INFORMATION SECURITY POLICY
1. Purpose:
The purpose of this policy is to define senior management's approach and objectives for
preventing breaches of legal, regulatory or contractual obligations and of any security
requirements, and to communicate these objectives to all employees and relevant parties.
2. Scope:
This policy covers the commercial activities carried out within the Company and the
protection of electronic information assets obtained from logistics, storage, accounting,
finance, quality assurance, purchasing, human resources, law, sales, marketing, internal
audit and information processing activities related to these transactions, and the information
security processes used for the processing, storage, protection, confidentiality and integrity
of personal data kept within the company within the scope of the law.
2.1. Internal Scope
Administration, organizational structure, roles and obligations;
2.1.1. The departments within the scope of the Company's Senior Management are:
Financial and Administrative Affairs, Purchasing, Finance, IT, Corporate
Communications and Business Development, Human Resources, Quality,
Export, Import, Logistics, Legal, Internal Audit, Sales, Marketing
2.1.2. Roles specified in the General Management Organization Chart and
responsibilities in job descriptions.
2.1.3. Policies, procedures, objectives and strategies to be fulfilled;
2.1.3.1. Information Security Management System Policy,
2.1.3.2. All Information Security management systems procedures,
2.1.3.3. Annual Information Security management systems objectives set by management,
2.1.3.4. Capabilities, understood in terms of resources and know-how (e.g.,
capital, time, people, processes, systems and technologies),
2.1.3.5. Management Representatives and Information Security Management
System team appointed by the management for the establishment,
operation and maintenance of the Information Security Management
System,
2.1.3.6. Relationships with internal stakeholders and their perceptions and
values, the culture of the organization, the standards, guidelines and
models adopted by the organization, the form and breadth of
contractual relationships.
2.2. External Scope
2.2.1. The social and cultural, political, legal, regulatory, financial, technological,
economic, natural and competitive environment, whether international,
national, regional or local,
2.2.2. Global Competition Law, Policies and Procedures,
2.2.3. Confidentiality of supplier and customer data,
2.2.4. Quality Orientation,
2.2.5. Relationships with stakeholders who have influence on the organization's
objectives and their perceptions and values;
2.2.6. All Company employees, including Senior Management, to ensure customer
satisfaction,
2.2.7. All relevant legislative, regulatory, contractual requirements, standards,
2.2.8. Product certifications with TSE and other organizations are external.
3. Definitions
3.1. BGYS (ISMS): Information Security Management System
3.2. Inventory: Any information asset that is important for the company.
3.3. Senior Management: Company Senior Management.
3.4. Know-How: The ability to do something.
3.5. Information Security: Information, like all other organizational and business assets,
is an asset that has value to a business and therefore needs to be appropriately
protected. Within the Company, know-how, process, formula, technique and method,
customer records, marketing and sales information, personnel information,
commercial, industrial and technological information and secrets are considered as
CONFIDENTIAL INFORMATION.
3.6. Confidentiality: Restricting the viewing of the content of information so that it can be
accessed only by those who are authorized to view the information/data. (Example: Sending
encrypted e-mails can prevent unauthorized persons from reading them even if the e-mail is
intercepted; Registered Electronic Mail (REM).)
3.7. Integrity: Detection of unauthorized or accidental alteration, deletion or addition of
information, and guaranteeing that such changes are detectable. (Example: Storing the data
held in the database together with digest (hash) values; electronic signature; mobile
signature.)
3.8. Accessibility/Usability: The readiness of the asset to be used whenever it is needed. In
other words, systems must be continuously available for service, and the information in the
systems must not be lost and must be continuously accessible. (Example: Use of an
uninterruptible power supply (UPS) and redundant chassis power supplies so that servers are
not affected by power line fluctuations and power outages.) This property is referred to as
"Accessibility" in this policy.
