;

ARTICLES

  1. Home
  2. Articles

FACILITIES IN THE REGULATION ON FACILITATING CUSTOMS PROCEEDINGS...

While the Authorized Liability Status, aimed at facilitating trade, was in demand due to the advantages and prestige it provided for the companies, the number of companies that could afford it could not reach the desired rate. The reasons for this were investigated, revisions were made on many subjects such as the weight of the application conditions, unclear statements in the Questionnaire, and important changes were made in the Regulation on Facilitating Customs Procedures published in the Official Gazette dated 13 October 2017 and numbered 30209.

The first of these concerns the nature of the applicant company. The certificate application of the newly established company or the company that took over the certificate holder company, in case another company joins the certificate holder company by transfer, and the conditions sought for company splits have changed.

Regarding the reliability conditions to be sought for the YYS application, provisions have been added regarding the irregularity penalties applied in case of summary declaration deficiency, excess, in accordance with Article 237 of the Customs Law No. 4458.

In the new regulation, it has been made easier to answer and evaluate the Annex-2 Questionnaire in the application. It was rearranged to consist of a total of 96 questions. Annex-7, which was used by the inspectors in on-site inspections, has been removed. However, this regulation will enter into force 3 months after the publication of the Regulation amendment. Applications made before the amendments to the Annex-2 questionnaire will be finalized in accordance with the provisions of this regulation and the abolished regulation.

Customs Consultants, Assistant Customs Consultants and Authorized Customs Consultants are included in the definition of competent personnel to work in the foreign trade department of the companies. If such competent personnel cannot be employed, the issue of obtaining services from the legal entities of Customs Consultancy and YGM and from companies providing consultancy services on foreign trade issues that have been active for 3 years has been regulated in detail.

The fact that a lawsuit has been filed by the public prosecutor's office against the company partners and top managers for the crimes listed in the same paragraph will not prevent the issuance of the certificate, but within the scope of the issued certificate, the certificate holder will not be able to benefit from important simplifications such as green line and on-site customs clearance during this period.

The lump sum guarantee and the on-site customs clearance and authorized buyer guarantees in imports were separated and moved to different departments.

It has been clarified that the ISO 9001 and 27001 certificates, which allow the commercial records of companies to be reliable and traceable, are sufficient for 3 years instead of the current versions, and that they are limited to the departments listed in the regulation, and the areas subject to discussions are clarified. According to this; “ISO 9001 certificate, customs, foreign trade, production, logistics, management and administrative organization activities of the applicant, ISO 27001 certificate; customs and foreign trade transactions and the information assets of logistics, storage, accounting, finance and information processing activities related to these transactions and the security measures used to protect these assets.

New regulation In the annual audit, it is stipulated that if assistance is obtained from a legal entity such as a customs consultancy or authorized customs consultancy in customs procedures, this will be done by companies that have been active for 3 years and provide consultancy on foreign trade issues. It was stated that the 3-year audits will be carried out by the company by re-submitting the Annex-2 Questionnaire.

Risk analysis time in export transactions was reduced from 2 hours to 30 minutes. In the camera records, the records of the general areas were arranged for 1 month and the customs clearance records for 3 years.

Airline companies that were not in the old regulation were also authorized only for air cargo.

In YYS applications, the preliminary inspection period made by the Customs and Trade Regional Directorates, the duration of the on-site inspection made by the customs inspectors and the correction periods granted to the applicants have been extended. 30 business day periods 45 days; Those with 15 working days were revised to 20 working days.

It allowed import, export and transit transactions to be carried out more easily and simply in on-site customs clearance and authorized sender-receiver transactions.

A weighing instrument has been made mandatory in on-site customs clearance. Authorized sender-receiver authorization was made to cover all import and export transactions. The harmonization of the YYS with the new transit regime practices is also an important innovation. The problem of place allocation has been eliminated for on-site customs clearance permit holders and authorized senders, allowing them to perform export and transit transactions from any place they wish within their own facilities. It has been made possible for the owner of the on-site customs clearance permit to transport his goods to carriers who are not authorized consignors (but meet the conditions) without any regime restrictions.

Hoping that the changes will bring convenience to the companies…

Müge Balkış

Protection of Personal Data Do You Know The Law?

Law No. 6698 on the Protection of Personal Data; The identity, communication, health and financial information of the person, as well as the information related to his private life, religious belief and political opinion are considered as personal data.

Today, these data are collected by both the private and public sectors, frequently processed and transmitted over information systems.

