If you receive any calls (except from BoB Contact Center when you have lodged a concern with them +975 2 349903), SMS and Email asking for personal details such as Account number or ATM Card number, please do not share. Bank of Bhutan will never ask for personal details of clients. It’s all spam.

Notification on ATM Withdrawal Charge

All customers are requested to note that cash withdrawals from other bank’s ATM machines are chargeable @Nu 9/- per withdrawal transaction from the sixth transaction onwards, and is recovered at each month end. This is a common charge across banks and as mandated by the Central Bank.

Bank of Bhutan Information Security Policy Version 3.0

VersionV 3.0
Date of version14th December 2022
Created byHead, IS Division
Approved byISSC
Distribution ListISSC, All employees
Confidentiality levelPublic


VersionDateShort description modification
1.027th February 2020Final
2.028th January 2021Added E. xv, xvi and xvii
3.014th December 2022Added privacy in the scope Updated the reference policy version


Review/ Approval DateApproverReview/ Approval Notes
15th April 2020Information Security Steering Committee5th ISSC MoM
21st April 2021Information Security Steering Committee9th ISSC MoM
26th December 2021Head, IS DivisionReviewed without change
14th December 2022Information Security Steering Committee13th ISSC MoM


This policy ensures that the information assets of the Bank are appropriately protected against the breach of confidentiality, failures of integrity, interruptions to their availability and/ the data privacy breach. The Information Security Policy (hereinafter referred to as the IS Policy) provides management direction and support towards information security for the Bank.

This policy is an apex document, which mandates the Information Security Management System at the Bank. It demonstrates Senior Management’s commitment towards all security controls and mechanisms as given out in the subordinate policy documents and lays down the structure of information security in the Bank.


IS Policy being applicable to all information assets of Bank of Bhutan Limited (BoB) that are electronically stored, processed, documented, transmitted, printed and/ or faxed. The policy applies to all employees and external parties (the term external parties in this document is used for third party users, contract staff, outsourced service providers, suppliers, vendors and consultants) of the Bank having logical and/ or physical access to Bank’s facilities and supporting assets, either directly or indirectly.

This policy addresses all aspects of information security including confidentiality, integrity, availability and privacy.


The owner of IS Policy will be the “Information Security Steering Committee” (hereafter referred to as ISSC) and the Head, Information Security Division (Head, ISD) will be the custodian of the policy.


The ISSC of the Bank is responsible for approving IS Policy and any subsequent modifications in it. Head, ISD along with Chief Information Officer (CIO) is responsible for ensuring that the policies constituting IS Policy are regularly updated and reflect the Bank’s requirement. The Information Security Division along with respective Department Chiefs/Division Heads/Functional Heads/Location Heads of the Bank is responsible for implementation of security policy and they are also responsible for dissemination of IS Policy across all relevant business functions. The Heads of Business Units/ Functional Heads/ Location Heads are responsible for enforcing the implementation of IS Policy within their jurisdiction. However, it is the responsibility of every individual, with access to information assets of the Bank, to adhere to IS Policy.


“IS Policy of Bank of Bhutan Limited aims at protecting all critical information, information processing and supporting service assets in order to ensure secure provision of services to its customers and business continuity”

The policy states:

  • that all forms of electronic/ print information, etc. on servers, desktops, networking and communication devices, tapes, CDs and information printed or written on paper or transmitted by facsimile or any other medium will be covered.
  • that procedures will be created and followed at various levels to ensure the protection of information security and objectives set for its continual improvement.

The Information Security Policy provides management directives towards information security within the Bank and recommends appropriate security controls that need to be implemented to maintain and manage the information security in the Bank. Bank shall strive to secure information by:

  1. Establishing and organising an information security governance framework;
  2. Developing and maintaining an effective security management system;
  3. Establishing and managing Information Security Policies, Procedures and Risk Management framework;
  4. Critical information is protected from unauthorized access, use, disclosure, modification, and disposal, whether intentional or unintentional;
  5. Deploying appropriate technology and infrastructure;
  6. Continually monitoring, reviewing, exception reporting and taking actions thereof for improving the effectiveness of the Information Security Management System;
  7. Provide a framework for promoting ‘best practices’ relative to our information systems and infrastructure;
  8. All legal and contractual requirements with regard to Information Security are met wherever applicable;
  9. Any security incidents, security devices and infringement of the Policy, actual or suspected, are reported and investigated;
  10. Awareness training on Information Security during on-boarding are available to all employees and wherever applicable to third parties viz. Subcontractors, Consultants, Vendors, etc. and regular training imparted to them annually;
  11. Taking appropriate actions for the violation(s) of IS Policy; and
  12. Creating and maintaining a security conscious culture in the Bank.
  13. Information Security Policy should provide a framework for setting of Information Security Objectives.
  14. Continual improvement of ISMS should be emphasized in the Information Security Policy.
  15. Information security in project management: All the new project in the Bank should include the Information Security relevant aspect. Report compliance status with PCI DSS/ other applicable security framework on quarterly basis
  16. Appoint a person responsible for compliance with PCI DSS/ another framework
  17. Review and update all Security Policies on need basis and at least annually

1. Review and Evaluation

The IS Policy document shall be reviewed at the time of any major change(s) in the existing environment affecting policies and procedures or at least once a year. The IS Policy document shall be reviewed and approved by the ISSC. The reviews will be carried out for assessing the following:

  1. Impact on the risk profile in the Bank due to, but not limited to, the changes in the information assets, deployed technology/ architecture, regulatory and legal requirements; and
  2. The effectiveness of the policies.

