On 18 December 2023, the National Cyber Security Committee (NCSC) adopted cybersecurity standards aimed at defining characteristics and ensuring the security of information systems or critical infrastructures. The standard was issued under the Cybersecurity Act and establishes a risk-based security classification for organisations’ data or information systems. Organisations must perform a self-assessment based on three key security objectives: confidentiality, integrity, and availability. Each is categorised into three risk levels (low, medium, and high). The assessment considers the potential impact on financial value, reputation, number of service users, ability to perform duties, and state stability or public order. The risk levels for the three objectives are assessed by evaluating whether the effects are classified as “minimal,” “severe,” or “very severe.” The risk levels are determined by the severity of effects on confidentiality (unauthorised disclosure), integrity (unauthorised alteration or destruction), and availability (inability to access data). Each type of data must be assessed, and the highest risk level dictates the overall security category. The security category should be reviewed at least every three years, with proper record-keeping of the results.