Although the use of this information provides some convenience or advantages for individuals and those who provide goods and services, this situation brings the risk of abuse of the information in question. The acquisition, use and disclosure of this data by unauthorized persons is a violation of both the contracts we are a party to and the fundamental rights protected by our Constitution.

Businesses/individuals collecting and processing personal data have a number of responsibilities and obligations imposed by law. Intentional or unintentional access to data by unauthorized persons may result in many financial penalties and sanctions, including imprisonment.

The concept of data controller, which every business will appoint and report to the board, is important.

As the BTYS family, within the scope of Personal Data Management Studies:
• responsible for personal data,
• data collection general principles and disclosure responsibility processing policy,
• personal data format, transfer and storage risks,
• your storage and disposal responsibilities,
• Ensuring the security of Communication and Information Technologies methods and products
• understanding the differences between your current structure and the sanctions imposed by the law,
• the measures you will take against legal sanctions and penalties
• on issues such as responding to complaints that may be made about you
We aim to meet the obligations of the law numbered 6698 with the consultancy of BS 10012 Personal Information Management System standard.

In All Kinds of Wet Signatures Preserving Sensitivity is a must

In electronic signature, which offers a much more secure structure against wet signature, user awareness is of great importance as always. Penal sanctions for illegal steps are also very clear.

An e-signature has the same legal validity as a handwritten signature and is created on behalf of real persons. As Burak Bestel, Manager of Innova Management Systems Consulting, reminded that "no e-signature is created on behalf of the institution", e-signature allows the user to prove that he/she signed a legally shared document, letter or similar document with his/her own signature. In this respect, sending all kinds of electronic correspondence, such as contracts, offers, personnel contracts, which may be legally binding, with e-signature, provides a serious legal guarantee. It also ensures that the document is not changed later, bringing the power of proof to e-signed documents.

Forgery and unauthorized use of the e-signature constitutes a legal crime, just as in the case where the wet signature is imitated. According to Bestel, who reminded that “It is very important that the e-signer should not sign under a blank paper, it is also very important that they keep their e-signature information secure and not share it with anyone.” . However, technology, especially communication technologies, has a rapidly developing and changing dynamic. Therefore, it is necessary to constantly make new regulations regarding the missing parts of the law regarding the new digital threats that emerged in this process, the communication infrastructures that have just started to be used, and all similar changes. As Bestel pointed out, this situation is not just about e-signature anyway. All laws regulating cybercrime and IT applications are in need of new regulation in a much shorter time than many other laws.

Certificate producers are also responsible
With the Electronic Signature Law No. 5070, which was published in the Official Gazette dated 23 January 2004 and numbered 25355, and entered into force on 23 July 2004, it was regulated that the secure electronic signature has the same power of proof as a handwritten wet signature and that the electronic data created in this way will be legally valid. . Looking at the relevant articles, Article 5 "Has the same legal consequence as a handwritten signature", and Article 22 "Has the same power of proof as a handwritten signature." and in accordance with Article 23, "The electronic data created is like a bill". In the light of the information added by TNB E-signature Corporate Sales Manager Berkan Çağlar, as stated in Article 16 of Law No. 5070, those who resort to such illegal means are punished with imprisonment from one year to three years and heavy fines of not less than five hundred million liras. Adding the information, "If the perpetrators of this crime are the employees of the electronic certificate service provider, the penalty for this crime has become heavier and it has been stated that the penalty can be increased up to half", and underlined that besides the legal sanctions, the companies that produce the certificate have important duties.

A reliable tool
The most important reason for the need for electronic signature in Turkey is the desire to provide features such as security, identification and non-repudiation in legal transactions. Electronic data created with a secure electronic signature in accordance with the procedures in the Electronic Signature Law are considered promissory notes. These data are considered conclusive evidence until proven otherwise. The fact that an electronic signature is as binding as a wet signature also certifies its legal power. As Anadolu Bilişim Corporate Application Services Director Atakan Karaman informed that "There are 2-5 years imprisonment and heavy fines specified in the law regarding the unauthorized use of electronic signature", forging electronic signature is a crime that is equated with forging wet signature and official documents. . According to Karaman, who said, “Despite the possibility of creating fake and counterfeit electronic certificates during the formation and development of the electronic signature market, the articles in the law prevented such negative behaviors,” says Karaman.

