
ISO 27001 Information Security Management System Certificate

ISO 27001 Information Security Management System

What is Data and Information?

First, let's look at the basic concepts. In its simplest terms, raw, unprocessed facts are called data. The processed form of data is information. Data, or a data expression, is a numeric or logical value.

The main characteristics of information that must be protected are:

  • Confidentiality of information: Information is not accessible to, and is not disclosed to, persons, organizations, entities or processes that are not authorized.
  • Integrity of information: The accuracy, completeness and original qualities of information are preserved.
  • Accessibility of information: Information can be accessed and used whenever it is needed, but only by authorized persons.

Information can be classified in various ways. However, it is basically possible to classify as follows:

  • Confidential information is critical to the business. Only members of the management team can access it. Access, use or sharing of such information by unauthorized persons is harmful to the enterprise. In short, it is essential to keep this information confidential.
  • Information restricted within the enterprise is private information accessible only to the employees concerned. Other employees outside that unit and third parties should not access or see it. It is essential to keep such information confidential.
  • Personal information is the personal data of employees. Only personal data related to business activities is covered; keeping and storing personal information that is not relevant to the job is not appropriate. It is essential that personal information remains accessible.
  • Company-internal information is for the use of employees only. Integrity and accessibility are essential for such information. Information shared between units falls into this class.

What is ISO / IEC 27001 Information Security Management System?

In order to ensure the security of all kinds of information, the ISO / IEC 27001:2005 Information Security Management System standard was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

In fact, the history of this standard goes back to the first part of the BS 7799 standard, published by the British Standards Institute in 1995, and its second part, published in 1998. These were revised together in 1999. In 2000, the ISO / IEC 17799 standard was published. In 2002, the BS 7799-2 standard was updated, and in 2005 the following standards were issued by the International Organization for Standardization:

  • ISO 27001:2005 standard instead of BS 7799-2
  • ISO 27002:2005 standard instead of ISO 17799:2000

These two standards were most recently revised in 2013.

This standard family has been published by Turkish Standards Institute in our country as follows:

  • TS EN ISO / IEC 27000 Information technology - Security techniques - Information security management systems - Overview and vocabulary
  • TS EN ISO / IEC 27001 Information technology - Security techniques - Information security management systems - Requirements
  • TS EN ISO / IEC 27002 Information technology - Security techniques - Code of practice for information security controls
  • TS ISO / IEC 27003 Information technology - Security techniques - Information security management system implementation guidance
  • ISO / IEC 27004 Information technology - Security techniques - Information security management - Measurement
  • TS ISO / IEC 27005 Information technology - Security techniques - Information security risk management
  • TS ISO / IEC 27006 Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems
  • TS ISO / IEC 27007 Information technology - Security techniques - Guidelines for information security management system auditing
  • TSE ISO / IEC EN 27008 Information technology - Security techniques - Guidelines for auditors on information security controls

What is Risk, Risk Management and Threat?

The word risk, which entered our language (Turkish) from French, is defined as the danger of harm. Risk is the occurrence of an unexpected event and being affected by it. Risk is therefore considered a negative situation, a danger. To protect against the negative effects of risks and avoid harm, measures are taken after the various possibilities have been considered. The method that encompasses these studies and planning activities is called risk management.

Risk management is the process of identifying, measuring, analyzing and evaluating a number of risk factors and minimizing the possible losses, in order to prevent interruption of the enterprise's operations and to ensure that its activities are not affected negatively. However, risk management activities cannot completely eliminate risk.

The main elements of a risk management study are:

  • Determination of the assets of the enterprise with information value
  • Identification of internal and external hazards that threaten the business
  • Identification of the weaknesses and vulnerabilities that endanger the business
  • Determining the probability of risk realization
  • Determination of the effects of risks on the activities of the enterprise and the system

By asset, we mean everything that is part of the system and has a value for the enterprise. Therefore, assets are valuable for the business and need to be protected.

In terms of the information technology system, assets do not mean only software and hardware. The concept of asset includes: all kinds of information; personal computers, printers, servers and all similar hardware; operating systems, in-house applications, office programs and all similar software; telephones, cables, lines, modems, switching devices and all other communication devices; all documents; the services produced; and, of course, the reputation and image of the business in the market.

Risks are classified into groups in risk management studies. For example:

  • Low risk group: if the asset is damaged, the information system is not damaged much and continues to function. The reputation of the enterprise is not harmed.
  • Medium risk group: if the asset is damaged, the information system is affected. Although the system continues to function, the asset still needs to be restored. The reputation of the enterprise suffers some damage.
  • High risk group: if the asset is damaged, the information system is highly affected and almost half of it becomes unusable. For the system to work, the asset must be replaced. The reputation of the enterprise is significantly affected.
  • Very high risk group: the information asset is severely damaged and the operability of the system is greatly affected; the information system is unavailable. The reputation of the company in the market is affected very badly.

A threat is the potential for a threat source, either intentionally or by accident, to exploit a vulnerability in the system and damage assets. Natural threats include earthquakes, landslides, floods, lightning strikes and storms. Environmental threats include air pollution, prolonged power outages and leaks. Human threats are caused by people, deliberately or unknowingly; examples are entering wrong data into the system, external network attacks, installing malicious software on the system, stealing user credentials, or unauthorized persons gaining access to the system.

A vulnerability in an information system is a weakness, error or flaw in system security procedures, in implementation or in internal controls that can lead to a violation of information security. Vulnerabilities alone are not a danger; a threat must exist for them to be realized.

What is the Scope of ISO 27001 Information Security Management System?

Enterprises produce certain information within the scope of their activities regardless of the sector or size in which they operate and this information is valuable for each enterprise. Efforts to protect information will be different from business to business, but generally the system will cover the following main elements:

  • The top management of the enterprise should have defined and explained a policy to be followed in the field of information security.
  • The information assets in the enterprise should be listed and put in order of importance.
  • The possibility of employees making mistakes should be prevented.
  • The risk of misuse of information assets in the enterprise should be reduced.
  • Attacks on information sources and the risk of information corruption or alteration should be reduced.
  • Operational computer systems should be sufficient and reliable.
  • Only authorized persons should have access to the information.
  • In case of any breach of security, timely and rapid response should be possible according to the form of the event.
  • Attacks on information should not interrupt the main activities of the enterprise, and it should be possible to return to normal operation very quickly. In other words, continuity of activities should be ensured.
  • The Information Security Management System must be sufficient to meet the entity's statutory and regulatory obligations.

Although ISO 27001 Information Security Management System is perceived only as an information technology project in enterprises, it is actually an information security project that concerns the whole enterprise. Senior management is therefore directly responsible for the establishment and operation of the ISO 27001 standard. Today, ISO 27001 Information Security Management System is managed as a whole that includes all human resources, senior management, information systems and business processes in the enterprise.

The main objectives of the ISO 27001 standard are:

  • To identify information security vulnerabilities, if any
  • To identify the risks that threaten information assets
  • To determine the control methods that ensure the security of the information assets at risk
  • To ensure that the necessary controls are carried out and that possible risks are kept at an acceptable level
  • To ensure the continuity of information security controls in the enterprise

What does ISO 27001 Information Security Management System Bring?

The ISO 27001 standard provides for the establishment of a risk assessment methodology, the preparation of risk assessment reports and the preparation of risk treatment plans.

Over time, the nature of the threats and vulnerabilities present in the system may change, or, as a result of the controls applied under the ISO 27001 standard, risks may be reduced or their severity lowered. Risk monitoring activities are therefore important for enterprises. Businesses are obliged to carry out risk assessment studies in accordance with the accepted methodology, at the intervals they have determined.

The information security policy under the ISO 27001 standard should mainly include: physical and environmental security, equipment security, operating systems and end-user security, password security, and server and system security.

Physical and environmental security refers to preventing unauthorized access to the system and protecting information assets against various risks. Today, physical and environmental security has become increasingly important. Private security teams at the entrance of the business building, the storage of important information media in protected areas, and access to these areas through PIN-protected security systems are examples of such measures. In order to protect information systems, it is common to install card-controlled access and similar physical security systems. Such physical perimeter security is established based on the security needs of the information assets and the results of the risk assessment. Areas holding high-risk information are protected from unauthorized access by means of authentication cards or PIN protection. In addition, physical protection measures should be taken and applied against damage caused by disasters such as fire, flood, earthquake, explosion or social unrest.

Importance of ISO 27001 Information Security Management System

Information security aims to ensure the continuity of work in enterprises, to minimize loss in the event of unavoidable danger and to protect the confidentiality, accessibility and integrity of the resources in all cases. Today, not only with its employees, but also with business partners, shareholders and customers, the establishment of a trust environment for the protection and confidentiality of information is of strategic importance for business management.

Security problems of various kinds not only interrupt the continuity of activities, but also cause loss of market share, create competitive difficulties and cause loss of trust among business partners, shareholders and customers. The cost of recovering from these losses is higher than the cost of the measures that would have avoided them.

For businesses, information, like other commercial assets, is an asset that has value and therefore needs to be protected. Information is of great importance for the business to continue its activities. For this reason, it is important that information assets are kept confidential, that their integrity is maintained and that they are available at all times; in short, that information security is ensured. ISO / IEC 27001 Information Security Management System is the only international and auditable system that defines the needs of enterprises in this direction.

The ISO 27001 standard is particularly necessary in sectors where the processing and protection of information is of paramount importance, such as the public, financial, health and information technology sectors. This standard is also important for businesses that manage information for other people and organizations. In this way, businesses provide their customers with the assurance that their information is protected.

ISO 27001 Information Security Management System is a management system established by enterprises with the aim of providing information security, applying this standard, and monitoring, reviewing, maintaining and continuously improving the application. Within this framework, risk analysis studies are carried out in order to determine the resources of the enterprise and to identify the possible risks. Risk assessment is the comparison of the estimated risk with given risk criteria in order to determine the significance of the risk.

ISO 27001 Information Security Management System Planning

The establishment of the ISO 27001 standard in the enterprise depends on a number of steps, as follows:

  • First, information about the infrastructure of the enterprise should be collected. This information relates to the fields of activity of the enterprise, the nature of the work done, and the mission and location of the enterprise.
  • Then, the key people who will serve in the establishment of the system should be determined. At this stage, those responsible for risk management and the purpose of establishing the system should be determined.
  • Then the current security situation of the enterprise should be determined.
  • Information should then be collected, such as locations, operations, business functions and information technologies, which will determine the scope of the system.
  • At this stage, the objective and scope of ISO 27001 Information Security Management System should be determined and a work program should be established.
  • Finally, at the last stage, the processes necessary for the establishment of the system and the continuity of the system should be determined.

The cycle, which traditionally applies to all quality management systems, is also the case here:

  • Plan (establishment of the Information Security Management System)
  • Do (implementation and operation of the Information Security Management System)
  • Check (monitoring and review of the Information Security Management System)
  • Act (maintenance and improvement of the Information Security Management System)

Naturally, with the establishment of such a system, businesses gain enormous benefits. For example,

  • The entity recognizes the existence and significance of all information assets.
  • It protects the information assets by applying the specified control and protection methods to them.
  • In this way, the continuity of the work is ensured. When any risk is encountered, activities are prevented from being interrupted.
  • With this system, the company gains the trust of the related parties as it will protect the information of the supplier companies and customers.
  • The protection of information is not left to chance.
  • The business acts more systematically than its competitors in serving its customers.
  • Motivation of employees in the business increases.
  • As compliance with legal regulations is ensured, possible legal proceedings are prevented.
  • The reputation of the business in the market increases and the business is one step ahead in the fight against its competitors.

The ISO 27001 Information Security Management System requires that all information assets in the enterprise be identified and evaluated, and that a risk analysis be made taking into account the weaknesses of these assets and the threats to them. To achieve this, an enterprise should choose a risk management method appropriate to its structure and carry out risk planning. The standard includes control objectives and control methods for risk treatment.

In accordance with the ISO 27001 standard, businesses are required to prepare risk management and risk treatment plans, identify tasks and responsibilities, prepare business continuity plans, prepare emergency management processes and keep records of these during implementation.

Businesses also have to issue an information security policy covering all these activities. Senior management and all employees should be aware of information security and its threats. In the implementation of ISO 27001 Information Security Management System, the selected control objectives should be measured and the suitability and performance of the controls should be continuously monitored. Information security management should be a living process, with the active support of senior management and the participation of all employees. Enterprises that wish to can receive consultancy and expert support in risk management, policy-making, documenting security processes, and identifying and implementing appropriate control methods.

In short, the ISO 27001 standard is a system that defines total information security and how to ensure information security as a living process. The steps of setting up this system can be described as follows:

  • Classification of information assets
  • Assessment of information assets according to confidentiality, integrity and accessibility criteria
  • Risk analysis
  • Determination of control methods to be applied according to the results of risk analysis
  • Completion of documentation work
  • Application of determined control methods
  • Conducting internal audit studies
  • Keeping records required by the standard
  • Conduct of management review meetings
  • Carrying out certification studies

Threats and Weaknesses Related to Electronic Communication

Within the framework of the relevant legal regulations, there are some things that businesses should do in order to ensure information security:

  • Keep records of the IP addresses used by computers
  • Keep records of which employees have had which IP addresses in the past
  • Keep log records of employees' activity on the Internet
  • Keep log records of e-mails sent by employees
  • Keep records of which web pages employees have visited and how long they spent on them
  • Restrict Internet access by filtering content
  • Ensuring the integrity of all records obtained and proving that they have not been altered
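As an added illustration of the last item above (not part of the original page), proving that retained records have not been altered: a hash-chained log over constructed IP assignment and web access records, keyed with a placeholder HMAC key, that pinpoints an altered entry and, when the head hash is anchored outside the log, detects a dropped tail. The key, record layout and sample values are all assumptions made here.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Hypothetical chain key held by the log owner (placeholder value); in a real
# deployment it would live in a key store separate from the log files.
CHAIN_KEY = b"placeholder-chain-key-for-illustration"
GENESIS_HASH = "0" * 64  # well-known starting value for an empty chain


def entry_digest(prev_hash: str, record: dict) -> str:
    """HMAC-SHA256 over (previous hash || canonical JSON of the record)."""
    # Canonical serialization: a verifier must recompute byte-identical input.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(CHAIN_KEY, prev_hash.encode("ascii") + payload, hashlib.sha256).hexdigest()


def append_record(chain: List[dict], record: dict) -> dict:
    """Append a record, binding it to the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {"record": dict(record), "prev": prev_hash, "hash": entry_digest(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every link checks out, else (False, index of first bad entry)."""
    prev_hash = GENESIS_HASH
    for idx, entry in enumerate(chain):
        expected = entry_digest(prev_hash, entry["record"])
        if entry["prev"] != prev_hash or not hmac.compare_digest(entry["hash"], expected):
            return False, idx
        prev_hash = entry["hash"]
    return True, None


def head_matches(chain: List[dict], anchored_head: str) -> bool:
    """Truncation check: the last hash must equal a head value stored outside the log."""
    current_head = chain[-1]["hash"] if chain else GENESIS_HASH
    return hmac.compare_digest(current_head, anchored_head)


# Constructed sample retention records (IP assignment and web access events), not real data.
SAMPLE_RECORDS = [
    {"ts": "2024-01-15T08:02:11Z", "type": "ip_assignment", "user": "employee01", "ip": "10.0.5.23"},
    {"ts": "2024-01-15T08:05:40Z", "type": "web_access", "user": "employee01", "host": "example.com", "duration_s": 95},
    {"ts": "2024-01-15T09:11:02Z", "type": "ip_assignment", "user": "employee02", "ip": "10.0.5.24"},
]


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for rec in SAMPLE_RECORDS:
        append_record(chain, rec)
    return chain


def demo_tamper_detection() -> Tuple[bool, Optional[int]]:
    """Alter one stored record after the fact and show that verification pinpoints it."""
    chain = build_sample_chain()
    chain[1]["record"] = dict(chain[1]["record"], duration_s=5)  # shorten the recorded browsing time
    return verify_chain(chain)


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", verify_chain(chain))  # (True, None)
    print("altered record:", demo_tamper_detection())  # (False, 1)
    print("last record dropped:", head_matches(chain[:-1], chain[-1]["hash"]))  # False
```

Without the anchored head value, silently removing the newest records would pass the link check, so the head hash (or the record count) must be stored where log writers cannot change it.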

Within this framework, the main threats to employees' electronic communication are:

  • Employees entering a security-sensitive area without authorization or beyond their existing authorization limits
  • Employees attempting, without authorization or by exceeding their existing authorization limits, to violate the confidentiality, integrity and continuity of data by deleting, adding, modifying, delaying, copying to another medium or disclosing information
  • Attempting to prevent, in whole or in part, the hardware and software components from meeting the requirements set out in legal regulations and in domestic and foreign standards
  • Misleading the user into believing that electronic communication is taking place with the right party
  • Monitoring electronic communication using illegal methods
  • Producing false information and claiming that it was obtained from another party, or sending such false information to another party
  • Rendering the electronic communication infrastructure partially or completely inoperable, or consuming its resources in a way that prevents the provision of services

In the meantime, a few weak points for electronic communication can be listed as follows:

  • Unforeseeable future threats
  • Errors in designing a system or protocol
  • Problems when installing a system or protocol
  • Errors caused by software developers
  • User errors
  • Inadequacies or non-conformities that arise during the use of the system

Standard Structure of ISO 27001 Information Security Management System

The ISO 27001 standard was most recently revised in 2013. In this version, the clauses of the standard are as follows:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  • Understanding the organization and its context
  • Understanding the needs and expectations of interested parties
  • Determining the scope of the information security management system
  • Information security management system
  5. Leadership
  • Leadership and commitment
  • Policy
  • Organizational roles, responsibilities and authorities
  6. Planning
  • Actions to address risks and opportunities
  • Information security objectives and planning to achieve them
  7. Support
  • Resources
  • Competence
  • Awareness
  • Communication
  • Documented information
  8. Operation
  • Operational planning and control
  • Information security risk assessment
  • Information security risk treatment
  9. Performance evaluation
  • Monitoring, measurement, analysis and evaluation
  • Internal audit
  • Management review
  10. Improvement
  • Nonconformity and corrective action
  • Continual improvement

ISO 27001 Information Security Management System Certification

After establishing the ISO 27001 Information Security Management System, businesses will want to obtain ISO 27001 certificate in order to prove this situation to their customers, competitors and related official and private organizations. However, the purpose of the installation of this system should not be only to have this document. Otherwise, the system cannot be expected to provide the benefits described above.

During implementation, the determined control methods are used to protect information assets, control the risks that threaten them, take measures to eliminate or mitigate risks, and assess new risks that arise over time. Where a risk cannot be prevented but is deemed acceptable, top management approval is required for accepting it. This process continues as long as the business exists.

Businesses that meet the requirements of the ISO 27001 standard and implement the Information Security Management System can then request an ISO 27001 certificate by applying to a certification body. At this point, it is extremely important that the certification body is accredited by a local or foreign accreditation body. Otherwise, the reports and certificates it issues will not be valid.

The first stage of the certification work is carried out on the existing documentation. At this stage, the information security policy, risk assessment reports, risk action plans, declaration of conformity, security procedures and application instructions prepared by the enterprise are reviewed individually. If any nonconformity is detected in these documents, it is expected to be corrected before proceeding to the second stage.

After completing the first stage, the certification body appoints one or more auditors and initiates audit work in the work environment of the enterprise. In these on-site audits, it is observed whether the information security controls determined by the entity depending on the field of activity comply with the requirements of ISO 27001 standard. After the second stage audits are completed, the auditors prepare a report and submit it to the certification body.

The certification body conducts evaluation studies based on this report and prepares the ISO 27001 Information Security Management System Certificate if it deems appropriate and delivers it to the enterprise. The validity period of the certificate is three years. However, after this document is issued, interim audits are conducted once or twice a year in accordance with the request of the enterprise. After three years, certification studies have to be carried out again.
