
09 February 2022

Relationship Between ISO 27001 & KVKK

Category KVKK - GDPR


    Securing your information assets is a requirement of the Turkish Personal Data Protection Law (KVKK). Establishing an information security management system for your business and obtaining ISO 27001 certification is the best way to document the measures your organization has taken in this context.

    The purpose of the ISO 27001 standard is to set out the requirements for establishing, implementing, maintaining and continually improving an information security management system.

    An Information Security Management System preserves the confidentiality, integrity and availability of information by applying a risk management process, and gives interested parties assurance that risks are managed properly.

    The international ISO 27001 standard, which consists of general requirements and the Annex A controls, sets out in detail what organizations must do to ensure information security.

    Are Organizations with ISO 27001 Certificate Compliant with KVKK?

    The first paragraph of Article 12 of KVKK, which came into force on 7 April 2016, sets forth the following provisions:

    "The data controller is obliged to

    a) prevent unlawful processing of personal data,

    b) prevent unlawful access to personal data,

    c) take all necessary technical and organizational measures to provide an appropriate level of security."

    The measures to be taken within this scope are elaborated in the Personal Data Security Guide (Technical and Administrative and Organizational Measures) published by the Turkish Data Protection Authority.

    Since the general principle of both ISO 27001 and KVKK is to ensure confidentiality and security, organizations with ISO 27001 certification can certainly adapt to KVKK faster and more smoothly.

    However, it would be a serious mistake for an organization to assume that it has become fully compliant with KVKK merely by taking the measures within the scope of the standard, because there are important points that distinguish KVKK from ISO 27001.

    What are the similar aspects between the technical measures to be taken within the scope of the Law on the Protection of Personal Data and the control items included in the ISO 27001 standard?

    Summary of Technical Measures to be Taken within the Scope of the Personal Data Security Guide (Technical and Organizational Measures) | ISO/IEC 27001:2013 Standard Clause
    Authorization Matrix | A.9.2 User Access Management
    Authorization Control | A.9.2 User Access Management
    Access Logs | A.12.4.1 Event logging
    User Account Management | A.9.4.2 Secure log-on procedures
    Network Security | A.13.1.2 Security of network services
    Application Security | A.14.2.6 Secure development environment
    Encryption | A.10.1 Cryptographic controls
    Penetration Test | A.12.6.1 Technical vulnerability management
    Intrusion Detection and Prevention Systems | A.12.6.1 Technical vulnerability management
    Log Records | A.12.4.1 Event logging
    Data Masking | N/A
    Data Loss Prevention Software | A.12.6.1 Technical vulnerability management
    Backup | A.12.3.1 Information backup
    Firewalls | A.14.1.2 Securing application services on public networks
    Up-to-date Anti-Virus Systems | A.12.2.1 Controls against malware
    Deletion, Destruction, or Anonymization | A.8.3.2 Destruction of Media
    Key Management | A.10.1.2 Key Management

    What are the similar aspects between the administrative measures to be taken within the scope of the Law on the Protection of Personal Data and the control items included in the ISO 27001 standard?

    Summary of Organizational Measures to be Taken within the Scope of the Personal Data Security Guide (Technical and Organizational Measures) | ISO/IEC 27001:2013 Standard Clause
    Preparing Personal Data Inventory | A.8.1.1 Inventory of Assets
    Corporate Policy (Access, Information Security, Usage, Retention and Destruction etc.) | 5.2 Policy
    (Data Controller – Data Controller & Data Controller – Data Processor) | A.7.1.2 Terms and Conditions of Employment
    Non-disclosure Agreements | A.15.1.2 Addressing Security Within Supplier Agreements
    Internal Periodic and Random Audit | 9.2 Internal Audit
    Risk Analysis | 6.1.2 Information security risk assessment
    Employment Contract, Disciplinary Regulation (Addition of Appropriate Provisions to Law) | A.7.2.3 Disciplinary process
    Corporate Communication (Crisis Management, Processes of Informing the Board and the Data Subject, Reputation Management etc.) | A.16 Information security incident management; A.17 Information Security Aspects of Business Continuity Management
    Training and Awareness Activities (Information Security and Law) | A.7.2.2 Information security awareness, education and training
    Register with VERBIS (Data Controllers' Registry Information System) | N/A

    The points in the tables above show that the Standard and the Law have controls under the same headings; however, the terms and requirements of those controls are not exactly the same.

    For example, although training and awareness activities are a control item in both, the content and conditions of the training must be customized for each.

    In addition, although the inventory required by KVKK has a counterpart in ISO 27001, the Inventory of Assets, it cannot be said that an organization with an Inventory of Assets also has a Personal Data Inventory, because the requirements for preparing the two inventories differ.

    Taking these similarities and differences into account, our consultants offer the most suitable solutions for your business to ensure your KVKK compliance and to help you obtain an ISO 27001 certificate. They also carry out the compliance process and the information security system setup at the same time, which eases implementation.

    Contact us to set up your information security system and determine the measures your business needs.


    The contents of this article are provided for informational purposes only. The article is confidential and the property of CottGroup® and all of its affiliated legal entities. Quoting any of its contents without crediting the source is strictly prohibited. Despite all the care and precaution taken in preparing this article, CottGroup® and its member companies cannot be held liable for the application or interpretation of the information provided. It is strongly advised to consult a professional regarding the application of the above-mentioned subject.

    For each concrete situation, it is strongly advised to seek guidance from a professional advisor. If you are a customer of ours, please consult your customer representative before taking any action related to this announcement. If you are not a customer, seek advice from an expert.
