Information Security & Privacy Protection

Importance

          Currently, the increasing use of digital technology to support service provision, corporate management, and airport operations has made information technology (IT) security, system reliability, and privacy protection critically important. Any incident involving data breaches, system outages, or cyberattacks could cause significant harm to stakeholders and lead to a loss of trust in AOT. Moreover, such incidents may also constitute violations of human rights, specifically the right to privacy.

Policy

          AOT has established the following policies to ensure robust information and communication technology (ICT) security and cyber security; all of them cover AOT's entire operations as well as its suppliers:

  • AOT ICT Security Policy 
  • AOT Cyber Security Policy 
  • AOT Personal Data Protection Policy 
  • AOT Data Privacy Policy 

          These policies align with relevant legal and regulatory requirements. AOT ensures these policies are communicated to all employees and external parties working with AOT to raise awareness and emphasize the importance of maintaining IT security and protecting personal data. In addition, AOT regularly conducts risk assessments and security testing of its systems. The company is also certified under ISO/IEC 27001:2013, the international standard for information security management systems.

AOT ICT Security Policy

          AOT’s ICT Security Policy emphasizes ensuring the confidentiality, integrity, and availability of its ICT systems. The policy covers access to information systems, networks, operating systems, applications, and data. It mandates regular risk assessments and audits, along with the development of contingency plans to maintain business continuity and uninterrupted access to information. 

          All AOT employees and external parties working with AOT are required to acknowledge and comply with this policy to uphold the organization’s ICT security standards. 

AOT Cyber Security Policy

In 2021, AOT established its Cyber Security Policy to ensure robust cyber resilience in preventing, responding to, and mitigating risks from cyber threats—whether domestic or international—that could impact AOT’s operations or services. These threats may pose risks not only to AOT but also to national security and economic stability. 

The policy aligns with the guidelines and national cybersecurity strategy set forth by the National Cyber Security Committee, ensuring that AOT’s approach is consistent with the broader framework for maintaining cyber safety across critical infrastructure sectors. 

AOT Personal Data Protection Policy

          AOT has established its Personal Data Protection Policy to ensure the security and confidentiality of personal data related to electronic transactions. This policy covers the personal data of AOT employees, external personnel working with AOT, and service users across AOT's entire operations, including suppliers. It is reviewed regularly, at least once a year or as necessary. The President of AOT or a designated senior executive is responsible for issuing the policy, supporting operational practices, overseeing implementation, monitoring compliance, and providing guidance. Any violation or breach of this policy is considered a disciplinary offense under AOT’s internal regulations (Disciplinary Actions in Case of Breach). The Personal Data Protection Policy is also embedded in the company’s risk and compliance framework.

          The AOT Personal Data Protection Policy aligns with the Royal Decree on Criteria and Procedures for Electronic Transactions of Government Agencies B.E. 2549 (2006), the Electronic Transactions Commission’s Notification on Policy and Guidelines for Personal Data Protection of Government Agencies B.E. 2553 (2010), the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and internationally recognized practices for data privacy. 

          AOT informs users of its mobile applications about data privacy through official Terms of Use and Privacy Policies, as well as its publicly available Cookies Policy on AOT’s official website.

Management Approach

Information Security and Data Privacy Governance Structure
  The organizational structure for information security and data privacy at AOT is divided into three levels, each with a designated person or department responsible for information security and privacy issues:
    1. Board Level
    2. Executive Level
    3. Operational Level

It comprises the following bodies: 

    • AOT Digital Technology and Communication Management Committee 
    • AOT Information Security Management System (ISMS) Committee 
    • AOT ISMS Team 
    • AOT ISMS Audit Team 
    • Working Group Supporting the Duties of the Data Protection Officer (DPO) 
    • Information and Communication Technology (ICT) Division 

Board Level

Personnel/Units Involved in Information Security and Privacy: Roles and Responsibilities
Board of Directors:

