Information Security Policy

1. PURPOSE
This Information Security Policy establishes the framework for protecting the confidentiality, integrity, and availability of information assets within the defined ISMS scope.
It defines the Management Committee's commitment to, and direction for, implementing, maintaining, and continually improving an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022.
It sets out the high-level principles and governance arrangements for managing information security risks across that scope; detailed requirements are defined in the supporting policies and procedures referenced below.


2. SCOPE
This policy applies to all employees, contractors, and relevant third parties operating within the formally defined ISMS scope, as documented in the ISMS Governance & Operation Process.
All personnel within the ISMS scope are required to comply with this policy and supporting procedures.


3. INFORMATION SECURITY PRINCIPLES
ThaiQuest is committed to the following information security principles:
• Protecting the confidentiality, integrity, and availability of information assets
• Applying a risk-based approach to the identification, assessment, and treatment of information security risks
• Ensuring compliance with applicable legal, regulatory, and contractual obligations
• Assigning clear accountability for information security roles and responsibilities
• Promoting information security awareness among employees and relevant third parties
• Continually improving the effectiveness of the ISMS


4. INFORMATION SECURITY OBJECTIVES
ThaiQuest establishes measurable information security objectives that support business strategy and regulatory requirements. Objectives include, but are not limited to:
• Maintaining an effective Information Security Management System aligned with ISO/IEC 27001:2022
• Protecting against unauthorized access to production systems
• Ensuring availability and resilience of production systems
• Detecting and responding to information security incidents in a timely manner
• Maintaining legal, regulatory and contractual compliance
Information security objectives are monitored periodically and reviewed during Management Review to ensure continued suitability and effectiveness.


5. MANAGEMENT COMMITMENT
The Management Committee commits to:
• Supporting the ISMS and ensuring alignment with business strategy
• Providing adequate resources for effective implementation
• Approving risk treatment decisions and risk acceptance
• Participating in Management Reviews
• Promoting continual improvement of information security
The Management Committee retains overall accountability for the effectiveness of the ISMS. The Management Committee ensures that the Information Security Policy is established, communicated, and understood within the organization.


6. RISK MANAGEMENT
Information security risks shall be:
• Identified, analyzed, and evaluated using a defined risk assessment methodology
• Assigned to responsible risk owners
• Treated in accordance with the approved risk acceptance criteria and risk tolerance levels
• Reviewed periodically and upon significant changes to the business, systems, or threat environment
Risk treatment decisions, including any acceptance of residual risk, shall be documented and approved by the Management Committee. Risk acceptance criteria and risk tolerance levels shall be approved by the Management Committee and reviewed at least annually. The Statement of Applicability (SoA) records the controls selected to treat identified risks, together with the justification for each inclusion or exclusion, in alignment with ISO/IEC 27001:2022.


7. CONTROL FRAMEWORK
Security controls shall be selected and implemented based on:
• Risk assessment results
• Legal and regulatory requirements
• Contractual obligations
• Business and operational needs
Controls shall be implemented in accordance with ISO/IEC 27001:2022 and the approved Statement of Applicability (SoA), and shall be supported by documented procedures where necessary to ensure consistent operation.


8. ROLES & RESPONSIBILITIES
Information security responsibilities are assigned as follows:
• Management Committee: Overall accountability and strategic direction
• ISMS Manager: Coordination and oversight of ISMS operation
• Risk Owners: Management and treatment of assigned risks
• Control Owners: Implementation and operation of controls
• Employees and Contractors: Compliance with security policies and procedures
ThaiQuest ensures that personnel performing information security-related roles are competent based on appropriate education, training, and experience.
All employees and contractors shall receive appropriate information security awareness training and are responsible for complying with applicable security policies and procedures.


9. COMPLIANCE OBLIGATIONS
ThaiQuest shall comply with:
• Applicable laws and regulations
• Exchange and market data provider requirements
• Contractual obligations
• Internal policies and procedures
Compliance requirements shall be identified, documented, and periodically reviewed to ensure continued adherence. Non-compliance may result in disciplinary action, contractual consequences, or legal measures where applicable.


10. INCIDENT MANAGEMENT
All information security incidents, suspected incidents, and observed security weaknesses must be reported promptly through the designated reporting channels. Incidents shall be investigated, managed, and reviewed in accordance with the Incident Response Procedure, including root cause analysis and corrective actions where necessary.


11. BUSINESS CONTINUITY
ThaiQuest maintains business continuity and disaster recovery capabilities to:
• Protect core digital platforms and supporting infrastructure
• Minimize operational disruption
• Ensure recovery within defined recovery objectives
Recovery objectives and continuity arrangements shall be defined, documented, and tested periodically.


12. MONITORING, AUDIT, AND REVIEW
The effectiveness of the ISMS is monitored through:
• Performance metrics
• Internal audits
• Management reviews
• Corrective action tracking
Monitoring and review results shall be documented and used to support continual improvement. The ISMS shall be reviewed at least annually to ensure suitability, adequacy, and effectiveness.


13. CONTINUAL IMPROVEMENT
ThaiQuest is committed to continually improving information security by:
• Addressing audit findings
• Implementing corrective actions
• Reviewing risk treatment effectiveness
• Updating controls in response to evolving threats


14. POLICY COMMUNICATION
This policy shall be:
• Approved by the Management Committee
• Communicated to all employees and relevant external parties
• Available to interested parties as appropriate
• Maintained as documented information under document control procedures


15. ENFORCEMENT
Failure to comply with this policy may result in:
• Disciplinary action
• Contract termination
• Legal consequences where applicable


16. POLICY REVIEW
This policy shall be:
• Reviewed at least annually
• Updated when significant changes occur to business operations, risk environment, or regulatory requirements
• Approved by the Management Committee