The TS EN ISO/IEC 27001 standard is a general framework for information protection. Under Law No. 6698 on the Protection of Personal Data (KVKK), personal data are critical assets that every institution needs to protect. Certainly there are some KVKK requirements that ISO 27001 does not cover directly, such as supporting the rights of data subjects: the right to be informed, the right to have data deleted, and data portability. However, if personal data is identified as an information security asset when the ISO 27001 standard is applied, most of the requirements of Law No. 6698 will be addressed.

In addition to the accepted technical controls, structured documentation, monitoring and continuous improvement, applying the ISO 27001 standard creates a security culture in institutions and raises awareness of security incidents. Information security is not just about technology; it is about people and processes at the same time.

The ISO 27001 standard is an excellent framework for compliance with the Protection of Personal Data Law No. 6698. The first thing an organization needs to do is perform a KVKK gap analysis to determine what must be done to fulfil the requirements of Law No. 6698; these requirements can then be easily added to the Information Security Management System specified by ISO 27001.

ISO 27001 provides ways to protect personal data. There are many points on which the ISO 27001 standard can help companies adapt to the Protection of Personal Data Law No. 6698. A few of the most relevant ones are listed below:

Risk Assessment - Given the high monetary fines and the large financial impact on institutions described in the KVKK, it is only natural that the risks to personal data identified during the risk assessment are treated rather than ignored. In addition, one of the new requirements of the KVKK is the implementation of Data Protection Impact Assessments, in which companies will have to analyze the risks to privacy themselves, as ISO 27001 already envisages.

Compliance - Because of the requirement of control A.18.1.1 (identification of applicable legislation and contractual requirements), an organization implementing ISO 27001 is obliged to maintain a list of the relevant statutory, regulatory and contractual requirements. If the organization must comply with KVKK No. 6698, this law will have to be part of that list. In any case, ISO 27001 control A.18.1.4 (Privacy and protection of personally identifiable information) guides organizations through the implementation of a data protection policy and the protection of personally identifiable information.

Notification of data breaches - Companies will have to inform the data protection authority after a breach of personal data has been identified. Implementing ISO 27001 control A.16.1 (management of information security incidents and improvements) will provide a "consistent and effective approach to the management of information security incidents, including communication on security events". Reporting personal data incidents in this way is an improvement for any organization that wishes to comply with KVKK No. 6698.

Asset Management - ISO 27001 control domain A.8 (Asset Management) covers the inclusion of personal data as an information security asset. It identifies which personal data the organization holds and maintains, in line with the requirements of the KVKK, and who is responsible for it.

Supplier Relations - ISO 27001 control A.15.1 (Information security in supplier relationships) requires "protection of the organization's assets that are accessible by suppliers". Under the KVKK, the organization will need to ensure that suppliers that process or store personal data on its behalf comply with its requirements for handling that data.

Applying the ISO 27001 standard alone is not sufficient for KVKK compliance. However, almost every operating company will have to comply with this law. As ISO 27001 is internationally recognized and applied worldwide, it may be the best way to facilitate prompt compliance with the Protection of Personal Data Law No. 6698 and its regulations.