09 February 2022

Relationship Between ISO 27001 & KVKK

Posted in KVKK - GDPR

Securing your information assets is one of the obligations imposed by the Turkish Personal Data Protection Law (KVKK). Establishing an information security management system for your business and obtaining ISO 27001 certification is the best way to document the measures your organization has taken in this context.

The purpose of ISO 27001 standard is to lay down conditions for establishing, implementing, maintaining, and continually improving an information security management system.

An Information Security Management System preserves the confidentiality, integrity, and availability of information by applying a risk management process, and gives interested parties assurance that risks are managed properly.

The international ISO 27001 standard, which consists of general requirements and Annex A controls, sets out in detail what organizations must do to ensure information security.

Are Organizations with ISO 27001 Certificate Compliant with KVKK?

The first paragraph of Article 12 of KVKK, which came into force on 7 April 2016, provides as follows:

"The data controller is obliged to

a) prevent unlawful processing of personal data,

b) prevent unlawful access to personal data,

c) take all necessary technical and organizational measures to provide an appropriate level of security."

The measures to be taken within this scope are elaborated in the Personal Data Security Guide (Technical and Organizational Measures) published by the Turkish Data Protection Authority.

Because the general principle of both ISO 27001 and KVKK is to ensure confidentiality and security, organizations with ISO 27001 certification can adapt to KVKK faster and more smoothly.

However, it would be a serious mistake for an organization to assume that it has become fully compliant with KVKK by taking only the measures within the scope of the standard, because there are important points that distinguish KVKK from ISO 27001.

What are the similar aspects between the technical measures to be taken within the scope of the Law on the Protection of Personal Data and the control items included in the ISO 27001 standard?

| Technical Measures to be Taken within the Scope of the Personal Data Security Guide (Technical and Organizational Measures) | ISO/IEC 27001:2013 Standard Clause |
|---|---|
| Authorization Matrix, Authorization Control | A.9.2 User Access Management |
| Access Logs | A.12.4.1 Event logging |
| User Account Management | A.9.4.2 Secure log-on procedures |
| Network Security | A.13.1.2 Security of network services |
| Application Security | A.14.2.6 Secure development environment |
| Encryption | A.10.1 Cryptographic controls |
| Penetration Test, Intrusion Detection and Prevention Systems | A.12.6.1 Technical Vulnerability Management |
| Log Records | A.12.4.1 Event logging |
| Data Masking | N/A |
| Data Loss Prevention Software | A.12.6.1 Technical vulnerability management |
| Backup | A.12.3.1 Information backup |
| Firewalls | A.14.1.2 Securing application services on public networks |
| Up-to-date Anti-Virus Systems | A.12.2.1 Controls against malware |
| Deletion, Destruction, or Anonymization | A.8.3.2 Destruction of Media |
| Key Management | A.10.1.2 Key Management |

What are the similar aspects between the administrative measures to be taken within the scope of the Law on the Protection of Personal Data and the control items included in the ISO 27001 standard?

| Organizational Measures to be Taken within the Scope of the Personal Data Security Guide (Technical and Organizational Measures) | ISO/IEC 27001:2013 Standard Clause |
|---|---|
| Preparing Personal Data Inventory | A.8.1.1 Inventory of Assets |
| Corporate Policy (Access, Information Security, Usage, Retention and Destruction, etc.) | 5.2 Policy |
| Agreements (Data Controller – Data Controller & Data Controller – Data Processor) | A.7.1.2 Terms and Conditions of Employment |
| Non-disclosure Agreements | A.15.1.2 Addressing Security Within Supplier Agreements |
| Internal Periodic and Random Audit | 9.2 Internal Audit |
| Risk Analysis | 6.1.2 Information security risk assessment |
| Employment Contract, Disciplinary Regulation (Addition of Appropriate Provisions to Law) | A.7.2.3 Disciplinary process |
| Corporate Communication (Crisis Management, Processes of Informing Board and Data Subject, Reputation Management, etc.) | A.16 Information security incident management; A.17 Information Security Aspects of Business Continuity Management |
| Training and Awareness Activities (Information Security and Law) | A.7.2.2 Information security awareness, education and training |
| Register with VERBIS (Data Controllers' Registry Information System) | N/A |

The tables above show that the Standard and the Law contain controls under the same headings; however, the terms and requirements of those controls are not identical.

For example, while training and awareness activities are a control item under both, the content and conditions of the training must be tailored to each.

Similarly, although the inventory required by KVKK has a counterpart in ISO 27001 (Inventory of Assets), an organization that has an Inventory of Assets cannot be assumed to also have a Personal Data Inventory, because the requirements for preparing the two inventories differ.

Our consultants offer the most suitable solutions for your business to ensure KVKK compliance and to obtain ISO 27001 certification, taking these similarities and differences into account. They also carry out the compliance process and the information security system setup at the same time, which makes implementation easier.

Contact us to set up your information security system and determine the measures your business needs.

Notification!

The contents of this article serve an informative purpose only. The article is confidential and the property of CottGroup® and all of its affiliated legal entities. Quoting any of the contents without crediting the source is strictly prohibited. Despite all the care taken in the preparation of this article, CottGroup® and its member companies cannot be held liable for the application or interpretation of the information provided. It is strictly advised to consult a professional before applying the above-mentioned subject matter.

Please consult your client representative if you are a customer of CottGroup® or consult a relevant party or an expert prior to taking any action in regards to the above content.
