← Frameworks / Financial Regulation

Bank of Thailand Cyber Resilience Guidelines for Financial Institutions

Bank of Thailand mandatory cyber resilience guidelines for all BOT-regulated financial institutions. 26 requirements across governance and oversight, identification (asset management, risk assessment, threat intelligence), protection (access control, data security, network security, application security, change management), detection (monitoring, vulnerability assessment, penetration testing), and response and recovery (incident management, business continuity, crisis communication, lessons learned). Structured around NIST CSF five-function model with BOT-specific supervisory expectations.

Clauses: 26

Avg Coverage: 76.9%

Publisher: Bank of Thailand (BOT) Version: 2023

BOT Cyber Resilience → SP 800-53 SP 800-53 → BOT Cyber Resilience Coverage Analysis

Clause	Title	SP 800-53 Controls
Ch1.1	IT Governance and Board Oversight	PM-01 PM-02 PM-03 PM-09 PM-13 PS-09 PL-01
Ch1.2	IT Risk Management Framework	PM-01 PM-09 PM-28 RA-01 RA-02 RA-03 RA-07 RA-09 PL-09 PM-32
Ch1.3	IT Compliance and Regulatory Reporting	CA-01 CA-02 CA-07 PM-14 PM-15 PM-04
Ch2.1	IT Asset Management and Configuration	CM-01 CM-02 CM-03 CM-05 CM-06 CM-07 CM-08 CM-09 CM-10 CM-11 CM-12 CM-14 RA-09
Ch2.2	Identity and Access Management	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-08 AC-09 AC-10 AC-11 AC-12 AC-13 AC-14 AC-16 AC-17 AC-24 AC-25 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-07 IA-08 IA-09 IA-10 IA-11 IA-12
Ch2.3	Data Security and Classification	MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-07 SC-08 SC-12 SC-13 SC-28 SI-12 SI-19 PT-02 PT-03 PT-04 PT-05
Ch2.4	Network Security	SC-01 SC-02 SC-03 SC-04 SC-05 SC-07 SC-08 SC-10 SC-20 SC-21 SC-22 SC-23 SC-32 SC-39 SC-40 SC-47 AC-04 AC-17 AC-18
Ch2.5	Application Security	SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-16 SA-17 SA-20 SA-21 SA-22 SI-10 SI-11
Ch2.6	Endpoint Security	SC-41 SC-42 SI-03 SI-04 SI-07 SI-16 CM-07 CM-11 AC-19 AC-20
Ch2.7	Cryptographic Controls	SC-12 SC-13 SC-08 SC-17 SC-28 SC-40
Ch2.8	Physical and Environmental Security	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18
Ch3.1	Security Monitoring and Threat Detection	SI-04 AU-02 AU-03 AU-04 AU-06 AU-07 AU-09 AU-12 AU-13 AU-14 CA-07 PM-16 RA-10 SC-26 SC-44
Ch3.2	Vulnerability Management and Penetration Testing	RA-05 CA-02 CA-08 SI-02 SI-05 PM-14 RA-09
Ch4.1	Cyber Incident Response and Management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 PM-16 SI-05
Ch4.2	Business Continuity and IT Disaster Recovery	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-11 CP-12 CP-13 SC-24 SI-13 SI-17
Ch5.1	IT Outsourcing and Third-Party Risk Management	SA-04 SA-09 SR-01 SR-02 SR-03 SR-04 SR-05 SR-06 SR-07 SR-08 SA-21 PM-30
Ch5.2	Cloud Services Risk Management	SA-09 AC-20 SC-07 CA-03 CA-09 SR-01 PM-30
Ch6.1	IT Audit	CA-01 CA-02 CA-05 CA-06 CA-07 AU-01 AU-02 AU-06 AU-16 PM-14
Ch6.2	IT Project Management	SA-03 SA-04 SA-08 SA-15 SA-17 PM-07 SA-20 PL-07 PL-08
Ch7.1	Cybersecurity Awareness and Training	AT-01 AT-02 AT-03 AT-04 AT-06 PM-13 PM-16
Ch7.2	Personnel Security	PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PS-09
Ch8.1	Cyber Threat Intelligence and Information Sharing	PM-15 PM-16 SI-05 RA-03 RA-10 SC-26
Ch8.2	Digital Fraud Prevention	SI-04 SI-03 AU-06 SC-07 AC-02 AC-07 IA-02 SC-23
Ch9.1	Mobile Banking and E-Payment Security	SC-07 SC-08 SC-13 SC-23 SC-45 IA-02 AC-17 AC-19 SI-07
Ch9.2	Customer Data Protection and Privacy	PT-01 PT-02 PT-03 PT-04 PT-05 PT-06 PT-07 PT-08 SI-12 SI-19 PM-20 PM-25 PM-26
Ch10.1	IT Operations Management	CM-03 CM-04 SI-02 SI-06 SI-14 MA-01 MA-02 MA-03 MA-04 MA-05 MA-06 CA-07