17 Oct, 2023

ISO 27001 AS A LEGAL OBLIGATION

Today, the pulse of the business world beats with fast and effective decisions based on information. However, protecting this information is of vital importance for every organization. Information leaks, cyber attacks, data loss, and process disruptions are among the main risks that threaten the business world. At this point, ISO 27001 emerges as one of the most important frameworks that show how we can deal with all these threats.

ISO 27001 is an international standard that sets out the requirements for an organization to establish and operate an Information Security Management System (ISMS). It is primarily designed to help organizations evaluate whether they can protect sensitive data, comply with applicable legal and regulatory requirements, protect sensitive and critical information assets by reducing information security risks, and increase their security and reliability.

ISO 27001 and ISMS are much more than the hardware and software we use to keep information safe. So, is ISO 27001 certification a legal obligation in addition to its advantages such as keeping your data safe, providing trust for customers, gaining the trust of investors and stakeholders, improving business processes and increasing competitiveness? Let's examine this issue in terms of our legislation.

With the Regulation published by the Ministry of Industry and Technology on June 29, 2022, it became mandatory for participants in the relevant projects within the scope of IT service procurements by public administrations to hold the following certificates:

  • Penetration Test Authorization Certificate, 
  • Software Authorization Certificate, and
  • Public Informatics Authorization Certificate. 

When we examine the criteria required to have the documents in question, we see that it is necessary to have the ISO 27001 certificate, which is valid for all three documents. 

The Regulation leaves the date on which the authorization certificate obligation takes effect to an amendment to the General Communiqué on Public Procurement. With the amendment made to the General Communiqué on Public Procurement on 29 December 2022, as of 29.09.2023, the pre-qualification specification or administrative specification in IT, software or penetration test service procurement tenders must list the Public Informatics Authorization Certificate, the Penetration Test Authorization Certificate and the Software Authorization Certificate among the qualification criteria for the pre-qualification application and/or participation in the tender. An important detail is that this obligation also applies to subcontractors.

ISO 27001 is a standard that directly concerns not only the IT sector but many other sectors as well. One of these is the electronic communications sector. With the publication of the Regulation on Network and Information Security in the Electronic Communications Sector on 13.07.2014, ISO 27001 became a requirement for organizations providing the following services:

- Infrastructure management service

- Various telecommunication services (Concession agreement)

- GMPCS mobile phone service

- GSM/IMT-2000/UMTS (concession agreement)

- GSM 1800 mobile phone service in aircraft

- Internet service provider

- Landline phone service

- Satellite communication service

- Satellite and cable TV services (task contract)

ISO 27001 has also become an important standard for the energy sector. The Energy Market Regulatory Authority, which has been aware of the importance of this standard for a long time, has made ISO 27001 mandatory for companies operating in the Petroleum, Electricity and Natural Gas markets as of 26.12.2014. All companies operating in this field must obtain the ISO 27001 certificate from an institution accredited by the Turkish Accreditation Agency as of 01.03.2014.

As can be seen, ISO 27001, in addition to being a standard and framework that provides the basic requirements for ensuring information security, has now become almost a legal obligation for organizations to carry out their activities. Therefore, establishing an effective end-to-end Information Security Management System with the support of professional teams will enable organizations to strengthen their information security posture, manage their risks, and gain competitive advantage and increase their profitability by complying with legal requirements. 

SOURCE

Kamu Bilişim Hizmet Alımı Kapsamında Katılımcıların Yetkilendirilmesi Hakkında Yönetmelik

https://www.resmigazete.gov.tr/eskiler/2022/06/20220629-2.htm

Kamu İhale Genel Tebliğinde Değişiklik Yapılmasına Dair Tebliğ

https://www.resmigazete.gov.tr/eskiler/2022/12/20221229-18.htm

Elektronik Haberleşme Sektöründe Şebeke ve Bilgi Güvenliği Yönetmeliği

https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=19880&MevzuatTur=7&MevzuatTertip=5

Enerji Sektöründe Siber Güvenlik Yetkinlik Modeli Yönetmeliği

https://www.mevzuat.gov.tr/MevzuatMetin/yonetmelik/7.5.40224.pdf
