IT Security, Cybersecurity Process and Infrastructure
Independent External Audits (ISO 27001) by Certified Body Audit
EGCO Group’s IT Infrastructure and Information Security Management System have been certified to ISO/IEC 27001:2022 by SGS United Kingdom Ltd. This certification covers a range of processes including the data security management system of a data center, infrastructure operation services, network management services, hardware and operational system services in compliance with “SM-0123-0002 Rev.03 dated 5 September 2024”, incident management process, change management process, document control service, asset utilization monitoring, and other processes relating to the corporate IT management system. The Company conducted third-party vulnerability analysis, simulated hacker attacks, phishing mail attacks, all systems recovery plan testing, and internal audits before the certification audits.
Internal Audits
EGCO Group conducts internal audits of its IT Infrastructure and Information Security Management System (ISMS) on an annual basis. In August 2024, EGCO Group appointed Maximus International (Thailand) Co., Ltd. to perform, on behalf of EGCO Group, an internal audit of the ISMS specifically pertaining to EGCO Group’s Data Centre Operation Services. The audit process encompassed five key areas: organizational, people, physical, technological, and management aspects of ISMS activities. The audit concluded that the company's ISMS aligns with all requirements of the ISO/IEC 27001:2022 standard, and the company is committed to further system improvements.
Vulnerability Analysis
Additionally, in August 2024, EGCO Group engaged Maximus International (Thailand) Co., Ltd. to conduct a vulnerability assessment of a total of 59 assets with assigned IP addresses via authenticated scan. The assessment discovered a total of 4 distinct vulnerabilities across all assets scanned. All identified vulnerabilities were mitigated accordingly. The vulnerability assessment forms part of EGCO Group’s broader cybersecurity management programs, which include penetration testing and simulated attack scenarios where necessary. EGCO Group plans to conduct vulnerability tests at least semi-annually.
Information Security-Related Business Continuity Plan
EGCO Group has established a Business Continuity Plan (BCP) for Information Technology Services. This plan focuses on key areas such as recovery protocols, clear assignment of responsibilities, coordination strategies, and prioritizing safety and preparedness to ensure ongoing business operations. To validate the plan's effectiveness, the company schedules business continuity system tests at least semi-annually. These tests involve functional exercises of critical processes, designed to confirm that all personnel understand their designated roles and responsibilities, and to guarantee the seamless operation of critical business functions in the event of any failure or disaster. Ultimately, the Infrastructure and Information Security Division manager holds overall responsibility for the BCP.