CAUTION AGAINST IMPACT AND DESTRUCTION
E-signature ensures that the information sent in electronic transactions does not change on the way, belongs to the sender, cannot be denied, and the identity information of the persons is correct in electronic transactions. Users, in their transactions with e-signature within the scope of Electronic Signature Law No. 5070, create a legally valid evidence just like a wet signature. As E-Trust General Manager Can Orhun pointed out, the responsibility in e-signature rests on different institutions and individuals at certain stages. Electronic certificate service providers are responsible for the security of all steps in the process until the delivery of the electronic signature to the user. Electronic certificate service providers authorized by the BTK are responsible for the process from authentication to the delivery of highly secure devices loaded on the electronic signature to the user and the delivery of the latest passwords to the user through secure channels. As Orhun stated, until this stage, the responsibilities and sanctions are determined within the scope of the electronic signature law no. 5070. “After the electronic signatures are delivered to the user, the responsibility passes to the signatory. In other words, after that stage, all the sanctions that are valid for wet signatures are also valid for electronic signatures”, Orhun added: “In addition, the possibility of attempting to imitate or destroy electronic certificates that are validly created is one of the issues we consider. The qualified electronic certificate market insures itself with heavy fines against those who commit such illegal transactions.”

TWO CRITICAL ISSUES NEED REGULATION
E-signature is strictly regulated by the Electronic Signature Law No. 5070. In addition to the authorities and responsibilities of the companies providing services, the responsibilities of e-signature holders and other persons are determined by law. In addition to the general provisions of the Turkish Penal Code, fraud, unauthorized use and similar cases are also met with heavy penal sanctions in the electronic signature law. “Here, I would like to remind our citizens, especially those who have e-signatures, that they should not give their e-signatures to others or let them use it. It should be kept in mind that serious grievances and damages may arise from the consequences,” said TürkTrust General Manager Dr. Tolga Tüfekçi said, “Another important issue is this: E-signature companies carry out commercial activities in a competitive market in our country as well as in the world. However, as in the banking sector, it is extremely important that the competition in the e-signature market is carried out within strictly defined limits, and that service is provided without compromising service quality and reliability. Otherwise, it is inevitable to face public harm.” According to Tüfekçi, information security is a very difficult field to regulate. E-signature is just one of many areas under the heading of security and, in Tüfekçi's words, it is the best regulated area in our legal system. Apart from e-signature, there is not much regulation that deals with the electronic environment in terms of "security", apart from the Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications and the Turkish Penal Code. In this context, Tüfekçi believes that there is a need for regulation on two critical issues. One of them is "protection of personal data" and the other is "institutional structuring regarding cyber security". Tüfekçi reminded that "These regulations will not yield the desired results only with the perspective of "crime and punishment" and continued his comment as follows.

TWO CRITICAL ISSUES NEED REGULATION
E-signature is strictly regulated by the Electronic Signature Law No. 5070. In addition to the authorities and responsibilities of the companies providing services, the responsibilities of e-signature holders and other persons are determined by law. In addition to the general provisions of the Turkish Penal Code, fraud, unauthorized use and similar cases are also met with heavy penal sanctions in the electronic signature law. “Here, I would like to remind our citizens, especially those who have e-signatures, that they should not give their e-signatures to others or let them use it. It should be kept in mind that serious grievances and damages may arise from the consequences,” said TürkTrust General Manager Dr. Tolga Tüfekçi said, “Another important issue is this: E-signature companies carry out commercial activities in a competitive market in our country as well as in the world. However, as in the banking sector, it is extremely important that the competition in the e-signature market is carried out within strictly defined limits, and that service is provided without compromising service quality and reliability. Otherwise, it is inevitable to face public harm.” According to Tüfekçi, information security is a very difficult field to regulate. E-signature is just one of many areas under the heading of security and, in Tüfekçi's words, it is the best regulated area in our legal system. Apart from e-signature, there is not much regulation that deals with the electronic environment in terms of "security", apart from the Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications and the Turkish Penal Code. In this context, Tüfekçi believes that there is a need for regulation on two critical issues. One of them is "protection of personal data" and the other is "institutional structuring regarding cyber security". Tüfekçi reminded that "These regulations will not yield the desired results only with the perspective of "crime and punishment" and continued his comment as follows:

“The aim of the regulations should be the protection of individual rights and freedoms. While it is possible for our people to benefit from information technologies at the highest level, it should not be forgotten that the general public order can only be achieved in this way. Efforts to increase knowledge and awareness in this field will benefit more than many legal regulations.

