EN ISO 27001:2022

ISO 27001:2022 Information Security Management System

What is ISO 27001?

ISO/IEC 27001 is the international information security management standard. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).

Today, organizations are obliged, both by law and by contract, to protect the confidentiality, integrity and availability of the information and information assets they process, store and manage.

With its risk-based approach, the ISO/IEC 27001 information security standard helps an organization reach its targeted security level by combining the right people, procedures and information technology infrastructure to protect information and information assets throughout these processes. ISO/IEC 27001 is suitable for integration into the business processes of companies of all sizes in all sectors.

ISO/IEC 27001 certification demonstrates that your organization protects critical data, such as financial information and customer-specific information, in an appropriate way using a risk-based approach.

For this reason, ISO 27001 certification is increasingly required by both legal and contractual expectations.

Every year, damage worth millions is caused to information assets by external attacks, technical errors, espionage or misuse of information. According to ISO 27001, the objective of an information security management system is to identify the organization's risks, analyze them and bring them under control with appropriate measures.

ISO 27001 is aligned with the Plan-Do-Check-Act cycle, an approach well known from ISO 9001. It is therefore easy to integrate an information security management system into an existing management system.

Why is ISO 27001 Necessary?

It is globally accepted that an organization cannot protect information security and business continuity with technical measures alone; a set of organizational measures and audits, such as those provided by an ISMS (Information Security Management System), is also required. Senior management and all employees must support and implement the security policies established within the framework of the ISMS. Security is further increased when all persons and organizations the company works with also act in accordance with these policies.

Who is ISO 27001 Relevant to?

ISO 27001 is suitable for all organizations, large and small, in any country and any sector. It is particularly important in sectors where the protection of information is critical, such as finance, healthcare, government and information technology. ISO 27001 is also important for organizations that manage information on behalf of others, such as IT outsourcing companies, where it can be used to reassure customers that their information is protected.

The sectors that are obliged to obtain ISO 27001 certification (under the Turkish regulations referred to on this page) are as follows:

  • Companies signing a mission contract
  • Companies signing concession agreements
  • Companies providing satellite communication services
  • Companies providing infrastructure management services
  • Fixed telephone service providers
  • Companies providing GMPCS mobile telephony services
  • Companies providing virtual mobile network services
  • Internet service providers
  • Companies providing GSM 1800 mobile telephone service in aircraft
  • Companies wishing to obtain e-invoice special integrator authorization
  • Exporters wishing to obtain authorization for customs facilitation
  • Companies providing electronic communication network and operating the infrastructure
  • Software, hardware and integrator companies operating in the IT sector and participating in public tenders

Who is interested in ISO 27001?

Companies Operating in the Energy Sector

With the amendments published in the Official Gazette dated 26.12.2014 and numbered 29217, the Energy Market Regulatory Authority (EMRA) made it compulsory for companies in the Petroleum, Electricity and Natural Gas Markets to have ISO 27001 Information Security Management System certification. License holders in these markets are obliged to obtain ISO 27001 certification from an accredited certification body as of 01.03.2016.

Customs Companies

Authorized Economic Operator status, implemented by the Ministry of Customs and Trade of the Republic of Turkey within the scope of the Regulation on Facilitation of Customs Transactions published in the Official Gazette dated January 10, 2013, is granted to companies that fulfill their customs obligations, demonstrate financial competence and meet security standards (ISO 27001 and ISO 9001). The main advantage for manufacturers and exporters with this status is on-site customs clearance: export customs procedures are carried out at the company's own facilities, so the company does not need to travel to and wait at the customs office. This saves both time and operational costs, and the certification also raises the company's standing in the market.

Special Integrator Companies Providing E-Invoice Service

The e-Invoice Application Special Integration Guide (April 2015) of the Revenue Administration's Audit and Compliance Management Department states that special integrator companies providing e-Invoice services are obliged to hold ISO 27001, ISO 22301 and ISO 20000 certificates.

A special integrator company must hold:

  • TS ISO IEC 27001 or ISO 27001 certification for information security,
  • ISO 22301 certification for business continuity (Societal security – Business continuity),
  • TS ISO IEC 20000 or ISO 20000 certification for information technology service management.

Terms and Concepts Related to ISO/IEC 27001

Information Security Management System (ISMS): That part of the overall management system, based on a business risk approach, used to establish, implement, operate, monitor, review, maintain and improve information security.

Risk analysis: The systematic use of information to identify sources and estimate risk.

Risk assessment: The overall process comprising risk analysis and risk evaluation.

Risk evaluation: The process of comparing the estimated risk against given risk criteria to determine the significance of the risk.

Risk management: The coordinated activities used to direct and control an organization with regard to risk.

Risk treatment: The process of selecting and implementing measures to modify risk.

Statement of applicability: A documented statement describing the control objectives and controls that are relevant and applicable to the organization’s ISMS.

These definitions follow the terminology of ISO/IEC 27001:2005. ISO/IEC 27001:2022 no longer lists them itself and instead applies the terms and definitions given in ISO/IEC 27000.

Benefits of Establishing an ISO 27001 Information Security Management System

  • Knowing its information assets: The organization identifies which information assets it has and what they are worth.
  • Protecting those assets: The organization determines the controls and protection methods to be put in place and protects the assets by applying them.
  • Business continuity: It secures its business for the long term and is able to continue operating in the event of a disaster.
  • Trust of interested parties: It gains the trust of interested parties, especially suppliers, because their information will be protected.
  • It protects information through a system rather than leaving it to chance.
  • When evaluated by customers, it is rated more favorably than its competitors.
  • It increases employee motivation.
  • It helps avoid legal proceedings.
  • It provides high prestige.