SEC-The Securities and Exchange Commission IT-related Regulatory Compliance Audit
Name of Regulatory Compliance Audit
Regulatory Compliance Audit Based on The Securities and Exchange Commission (SEC) Announcement ST. 38/2565 - Detailed Requirements for Information Technology Provisioning (audit assessment referenced to the Office of the Securities and Exchange Commission Announcement No. SorThor. 38/2565 on Detailed Requirements Regarding the Provision of Information Technology Systems)
About This Audit
The key objective of this announcement is to require an 'enterprise', as defined by the SEC, to manage, control and resolve IT risks affecting the confidentiality, integrity and availability (CIA) of its information systems. As a result, trust and reliability in the eyes of clients and the public can be improved, and legal action against the enterprise or termination of its contracts can be avoided. The announcement requires the enterprise to submit the results of its IT risk assessment, based on its RLA (Risk Level Assessment), to the SEC and to comply with the additional requirements set out in its Annexes, which cover Information Technology Governance, Information Technology Security and Information Technology Audit.
Type of Audit
- Audit Scope
TUV NORD Thailand's SEC IT Compliance Audit Service
TUV NORD Thailand Limited was established in 1989 as part of the TÜV NORD Group. Over the past decades, TUV NORD Thailand has accumulated extensive experience in information security, IT risk and IT-related certification. This enables us to advise our customers on the full range of information security and IT-related service provisioning, and to act as experts in information security, IT risk and IT-related audits.
Regulatory Compliance Audit Process
1. Understand the requirements of SEC Announcement ST. 38/2565 and SEC Guideline Announcement NP. 7/2565.
2. Establish the scope, objectives and context of the organization in accordance with ST. 38/2565.
3. Obtain management buy-in.
4. Perform risk assessment activities and fill in the 'Risk Level Assessment' worksheet.
5. Implement controls to mitigate information security risks.
6. Organize information security training for relevant parties.
7. Review and update the mandatory documentation according to SEC Announcement ST. 38/2565 and SEC Guideline Announcement NP. 7/2565.
8. Choose a non-accredited certification body, e.g., TUV NORD Thailand, to conduct a regulatory compliance audit against SEC Announcement ST. 38/2565 and SEC Guideline Announcement NP. 7/2565.
Reference
- SEC Guideline Announcement NP. 7/2565: Guidelines on Information Technology Provisioning