3.9. Knowledge Asset: Assets owned by the Company that are important for the
Company to carry out its activities without interruption. Information assets within the
scope of the processes subject to this policy are as follows:
3.9.1. Any information and data presented in paper, electronic, visual or audio
media,
3.9.2. All kinds of software and hardware used to access and manipulate
information,
3.9.3. Networks that enable the transfer of information,
3.9.4. Facilities and private areas,
3.9.5. Departments, units, teams and employees,
3.9.6. Solution partners,
3.9.7. Services or products provided by third parties.
4. The qualifications and competencies of the tasks for which responsibilities
and authorities have been determined are defined in the job descriptions. The IT Team and
the Management Representative are responsible for the maintenance and development of
activities related to information security. The ISMS Team and Management Representatives
have been appointed by the Senior Management. ISMS representatives were identified from
the departments within the scope. Assignments were made on a name basis as ISMS team
members.
4.1. Responsibility of Management
4.1.1. The Company Management undertakes to comply with the Information Security
Management System as defined, put into effect and implemented, to allocate the
resources necessary for the efficient operation of the system, and to ensure that
the system is understood by all employees.
4.1.2. During the ISMS installation, the ISMS Management Representative is
appointed with an appointment letter. When necessary, the document is
revised by the senior management and the assignment is made again.
4.1.3. Managers set an example for lower-level staff and assign responsibility for
security. The understanding that starts at the upper echelons and is put into practice
must be carried down to the lowest-level personnel of the company. Therefore, all
managers support their employees, verbally or in writing, in complying with security
instructions and in participating in security-related activities.
4.1.4. Senior Management provides the budget required for comprehensive information
security work.
4.2. Management Representative Responsibility
4.2.1. Planning the ISMS (Information Security Management System), determining
the acceptable risk level, determining the risk assessment methodology,
4.2.2. Providing the necessary resources for supporting and complementary
activities in ISMS installation, providing/improving user capabilities and raising
awareness, providing trainings, ensuring communication, providing
documentation requirements,
4.2.3. Execution and management of ISMS practices, ensuring the continuity of
assessments, improvements and risk assessments,
4.2.4. Assessment of ISMS and controls through internal audits, objectives and
management review meetings,
4.2.5. Maintaining the existing structure in ISMS and ensuring continuous
improvements.
4.3. Responsibility of ISMS Team Members
4.3.1. Conducting asset inventory and risk analysis studies related to their
departments,
4.3.2. When there is a change in the information assets under their responsibility that
will affect information security risks, informing the Management
Representative so that a risk assessment can be made,
4.3.3. Ensuring that department employees work in accordance with policies and
procedures,
4.3.4. Raising awareness about their departments within the scope of ISMS,
ensuring communication, ensuring documentation requirements,
4.3.5. Maintaining the existing structure in ISMS and ensuring continuous
improvements.
4.4. Responsible for conducting and reporting audit
activities in the internal audits assigned in line with the internal audit plan.
4.5. They are responsible for implementing the
Information Security Policy and ensuring that employees comply with the principles,
ensuring that third parties are aware of the policy and reporting security breach
incidents related to information systems that they notice.
4.6. Responsibility of All Employees
4.6.1. Carrying out their activities in accordance with information security objectives,
policies and information security management system documents,
4.6.2. Following the information security targets related to their unit and ensuring
that the targets are achieved,
4.6.3. Paying attention to and reporting any observed or suspected information
security vulnerabilities in systems or services,
4.6.4. For service contracts (consultancy, etc.) made with third parties that are not
under the responsibility of Purchasing, concluding a confidentiality agreement in
addition to the contract and ensuring that information security requirements are met.
4.7. Responsible for knowing and implementing the
information security policy and complying with the behaviors determined within the
scope of ISMS.
5. The Information Security Policy aims to protect the physical and electronic information
assets that affect the entire operation of the company, in order to guide company employees
to act in accordance with the company's security requirements, to increase their level of
awareness, to ensure that the company's core and supporting business activities continue
with minimal interruption, to protect its reliability and image, and to ensure the compliance
specified in contracts with third parties. Targets set by the Management are monitored at
specified intervals and reviewed at Management Review meetings.
