GC has established policies and measures for information security, cybersecurity and personal data management in accordance with ISO/IEC 27001 and ISO/IEC 27701, to ensure the security and stability of its information security and cybersecurity management system and to prevent any action that would constitute an offense under the Computer Crime Act or the Personal Data Protection Act. In 2023, GC applied to transition its information security management system from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 while maintaining its personal data security management system in line with ISO/IEC 27701:2019. The scope of application is described below.

In 2022, GC applied for Information Security Management System and Privacy Information Management System certification according to ISO/IEC 27001:2013 and ISO/IEC 27701:2019, respectively. The scope of certification is as follows:

| Priority | Scope of Application for ISO/IEC 27001:2022 and ISO/IEC 27701:2019 |
|---|---|
| 1 | Infrastructure as a Service (on premise) |
| 2 | Cloud Infrastructure as a Service (on cloud) |
| 3 | Cyber Zone / Internet Zone network |
| 4 | Applications supporting the recruitment process, including SAP, HCM and SuccessFactors |
| 5 | External recruitment process |

GC has also taken preparatory steps by conducting a cyber threat management exercise and performing cyber-attack risk assessments, so that risk can be monitored and early warning signals provided for operations. To this end, the company developed Key Risk Indicators (KRIs) in three dimensions: People, Business and Technology.

Key Risk Indicators (KRI) 2023

| Target Group | Action | Key Risk Indicator (KRI) | Target (%) | 2023 Outcome (%) |
|---|---|---|---|---|
| People | Conduct phishing test | Phishing report rate (quarterly) | >= 20 | 53.30 |
| People | Conduct phishing test | Employees who passed the phishing test (quarterly) | >= 95 | 98.26 |
| Business | Perform vulnerability assessments to improve information system security | Vulnerabilities fixed | 100 | 99.17 |
| Technology | Update and improve protection systems against cyber breaches and cyber-attacks to heighten data security | Firmware and signature updates applied on firewalls | 100 | 100 |

Furthermore, GC promotes knowledge on the safe use of information technology through information security and cybersecurity awareness training, infographics on data privacy and e-learning, so that employees, contractors, suppliers (feedstock and non-feedstock), customers, authorities and individuals acting on behalf of GC across the supply chain can apply it in their work and daily lives.

Educating Employees on the Safe Utilization of Information Technology

| Form of Communication | Detail | Content Sample |
|---|---|---|
| Infographics | Use infographics to convey news and information via e-mail to raise employee awareness, and use Microsoft Forms to evaluate their knowledge and understanding | Precautions and prevention against different forms of phishing, e.g. e-mail, SMS, QR code; precautions and risks of installing malicious applications on smartphones and laptops |
| E-Learning | Create an online knowledge center accessible to employees, focused on raising awareness and understanding of fundamental cybersecurity issues and providing comprehensive information on cybersecurity threats | Cybersecurity case study (phishing e-mail); mobile device security; personal data protection |

Outcome

  • Test score on cybersecurity knowledge = 100%
  • Contractors and suppliers must attend online training to acknowledge the Information Security Policy before accessing the company’s information system = 100%