ISO 27001

Information is one of the most important assets for an organization to ensure business continuity. While it is possible to compensate for the loss of many assets, lost information has no monetary value. For this reason, in today's changing and developing conditions, the importance of information and the need for its protection are increasing. Information can be used and stored in writing, in electronic media, verbally, in the memories of employees and in many other ways. Due to technological developments, many of these forms of use may not be used or may change over time. Due to this change and development, it is necessary to constantly question and control the security of information. Information security is the protection of the confidentiality, integrity and availability of information.

ISO 27001 Information Security Management System is a management system that includes people, processes and information systems in ensuring corporate information security and is supported by senior management. It is designed to protect information assets and to provide adequate and proportionate security controls that give confidence to interested parties. ISO 27001 Information Security Management System includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

Why is ISO 27001 Necessary?

It is a globally accepted approach that it is not possible for an organization to protect information security and business continuity only with technical measures, and that a number of measures and controls such as ISMS should be provided. Senior management and all employees must support and implement the security policies to be established within the framework of ISMS. In addition, the fact that all persons and organizations in cooperation act in accordance with these policies is a factor that increases security.

What are the Benefits of ISO 27001 Information Security Management System?

• Provides accurate, reliable and valid information.
• It prevents extra workload and unnecessary waste of time.
• Minimizes risks.
• Provides business continuity.
• Ensures that the confidentiality of information assets is protected.
• Raises awareness across the organization about information systems and how to protect vulnerabilities.
• It is ensured that the accuracy and integrity of the information and its methods are maintained and that its content remains unchanged.
• The criteria required by the legal parties are met.
• Protect access to information assets.
• Corporate reputation is protected.
• Provides a competitive advantage.

Who is ISO 27001 Relevant?

ISO 27001 is suitable for all organizations, large and small, no matter which country in the world or which sector. This standard is particularly necessary in areas where it is of great importance, such as the financial, healthcare, government and information technology sectors. ISO 27001 is also important for organizations that manage information on behalf of others, such as information technology outsourcing companies. It can be used to reassure customers that their information is protected. The sectors that are obliged to obtain ISO 27001 are:

• Public institutions and organizations
• Companies signing a mission contract
• Companies signing concession agreements
• Companies providing satellite communication services
• Companies providing infrastructure management services
• Fixed telephone service providers
• Companies providing GMPCS mobile telephony services
• Sanal mobil ağ hizmetleri sağlayan şirketler
• Internet service providers
• Companies providing GSM 1800 mobile telephone service in aircraft
• Companies wishing to obtain e-invoice special integrator authorization
• Exporters wishing to obtain authorization for customs facilitation
• Companies providing electronic communication network and operating the infrastructure
• Software, hardware and integrator companies operating in the IT sector and participating in public tenders

Terms and Concepts Related to ISO/IEC 27001

Information Security Management System (ISMS): Part of the overall management system based on a business risk approach to establish, implement, operate, monitor, review, maintain and improve information security.

Risk analysis: The systematic use of information to identify resources and estimate risk.
Risk assessment: The entire process of risk analysis and risk rating.
Risk rating: The process of comparing the estimated risk with given risk criteria to determine the significance of the risk.
Risk management: Coordinated activities used to control and guide an organization in relation to risk.
Risk processing: The process of selecting and implementing the necessary measures to change the risk.
Statement of applicability: Documented statement describing the control objectives and controls that are relevant and applicable to the organization's ISMS.

ISO27001 compliance project is ongoing at Istanbul Bilgi University. You can send all your questions and requests regarding ISMS to bgys@bilgi.edu.tr e-mail address.