6. The company's risk management framework covers the identification, assessment and
treatment of information security risks. The risk analysis, statement of applicability and risk
treatment plan define how information security risks are controlled. The ISMS Executive and
Management Committee is responsible for the management and realization of the risk
treatment plan. All these activities are described in detail in the asset inventory and risk
assessment instructions.
7. General Principles of Information Security
7.1. Company employees and third parties are obliged to know the details of the information
security requirements and rules outlined in this policy and in the related procedures, and to
carry out their work in accordance with these rules.
7.2. Unless otherwise stated, these rules and policies must be taken into account for all
information stored and processed in printed or electronic form and for the use of all
information systems.
7.3. The Information Security Management System is configured and operated based on
the TS ISO/IEC 27001 "Information Technology Security Techniques and Information
Security Management Systems Requirements" standard.
7.4. The Company carries out the implementation, operation and improvement of the ISMS
with the contribution of the relevant parties. It is the responsibility of the ISMS Management
Representative to update the ISMS documents when necessary.
7.5. Information systems and infrastructure provided by the Company to employees or
third parties and all kinds of information, documents and products produced using
these systems belong to the Company, unless there are legal provisions or contracts
requiring otherwise.
7.6. Confidentiality agreements are made with employees, consultancy, service
procurement (security, service, catering, cleaning company, etc.), suppliers and
interns.
7.7. Information security controls to be applied in recruitment, reassignment and
termination processes are determined and implemented.
7.8. Trainings that will increase employees' awareness of information security and enable
them to contribute to the functioning of the system are regularly provided to existing
company employees and newly recruited employees.
7.9. All actual or suspected violations of information security are reported; nonconformities
that cause violations are identified, the main causes are found and measures are
taken to prevent recurrence.
7.10. Inventory of information assets is created in line with information security
management needs and asset ownerships are assigned.
7.11. Enterprise data is classified and the security needs and usage rules for each class of
data are determined.
7.12. Physical security controls are applied in parallel with the needs of the assets stored in
secure areas.
7.13. Necessary controls and policies are developed and implemented for the company's
information assets against physical threats that they may be exposed to inside and
outside the company.
7.14. Procedures and instructions for capacity management, relations with third parties,
backup, system acceptance and other security processes are developed and
implemented.
7.15. Audit log generation configurations for network devices, operating systems, servers
and applications are set in line with the security needs of the respective systems.
Audit records are protected against unauthorized access.
7.16. Access rights are assigned on an as-needed basis. The most secure technology and
techniques possible are used for access control.
7.17. Security requirements are determined during system procurement and development,
and it is checked whether the security requirements are met during system
acceptance or testing.
7.18. Continuity plans for critical infrastructure are prepared, maintained and exercised.
7.19. The processes required for compliance with laws, internal policies and procedures,
and technical safety standards are designed, and compliance assurance is ensured
through continuous and periodic surveillance and audit activities.
8. Violation of the Policy and Sanctions
In the event that it is determined that the Information Security Policy and Standards are
not complied with, the employees who are responsible for this violation will be disciplined
according to the Disciplinary Directive and Procedure 3. The sanctions set out in the relevant
articles of the agreements that are valid for both parties are applied.
9. Management Review
Management review meetings are organized by the ISMS Quality Management
Representative and held with the participation of Senior Management and Department
managers. These meetings, where the suitability and effectiveness of the Information
Security Management System are evaluated, are held at least once a year.
10. Updating and Reviewing the Information Security Policy Document
ISMS Management Representatives are responsible for ensuring the continuity and review
of the policy document. Policies and procedures should be reviewed at least annually. They
should also be reviewed after any change that will affect the system structure or the risk
assessment, and if any changes are required, they should be approved by senior management
and recorded as a new version. Each revision must be published in a way that is accessible to
all users.