Associate Professor Thira Jearsiripongkul
Independent Director / Audit Committee Member
Chairperson of the Data Security and Privacy Committee
Also serves as a member of the AOT Digital Technology and Communication Executive Committee
Relevant Work Experience in IT:
- Chairperson of the AOT Digital Technology and Communication Executive Committee (term of service: 3 April 2024 – 26 February 2025)
IT-Related Education and Training:
- Digital Transformation for CEO #3 (DTC#3), organized by Krungthep Turakij, Thansettakij, and MFEC Public Company Limited
- IT Governance and Cyber Resilience Program (ITG), Class 12/2019
Board Skills Matrix: Science and Technology / Telecommunications and Information Technology / Innovation

Mr. Kerati Kijmanawat
President
Vice Chairperson of the Data Security and Privacy Committee
Also serves as a member of the AOT Digital Technology and Communication Executive Committee
Relevant Work Experience:
- Vice Chairperson of the AOT Digital Technology and Communication Executive Committee
IT-Related Education and Training:
- Training Course on Readiness for Compliance with the Personal Data Protection Act B.E. 2562 (PDPA) for AOT Executives, Fiscal Year 2022
Roles and Responsibilities:
  • Define strategic directions, policies, and strategies related to digital technology and communications management in alignment with the enterprise architecture, while supporting AOT’s overall policy and strategy.
  • Provide guidance, consultation, and endorsement on enterprise architecture, AOT’s digital action plans, annual operation plans, and technical standards in digital technology and communications, including relevant regulations and operational procedures.
  • Review and recommend the adoption of emerging technologies and communications innovations that contribute to AOT’s strategic development, with consideration of investment efficiency and return on investment for AOT.
  • Review and approve the annual budget, as well as any additional budgets beyond the approved annual budget, related to digital technology and communications.
  • Review and provide recommendations for resolving challenges or obstacles in the implementation of digital and communication technologies across AOT’s operations.
  • Explore strategies to create added value from digital technologies and communications to enhance competitiveness, generate new revenue streams, and improve airport service efficiency.
  • Monitor the progress of digital and communications initiatives according to AOT’s digital action plans and annual operational plans. Evaluate performance outcomes using relevant indicators to inform future decisions on the adoption of digital technology and communications in AOT's operations.
  • Promote digital and communications governance in accordance with the principles of ICT governance.
  • Appoint subcommittees or working groups as appropriate to consider and/or implement specific matters in detail.
  • Report progress periodically to AOT’s Board of Directors.

Executive Management

Personnel/Departments Involved in Information Security and Privacy: Roles and Responsibilities
Executive Management:

Mr. Kittipoj Venunantana
Deputy President, Technology and Innovation Group (Chief Information Security Officer: CISO); serves as a member of the Information and Communication Technology Security Management System Committee (ISMS Committee) of AOT.
Roles and Responsibilities:
  • Oversee and manage AOT’s information and communication technology (ICT) security operations in alignment with the latest version of ISO/IEC 27001.
  • Review ISMS Management Review results submitted by the ISMS Team and operational staff within the defined ISMS scope.
  • Approve AOT’s ISMS scope for certification audit under the latest ISO/IEC 27001 standards.
  • Establish information security policies and objectives that align with AOT’s strategic direction and the defined ISMS scope.
  • Ensure that management systems and security controls are implemented to meet the information security requirements of relevant interested parties under the ISMS scope.
  • Approve the risk management framework for ICT security, including risk assessment and treatment processes, evaluation criteria, and risk acceptance thresholds.
  • Endorse ISMS risk assessment results and the corresponding risk treatment plans, as well as monitor the implementation of those plans.
  • Allocate necessary personnel and resources to support the implementation of ISMS activities.
  • Promote awareness of the importance of ISMS implementation among executives and staff within the ISMS scope.
  • Identify required actions, assign responsibilities, and monitor ISMS performance while supporting continual improvement of the system.
  • Support internal and external audits within the ISMS scope, review audit results, and oversee corrective actions for any non-conformities.
  • Appoint working groups or personnel to implement ISMS-related activities as deemed appropriate.
  • Report ISMS implementation progress to the AOT Executive Committee.

