Skip to main content

ISO Compliance

Overview

Core Banking ISO Security Service mengimplementasikan 3 standar ISO untuk keamanan dan kepatuhan perbankan.

ISO 27001 - Information Security Management

Controls Implemented

ControlDescriptionImplementation
A.9.1Access controlJWT + RBAC
A.9.2User access managementRole-based permissions
A.9.4System and application access controlAPI authentication
A.12.4Logging and monitoringAudit trail + WebSocket alerts
A.12.6Vulnerability managementRegular security updates
A.18.1Compliance with legal requirementsAudit logging

Implementation

@Configuration
@EnableWebSecurity
public class SecurityConfig {

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable())
.sessionManagement(session ->
session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(auth -> auth
.requestMatchers("/auth/login").permitAll()
.requestMatchers("/iso/health").permitAll()
.requestMatchers("/ws/**").permitAll()
.requestMatchers("/api/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
)
.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);

return http.build();
}
}

ISO 20022 - Financial Messaging

Message Formats

Message TypeCodeDescription
Customer Credit Transferpacs.008Domestic transfer
Payment Status Reportpacs.002Payment confirmation
Financial Institution Credit Transferpacs.009Interbank transfer
Customer Direct Debitpain.008Direct debit

Implementation

@Service
public class Iso20022Service {

public Pacs008 createCreditTransfer(Transaction txn) {
Pacs008 pacs = new Pacs008();

// Group Header
pacs.setCreDtTm(LocalDateTime.now());
pacs.setMsgId(generateMessageId());
pacs.setNbOfTxs(1);

// Payment Information
PaymentInformation pi = new PaymentInformation();
pi.setPmtInfId(generatePaymentInfoId());
pi.setPmtMtd("TRF");

// Credit Transfer Transaction Information
CreditTransferTransactionInformation ctti = new CreditTransferTransactionInformation();
ctti.setPmtId(generatePaymentId());
ctti.setAmt(new ActiveOrHistoricCurrencyAndAmount()
.setValue(txn.getAmount())
.setCcy("IDR"));
ctti.setDbtrAgt(new FinancialInstitutionCustomerCreditTransfer()
.setBranchId(txn.getFromBank()));
ctti.setCdtrAgt(new FinancialInstitutionCustomerCreditTransfer()
.setBranchId(txn.getToBank()));

pacs.setPaymentInformation(pi);
return pacs;
}
}

ISO 22301 - Business Continuity Management

Requirements

RequirementTargetImplementation
RTO (Recovery Time Objective)4 hoursHA configuration, auto-failover
RPO (Recovery Point Objective)1 hourRegular backups, WAL archiving
Health ChecksEvery 30sSpring Boot Actuator
Circuit BreakersAutomaticResilience4j

Implementation

@Configuration
public class BusinessContinuityConfig {

@Bean
public CircuitBreaker circuitBreaker() {
return CircuitBreaker.ofDefaults("coreBanking");
}

@Bean
public Retry retry() {
return Retry.of("coreBanking", RetryConfig.custom()
.maxAttempts(3)
.waitDuration(Duration.ofSeconds(1))
.build());
}

@Bean
public TimeLimiter timeLimiter() {
return TimeLimiter.of("coreBanking", TimeLimiterConfig.custom()
.timeoutDuration(Duration.ofSeconds(5))
.build());
}
}

Health Check

@Component
public class CoreBankingHealthIndicator implements HealthIndicator {

@Autowired
private DataSource dataSource;

@Override
public Health health() {
try (Connection conn = dataSource.getConnection()) {
if (conn.isValid(5)) {
return Health.up()
.withDetail("database", "accessible")
.withDetail("timestamp", Instant.now())
.build();
}
} catch (SQLException e) {
return Health.down()
.withDetail("database", e.getMessage())
.build();
}
return Health.down().build();
}
}

Compliance Dashboard

API Response

{
"iso27001": {
"status": "COMPLIANT",
"controls": {
"accessControl": "IMPLEMENTED",
"auditLogging": "IMPLEMENTED",
"encryption": "IMPLEMENTED"
},
"lastAudit": "2026-06-15T00:00:00Z",
"findings": 0
},
"iso20022": {
"status": "COMPLIANT",
"messageFormats": {
"pacs.008": "IMPLEMENTED",
"pacs.002": "IMPLEMENTED"
},
"lastValidation": "2026-07-06T00:00:00Z"
},
"iso22301": {
"status": "COMPLIANT",
"targets": {
"rto": "4 hours",
"rpo": "1 hour"
},
"lastTest": "2026-06-01T00:00:00Z",
"circuitBreakers": "ACTIVE"
}
}

Next Steps