As a result of the reviews, additional policies could be issued and/or the existing policies could be changed / updated, as required. These additions and modifications would be incorporated into the IS Policy document. The Head, ISD is responsible for the communication of the updated version of the IS Policy. Policies that are identified to be redundant will be withdrawn.

2. Disciplinary Measures for Non-Compliance

  1. All employees and external parties are required to comply with IS Policy.
  2. Non-compliance to IS Policy will attract disciplinary actions.

3. Exceptions

The IS Policy is intended to be a statement of Information Security requirements that needs to be met in BoB. However, the exceptions against individual controls in specific policy domains should be formally approved using exception form.

4. Reference

  1. BoB Asset Management Policy – AMP v3.0
  2. BoB Change Management & Control Policy – CMCP v3.0
  3. BoB Clear Desk & Clear Screen Policy – CDCS v3.0
  4. BoB Cryptographic Controls Policy – CCP v3.0
  5. BoB Electronic Mail Security Policy – EMP v3.0
  6. BoB Equipment Security Policy – ESP v3.0
  7. BoB Information Risk Management Policy – IRMP v3.0
  8. BoB Information Security Organization Policy – ISOP v3.0
  9. BoB Information Security Policy – ISP v3.0
  10. BoB Internet Security Policy – ISP v3.0
  11. BoB IS Audit Policy – IAP v3.0
  12. BoB Malicious Code Protection Policy – MCPP v3.0
  13. BoB Media Handling Policy – MHP v3.0
  14. BoB Network Security Policy – NSP v3.0
  15. BoB Password Policy – PP v3.0
  16. BoB Patch Management Policy – PMP v3.0
  17. BoB Physical Security Policy – PSP v3.0
  18. BoB Software Development Outsourcing Policy – SDOP v3.0
  19. BoB Telecommuters and Mobile Users Policy – TMUP v3.0
  20. BoB User Access Management Policy – UAMP v3.0
  21. BoB Capacity Management Policy – CMP v3.0
  22. BoB Logging and Monitoring Policy – LMP v3.0
  23. BoB Information Transfer Policy – ITP v3.0
  24. BoB Information Security Incident Management Policy – ISIMP v3.0
  25. BoB Compliance Policy – CP v3.0
  26. BoB Human Resource Security Policy – HRSP v3.0
  27. BoB Acceptable Usage Policy – AUP v3.0
  28. BoB System Acquisition, Development and Maintenance – SADM v3.0
  29. BoB Backup and Recovery Policy – BRP v3.0
  30. BoB Contact with authorities & Special Interest Groups – CASIG v1.0
  31. BoB Supplier Relationship Security Policy – SRSP v1.0
  32. BoB Disaster Recovery Policy – DRP v3.0
  33. BoB Data Retention Policy – DRP v2.0
  34. BoB Network and Server Hardening Policy – NaSHP v2.0
  35. BoB eWaste Management Policy – eWMP v2.0

5. Definitions

  1. Asset: Anything that has value to the organization.
  2. Assurance (Degree of): A level of certainty that the control in place will eliminate or reduce the risks as expected. This is normally subjective and based on analysis, assessment, and experience.
  3. Audit: Independent review of an activity or process to determine if it has functioned as intended.
  4. Availability: The property of being accessible and usable upon demand by an authorized entity.
  5. Bank: All references made in the IS Policy and subordinate policy documents will be interpreted as Bank of Bhutan Limited only.
  6. Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
  7. Control: Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature
  8. DRS: Disaster Recovery Site
  9. Fallback: Arrangements made to provide service in the event of the failure of computing or communications facilities.
  10. Information Processing Facilities: Any information processing system, service or infrastructure, or the physical locations housing them.
  11. Information Security: Preservation of Confidentiality, Integrity and Availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
  12. Information Security Management System: That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve Information Security. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
  13. Integrity: The property of safeguarding the accuracy and completeness of assets.
  14. Media: All devices that can electronically hold and store information. These include diskettes, CD’s, tapes, cartridges and portable hard disks and any development from these.
  15. Policy: Overall intention and direction as formally expressed by management
  16. Risk: Combination of the probability of an event and its consequence.
  17. Risk Management: Coordinated activities to direct and control an organization with regard to risk.
  18. Safeguard: This is defined as the mechanism by which a control may be implemented, optionally with others, to reduce or eliminate an identified threat.
  19. Security Event: An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
  20. Security Incident: A single or a series of unwanted or unexpected Information Security events that have a significant probability of compromising business operations and threatening Information Security.
  21. Security Domain: A discrete logical or physical area of an organization that is the subject of security controls to protect it from all outside the domain. An organization may be a single domain or divided into many domains. A single computer system or communication network may be a domain.
  22. Third Party: That person or body that is recognized as being independent of the parties involved, as concerns the issue in question.
  23. Threat: Threat is the potential cause of an unwanted event that may result in harm to the organization and its assets.
  24. Virus: A computer virus is a piece of malicious software designed to attach itself to other programs and to replicate itself into other programs, ultimately very possibly infecting every program in a system. There is also a variant known as a macro virus, which attaches itself to the macros, which are a part of some word processor and spreadsheet programs. Other malicious software goes by such names as worms, Trojan horses or time bombs. These can all be very damaging to a system but are free standing rather than replicating attachments.
  25. Vulnerability: Vulnerability is defined as a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.


For any queries, please contact the Information Security section at [email protected]