Operational Level

Personnel/Departments Involved in Information Security and Privacy: Roles and Responsibilities
Information and Communication Technology Security Management System Team
    Operational Level Responsibilities:
  • Implement management system processes and information security controls in accordance with the ISMS scope for ISO/IEC 27001:2013 certification.
  • Facilitate the development and regular review of the ISMS context, including identification of Interested Parties’ Information Security Requirements for determining the ISMS scope of AOT.
  • Support the implementation of policies, processes, controls, and operational procedures relevant to the ISMS scope.
  • Support the development of an information security risk management framework, encompassing risk assessment and risk treatment processes, risk assessment criteria, and risk acceptance criteria, for submission to the ISMS Committee for approval.
  • Coordinate with relevant departments to conduct risk assessments within the ISMS scope, including review and summary of assessment results, and report outcomes to the ISMS Committee.
  • Collaborate with relevant departments to develop risk treatment plans within the ISMS scope, monitor implementation progress, and present results to the ISMS Committee.
  • Support and coordinate implementation of information security measures under the ISMS scope in collaboration with relevant departments.
  • Facilitate the definition of performance evaluation methods and criteria, and coordinate the monitoring, measurement, analysis, and evaluation of ISMS performance.
  • Summarize implementation results within the ISMS scope for reporting to the ISMS Committee.
  • Support ISMS audits, review audit results, and propose corrective actions for identified non-conformities.
  • Promote continuous improvement of the ISMS.
  • Conduct internal reviews within the ISMS Team and report ISMS implementation results to the ISMS Committee.
Personnel/Departments Involved in Information Security and Privacy: Roles and Responsibilities
AOT Information and Communication Technology Security Management System (ISMS) Audit Team
  • Conduct audits of AOT’s Information Security Management System (ISMS) in accordance with ISO/IEC 27001 (latest version) and AOT’s internal ICT security requirements.
  • Define audit policies, scopes, and criteria aligned with the ISMS framework.
  • Prepare audit procedures and documentation in line with the ISMS scope.
  • Develop the audit programme and audit plan for annual ISMS audits.
  • Coordinate with auditees to ensure readiness for the audit process.
  • Conduct audits within the ISMS scope at least once a year.
  • Prepare audit reports, identify nonconformities (if any), and recommend improvements for the ISMS.
  • Follow up with auditees on corrective actions and provide necessary support.
  • Report audit findings to the auditee unit, ISMS Working Group, and ISMS Committee.
Data Protection Officer (DPO) Supporting Team
    Support for Personal Data Protection Operations:
  • Provide guidance and assistance to Data Controllers or Data Processors, as well as AOT departments, employees, contractors, or service providers acting on behalf of Data Controllers or Data Processors, to ensure compliance with the Personal Data Protection Act B.E. 2562 (2019).
  • Review and update AOT’s Personal Data Protection Policies, Guidelines, and related documentation and forms to ensure alignment with legal developments and organizational practices.
  • Provide adequate tools and resources, as well as facilitate access to personal data as necessary for the effective performance of the Data Protection Officer (DPO).
  • Communicate and raise awareness among AOT personnel and relevant stakeholders regarding the importance of complying with AOT’s Personal Data Protection Policies and Guidelines.
  • Require the assessment and review of risks associated with the collection, use, or disclosure of personal data at least once a year, and establish appropriate risk management plans.
  • Direct the investigation and resolution of incidents involving personal data breaches or non-compliance with relevant laws, policies, or practices. Ensure that personal data breach incidents are reported to the Office of the Personal Data Protection Committee (PDPC) within 72 hours of becoming aware of them, where feasible, and report the results of such actions to the AOT Executive Committee.
  • Provide ongoing support and cooperation with AOT’s Data Protection Officer (DPO) and the Office of the Personal Data Protection Committee (PDPC).
Digital Technology and Communication Line
  • Information and Communication Technology Strategy Department
  • ICT Operations and Maintenance Department
  • Information Systems Department
  • Digital Solutions Development Department
  • Innovation Strategy Department
AOT has established Information and Communication Technology (ICT) security as one of the Key Performance Indicators (KPIs). Employees responsible for information security are required to complete organizational digital training courses—such as ISMS Awareness, Cyber Security, and PDPA—and their performance is evaluated on a scale of 1 to 5 (Level 1 = Needs Improvement; Level 5 = Excellent). This approach ensures alignment with the organization’s operational plans.

