ISMS AND LPPD FRAMEWORK POLICY
BI Stratejik Yazılım Sanayi Tic. A.Ş. aims to maintain the ISO 27001:2022 Information Security Management System (ISMS) standard and the ISO 27701 Privacy Information Management System (PIMS), and to comply with the Law on the Protection of Personal Data No. 6698 (LPPD/KVKK), in order to meet national and international regulations, relevant legislation and standard requirements, obligations arising from agreements, and the information security requirements that follow from its corporate responsibilities towards internal and external stakeholders.
BI Stratejik Yazılım Sanayi Tic. A.Ş. undertakes to provide secure access to the information assets and personal data of itself and its stakeholders; to protect the availability, integrity, and confidentiality of information; to evaluate and manage risks that may arise regarding the information assets and personal data of itself and its stakeholders; to protect the reliability and brand image of the institution; to apply the necessary sanctions in case of information security breaches; to fulfill the legal and regulatory requirements arising from the national, international, or sectoral regulations to which it is subject; to meet obligations arising from agreements; to meet the information security requirements that follow from its corporate responsibilities towards internal and external stakeholders; to reduce the impact of information security threats on business/service continuity and to ensure the continuity and sustainability of the business; and to protect and improve the level of information security through the established control infrastructure.
To this end, BI Stratejik Yazılım Sanayi Tic. A.Ş. commits to achieving the following:
a) Organizing training activities to increase the ISMS and PIMS awareness of the employees and relevant stakeholders of BI Stratejik Yazılım Sanayi Tic. A.Ş., and training them within the scope of technical and administrative measures to be taken under the KVKK (Law on the Protection of Personal Data);
b) Enabling continuous and systematic evaluation and development;
c) Supporting the ISMS and PIMS / KVKK framework and periodically reviewing the security policy;
d) Providing necessary assignments, appointments, and resource allocation under the leadership of senior management;
e) Implementing a sustainable Information Security and Personal Data Management system based on risk assessment and risk management;
f) Creating a data inventory within the scope of KVKK, ensuring the update of corporate policies and procedures according to KVKK (Data processing and retention policy, destruction policy, information security policy, special categories of data policy, etc.), implementing all administrative and technical measures within the scope of KVKK, and complying with Law No. 6698 (https://www.mevzuat.gov.tr/MevzuatMetin/1.5.6698.pdf);
g) Reviewing clarification texts (for employees and 3rd parties);
h) Updating the VERBIS (Data Controllers Registry Information System) registration;
i) Conducting business by taking Information Security and Personal Data Privacy obligations into account in the processes of receiving and providing services with customers and other stakeholders;
j) Collecting and processing personal data in compliance with the laws of Turkey and European Union Member States in the context of protecting the fundamental rights and freedoms of individuals, especially the privacy of private life;
k) Regarding the processing of personal data: carrying out personal data processing activities in accordance with the law and the rules of honesty, accurately and, where necessary, kept up to date, for specific, clear, and legitimate purposes, and in a manner that is relevant, limited, and proportionate to those purposes;
l) Retaining personal data for the period stipulated in the laws or required by the purpose of personal data processing;
m) Informing personal data subjects, and providing the necessary information when personal data subjects request it;
n) Acting in accordance with the regulations stipulated for the processing of special categories of personal data and not performing acts and activities without explicit consent, except for cases clearly stipulated in the laws;
o) Performing acts and activities regarding the transfer of personal data in accordance with the regulations stipulated in the law;
p) Providing the service in a way that takes into account legal and regulatory requirements and security obligations related to customer contracts;
q) Providing secure access to the information assets and systems containing personal data of itself, its stakeholders, and its employees;
r) Protecting the availability, integrity, and confidentiality of the personal and corporate information for which it is responsible;
s) Evaluating and managing the risks that may arise regarding the information assets of itself and its stakeholders;
t) Protecting the reliability and brand image of the institution;
u) Applying necessary sanctions in case of Information Security and Personal Data breaches, notifying the KVKK (Personal Data Protection Authority) within 72 hours, and providing our services as soon as possible and without interruption to ensure compliance with all legal legislation and contracts related to Information Security and KVKK;
v) Protecting and improving the level of information security and privacy of personal data with the control infrastructure established to fulfill the requirements of the TS ISO/IEC 27001 and 27701 ISMS & PIMS standards;
w) Ensuring the allocation, establishment, operation, and continuous improvement of resources;
x) Being subject to internal audits and to audits by independent 3rd party institutions, in order to determine the compliance of the information security and KVKK activities carried out with the applicable laws and standards.
BI Stratejik Yazılım Sanayi Tic. A.Ş. commits to all of the above.