrective actions taken. 

Companies implementing a Compliance Management System based on ISO 37301 not only ensure adherence to applicable provisions but also minimize risks, enhance operational efficiency, and build a positive reputation. This enables companies to continue growing and ensures their sustainability. 


Discuss with Us! 

For those who wish to discuss further and explore the latest information on Governance, Risk, and Compliance, Robere & Associates is ready to assist. Join us now! 

Contact Us

The Implementation of Asset Criticality Ranking in Asset Management

Written By, Hilman Badhi Adikara, GRC Team Leader – Robere & Associates (Indonesia) 

To successfully execute its business processes, a company requires the support of high-quality assets that can uphold its performance in achieving established goals and objectives. Therefore, companies inevitably engage in asset management, encompassing processes from asset needs planning, asset inventory, asset operation, asset maintenance, asset valuation, to asset disposal, commonly referred to as the asset life cycle. 

Asset life cycle

Benefits of Implementing an Asset Management System 

Given the extensive range of processes involved in asset management, companies can leverage an Asset Management System as a fundamental framework to monitor each process. Furthermore, implementing an Asset Management System offers numerous advantages for companies, including: 

  1. Supporting companies in making informed decisions, particularly in developing strategic asset management plans. 
  2. Enhancing company performance through effective asset allocation. 
  3. Reviewing actual asset values, including asset depreciation, to prevent performance decline. 
  4. Simplifying budget planning for asset management. 
  5. Optimizing asset-related risk management, especially in determining asset criticality levels. 

One key reference for implementing an Asset Management System is the ISO 55001 standard. A particularly compelling aspect of ISO 55001 is how companies can establish priorities for activities to achieve their defined asset management objectives. This prioritization can be achieved through asset criticality determination, commonly known as Asset Criticality Ranking. 

What is Asset Criticality Ranking? 

Asset Criticality Ranking is a method used to identify priority assets for maintenance and protection. Companies can perform Asset Criticality Ranking by considering several factors, including: 

  1. The types of assets being managed, whether physical or non-physical. 
  2. Defining consequence criteria that may occur to assets. 
  3. Defining reliability criteria based on the likelihood of consequences occurring to assets. 
  4. Defining detectability criteria as a form of prediction for potential asset damage. 
  5. Establishing an asset criticality matrix. 

Companies can then conduct assessments by assigning values to the consequence, reliability, and detectability criteria. A higher Asset Criticality Ranking score will impact the handling of the asset, specifically prioritizing stricter monitoring and relatively shorter maintenance schedules to ensure optimal asset performance. 

Establishing Asset Criticality Ranking 

Below is an example of criteria that can be used to analyze each asset, which will then be assigned a criticality level: 

Criteria | Level 1 | Level 2 | Level 3 | Level 4
Operational Failure Impact (A) | No direct impact on operational processes | Impacts operational processes within a specific Department | Impacts operational processes within a Division/Work Unit | Impacts company-wide operational processes
Utilization (B) | Asset used less than 50% of the year | Asset used 50% to less than 75% of the year | Asset used 75% to less than 100% of the year | Asset used continuously
Tolerable Downtime / Required Repair Time (C) | More than 60 minutes | 31 to 60 minutes | 16 to 30 minutes | 0 to 15 minutes
Likelihood of Operational Failure (D) | Rarely occurs (0 to 1 time per year) | May occur (2 to 3 times per year) | Often occurs (4 to 6 times per year) | Very often occurs (7 or more times per year)

After analyzing each asset against each criterion, sum the four values (A + B + C + D; with each criterion scored 1 to 4, the total falls between 4 and 16) and map the total to the criticality levels below. 

Criticality Level | Score | Action
Low | 1 – 8 | 1. Preventive maintenance performed at least once a year; 2. Asset monitoring conducted monthly; 3. No bypass/backup process required in case of failure; 4. No alert system required
Medium | 9 – 11 | 1. Preventive maintenance performed at least once every 6 months; 2. Asset monitoring conducted weekly; 3. Bypass/backup process must be available in case of operational failure; 4. Alert system must be available
High | 12 – 16 | 1. Preventive maintenance performed at least once every 4 months; 2. Asset monitoring conducted daily; 3. Bypass/backup process must be available in case of operational failure; 4. Alert system must be available

Example: 

The company owns a server and operational vehicles. The company will then assess their criticality levels in the following table: 

Criterion | Server | Operational Vehicle
Operational Failure Impact (A) | (4) Impacts company-wide operational processes | (1) No direct impact on operational processes
Utilization (B) | (4) Asset used continuously | (1) Asset used less than 50% of the year
Tolerable Downtime / Required Repair Time (C) | (4) 0 to 15 minutes | (1) More than 60 minutes
Likelihood of Operational Failure (D) | (1) Rarely occurs (0 to 1 time per year) | (2) May occur (2 to 3 times per year)
Criticality Level Score | 4 + 4 + 4 + 1 = 13 | 1 + 1 + 1 + 2 = 5
Criticality Level | High | Low

Based on the table above, the criticality level of the server is higher than that of the operational vehicle. Consequently, the server requires more intensive treatment compared to the operational vehicle, including shorter maintenance intervals, continuous monitoring, preparing a backup plan mechanism in case of server downtime, and providing notifications for server disruptions. 
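The ranking procedure above, from raw facts about an asset to its criticality level and required actions, as an added example that is not code from the article or from Robere & Associates. It reproduces the article's server and operational vehicle and adds a constructed third asset so that the Medium band is exercised too. The reading of the utilization bands as less than 50%, 50% to less than 75%, 75% to less than 100%, and continuous, and the input values chosen for each sample asset, are assumptions.

```python
"""Asset Criticality Ranking with the article's four criteria (A to D, each
scored 1 to 4), summed and mapped to the Low/Medium/High levels and actions.

Added example, not code from the original article or from Robere & Associates.
Assumptions (not stated on the page): the utilization bands are read as
<50%, 50% to <75%, 75% to <100%, and continuous; the raw input values for the
sample assets and the third (printer) asset are constructed.
"""
from dataclasses import dataclass


def failure_impact_level(scope: str) -> int:
    """Criterion A: scope of the operational impact when the asset fails."""
    return {"none": 1, "department": 2, "division": 3, "company": 4}[scope]


def utilization_level(fraction_of_year: float) -> int:
    """Criterion B: share of the year the asset is in use (1.0 = continuous)."""
    if not 0.0 <= fraction_of_year <= 1.0:
        raise ValueError("utilization must be between 0 and 1")
    if fraction_of_year >= 1.0:
        return 4
    if fraction_of_year >= 0.75:
        return 3
    if fraction_of_year >= 0.5:
        return 2
    return 1


def downtime_level(tolerable_minutes: float) -> int:
    """Criterion C: how quickly the asset must be back in service; a tighter window is more critical."""
    if tolerable_minutes < 0:
        raise ValueError("minutes must be non-negative")
    if tolerable_minutes <= 15:
        return 4
    if tolerable_minutes <= 30:
        return 3
    if tolerable_minutes <= 60:
        return 2
    return 1


def failure_likelihood_level(failures_per_year: int) -> int:
    """Criterion D: observed or expected operational failures per year."""
    if failures_per_year < 0:
        raise ValueError("failures must be non-negative")
    if failures_per_year <= 1:
        return 1
    if failures_per_year <= 3:
        return 2
    if failures_per_year <= 6:
        return 3
    return 4


@dataclass(frozen=True)
class Asset:
    name: str
    impact_scope: str            # "none", "department", "division" or "company"
    utilization: float           # fraction of the year in use
    tolerable_downtime_min: float
    failures_per_year: int

    def levels(self) -> tuple:
        """The four criterion scores (A, B, C, D) for this asset."""
        return (failure_impact_level(self.impact_scope), utilization_level(self.utilization),
                downtime_level(self.tolerable_downtime_min), failure_likelihood_level(self.failures_per_year))

    def score(self) -> int:
        return sum(self.levels())


def criticality(total: int) -> str:
    """Map the summed score to the article's criticality levels."""
    if not 4 <= total <= 16:
        raise ValueError(f"score out of range: {total}")
    if total <= 8:
        return "Low"
    if total <= 11:
        return "Medium"
    return "High"


# Handling actions per level, as listed in the article.
ACTIONS = {
    "Low": ("Preventive maintenance at least once a year", "Monitoring monthly",
            "No bypass/backup process required", "No alert system required"),
    "Medium": ("Preventive maintenance at least once every 6 months", "Monitoring weekly",
               "Bypass/backup process must be available", "Alert system must be available"),
    "High": ("Preventive maintenance at least once every 4 months", "Monitoring daily",
             "Bypass/backup process must be available", "Alert system must be available"),
}


def rank_assets(assets) -> list:
    """Return (name, score, level) tuples, most critical first."""
    rows = [(a.name, a.score(), criticality(a.score())) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


SAMPLE_ASSETS = [
    Asset("Server", "company", 1.0, 15, 1),                        # article example: 4+4+4+1 = 13
    Asset("Operational Vehicle", "none", 0.3, 90, 2),              # article example: 1+1+1+2 = 5
    Asset("Printer (finance department)", "department", 0.6, 45, 5),  # constructed: 2+2+2+3 = 9
]

if __name__ == "__main__":
    for name, total, level in rank_assets(SAMPLE_ASSETS):
        print(f"{name:<32} score {total:>2}  {level:<6} -> {'; '.join(ACTIONS[level])}")
```

Keeping the mapping from raw observations to levels in code (rather than scoring by hand) makes the ranking repeatable across assessment cycles and makes a change in a band boundary visible as a single diff.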

The results of the Asset Criticality Ranking assessment can benefit companies by preventing asset damage that would directly impact business processes. Additionally, the Asset Criticality Ranking results can also serve as a basis for companies in establishing their asset life cycle. 

The Critical Importance of Service Level Agreement (SLA) Management in Service Provision

Authored By: Syifa Aulia Sari, IT GRC Team Leader – Robere & Associates (Indonesia) 

In this modern era, Information Technology (IT) services have become a basic necessity for most of the Indonesian population. Digitalization and globalization have made daily life and business difficult to run without them. Driven by this demand, many companies compete to deliver services of the highest quality that ensure customer satisfaction. 

What is a Service Level Agreement (SLA)? 

To provide a service, several aspects must be effectively managed. One such critical aspect is the Service Level Agreement (SLA). Simply put, an SLA is a formal agreement that outlines the committed performance guarantees to be met by a service provider to fulfill customer needs and expectations. SLAs typically encompass various performance parameters, such as service availability, response time, recovery time, information security, and other relevant metrics pertaining to the services rendered. 

Benefits of a Service Level Agreement (SLA) 

With an SLA in place, both the service provider and the customer gain a clear understanding of what is expected from the provided services, as well as the responsibilities and implications for each party should a breach of the agreement occur. An SLA also fosters transparency, enhances trust between the service provider and the customer, and provides a framework for the service provider to periodically evaluate service performance. Therefore, effective SLA management from the service provider’s perspective becomes paramount. Well-managed SLAs can significantly assist service provider organizations in delivering services that meet or even exceed customer expectations. 

Service Level Agreement (SLA) in ISO/IEC 20000-1:2018 

Within ISO/IEC 20000-1:2018, the international standard for Service Management Systems, the SLA is a key aspect regulated in one of its clauses (Clause 8.3.3) for compliance with the standard. This applies to both the implementation and certification of a Service Management System. Consequently, ISO/IEC 20000-1:2018 serves as a vital guide for implementing and certifying a Service Management System, including the effective management of service SLAs. 

Managing Service Level Agreements as Part of ISO/IEC 20000-1:2018 

Several key aspects of SLA management as stipulated in ISO/IEC 20000-1:2018 include: 

  1. Establish clear and measurable SLAs between the service provider and the customer. SLAs must specify defined service performance parameters, such as availability, response time, and recovery time, and must align with business needs and customer requirements. 
  2. Regular monitoring and measurement of performance in accordance with the agreed-upon SLA. This involves collecting service performance data, analyzing results, and reporting to the customer. 
  3. Incident management to meet and improve SLA fulfillment. In the event of an SLA breach or an issue in service delivery, the service provider must be able to respond promptly and take necessary actions. 
  4. Commitment to continual improvement in service management. Service providers are expected to continuously evaluate and enhance their processes, systems, and service performance to ensure consistent SLA fulfillment and to meet or even exceed customer expectations. 

Based on the explanations above, it is evident that ISO/IEC 20000-1:2018 plays a crucial role as a guide for organizations to effectively manage the services they provide, including SLA management. Therefore, by implementing and obtaining ISO/IEC 20000-1:2018 certification, organizations can not only enhance their SLA management but also improve their overall service management, ultimately leading to an increase in service quality and market value. 

CQI-IRCA Approves Robere & Associates for ISMS ISO/IEC 27001:2022 Lead Auditor Course

The ISO/IEC 27001:2022 standard, published on October 25, 2022, marks a significant milestone in information security management. Its presence serves as a critical foundation for organizations to ensure the protection of their essential data and information assets. As of April 27, 2023, Robere & Associates has been officially recognized and approved by CQI-IRCA, granting the authority to deliver the Lead Auditor Course for ISMS ISO/IEC 27001:2022.

This training is designed to equip participants with the knowledge and skills necessary to conduct effective audits of information security management systems. It enables them to identify potential issues and provide strategic recommendations for improvement. Participants will be guided through audit principles, methodologies, and best practices, with a strong focus on the latest ISO/IEC 27001:2022 standard.

Through this course, Robere & Associates plays a significant role in preparing a new generation of information security auditors who are not only theoretically competent but also proficient in practical application. This training is vital in strengthening corporate information security infrastructures and enhancing organizational resilience against cyber threats, while also addressing the market demand for qualified information security professionals.

Become a Certified Lead Auditor of ISO/IEC 27001:2022 Today!

ISO/IEC 27001:2022 Update: Preparing for Transition and the Importance of Adopting the New Standard

The ISO/IEC 27001 Information Security Management System (ISMS) standard has undergone significant changes, with the latest ISO/IEC 27001:2022 version officially published on October 25, 2022. This release followed the completion of the Joint Technical Committee (JTC) voting process on September 22, 2022. All organizations that have implemented or plan to implement an Information Security Management System based on ISO/IEC 27001 can now adopt the ISO/IEC 27001:2022 standard. 

Certification audits (initial certification and recertification) for ISO/IEC 27001:2013 were permitted until October 25, 2023. After this date, all initial certification and recertification audits must adhere to ISO/IEC 27001:2022. Surveillance audits for ISO/IEC 27001:2013 are still allowed until October 24, 2025. 

Key Changes in the Latest ISO 27001 Version 

The ISO/IEC 27001 standard updates in 2022 align with the evolving landscape of digital business practices, including the increased adoption of Remote Working, Bring Your Own Device (BYOD), and growing reliance on Cloud Service.

The general changes implemented in ISO/IEC 27001:2022 include: 

Figure: Main Revisions of ISO/IEC 27001:2022

1. Changes in the total number of Annex A controls, from 114 to 93, with the following breakdown: 

  • 24 merged controls
  • 23 controls with changed names 
  • 35 controls with changed numbering 
  • 11 new/additional controls, which include:
    • Threat Intelligence 
    • Information Security for Cloud Services 
    • Information and Communications Technology (ICT) Readiness for Business Continuity 
    • Physical Security Monitoring 
    • Monitoring Activities 
    • Web Filtering 
    • Data Masking 
    • Secure Coding 
    • Configuration Management 
    • Information Deletion 
    • Data Leakage Prevention 

2. Restructuring of Annex A control domains into 4 main domains: 

  • People (8 Controls): Controls concerning individuals, such as Teleworking, Filtering, and Confidentiality Agreements. 
  • Organizational (37 Controls): Controls concerning the organization, such as Information Security Policies, Return of Assets, and Information Security for the Use of Cloud Services. 
  • Technological (34 Controls): Controls concerning technology, such as Authentication, Information Deletion, Data Leakage Prevention, and System Development. 
  • Physical (14 Controls): Controls concerning physical objects, such as Storage Media, Equipment Maintenance, Physical Security Monitoring, and Securing Office Rooms. 

3. Five types of attributes for controls to facilitate easier categorization, consisting of: 

  • Control Type (Preventive, Detective, Corrective) 
  • Information Security Aspect (Confidentiality, Integrity, Availability) 
  • Cybersecurity Concepts (Identify, Protect, Detect, Respond, Recover) 
  • Operational Capabilities (Governance, Asset Management, Risk Management, etc.) 
  • Security Domains (Governance, Protection, Business Continuity) 

Overall, there are no significant differences between the core requirements of ISO/IEC 27001:2022 and ISO/IEC 27001:2013. However, the changes in Security Controls necessitate updating the Statement of Applicability (SOA) as a top priority. 

Key to Transitioning to ISO/IEC 27001:2022 

Organizations can initiate their transition to ISO/IEC 27001:2022 immediately, with a deadline of October 25, 2025, or three years from the standard’s publication date. The milestones are as follows: 

Figure: Transition timeline from ISO/IEC 27001:2013 to ISO/IEC 27001:2022

While the publication of ISO/IEC 27001:2022 will necessitate a transition process, there is no need for concern. Robere & Associates is ready to assist your organization in navigating this transition. 

Robere & Associates is committed to supporting you since the release of the ISO/IEC 27001:2022 standard. We will continue to provide updates on its progress and offer further details on the necessary transition process. 


Discuss With Us! 

For those who wish to delve deeper and gain the latest insights on Governance, Risk, and Compliance, Robere & Associates is here to help. Join us now! 

Contact Us

Best Practice System Security Hardening

What is System Security Hardening? 

ISO/IEC 27001:2013 is an international standard that outlines requirements for information security management systems. Annex 12.6.1 (Management of Technical Vulnerabilities) and Annex 14.2.8 (System Security Testing) emphasize the importance of securing systems and applications from potential attacks. One utilized method is system hardening, which is the process of securing a system or application to mitigate the risk of hacker attacks. 

In the IT sphere, the term “security hardening” is frequently employed when systems or applications are about to be deployed or enter a production environment. System hardening constitutes a collection of tools, techniques, and best practices designed to reduce vulnerability to cyberattacks. Its objective is to eliminate attack vectors and minimize the attack surface that can be exploited by hackers or malware. 

Types of System Hardening 

System hardening encompasses several key aspects within IT ecosystem security. The following are the five primary types of hardening: 

  1. Application Hardening – Securing applications from exploitation and malicious attacks. 
  2. Operating System Hardening – Eliminating unnecessary services or configurations on the OS. 
  3. Server Hardening – Securing servers from unauthorized access or exploitation. 
  4. Database Hardening – Preventing data breaches through access control and encryption settings. 
  5. Network Hardening – Enhancing network security with firewalls, segmentation, and access control. 

Why is System Hardening Important? 

System hardening plays a crucial role in lowering the probability of systems being hacked by reducing potential entry points for attacks. This measure is indispensable in industries that implement stringent security standards, such as the Payment Card Industry Data Security Standard (PCI DSS) in the financial sector and the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector. 

System hardening should be conducted periodically throughout the technology lifecycle, from initial installation to when the system operates in a live production environment. Some organizations even develop automated hardening methods to accelerate and enhance the effectiveness of this process. 

Does System Hardening Guarantee 100% Security? 

The answer is no. No system is 100% secure, but system hardening can significantly enhance a system’s resilience against attacks and reduce the likelihood of exploitation. By implementing hardening, attacks that could initially be executed by hackers with basic skill levels will become more challenging, allowing only hackers with higher skill levels to attempt to penetrate the system. 

With the appropriate approach, system hardening will become an integral part of a broader cybersecurity strategy, assisting organizations in protecting their data and IT infrastructure. 


IT GRC Team
Robere & Associates (Indonesia)

Activity Log Review: Is It Necessary?

The Importance of Activity Log Review in Information Security 

In the era of digitalization, or Industry 4.0, nearly all company activities have been automated using IT applications and systems. This brings positive impacts such as efficiency and accuracy in business processes. However, on the other hand, increased digitalization also elevates the risk of cybercrime. According to data from the Indonesian National Police, 3,429 cybercrime cases were recorded from January to August 2019. 

Cybercrime not only originates from external parties but can also occur due to negligence or actions by internal company employees. To mitigate these risks, the Ministry of Communication and Informatics of the Republic of Indonesia mandates electronic system operators to implement ISO/IEC 27001, as regulated in KOMINFO Ministerial Regulation Number 4 of 2016 concerning Information Security Management Systems. 

Activity Log Monitoring in ISO/IEC 27001 

One of the primary steps in preventing cybercrime, according to ISO/IEC 27001, is to monitor system activity logs, as stipulated in Annex 12.4. Activity logs record all system activities, such as user access, system changes, and incident detection. By regularly monitoring logs, companies can analyze activity trends and identify potential threats before major incidents occur. 

Log monitoring can be performed periodically according to organizational needs, for example, once a month or once every three months, depending on the level of risk faced. For instance, a company can detect failed access attempts or discover suspicious firewall activity carried out by unknown users. 

Organizational Steps in Activity Log Monitoring 

For optimal activity log monitoring, organizations need to implement the following steps: 

1. Establish schedules and procedures for activity log monitoring. 

2. Protect logs from unauthorized changes, ensuring the security of activity records that include:  

  • User ID and system access. 
  • User login and logout times. 
  • Successful and failed access attempts. 
  • System configuration changes. 
  • Operating system utility usage. 
  • Protection system activities (firewall, antivirus, etc.). 

3. Appoint specific employees or functions responsible for activity log monitoring. 

4. Investigate suspicious activities. 

5. Configure information security alert tools to detect account changes or login failures. 

6. Retain log documentation for at least 1 year, with easy access to logs within a 3-month period, in accordance with PCI DSS Requirements. 

7. Conduct periodic monitoring of the log collection process to ensure the system functions optimally. 
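An added example, not code from the original article: a small review run over constructed sample log lines that exercises three of the steps above, alerting on login failures and account or configuration changes (step 5), keeping the log tamper-evident with an HMAC hash chain (step 2), and classifying entries against the 1-year / 3-month retention windows (step 6). The log format, the HMAC key and the alert threshold are assumptions.

```python
"""Activity-log review over constructed sample lines (added example)."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <user> <event> <source IP>".
SAMPLE_LOG = """\
2024-03-01T08:00:00 alice login_ok 10.0.0.5
2024-03-01T08:01:10 bob login_fail 10.0.0.9
2024-03-01T08:01:15 bob login_fail 10.0.0.9
2024-03-01T08:01:20 bob login_fail 10.0.0.9
2024-03-01T08:01:25 bob login_fail 10.0.0.9
2024-03-01T08:01:30 bob login_fail 10.0.0.9
2024-03-01T08:02:00 alice config_change 10.0.0.5
2024-03-01T09:00:00 carol account_change 10.0.0.7
2024-03-01T09:30:00 bob logout 10.0.0.9
"""

def parse_log(text):
    """Turn raw lines into dicts; malformed lines are skipped rather than guessed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, event, src = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "src": src})
    return events

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Step 5: users with at least `threshold` failed logins inside any sliding window.
    Returns {user: largest burst size}; threshold and window are assumed values."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "login_fail":
            fails[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[user] = max(flagged.get(user, 0), size)
    return flagged

def account_or_config_changes(events):
    """Step 5 again: account and configuration changes that warrant review."""
    return [e for e in events if e["event"] in ("account_change", "config_change")]

def chain_digests(text, key):
    """Step 2: HMAC hash chain. Each line's digest covers the previous digest, so
    editing, inserting or deleting a line invalidates every digest after it."""
    prev = b"\x00" * 32
    digests = []
    for line in text.splitlines():
        prev = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        digests.append(prev)
    return digests

def chain_intact(text, key, digests):
    """True only if the stored log still reproduces the recorded chain exactly."""
    return hmac.compare_digest(b"".join(chain_digests(text, key)), b"".join(digests))

def retention_status(event_ts, now, keep_days=365, online_days=90):
    """Step 6: entries newer than 3 months must be readily accessible ("online"),
    entries up to 1 year old must still be retained ("archive"), older ones may be purged."""
    age = now - event_ts
    if age <= timedelta(days=online_days):
        return "online"
    if age <= timedelta(days=keep_days):
        return "archive"
    return "expired"

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: in practice from a key store
    events = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(events))
    print("changes to review:", [(e["user"], e["event"]) for e in account_or_config_changes(events)])
    digests = chain_digests(SAMPLE_LOG, key)
    tampered = SAMPLE_LOG.replace("alice config_change", "alice login_ok")
    print("original intact:", chain_intact(SAMPLE_LOG, key, digests))
    print("tampered intact:", chain_intact(tampered, key, digests))
    print("retention:", retention_status(events[0]["ts"], datetime(2024, 6, 1)))
```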

Conclusion 

Performing activity log monitoring is a strategic step in maintaining corporate information security. By implementing effective log monitoring policies, organizations can ensure the confidentiality, integrity, and availability of information and IT systems. 

IT GRC Team
Robere & Associates (Indonesia)

The Importance of Password Security in the Digital World

Why Is Password Security Crucial? 

With the advancement of technology and communication, the use of digital devices in daily life has significantly increased. According to Mastercard research, individuals, on average, possess ten digital accounts used across various devices and applications. Each day, a person enters a password approximately eight times to access their accounts. 

A password is one of the primary methods for maintaining security within the realm of information technology. Unfortunately, many users still employ easily guessable passwords, such as birthdates (25%), pet names (18%), or family names (13%). Furthermore, 84% of users only change their passwords occasionally, while only 16% consistently remember them. This habit increases the risk of hacking, potentially compromising users’ personal data and creating vulnerabilities for online crime. 

Threats of Hacking and Data Breaches 

Cyberattacks on large corporations often lead to customer data breaches, including phone numbers, email addresses, and other personal information. One instance of a breach in Indonesia was the KreditPlus data leak in August 2020. A report from the cybersecurity firm Cyble revealed that approximately 890,000 KreditPlus customer data records were allegedly leaked and sold on the hacking forum Raidforums. The leaked data included names, emails, passwords, home addresses, phone numbers, employment details, and even family card (KK) information. Additionally, password security can be compromised when users access public networks without additional protection. 

Best Practices in Maintaining Password Security 

ISO/IEC 27001:2013 Annex 9.4.3 governs how secure password management should be implemented to protect sensitive data. Here are some essential steps in managing password security: 

  • Do not store passwords in unencrypted plain text format. 
  • Avoid sharing passwords via email, chat, or other electronic communication media. 
  • Do not write down easily guessable password hints, such as family names or birthdates. 
  • Avoid using the “Remember Password” feature on browsers or applications. 
  • Immediately change default passwords after initial use. 
  • Use a combination of uppercase letters, lowercase letters, numbers, and special characters in your password. 
  • Ensure passwords are a minimum of eight characters long. 
  • Avoid using the same password for work and personal accounts. 
  • Utilize multi-factor authentication (MFA) such as OTP or SMS for additional security. 
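An added example, not code from the original article, showing how the storage and composition rules in the list above look in code: a policy check for the eight-character, character-class, default-password and personal-hint rules, and salted PBKDF2 storage so the password itself is never kept in plain text. The default-password list, the iteration count and the user record are constructed assumptions.

```python
"""Password policy check and plaintext-free storage (added example)."""
import hashlib
import hmac
import os
import string

# Assumption: vendor defaults the organization knows its systems ship with.
KNOWN_DEFAULTS = {"admin", "password", "changeme", "12345678"}
PBKDF2_ITERATIONS = 200_000  # assumption; tune to the hardware in use

def policy_violations(password, personal_hints=()):
    """Return the rules the candidate breaks (empty list means it passes).
    `personal_hints` holds values the user should not build a password from,
    e.g. a birth year, pet name or family name."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    if password.lower() in KNOWN_DEFAULTS:
        problems.append("is a known default password")
    lowered = password.lower()
    for hint in personal_hints:
        if len(hint) >= 4 and hint.lower() in lowered:
            problems.append(f"contains personal information '{hint}'")
    return problems

def store_password(password):
    """Build the record that goes to the database: algorithm, parameters, random
    salt and derived key. The plaintext password is not part of it."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2_sha256", "iter": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": key.hex()}

def verify_password(record, candidate):
    """Re-derive with the stored salt and parameters; constant-time compare."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                              bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(key.hex(), record["hash"])

if __name__ == "__main__":
    print(policy_violations("password"))                      # default + missing classes
    print(policy_violations("Fluffy#2020", ["Fluffy", "1990"]))  # contains pet name
    record = store_password("Correct-Horse7")                  # constructed sample
    print(record["alg"], verify_password(record, "Correct-Horse7"))
```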

Conclusion 

While no security system is perfect, proper password management can significantly reduce the risk of hacking. Users are encouraged to be more aware of the importance of regularly changing passwords and implementing Multi-Factor Authentication (MFA) for added protection. 

Have you ensured the password security of your digital accounts? 

Syifa Aulia Sari
IT GRC Consultant
Robere & Associates (Indonesia)

Ensuring Business Resilience with a Business Continuity Plan (BCP)

The Impact of Pandemics on Business Continuity

Since the COVID-19 pandemic swept across the globe in 2020, various industry sectors have faced significant challenges in their operations. With restricted workplace activities, many companies encountered substantial business disruption risks. Some even had to halt partial or entire operational processes due to resource limitations and supply chain disruptions. To ensure business runs smoothly amidst a crisis, companies need to develop a Business Continuity Plan (BCP) as an anticipatory measure against uncertainty. With meticulous planning, organizations can maintain business continuity without compromising workforce safety.

What is a Business Continuity Plan (BCP)?

According to ISO 22301, a Business Continuity Plan (BCP) is documented information that guides an organization in responding to disruptions and ensuring operational continuity until recovery. The primary objective of developing a BCP during a pandemic is to ensure business operations continue without jeopardizing employee health and safety.

Below are key steps for developing an effective BCP: 

1. Establishing a Crisis Management Team

The first step is to establish a Crisis Management Team responsible for managing the business amidst the pandemic. This team is led by a director or chief executive, with members from various departments such as operations, finance, and HR. The main tasks of the Crisis Management Team include: 

  • Identifying the most crucial business aspects. 

  • Developing appropriate emergency policies. 

  • Coordinating with stakeholders for risk mitigation. 

2. Identifying Critical Business Aspects

Companies must determine the most vital processes, assets, and resources for maintaining business operations. Several crucial aspects include: 

  • Core functions that cannot be halted, such as customer service and banking operations. 

  • Critical infrastructure like servers, data centers, and financial systems. 

  • The need for Personal Protective Equipment (PPE) for employees to ensure their safety in the workplace. 

3. Developing Emergency Policies

In a pandemic situation, several emergency policies that can be implemented include:

  • Work from Home (WFH) to reduce exposure risk.

  • Shift working systems to limit the number of employees in the office.

  • Restrictions on business travel in accordance with local government regulations. 

4. Establishing Effective Communication Channels

Communication is a key factor in business continuity during a crisis. All stakeholders, both internal and external, must receive the latest information regarding changes in company policies or operations.

Some effective communication strategies include: 

  • Utilizing digital platforms for remote coordination. 

  • Transparency in communicating policies to employees and business partners. 

  • Collaborating with medical personnel or authorities for health risk mitigation. 

5. Conducting BCP Simulations and Evaluations

Companies must conduct test implementations of their BCP to ensure the effectiveness of the strategies developed. These simulations help in: 

  • Identifying weaknesses in the plan. 

  • Refining risk mitigation strategies based on occurring scenarios. 

  • Optimizing the company’s response to potential disruptions. 

6. Developing Business Recovery Strategies

After a crisis subsides, companies must have a recovery strategy to return to normal operations. Several steps that can be taken include: 

  • Maintaining good relationships with customers and suppliers. 

  • Identifying alternative suppliers in case of supply chain disruptions. 

  • Protecting and recovering company assets, including important data and documents. 

Conclusion

Facing crises like a pandemic requires a well-structured business strategy. With a robust Business Continuity Plan (BCP), companies can ensure operational continuity, protect their workforce, and mitigate detrimental financial impacts.

Has your company developed an effective Business Continuity Plan? 


Muhammad Arief Nurhidayat
Business Development Manager
Robere & Associates (Indonesia)

Information Security Management System (ISMS): Data Protection and Business Security

The Importance of an Information Security Management System (ISMS) in the Digital Business Landscape 

In today’s era of digital transformation, business and technology are almost inseparable. The rapid advancement of technology has become a significant driver for businesses to expand their operations. Without Information Technology, organizations cannot function effectively and efficiently, as the information generated from information systems is crucial for making informed policies and decisions. Discussions about information technology are intrinsically linked to the internet, which acts as an intermediary, facilitating easy access to information. The internet effectively removes barriers of space and time, enabling the seamless dissemination of information without delay, making distance and time no longer primary obstacles in this age. 

Cyber Threats and Information Security Challenges 

The internet was first introduced by the World Wide Web over 30 years ago, and the number of internet users worldwide is astounding. A 2018 survey by We Are Social stated that 55 percent of the global population were active internet users. With a global population of 7.655 billion, this means over 4.176 billion people use the internet. This indicates the internet’s immense role in daily life. 

In Indonesia, according to a survey by the Indonesian Internet Service Providers Association (APJII) at the end of 2017, 54.68 percent of the Indonesian population were active internet users. If the total population of Indonesia is 262 million, then at least 143.26 million people were active internet users. This number has continuously increased from previous years, with 110.2 million internet users in 2015 and 132.7 million in 2016, as shown in Figure 1.1. 

Figure 1.1: Indonesian Internet User Penetration 2017 (APJII Data: 2017) 


This data highlights the increasing reliance of individuals, businesses, and all stakeholders on accessing data and information anywhere, anytime. This dependency aims to obtain information that supports increased company effectiveness and efficiency, and helps achieve business objectives. Conversely, as technology and information evolve, threats to information management also escalate. The growth in internet users mentioned above is regrettable because it is not paralleled by an awareness of internet security. This makes systems highly vulnerable to malware threats through existing weaknesses. 

In 2017, known as the era of the Internet of Things (IoT), information security systems were shaken by the WannaCry ransomware attack. Between January and December 2018, the most frequent information security incidents were Web Defacement, followed by Malware, Spam, IP Brute Force, Phishing, and others (BSSN, ISSN 2655-8467, Volume 1, 2018). According to the Security Report by the National Cyber and Crypto Agency (BSSN) in 2018, there were 513,863 cyberattacks in Indonesia, most of which were malware activities, accounting for 12,895,554 incidents.

This reality underscores the urgency of enhancing information security. Work processes involving internet networks are highly susceptible to malware attacks from malicious parties. To protect company information, these risks must be managed and minimized. 

Companies must implement malware control and malware protection. To prevent malware incidents within a company, it is advisable not to open spam emails from unknown sources or senders. Suspicious emails that may damage computers due to containing viruses, malware, or similar threats will typically be moved to a spam folder. If an opened email contains file attachments, it is best not to download them, or if the sender is unrecognized, the email should be blocked. 

Implementing ISO/IEC 27001:2013 for Information Security 

In accordance with ISO/IEC 27001:2013, companies must safeguard information security from various potential threats. One way to do this is by installing antivirus software on computer devices, which aligns with the implementation of Annex 12.2.1 concerning malware protection. If a company uses a wireless network system, it must ensure that it has technicians capable of securing the network in accordance with Annex 13.1.1 on network security. Companies must also ensure that they always lock routers and encrypt all information in accordance with Annex 10.1.1 on encryption controls. If necessary, always password-protect all computer data networks and hide all systems in accordance with Annex 9.4.3 on password usage. 

Overall, companies must protect information security from various potential threats. Information security can be maintained by installing antivirus software on computer devices and securing networks. If a company uses a wireless network system, it must ensure that it has technicians capable of securing the network. Companies must also ensure that they always lock routers and encrypt all information. If necessary, always password-protect all computer data networks and hide all systems. By hiding data, at the very least, this can prevent potential internal company crime. 

One form of control that can be implemented to minimize external and internal risks and threats is the adoption of an Information Security Management System (ISMS), referencing ISO/IEC 27001:2013. According to ISO/IEC 27001:2013, ISMS is defined as part of an overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, improve, and maintain information security, as well as to preserve the confidentiality, integrity, and availability of information, and to manage and control information security risks within an organization or company. 

Conclusion: Why ISMS is Crucial for Business Continuity 

By implementing ISO/IEC 27001:2013, companies can protect and maintain the confidentiality, integrity, and availability of information, and manage and control information security risks within the organization or company. ISO/IEC 27001:2013 provides assurance to clients and business partners that the company has a robust information security management system in line with international standards. If a company has implemented an Information Security Management System (ISMS), it will be able to control information assets from threats and attacks, indirectly guaranteeing the continuity of business operations. 

Syifa Aulia Sari
IT GRC Consultant
Robere & Associates (Indonesia)

The Relationship Between the RACI Matrix and Risk Management Systems

The implementation of Risk Management is closely linked to communication and consultation processes. These processes are crucial factors supporting the smooth progression of risk management from stage to stage. It’s undeniable that communication and consultation with various stakeholders can influence decisions, both in establishing the framework and executing risk management processes. Consequently, a breakdown in communication and consultation can lead to new risks. 

Discussing communication failures in risk management implementation, we can refer to a significant case in 2001: the Enron bankruptcy. Enron failed to provide information consistent with reality, preventing the Enron risk management team from identifying the risks they would face. Accurate and up-to-date data from a company is vital for identifying impending risks; without such information, a company can only predict risks based on historical data, which may not always be accurate. 

In connection with the above, this article will discuss a method that can be used to clearly structure and identify an effective workflow for communication and consultation in implementing a Risk Management System: the RACI Matrix. This method helps organizations identify parties involved in Risk Management System communication and consultation processes, typically categorized into four roles: Responsible (R), Accountable (A), Consulted (C), and Informed (I). As a guide for constructing a RACI Matrix, several stages can be followed: 

  1. Identify Stakeholders in the Risk Management System 
    Before creating a RACI Matrix, it’s essential to determine all parties with an interest in the Risk Management System. Examples include:

    • Board of Commissioners 
    • Board of Directors 
    • Department Managers / Division Heads 
    • Department Staff / Risk Owners 
    • External Stakeholders (Customers, Shareholders, Government, Risk Consultants, etc.) 
  2. Identify Stages to be Performed in the Risk Management System 
    After identifying stakeholders, it’s necessary to pinpoint the stages involved in implementing the Risk Management System. Examples include: 

    • Establishing Scope, Context, and Criteria 
    • Risk Identification 
    • Risk Analysis 
    • Risk Evaluation 
    • Risk Treatment 
    • Risk Monitoring and Review 
    • Risk Recording and Reporting 

    For improvement, the more detailed the description for each stage in the Risk Management System, the clearer the roles of the stakeholders involved in executing those stages will be. 

  3. Constructing the RACI Matrix 
    The RACI Matrix is developed based on the roles of stakeholders concerning the stages performed in operating the Risk Management System. As mentioned earlier, these roles are divided into: 

    • Responsible (R): The party tasked with executing a specific stage within the Risk Management System process. Examples include Department Staff / Risk Owners. 
    • Accountable (A): The party ultimately responsible for the outcome of a Risk Management System-related stage and the decision-maker for any issues that arise. Examples include leaders in respective Work Units / Departments / Divisions (Department Managers / Division Heads). 
    • Consulted (C): The party possessing expertise related to the Risk Management System. Examples include the Enterprise Risk Management (ERM) Department, Risk Analysts, Risk Consultants. 
    • Informed (I): The party who receives information regarding the results of the Risk Management System implementation stages. Examples include the Board of Commissioners, Company Directors, and External Stakeholders. 

    An example of a RACI Matrix format can be seen in Table 1.1 below:

    Table 1.1: RACI Matrix

  4. Additional Information for the RACI Matrix
    Once the RACI Matrix has been developed, additional details can be added, such as: 

    • The type of information delivered as an output from each stage of the Risk Management System. Examples include Risk Identification Reports, Risk Management System Evaluation Reports, etc. 
    • The method of delivering the results of the Risk Management System stages. Examples include Monthly Meetings, Yearly Meetings, Management Review Meetings, Email, Letters, etc. 
    • The frequency of delivering the results of the Risk Management System stages. Examples include monthly, semi-annually, annually, every 3 months, etc. 

Fundamentally, the RACI Matrix is a method aimed at enhancing the effectiveness of the Risk Management System implemented by an organization. The expectation is that if an organization or company develops a well-structured RACI Matrix, it will achieve: 

  • No overlap in duties and responsibilities when implementing the Risk Management System. 
  • Quicker decision-making and problem resolution. 
  • Clearer internal and external information distribution. 
  • Transparency regarding information in operating the Risk Management System. 

Hilman Badhi Adikara
Non-IT GRC Consultant
Robere & Associates (Indonesia)


The Importance of Customer Satisfaction Surveys in Enhancing Customer Loyalty and Business Competitiveness

Customer satisfaction is a crucial factor in the sustainability of any company. As end-users of products or services, customers play a vital role in shaping the direction of business growth. Therefore, conducting customer satisfaction surveys is a reflection of a company’s commitment to ensuring that customer needs and expectations are properly met.

Benefits of Customer Satisfaction Surveys for Companies

Customer satisfaction surveys offer numerous benefits, including:

  1. Assessing Product and Service Quality
    These surveys allow companies to gauge how well their products or services meet customer expectations. Understanding customer satisfaction levels helps identify areas for improvement.

  2. Identifying Areas for Improvement
    Surveys serve as evaluation tools to enhance the quality of products and services. By gathering customer feedback, companies can implement more targeted and market-relevant improvements.

  3. Analyzing Customer Behavior
    Survey data helps companies understand customer behavior patterns, preferences, habits, and the factors that influence purchasing decisions. This insight can be used to develop more effective marketing strategies.

  4. Enhancing Competitive Advantage
    Customer satisfaction surveys also enable companies to benchmark their products and services against competitors. By understanding competitive strengths and weaknesses, businesses can develop more strategic approaches and expand market share.

Methods for Conducting Customer Satisfaction Surveys

There are several methods that companies can use to conduct customer satisfaction surveys, such as:

  1. Distributing Survey Forms to Customers
    This is the simplest way to collect customer feedback. Surveys can be distributed in written form or through digital platforms such as email, social media, or company websites.

  2. Customer Business Meetings
    Holding direct meetings with customers allows companies to receive real-time feedback. These sessions also provide an opportunity to engage in discussions and offer tailored solutions.

  3. Lost Customer Analysis
    This method involves contacting customers who have stopped using the company’s products or services to understand why they switched to competitors. The data gathered is valuable for service improvement and customer retention efforts.

The Importance of Customer Satisfaction Surveys in Quality Management Systems

Customer satisfaction surveys are also a requirement in the implementation of quality management systems such as ISO 9001. Conducting these surveys regularly allows companies to:

  • Evaluate the effectiveness of products and services

  • Identify and proactively address customer complaints

  • Ensure continuous quality improvement

  • Build long-term customer relationships

Conclusion

Conducting customer satisfaction surveys is more than a mere formality—it is a strategic business approach to improving service quality, retaining customers, and outperforming competitors. By understanding customer needs and acting on survey results, companies can continue to grow and build stronger customer loyalty.

If you want to learn more about how to enhance customer satisfaction and implement data-driven business strategies, make sure to conduct regular customer satisfaction surveys and analyze the results thoroughly.

Consult with us