ATTENTION TO THE RISKS ON THE FIELD
Electronic signature provides the power to prove himself and his actions legally and to protect himself against attacks in electronic environment. Electronic signature is currently the most secure legal method, provided it is used correctly. EGA Electronics General Manager Muzaffer Yıldırım pointed out the following details that should be noted about this structure:

“The responsibility for the use of the electronic signature lies with the individuals. As long as the signature and access password are well protected, it is not possible to imitate or commit fraud. As long as the person uses the electronic signature correctly and does not share his password with anyone, there is no fraud or unauthorized use. However, in electronic signature, it is useful to look at the issue in terms of the application and production processes of certificates. There may be cases where CSPs produce certificates without correct identification, and couriers deliver certificates to wrong people. Although the control of the correct management of these processes is in the hands of the BTK, people should be careful for special situations that may occur in the field.”

You Are Very Mobile But How Safe Are You?

The information systems infrastructure, which forms the basis for the information flow in your company, has become the new favorite of those who want to make an easy profit with the widespread use of technology in business processes. Those who manage to infiltrate critical systems with appropriate methods can infiltrate huge data packets without even hearing your soul - just as if Fort Knox's gold reserves were hit. Valid credit card information of millions of users, industrial designs that haven't been released yet, trade secrets that normally no one should know, new business ideas in the planning stages and much more...

In fact, although you are not aware of it in most cases, the data you carry with your mobile devices also puts the responsibility of others on your shoulders. Apart from the financial damage you will face due to the loss of this data, both due to the device and the applications you use, the damage to commercial reputation and legal responsibilities can go to places you never expected.

On the other hand, being able to predict what these vulnerabilities might cause in mobile is a subject that requires expertise in itself. Today, almost every institution has network infrastructures with different features, virtualization and cloud-based systems, user-oriented operating systems, hundreds of mobile devices and countless applications on all these. We are talking about a structure that communicates with the data flow.



You also need some SANS to be protected

The most important thing in this regard is knowing where and how to look. That's why there has been a concept called penetration testing in our lives for a while. The purpose of this test is to reveal the elements that threaten data security, from common vulnerabilities in systems to security (mobile security) awareness of users, and to encourage them to take precautions.

1) Which methods are you sensitive to or weak?
2) How well do the people or solutions you believe are protecting you doing their job?
3) What steps should you take first to ensure mobile security if someone manages to break through all the obstacles you put and infiltrate your systems?
This is where the SANS Institute and its methodologies (SEC575) come into play.

The SANS Institute (SANS Institute), which has been the center of mobile security-focused training for more than 25 years, is the institution that sets standards in many areas of the subject, as well as offering intensive training programs that ensure systems and networks are protected against threats and are known with the SEC 575 code.

SANS Institute, which has published many research documents and whitepapers for information security professionals in the field of information security, plays a guiding role in many applications in the world on mobile security. Systems, desktop software and mobile applications are developed, tested and made available to the masses, adhering to the rules that emerged as a result of SANS training and research.

The most solid step that can be taken in mobile application security tests: Using the methodologies and test methods (SEC575) prescribed by the SANS Institute, which has been operating in the field of security for many years and leading the sector, or trusting the professionals approved by SANS...

Because only; Having the GMOB (GIAC Mobile Device Security Analyst) certificate given by the SANS Institute, experts can run platform-independent test processes, reveal all risks in applications with detailed reports, and prepare tailor-made solutions for you.

BYOD: Should Employees Choose Their Own Device? Wouldn't you choose?

Not much, until 7-8 years ago, the newest technologies were always produced to appeal to corporate users, became widespread in institutions, and then descended to the end user. The highest performance processors, the highest resolution screens, the most flamboyant portable devices were always in the hands of company representatives, and their prices were within the limits of easy access by the end user.

Then something happened. Especially with the spread of portable smart devices, we watched the end-point of design and performance shift towards the end user. In addition to devices that appeal to the expectations and tastes of different users with their functions and designs, corporate devices have begun to remain cold and cumbersome.

In fact, this is the case today. On the one hand, the standards that you have to adhere to due to corporate data security, on the other hand, different devices renewed every year. On the one hand, a laptop design that needs to be physically strong, on the other hand, laptop models that weigh up to 1 kilo and offer 10 different color alternatives…

So which one would you prefer?

Most users prefer the device they prefer. This is the case with the laptop, the same with the smartphone. Research shows that when employees have the chance to use their own devices at work, their motivation increases and they become more creative and productive.

