27 Aug, 2019

To what extent do the Information Security Management System and the Law on the Protection of Personal Data complement each other?

Today, information is distributed and processed electronically, so taking steps to protect personal data has become unavoidable. The main purpose of the Personal Data Protection Law No. 6698, which was published in the Official Gazette on April 4, 2016 and entered into force on October 7, 2016, is to ensure that personal data in our country are processed and protected in accordance with the law. The Personal Data Protection Board regularly publishes announcements on the protection of personal data within the scope of the law: the key concepts involved, the conditions under which personal data may be processed, the rights of the data subject, the deletion, destruction, anonymization and transfer of data, and the responsibilities of the data controller.

According to Article 12 of the Law, companies that want to comply with the law are required to take administrative and technical measures to prevent unauthorized access to personal data and to protect it. In this context, it is very important for the data controller to identify its personal data, the risks associated with that data, and the damage that could result if those risks materialize. We can say that an institution that has adopted an information security management system as part of its own culture will not have any difficulty in this regard. We can clearly see that some of the controls that must be implemented under ISO 27001 meet the criteria in the Personal Data Security Guide published by the Personal Data Protection Board.

Implementing an information security risk assessment process and identifying risk owners are necessary under ISO 27001 in order to determine the risks to the confidentiality, integrity and availability of the information covered by the information security management system. The risks are expected to undergo a realistic analysis and evaluation, and the risk treatment process is expected to be handled appropriately. Another point emphasized in the Data Security Guide is providing information security awareness training to employees. Roles and responsibilities should be defined, confidentiality agreements should be signed during the recruitment process, and a disciplinary process should be established for cases in which employees do not comply with security policies and procedures. Employees should be notified of any changes to these policies and procedures. All of these processes appear among the ISO 27001 controls.

On the technical side, solutions such as firewalls, gateways, anti-virus and anti-spam applications are regarded as basic measures for ensuring cyber security. Software must be kept up to date and secure, patch management must be implemented, and security vulnerabilities must be checked for and fixed at regular intervals. Establishing a password policy, access authorization, an access control matrix and access control policies are among the other expectations. In an ISMS, it is very important to document what you do and to do what you have documented. Institutions must ensure data security at the highest level, not only because of their legal obligations, but also to protect the rights of data subjects and the reputation of the institution.
