ISO/IEC 27001 is the international standard for information security management; it specifies the requirements for a robust information security management system (ISMS).
Today, organizations must protect the confidentiality, integrity and availability of the information and information assets they process, store and manage, both for their own sake and to meet the legal and contractual obligations they are bound by.
With its risk-based approach, the ISO/IEC 27001 information security standard helps organizations reach their targeted security level by putting the right people, procedures and information technology infrastructure in place to protect information and information assets in these processes. ISO/IEC 27001 is suitable for companies of all sizes and from all industries, and can be integrated into existing company processes.
ISO/IEC 27001 certification is widely accepted evidence that your organization protects critical data, such as financial and customer-specific information, using a risk-based approach.
For this reason, ISO 27001 certification is increasingly becoming a legal and contractual requirement.
Every year, external attacks, technical failures, espionage and misuse of information cause millions in damages to information assets. The goal of an ISO 27001 information security management system is to identify the organization's risks, analyze them and bring them under control through appropriate measures.
ISO 27001 follows the Plan-Do-Check-Act (PDCA) cycle, a well-known approach from ISO 9001. This makes it straightforward to integrate an information security management system into an existing management system.
It is accepted worldwide that an organization cannot protect information security and business continuity with technical measures alone; organizational measures and controls, such as an Information Security Management System (ISMS), are also required. Senior management and all employees must support and implement the security policies established within the ISMS framework. In addition, requiring the individuals and organizations the company works with to comply with these policies further increases security.
ISO 27001 is suitable for all organizations, large and small, in any country and any sector. It is particularly important in sectors where information protection is critical, such as finance, health, the public sector and information technology. ISO 27001 is also very important for organizations that manage information on behalf of others, such as information technology subcontractors, where it can give customers assurance that their information is protected.
Sectors required to obtain ISO 27001 certification under Turkish regulation are as follows:
Companies that have signed a duty agreement
With the amendments published in the Official Gazette dated 26.12.2014 and numbered 29217, the Energy Market Regulatory Authority (EMRA) made it obligatory for companies in the petroleum, electricity and natural gas markets to hold an ISO 27001 Information Security Management System certificate. License holders in these markets have been obliged to obtain the ISO 27001 certificate from an accredited certification body since 01.03.2016.
Authorized Economic Operator (AEO) status, introduced by the T.R. Ministry of Customs and Trade under the Regulation on the Facilitation of Customs Procedures published in the Official Gazette dated 10 January 2013, is granted to companies that fulfil their customs obligations, demonstrate financial competence and meet security standards (ISO 27001 and ISO 9001). The first advantage of this status for producer and exporter companies is on-site customs clearance: export clearance is carried out at the company's own facilities, so the company does not have to travel to and wait at customs and can complete its transactions securely on its own premises, saving both time and operational costs. In addition, certification raises the prestige of these companies in the market.
In the e-Invoice Application Special Integration Guide published in April 2015 by the Revenue Administration's Audit and Compliance Management Department, private integrator companies that will provide e-Invoice services are required to hold ISO 27001, ISO 22301 and ISO 20000 certificates.
Information Security Management System (ISMS): The part of the overall management system, based on a business risk approach, that is used to establish, implement, operate, monitor, review, maintain and improve information security.
Risk analysis: Systematic use of information to identify sources and to estimate risk.
Risk assessment: The overall process of risk analysis and risk evaluation.
Risk evaluation: The process of comparing the estimated risk against given risk criteria to determine the significance of the risk.
Risk management: Coordinated activities to direct and control an organization with regard to risk.
Risk treatment: The process of selecting and implementing measures to modify risk.
Statement of Applicability: A documented statement describing the control objectives and controls that are relevant and applicable to the organization's ISMS.