AOT’s Information and Cybersecurity Guidelines

          AOT has established comprehensive guidelines to ensure the security of information and information systems, and to control the escalation process through which employees report incidents, vulnerabilities, or suspicious activities. These guidelines outline operational procedures for key activities, including: 

  • Procedures for transporting backup media 
  • VPN access request process to connect to AOT’s internal network 
  • Maintenance procedures for computer center support systems 
  • Guidelines for cryptographic practices and key management 
  • Procedures for user access control to information systems 
  • Information classification and corresponding handling procedures 
  • AOT Cybersecurity Guidelines and Framework 
  • Incident Response Plan (IRP) for server-related disruptions 
  • Procedures for managing information security events and incidents 
  • Cybersecurity Incident Response Plan 
  • Rapid Cyber Threat Incident Reporting Procedure 
  • ICT Business Continuity Plan (ICT BCP), which outlines procedures for AOT employees in case of incidents that pose risks to cybersecurity or business operations 

          In addition, AOT’s approach to information and cybersecurity includes mechanisms for evaluating violations of security policies and procedures. These violations are assessed as part of overall employee performance to ensure accountability and continuous improvement in cybersecurity practices, and disciplinary action is applied in case of breach.

Information and Privacy Security Audits

          AOT conducts information and privacy security audits at least twice a year (semi-annually), covering the organization’s information technology systems and outlining response measures for emergency incidents. Employees follow the Incident Response Plan (IRP) and the Information Security Event and Incident Management Procedures. The audits comprise: 

  • Internal Audits are conducted under the framework of the Information Security Management System (ISMS) Committee, ensuring compliance with internal policies and controls as well as privacy compliance.
  • External Audits are performed by third-party entities and involve vulnerability assessments, simulated cyberattacks (simulated hacker attacks), and privacy compliance reviews to evaluate system resilience. These audits assess risk exposure and verify compliance with international standards, including: 
    • ISO/IEC 27001:2013 – Information Security Management System 
    • ISO 22301:2019 – Business Continuity Management for Airport Services 

          The responsible units are required to report annual audit findings and recommendations to the relevant committees to ensure that audit results are acknowledged and acted upon in a timely manner. 

Implementation

Awareness Media via AOT STAFF System

          AOT has developed and disseminated information and privacy security awareness media through the AOT STAFF system to enhance employee awareness of information technology and privacy protection. The campaign includes various key topics, such as:

  • 10 Things the Public Should Know About the PDPA 
  • Rights of Data Subjects Under the Personal Data Protection Act (PDPA) 
  • Who’s Who in the PDPA Framework 
  • Essential Information About Data Privacy 
  • Personal Data Processing in Employment Context 
  • AOT’s Complaint Channel for Personal Data Breach Incidents 
  • Is Your Biometric Data at Risk of Being Leaked? 
  • Key Points of the Cybersecurity Act 
  • AOT Data Management Guideline 
  • How Secure Is Your Password? 
  • Desk Organization and Screen Protection Tips 
  • 10 Best Practices for Protecting Your Information Assets 
  • Highlights of the Official Information Act B.E. 2540 (1997) 

Information Technology and Privacy Training

          In the digital era, where information technology plays a pivotal role in driving organizational operations, enhancing knowledge and awareness in information and communication technology (ICT) security is essential. This ensures that personnel can work efficiently, safely, and in compliance with international standards. Additionally, training and preparedness in business continuity planning help mitigate and respond to technological threats that could impact AOT’s operations. 

