14 Nov, 2023

Internet Service Providers (ISP), ISO 27001 ISMS and DDO BIGR

The 2020–2023 National Cyber Security Strategy and Action Plan lists the critical infrastructure sectors as "Electronic Communications", "Energy", "Water Management", "Critical Public Services", "Transportation", and "Banking and Finance".

With the Electronic Communications sector declared critical infrastructure, the Internet Service Provider (ISP) sector is officially subject to the Presidency (CB) Digital Transformation Office (DDO) Information and Communication Security Guide (BIGR) Compliance Audit and is obliged to have this audit carried out once a year, either in-house or through a service procured from an accredited institution.

The Information and Communication Security Guide devotes Chapter 4.5 to Critical Infrastructure Security, and it defines security measures for only two sectors: the Energy Sector and the Electronic Communications Sector.

Subsection 4.5.3, Security Measures Specific to the Electronic Communications Sector, consists of 14 headings: Service Security and Continuity, Security Requirements for Third Parties, Security of Infrastructure Services, Detection and Prevention of Fraudulent Transactions, Security of Signaling Traffic, Establishment of Reliable Communication, Hardening Activities, Monitoring of Equipment Failures, Ensuring Equipment Security, Threat Intelligence Management, Communication with Authorities, Use of Caller Line Information, Internet Exchange Point Security, and Critical Communication Security. All of these fall within the scope of the audit work of every ISP, in line with its criticality level.

Institutions currently run their information security management system (ISMS) processes with an asset-based or process-based approach. Risk analysis is carried out by defining the current impact of each asset or process in the ISMS on information security and the probability of occurrence of the risks identified within the scope of information security. On the basis of this analysis, institutions, organizations and businesses determine the level of risk they are willing to accept and take corrective, preventive and remedial actions for the risks that exceed it.

The Information and Communication Security Guide works differently: asset groups are formed, and a survey is conducted to determine each group's impact on information security. The survey uses the Delphi method, and the resulting score determines the criticality degree of the asset group; the measures corresponding to that degree are then applied to the group. In other words, what the ISMS does per asset, the Guide does per asset group. For the controls to be implemented after the ISMS risk analysis, the Guide supplies measures specific to each asset group and criticality level, which supports a more reliable and better-grounded ISMS. In addition, the audit questions in the Guide support the internal audit activities carried out within the scope of the ISMS and pave the way for a more reliable internal control environment.

On the other hand, ISPs that have completed ISO/IEC 27001 Information Security Management System (ISMS) certification, which is mandatory for all ISPs, have already largely fulfilled the requirements of many measures in the Information and Communication Security Guide, and therefore achieve much better results in CB DDO BIGR Compliance Audits than institutions without an ISMS.
