Regardless of its sector or size, every organization produces information internally, and all of that information is valuable. Although the activities needed to protect information and their scope vary with the characteristics of the organization, the Information Security Management System to be established will basically have the following scope:

  • Security policy: Top management of the organization should explain the information security policy to be followed.
  • Classification of information: Information assets should be inventoried and their importance should be determined.
  • Ensuring personnel security: This work prevents employees from making mistakes and minimizes the risk of misuse of information.
  • Ensuring physical security: Minimizes attacks on information sources and the risk of information corruption or alteration.
  • Ensuring operational security: Computer systems should be sufficient and reliable. In addition, these systems must be continuously developed.
  • Control of access to information: Only authorized persons should have access to the information.
  • Ensuring rapid response at the time of incident: Timely and rapid response should be possible according to the manner in which security breaches occur.
  • Ensuring the continuity of the work: Attacks on information should not interrupt the main work of the organization, and the organization should be able to return to its normal environment very quickly.
  • Compliance: The Information Security Management System must be at a level sufficient to meet regulatory requirements.

Contrary to popular belief, an Information Security Management System is not only an information technology project within the organization. It is an information security project that concerns the whole organization. Therefore, responsibility for establishing and operating this system lies with top management, not with the data processing units.

Although the Information Security Management System appears to be related to the information processing unit, it is actually related to all the units and processes of the organization.

These misunderstandings may be influenced by the fact that legal regulations on information security have not yet been made. Since there is no obligation to establish an Information Security Management System, information security management has not become as widespread as expected in public institutions or the private sector.

For more information on the standard scope of the ISO 27001 Information Security Management System, please contact the experienced managers and employees of the TURCERT certification body.