Moreover, they do not hesitate to open the mouth of the purse for this. Research shows that in more than half of the companies that have implemented the BYOD concept, employees pay for all equipment and service costs themselves, and they are very satisfied with this situation. This; It is perceived as a reasonable price for the privilege of using a single device that is easily portable, lightest, and has the most features, at work, at home, on vacation, on travel.

But there is an important issue here that is often overlooked. Today, with the development of communication technologies, it is no longer possible to separate private life and business life with sharp rules, due to the possibility of 24/7 connection, mobile devices and the way they do business, the need to be constantly on the go. When you include BYOD, you make this distinction almost invisible with your own hands.



What about the employer? Is he as satisfied with this situation as you are?

It is a fact that the concept of BYOD puts a great strain on the management and security layers of the company's technological infrastructure. Unforeseen problems that may arise due to the use of different devices, management and backup processes of mobile devices, ensuring compatibility with existing infrastructures and applications, standardization problems, security vulnerabilities, whatever comes to mind.

Of course, there is also the application dimension of the work. No matter how solid you keep the system, things can turn into a mess on the application side. According to a study conducted last year, 84 percent of cyber attacks today occur at the application layer.

What does all this mean now? Are we going to remove the concept of BYOD and put it aside?

In any case, it is a fact that BYOD puts more responsibility on employees. For this reason, it is important for companies that work or will pass through the BYOD system to approach work not only from a technological point of view, but also from a human resources point of view.

Fear of change is not the solution. Change has to be understood and managed.

When you take a look around you, you will see that there are many things you can do about this issue and many solutions that you can benefit from.

With a Thief for 416 Days You May Be Alive

94 percent of institutions have heard from someone else that they have been cyber-attacked. The average time that people who infiltrate their cyber systems are inside before being caught is exactly 416 days.

It is often said that Turkish people are hospitable. Our culture is full of stories and quotes about accepting strangers as guests of God, opening doors to the needy. But things change when it comes to servers that you entrust your most valuable secrets to, who take on almost all the load for business continuity in today's competitive environment. You need to protect your systems from intruders, evil eyes, snoopers. Otherwise, it is not possible to predict how far the damage will extend, from information theft to systems becoming inoperable.

Moreover, research on the security of institutions' information systems reveals how weak awareness is actually on this issue. For example, 94 percent of institutions hear that they have been hacked, not from their own means, but from someone else. The average stay inside the cyber systems before being caught is 416 days! The thief who broke into your house lies in your office for months, reads your messages, uses your resources, and you realize this after an average of 416 days. Unbelievable. So how do you ensure security? Antivirus? Firewall? Unified threat management solutions? These are essential elements that strengthen security, admittedly. You definitely need to use it. But what if someone overcomes these obstacles? What if the Firewall fails to block it? What if they find a way to bypass your antivirus and network security systems?

Do we trust ourselves in vain?

In fact, as long as you construct all these solutions properly and keep them up to date, it is quite difficult to overcome them unless you exceed a certain skill level. But we make some mistakes involuntarily as we bring the systems closer together like a castle wall. Standards make us predictable. The realization of investments in budget periods creates weak interim periods in which technology investments are weak. The integration of different systems is not always achieved in the ideal way it should be.

That is why a concept called penetration testing has entered our lives. Here's the thing: You welcome institutions that run this test into your system, and they simulate an attack on your system, using common vulnerabilities and incorporating their own skills. Since the purpose of these well-intentioned attempts to infiltrate systems is only to "detect vulnerabilities and vulnerabilities", you have the chance to see and strengthen the weak points of the existing system before someone with a different purpose forces your systems.
That is why a concept called penetration testing has entered our lives. Here's the thing: You welcome institutions that run this test into your system, and they simulate an attack on your system, using common vulnerabilities and incorporating their own skills. Since the purpose of these well-intentioned attempts to infiltrate systems is only to "detect vulnerabilities and vulnerabilities", you have the chance to see and strengthen the weak points of the existing system before someone with a different purpose forces your systems.

Those who do this work often call themselves "white hat hackers" or "ethical hackers". They have been very popular lately. There are institutions that provide training on this job, there are standard studies on penetration testing, there are even software that do this job automatically.

As for what the outcome is in the end… First of all, you understand which methods you are sensitive to. You are testing potential risks that fall outside the control of malware. You see how well the people or solutions you believe are protecting you are doing their job. And most interestingly, you can gauge what it would cost you to fix it if someone manages to break through all the obstacles and infiltrate the system.

