Penetration testing has moved from a good-practice nice-to-have to a regulatory expectation for Indonesian banks. If you run technology for a commercial bank, your testing programme needs to satisfy the regulator, not just your own assurance goals. This guide explains where the requirement actually comes from, how often you need to test, what the test should cover, and what to do with the findings.
What POJK 11/2022 asks of banks
It helps to be precise about the regulation, because the headline number is only half the story. POJK No. 11/POJK.03/2022, on information technology implementation by commercial banks, is the umbrella regulation. It was issued in July 2022 and sets out the expectations for IT governance and IT risk management, including the requirement that systems are tested and secure before they reach production.
POJK 11/2022 by itself does not spell out penetration testing frequency, scope, or reporting deadlines. Those specifics live in its implementing circular, SEOJK No. 29/SEOJK.03/2022 on cyber resilience and security for commercial banks, issued in December 2022. So when people talk about pentest obligations under POJK 11/2022, the operational detail they mean is in SEOJK 29/2022. The two should be read together.
SEOJK 29/2022 frames cyber security testing in two forms. The first is vulnerability-analysis-based testing, which identifies weaknesses and then attempts to exploit them through penetration testing. The second is scenario-based testing, which validates how well the bank detects, mitigates, and recovers from an incident.
Scoping your test
How much testing you need is driven by your risk, not by your capital tier. SEOJK 29/2022 has banks assess their inherent cyber risk across five levels, weighing factors such as the technology in use, the products offered, the bank's characteristics, and its cyber incident history. A bank with heavy digital channels and a history of serious findings sits higher on that scale and should test more intensively than a small, low-exposure bank.
Translating that assessment into a testing scope means weighing three things together: the bank's inherent risk level, how much of its business runs through digital channels, and what previous tests have found.
Any scope and cadence that comes out of that weighing is indicative, but the logic mirrors how OJK expects banks to think: more exposure and more risk mean more frequent and broader testing. Internet-facing banking applications, both web and mobile, deserve particular attention because they are where most real-world attacks land.
How often and what to cover
The baseline is clear. SEOJK 29/2022 requires cyber security testing at least once a year. Higher-risk banks, and any bank making significant changes to its systems, should test more often than the annual minimum. Testing can be performed by an internal team or a qualified third party, subject to the conditions OJK sets.
A mature programme spreads testing across the year rather than cramming it into a single annual exercise. Annual external and internal penetration tests form the core, supplemented by tests before significant new systems go live, a scenario-based resilience exercise, and the annual inherent risk and maturity assessments. One reporting detail matters: the results of scenario-based testing must be reported to OJK within ten business days of completion.
Turning findings into remediation
A test is only useful if its findings get fixed. Penetration test results are usually rated by severity, commonly aligned to the CVSS scale, from critical down to low. The exact severity mix varies from test to test, but a common pattern holds: a small number of critical and high findings carry most of the real risk, while a long tail of medium and low findings needs steady attention.
Remediation timeframes by severity are industry convention rather than an OJK mandate. POJK 11/2022 and SEOJK 29/2022 do not publish fixed remediation deadlines by severity, so a bank should set its own service levels, prioritise critical and high findings aggressively, and keep evidence of remediation for the regulator. What OJK does expect is that you test, that you act on what you find, and that you can show both.
At Alpha Code, we run penetration tests and resilience exercises for Indonesian banks that map directly to SEOJK 29/2022, and we help turn the findings into a remediation plan you can defend. If your annual test is approaching, scoping it correctly is where the value starts.