The Ministry of State-Owned Enterprises (BUMN) has introduced pivotal regulations to strengthen IT governance and cybersecurity within the BUMN ecosystem. One such regulation, SK-190/MBU/07/2024, outlines technical guidelines for IT reporting, audits, and assessments, with full implementation required by 2025.
Key Requirements Under SK-190
BUMN are required to undertake three primary activities to ensure compliance:
a. IT Reporting
Frequency: Reports must be submitted quarterly and annually.
Purpose: To provide detailed updates on IT operations and on compliance with relevant regulations, and to measure the value of each IT implementation, with effectiveness assessed by its business impact, process improvement, system improvement, regulatory compliance or other relevant metrics.
b. IT Audit
Frequency: Conducted at least once a year.
Scope: Includes assessments of regulatory compliance and adherence to internal IT implementation policies.
Auditor: Can be performed by internal or external parties.
c. IT Implementation Assessment
Frequency: Required at least once every two years.
Auditor: Must be carried out by independent external assessors.
Addressing 24 Priority Control Objectives
To strengthen IT governance, the regulation prioritizes 24 control objectives across the five COBIT 2019 domains, with a minimum capability level of 3 on a scale from 0 (incomplete) to 5 (optimizing):
Domain | Details |
Evaluate, Direct and Monitor (EDM) | EDM01 Ensured Governance Framework Setting and Maintenance; EDM02 Ensured Benefits Delivery |
Align, Plan, and Organize (APO) | APO01 Managed I&T Management Framework; APO02 Managed Strategy; APO03 Managed Enterprise Architecture; APO05 Managed Portfolio; APO06 Managed Budget and Costs; APO09 Managed Service Agreements; APO10 Managed Vendors; APO12 Managed Risk; APO13 Managed Security; APO14 Managed Data |
Build, Acquire, and Implement (BAI) | BAI02 Managed Requirements Definition; BAI03 Managed Solution Identification and Build; BAI04 Managed Availability and Capacity; BAI06 Managed IT Changes; BAI07 Managed IT Changes Acceptance and Transitioning; BAI09 Managed Assets; BAI11 Managed Project |
Deliver, Service, and Support (DSS) | DSS01 Managed Operations; DSS02 Managed Service Requests and Incidents; DSS04 Managed Continuity; DSS05 Managed Security Services |
Monitor, Evaluate, and Assess (MEA) | MEA01 Managed Performance and Conformance Monitoring |
How Crowe Can Help
External assessors for BUMN IT implementation assessments must meet strict criteria, including a minimum of five years of experience with international IT governance frameworks, a team of certified professionals, and independence from the assessed BUMN. These standards ensure unbiased and objective evaluations aligned with regulatory expectations.
Crowe meets these requirements, offering extensive experience in IT governance implementation, audits, and assessment. Our services are designed to deliver high assurance, enabling our clients to make better decisions and achieve IT governance leading practice for sustainable growth.