Penetration tests are considered a mandatory part of some comprehensive security audits, especially in the financial sector. In today's world, where economic activities have become more information-oriented and business continuity has become a standard rather than a privilege, you must somehow bring this issue to the agenda.

In the Energy Sector Information Security Communiqué

The Energy Market Regulatory Authority (EMRA) is preparing to issue a communiqué on the provision of information security in the energy sector.

According to the information we have obtained from the sector, the information security processes in the energy sector will be discussed in detail with the communiqué to be published within the scope of the "Regulation on Ensuring Information Security in the Energy Sector".

As you know, information security issues are among the top priorities of governments and decision makers. Many countries, including Turkey, are now establishing information security units, and important measures are taken in the private and public sectors in the field of information security. Deactivating a country's critical infrastructure and facilities such as energy, communication and finance means that country is hoisting a white flag. That's why today's cyber-attacks - as in attacks on Iranian nuclear facilities and Estonian IT infrastructure - are also targeted by the energy sector.



In the energy sector, which is vital for today's systems and human life; It requires a healthy operation of complementary infrastructures such as electricity, natural gas, oil, transmission lines, load balancing systems and SCADA systems, and raw material traffic.

EMRA takes important steps in information security

In this structure, which includes the Energy Market Regulatory Authority (EMRA), the institutions and organizations under the Ministry of Energy and Natural Resources, and private sector companies in Turkey, information security is among the topics that have been talked about frequently recently. The fact that the components of the energy sector are predominantly based on information infrastructures, the circulation of the data here in the digital environment, the monitoring of information systems processes and the provision of security are also preparing to become a necessity.

It is among the information we have obtained that EMRA has reached the final stage in its efforts to ensure information security in the energy sector and is preparing a communiqué. With the prepared communiqué, the aim of EMRA will be to define the work that needs to be done to ensure the integrity, continuity and confidentiality of the organizations in the energy sector, the information systems and the information circulating on these systems. In the prepared regulation, it is stated that the organizations subject to this communiqué must obtain the ISO27001 Information Security Management System certificate by the end of 2014.

In this way, it will be ensured that the players of the energy sector will intervene in the fastest and systematic way against possible risks with a common language and cooperation with relevant institutions and organizations will be established.

Steps to be taken in critical information infrastructures in the energy sector

Establishing an asset inventory of critical information infrastructures in the energy sector and determining risk management appear as the first step. Competence status of private and public institutions and organizations on the energy sector ecosystem is of critical importance in terms of determining the first rule of information security, "You are only as strong as the weakest link in the chain" approach.

Creating the topology of system components on systems and networks will be another important topic. In this way, it will be possible to address the mobility on the systems and to take local measures quickly.

At the point of determining the measures to be taken at the minimum level, it will be aimed to maintain the up-to-dateness of the components in the ecosystem against changing risks and to establish standards. Of course, the adoption of ISO27001 standards in terms of information security will also be important in terms of information security management. In addition, ISO27001 will be the determining factor in cooperation with third parties included in the system in the next step.

Access to networks and authorizations will stand before us as processes that need to be carefully determined from endpoint users to senior decision makers. The most basic concept we learned in information networks is that no matter how much you provide the physical security of the systems, individual errors, negligence and abuses will leave these structures vulnerable.

Information security is not a static process, it requires much more attention, especially for a sector with intense movements such as the energy sector. Therefore, it is worth noting that the implementation of a structure in which processes are defined correctly, updates itself in its own internal dynamics, self-control mechanisms work and improves itself with reporting processes is also important for critical infrastructure security to be provided in this area.

Information security: The New Dimension of Competition

How can information security be ensured in a world where the boundaries of accessing information are blurred?

Indeed, we are faced with a difficult question whose answer often changes. On the one hand, we must provide transparency around emerging concepts such as governance, on the other hand, we must secure our most valuable corporate asset, our intellectual property, in the conditions of increasing competition.

According to the Deloitte 2013 TMT Global Security Study, information security has become a point of differentiation in intercompany competition. While 33 percent of small companies perceive industrial espionage as a medium to high threat, this rate goes up to 67 percent in large companies. 88 percent of all technology, media and telecommunications companies and 92 percent of technology companies that participated in the study think that they are more or less secure against external cyber threats.

