ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). It helps an organization address its information security problems and identify and manage its valuable information assets. ISO 27001 is used by small, medium, and large businesses and by organizations across many industries to manage their information security.
In addition, ISO 27001 is an increasingly popular standard because organizations can be certified against it, regulators refer to it in their requirements, and it has become one of the specification requirements in procurement processes that involve information sharing.
The structure of the ISO 27001:2013 Information Security Management System is as follows:
- Information security policies
- Organisation of information security
- Human resources security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operational security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
CIOSIS ISO 27001 Consulting Method
Our ISO 27001 Information Security Management System consultancy method is aligned with the Deming (Plan-Do-Check-Act) cycle and consists of the following phases:
Preparation: The preparation phase is not one of the main steps that make up the Deming cycle. However, the need for this phase has been observed across many of our consultancy projects, and it has become a standard step of our Information Security Management System (ISMS) implementation method. In this phase, the scope of the ISO 27001 ISMS is clarified, the project team is oriented through information security and management system training, and management support is obtained.
Planning: The planning phase of our ISO 27001 consulting service begins with a gap assessment of the organization's information security controls. During the gap assessment we also gather information on security-related business and regulatory requirements, the IT infrastructure, and the existing information security controls. Working through information security control best practices, we also identify the critical information assets and focus on them. At the end of this phase we have identified the organization's security control requirements and the gap between the existing status and the required state.
Implementation: In the implementation step of our ISO 27001 consultancy, the management system components (policies, procedures, guidelines, etc.) and the control requirements identified during the risk assessment are developed and put into practice. Information security awareness training is provided for the organization's personnel in accordance with the organization's security requirements.
Checking: In this step of our ISO 27001 consultancy, internal audit work is carried out covering the ISO 27001 standard and all or some of the essential security controls discussed in detail in ISO 27002. A management review is conducted and corrective action needs are identified.
Correction: In the last step of our ISO 27001 consultancy, the necessary improvement plans are implemented in line with the corrective action requirements identified.
Our GDPR consultancy services are not just about providing you with clear and accurate GDPR compliance advice and reporting your risks. Once we have worked closely with you to gain a clear understanding of where your organization's GDPR compliance risks lie, we will, if required, provide the advice and support you need to implement any necessary risk-mitigating controls. In addition to our GDPR consultancy services, our DPO as a Service gives you access to highly experienced Data Protection Officers (DPOs) who will help you embed GDPR compliance into your business-as-usual practices.
This is ideal if you do not have the internal capacity or capability to effectively embed the robust GDPR compliance controls that give your clients and stakeholders the confidence they actively seek. Our GDPR consultants and/or DPOs will work with you to put appropriate controls in place to proactively identify and mitigate GDPR risks in proportion to the threat they pose, drawing on years of cross-sector and industry experience of implementing international, EU, and UK data protection laws in practice for brands you know and trust.
From conducting GDPR gap analyses and GDPR audits to mapping data flows, data retention, and risk remediation, right through to confidential destruction, we provide you with all the GDPR compliance advice and support you need to get things done. Whether you need advice and support from a single GDPR consultant to complement your existing resources, or a team of GDPR specialists to help you solve a complex GDPR compliance challenge, we will provide the exact GDPR compliance consulting support you need. We have a well-proven track record of working with organizations of all sizes and complexities, helping them implement robust data protection and privacy compliance frameworks. Whatever the nature and scale of the GDPR compliance or cyber security challenge you face, we are here to help.
The Law on the Protection of Personal Data (KVKK)
Drafted with international instruments, the Turkish constitution, Turkish laws, comparative law practices, and the current needs of our country taken into consideration, this Law aims to protect the fundamental rights and freedoms of individuals, and especially the privacy of personal life, by ensuring that personal data is processed in accordance with contemporary standards. In this context, the Law regulates the conditions for processing personal data, the basic principles to be adopted regarding the protection of personal data, the obligations of the natural and legal persons who process personal data, and the procedures and principles they must comply with.
Although the concepts of fundamental rights and freedoms, personal data, privacy, and security have been part of our lives since the understanding of human rights emerged, they have become even more important in daily life in recent times, as technology has developed and the implementation of fundamental rights and freedoms has advanced. The Law on the Protection of Personal Data (KVKK), which is Turkey's equivalent of the GDPR, informs and guides us on how to protect our personal data, along with our fundamental rights and freedoms.
In the first phase, the internal organizational chart should be prepared, and the personal data processed by each department/unit within the organization should be specified by category (identity, communication, location, health, etc.). Afterward, a data inventory should be prepared that includes the following information:
- Which personal data are processed in the specified categories (identity: name, surname, TR Identity Number, etc.)
- The natural persons whose data are processed (customers, employees, suppliers, stakeholders, third parties)
- The purpose and legal basis of the data processing
- What types of personal data are processed: sensitive personal data (health, race, religion, gender) or ordinary personal data (name, contact information)
- How long the processed data will be stored (retention periods)
- The administrative and technical measures taken regarding the personal data processing
- Whether the data are transferred abroad or not