  • AOT has implemented the Information and Communication Technology Security Awareness Training Program via an e-Learning system for AOT employees and staff. The training is conducted over a period of 1,230 days, aiming to equip personnel with essential knowledge aligned with ISO/IEC 27001 standards and to raise awareness of the importance of maintaining ICT security. 

ICT Business Continuity Plan (ICT BCP) Drill 

          AOT conducts Business Continuity Plan (BCP) drills for Digital and Communication Technology Systems, covering six critical systems to ensure operational resilience and readiness in the event of disruptions. These key systems include: 

  1. Log Data Retention System – in compliance with the Computer-Related Crime Act (No. 2), B.E. 2560 (2017) 
  2. IT Infrastructure Consolidation System – covering both the main and backup data centers at AOT Headquarters and Suvarnabhumi Airport 
  3. Electronic Document System (E-Document) 
  4. Airport Safety Information System (e-Safety) 
  5. AOT Application Programming Interface (AOT API) 
  6. AOT Car Park Freezone System 

Training on Personal Data Protection and Information Security Awareness 

          AOT has organized comprehensive training programs to enhance awareness and understanding of the Personal Data Protection Act B.E. 2562 (2019) among executives and employees across its six airports and headquarters. The training aims to provide legal knowledge, ensure compliance with the Act, and introduce necessary organizational measures, including general and information security-related controls to be implemented within AOT’s operations. 

          Additionally, AOT conducted training sessions to prepare personnel for the development of the Information Security Management System (ISMS) under the consultancy project for establishing ISMS in alignment with ISO/IEC 27001 standards. These training sessions covered seven core courses, designed to equip AOT staff with knowledge of best practices and compliance requirements in information security, relevant laws, regulations, and internal policies. The key topics include: 

  1. Development of the Information Security Management System (ISMS) and ISO/IEC 27001 Requirements 
  2. Roles and Responsibilities in Developing and Maintaining ISMS under ISO/IEC 27001 
  3. Information Security Risk Management 
  4. Information Security Lead Implementer Training under ISO/IEC 27001 
  5. Information Security Management System (ISMS) Auditor/Lead Auditor Training 
  6. Information Security Awareness for Executives and Employees at all seven AOT entities: Headquarters (HQ), Don Mueang International Airport (DMK), Chiang Mai International Airport (CNX), Phuket International Airport (HKT), Hat Yai International Airport (HDY), Mae Fah Luang – Chiang Rai International Airport (CEI), and Suvarnabhumi Airport (BKK) 
  7. Personal Data Protection Awareness Training in compliance with the Personal Data Protection Act B.E. 2562 (2019) 

Training Collaboration Project between AOT and the Cyber and Infrastructure Security Group (CISG)

  • CISG delivered 10 laptops pre-installed with CARSA X-ray Tutor Software to AOT under the “Enhancing AOT Security Screener Capability” project. The purpose is to utilize the laptops for training new staff and conducting refresher courses, thereby enhancing the ability of screeners to detect prohibited items. The training also provides screeners with hands-on practice to improve their image analysis skills, covering both hold baggage screening and cabin baggage screening. 
  • The Operational Cyber Security in Aviation workshop aims to provide AOT personnel responsible for managing computer systems and information technology with in-depth knowledge and enhanced skills in assessing and mitigating risks, as well as preventing potential cyberattacks targeting systems, infrastructure, and information. 
  • The Aviation Cyber Security workshop is designed to raise awareness of security practices related to cyberattack prevention. It also aims to enhance knowledge of cyber threats (Cyber Attacks) and cybercrime, including various methods of cyberattacks and vulnerabilities that may expose an organization to such threats. The workshop emphasizes risk assessment in operations and identifies strategies to mitigate potential risks.