Information security, which has reached an international standard with ISO 27001, outlines the management policies of institutions, the responsibilities they impose on their employees, and business development platforms with different institutions. Many institutions in the public and private sectors carry their information security to a sustainable environment with ISO 27001. In this way, it can quickly evaluate different alternatives such as cloud computing with the necessary criteria. In today's world, threats to information security are not limited to potential damages that may come from outside the organization. Many threats, whether malicious or not, can occur from within the organization. Determining employee responsibility with the right authorization policies is an important part of this information security and ISO 27001. The large number of employees, the increase in the institutions with which business partnerships are developed, and the determination of authorizations in the projects shape information security as a process consisting of different layers.

ISO 27001 and ISO 27002 Standards Are Changing

New version drafts of Information Security Management System Standards ISO 27001 and ISO 27002 have been published.

The Joint ISO/IEC Committee, which sets, updates and supports IT standards to meet the needs in the field of information technologies, has published the drafts that will create the new version of ISO/IEC 27001 and ISO/IEC 27002 standards. The purpose of publishing the draft is to get the opinions of the relevant parties on the changes made and to be able to finalize the standard according to these opinions.

Deadline March 23

The committee awaits further comments on the draft standard by March 23, 2013. After the feedback to be evaluated by the Joint ISO/IEC Committee, the draft standard is planned to be updated according to this evaluation. The final draft, called the 'Final Draft International Standard' (FDIS) by ISO, is expected to be published.

What changes are there in ISO 27001?

When the new version of the ISO 27001 Information Security Management System (ISMS) standard is examined, it is striking that there are significant changes in the structure and content of the standard.

◆ The “5. The article 'Management Responsibility' is for the management system in the new version; Leadership, effectiveness measurement, setting goals for information security are becoming more emphasizing.
◆ Considering that the institution can now follow other methodologies in order to ensure continuous improvement, monitoring the PDCA cycle is no longer a requirement.
◆ There are major changes in the risk assessment approach of the standard, which is based on the identification of information security risks and taking actions to reduce risks. Instead of assessing risk on assets as in the past, organizations will be able to adopt a broader, more generic assessment approach. The standard now emphasizes that the information that institutions have is more important than their information assets. This innovation means that organizations need to evaluate the risks on the information they have, rather than assessing the risks on their assets such as hardware and software.
◆ With the new version ISO 31000 and ISO 27001, the risk management standard, the risk management approaches of the Information Security Management System (ISMS) are aligned with each other and the concepts of corporate risk management and information security risk management that we encounter in many institutions are overlapped.
◆ In the 2005 version of ISO 27001, the measurement of the effectiveness of the security measures and controls for the standard is more uncertain and may vary according to the institution, while the monitoring, measurement and improvement processes in the new version require more clear, specific and defined practices. This situation brings a new requirement for institutions that will adapt to information security requirements and aim to be certified: Now, institutions will not only need to establish and operate the system in order to be certified, but also to monitor and measure the effectiveness of the security measures they take, and to extract opportunities for improvement from the results.
◆ The 'Annex A' part of the standard, which includes the basic security measures, is also available in the new version. Organizations still need to prepare a 'Statement of Applicability' document to demonstrate how they have complied with the controls in Annex A.
◆ While control targets were handled under 11 main headings in the old version, there are now controls in 14 different categories. While the 2005 version has 133 control targets, the new standard is expected to have 113 controls. When we examine the standard, we see that there are clearer information in the control items compared to the old version. For example, the old standard emphasized that every institution should have a business continuity plan and information security should be taken into account in these plans. In the 2013 version, it is now possible to define the need for a business continuity plan and to create continuity plans according to this need...

How Will The New Standard Affect Institutions?

What kind of process awaits the institutions that have ISO 27001 certificate or aim to obtain a certificate? When the new standard is published, the old ISO 27001 standard with the 2005 revision will be out of date and will be deemed invalid. Institutions that have the certificate and continue to implement the system will be given a certain period of time for the transition to the new standard. In each country, transitions to the new version are generally carried out by national accreditation bodies (example in Turkey: TÜRKAK).

Here's how the transition process works:
◆ Generally, 18 - 24 months are allowed from the date of publication of the new standard in order for the certified institutions operating the system to switch to the new version.
◆ Institutions that started ISMS projects before the 2013 revision of the standard was published and are working to comply with the standard requirements are usually given 6 - 12 months to continue their certification according to the old version. However, after the new revised standard is published, institutions certified according to the 2005 version will be requested to switch to the 2013 version until the end of the transition period.

The transition to the new version will be comfortable

Generally, after new standards are published, it usually takes some time for institutions, certification companies and auditors to interpret the new standard items, determine how they can be applied in organizations and assimilate them. For this reason, institutions that are currently carrying out ISO 27001 installation projects should prepare for the 2005 version and start the compliance process with the 2013 version standard after an effective Information Security Management System (ISMS) has been established, enabling them to have a more comfortable transition period.

Target: October 19, 2013

It is aimed by ISO to publish the 2013 revision of the ISO 27001 standard on October 19, 2013. However, it is stated that the publication date of the last revision may be extended until April 2014, depending on the intensity and importance of the comments and feedback on the draft standard. Information security, which has reached an international standard with 27001, outlines the management policies of institutions, the responsibilities they impose on their employees, and business development platforms with different institutions. Many institutions in the public and private sectors carry their information security to a sustainable environment with ISO 27001. In this way, it can quickly evaluate different alternatives such as cloud computing with the necessary criteria. In today's world, threats to information security are not limited to potential damages that may come from outside the organization. Many threats, whether malicious or not, can occur from within the organization. Determining employee responsibility with the right authorization policies is an important part of this information security and ISO 27001. The large number of employees, the increase in the institutions with which business partnerships are developed, and the determination of authorizations in the projects shape information security as a process consisting of different layers.

Understanding the ISO 9001:2015 Revision Why has it changed?

All ISO management system standards are subject to regular review in accordance with the rules for which they were written. In this context, revision studies of the ISO 9001 standard have been continuing since 2012. The draft International Standard was published on 09.05.2014, and the standard was completed and published in September 2015.

ISO 9001 quality management is built on "High Level Structure" in order to integrate with other management system standards, and it is aimed to facilitate its management.

Purpose of change:
• Integration with other management systems
• providing an integrated approach to corporate governance
• Providing a consistent foundation for the next 10 years
• Reflecting the increasingly complex environments in which organizations operate
• Ensuring that the new standard reflects the needs of all potential user groups
• Improving an organization's ability to satisfy its customers

High Level Structure What is "High Level Structure"?

This new common format, developed to use all management system standards, will enable better integration and ease of implementation for organizations implementing multiple management systems (eg quality, environment, information security).

High Level Structure” and the common text are publicly available information and can be found on the website www.iso.org/directives “Annex SL”. “Annex SL” is a guide for developers of standards to create a text suitable for all ISO management systems.

What are the Key Features and Innovations of ISO 9001:2015?

• More applicable structure for service providers
• More specific definition of the process approach and related demands
• Reducing mandatory requirements (flexible structure)
• Risk-based approach. There is a demand for risk management and a preventive approach. Demanding to identify risks and opportunities in many items for the QMS
• Leadership emphasis is more prominent in the standard  Strategic approach
• No reference to management representative  No reference to quality manual
• No reference to items for exclusions
• The concept of document and record is replaced by the concept of “documented information”
• The concept of inappropriate process outputs
• Clarification of outsourcing
• The concept of supplier ownership is coming  The new structure of the standard has common aspects with other management systems
• The aim is to create a common terminology for basic management systems
• “High Level Structure” application and creation of ISO 9001:2015 using “Annex SL”

Content differences between ISO 9001: 2008 and ISO 9001: 2015 Standard:

ISO 9001:2008 ISO 9001:2015
0. Introduction 0. Login
1. Scope 1. Scope
2. Referenced Standards and/or Documents      2. Referenced Standards and/or Documents
3. Terms and Definitions 3. Terms and Definitions
4. Quality Management System 4. Scope (Content) of the Organization
5. Management Responsibility 5. Leadership
6. Resource Management 6. Planning
7. Product Realization 7. Support
8. Measurement, analysis and improvement Operation 8
9. Performance Evaluation
10. Improvement

How will the transition process be?

ISO 9001:2008 will be valid and auditable until September 2018, the end of the 3-year transition period for ISO 9001:2015. It is best to start your transition planning as soon as possible so that you can effectively manage this process. All organizations must migrate to the new standard by the transition deadline, when ISO 9001:2008 certification will no longer be valid.

If you have already started implementing ISO 9001:2008, proceed as planned - you still have until September 2018 to transition to the new standard. However, please do not forget that the date of your document is also among the important criteria for the transition. We recommend that you get support from your certification body in this regard.

To make the transition easier :
• First of all, you must obtain the ISO 9001:2015 Standard.
• You should receive information training on ISO 9001:2015 and train the relevant people in your organization.
• You can then start preparing for the transition right away by addressing your existing processes, documentation and restructuring them in line with the new high-level structure.