Information Security Management System

Information Security Policy

ISO 27001:2022, GDPR and Data Protection Compliant Information Security Management System

Last Updated: 2026-02-04

Purpose

EGEROBOT considers corporate information as an extremely valuable asset. Information is critically important for the sustainability of our business activities and must be protected appropriately.

EGEROBOT aims to minimize the risks that may arise in terms of Confidentiality, Integrity and Availability of corporate information and the effects of these risks by implementing the ISO 27001:2022 standard within the scope of the Information Security Management System (ISMS).

Our primary objective is to ensure the trust of the organizations and institutions we serve and to ensure the security of the information assets we use. In this context, our relationships with customers, stakeholders, official institutions and suppliers we cooperate with are extremely valuable.

Scope

EGEROBOT Information Security Management System covers the entire organization, business partners, suppliers and customer relationships. This policy applies to all information processing activities including physical environments, digital systems, cloud infrastructures and remote working environments.

Commitments

As EGEROBOT and our employees, in order to eliminate and manage all kinds of risks to our business continuity, information assets and personal data, we commit:

  1. To document, certify and continuously improve our information security management system to meet the requirements of the ISO 27001:2022 standard
  2. To ensure the confidentiality, integrity and accessibility of information belonging to customers, business partners, stakeholders, suppliers or other third parties
  3. To ensure compliance with all legal regulations and contracts related to information security
  4. To conduct training to develop technical and behavioral competencies in order to increase information security awareness
  5. To protect the confidentiality of critical data such as strategic goals, supply sources, customer, stakeholder, business partner and employee information and personal data related to our services
  6. To create appropriate physical and electronic environments for the security of information assets, and to ensure continuity and control of the confidentiality, integrity and accessibility of information assets
  7. To provide the necessary plans and technical infrastructure for the continuity assurance of our information technology services
  8. To detect situations contrary to information security in a timely manner and to respond immediately
  9. To take the measures specified in the Personal Data Protection Law No. 6698 and to work in full compliance with the Personal Data Protection Policy
  10. To protect all personal data and information assets owned by EGEROBOT, to ensure information security conditions within the framework of national and international standards, laws and regulations, and to continuously improve, develop and review information security by managing existing and potential risks

Legal Framework and Standards

This policy has been prepared in accordance with the following national and international regulations:

International Standards

ISO/IEC 27001:2022 – Information Security Management System
ISO/IEC 27002:2022 – Information Security Controls
ISO/IEC 27701:2019 – Privacy Information Management
ISO 22301:2019 – Business Continuity Management System

European Union Regulations

GDPR – General Data Protection Regulation (EU 2016/679)
NIS2 Directive – Network and Information Systems Security

Turkish Legislation

Law No. 6698 (KVKK) – Personal Data Protection Law
Law No. 5651 – Regulation of Internet Publications
Law No. 5237 (TCC) – Cybercrimes (Articles 243-246)
Law No. 6102 (TCC) – Commercial Books and Document Retention Obligations

Fundamental Principles

EGEROBOT's information security policy is based on the following principles:

Confidentiality

  • Information is protected against unauthorized access
  • Cannot be disclosed to unauthorized persons intentionally or through negligence
  • Data classification and access control are applied

Integrity

  • The accuracy and consistency of information is ensured
  • Protection mechanisms against unauthorized changes are applied
  • Log records and audit trails are maintained

Availability

  • Timely access to information by authorized users is ensured
  • Precautions are taken against system outages
  • Business continuity plans are implemented

Security by Design

  • Systems are developed with a security focus from the design stage
  • Privacy by Design principle is adopted

Modern Threat Categories and Measures

Ransomware

  • Regular and isolated backup strategies
  • Data encryption against double extortion attacks
  • Endpoint Detection and Response (EDR) systems

Social Engineering and Phishing

  • Employee awareness training
  • Verification protocols against AI-supported deepfake threats
  • Email security filters and SPF/DKIM/DMARC configuration

Advanced Persistent Threats (APT)

  • Behavior-based threat detection
  • Network segmentation
  • Zero Trust architecture

Supply Chain Attacks

  • Third-party risk assessment
  • Software component analysis (SBOM)
  • Supplier security audits

IoT and OT Security

  • Isolation of industrial control systems
  • IoT device inventory and security updates
  • Network traffic monitoring

Cloud Security Policy

General Principles

  • Cloud service providers' security certifications are verified
  • Zero Trust architecture is applied
  • Data is encrypted in transit and at rest

Access Control

  • Multi-factor authentication (MFA) is mandatory
  • Least Privilege principle is applied
  • Role-based access control (RBAC) is used

Configuration Security

  • Cloud Security Posture Management (CSPM) tools are used
  • Regular configuration audits are performed
  • API security is ensured

Remote Work Security Policy

Network Security

  • VPN usage is mandatory
  • Secure home network configuration is recommended
  • Sensitive data is not processed on public Wi-Fi networks

Device Security

  • Devices accessing company data are encrypted
  • Up-to-date antivirus and security patches are mandatory
  • Mobile Device Management (MDM) is applied

Data Protection

  • Sensitive data is not stored on local devices
  • Cloud-based file sharing is used
  • Screen sharing and viewing rules are applied

Third Party and Supplier Security

Assessment

  • Supplier security assessments are conducted
  • ISO 27001 certification or equivalent is required
  • Regular security audits are performed

Contract Requirements

  • Non-disclosure agreements (NDA) are signed
  • Data processing agreements (DPA) are made
  • Security breach notification obligations are defined

Incident Response and Breach Management

Incident Response Plan

  • Incident detection, classification and escalation procedures
  • 24/7 security monitoring
  • Incident response team (CSIRT) is defined

Data Breach Notification

  • KVKK: Notification to the Personal Data Protection Authority 'as soon as possible'
  • GDPR: Notification to the relevant supervisory authority within 72 hours
  • Affected persons are informed

Post-Incident

  • Root cause analysis is performed
  • Improvement measures are implemented
  • Lessons learned are documented

Business Continuity and Disaster Recovery

Business Continuity Plan (BCP)

  • Critical business processes are identified
  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are defined
  • Alternative work sites are planned

Disaster Recovery (DR)

  • Regular backup and test procedures
  • Geographically distributed backup
  • Annual disaster recovery drills

Protected Assets

Identity information and personal data
Customer and business partner information
Software packages and source codes
Servers and network infrastructure
Cloud resources and databases
Intellectual property rights
Trade secrets and commercial information

Supporting Policies

Clean Desk and Clear Screen Policy
Email Usage Policy
Access Control Policy
Cryptographic Controls Policy
Password Management Policy
Mobile Device Usage Policy (BYOD)
Social Media Usage Policy
Data Classification Policy
Backup and Recovery Policy
Change Management Policy

Objectives

  1. Identify the value of information assets through appropriate risk assessment
  2. Understand vulnerabilities and potential threats
  3. Reduce risks to acceptable levels
  4. Comply with national legislation (KVKK, 5651, TCC)
  5. Ensure compliance with international regulations (GDPR, ISO 27001:2022)
  6. Comply with customer contract terms
  7. Comply with control procedures and instructions
  8. Continuously increase cyber security maturity level

Training and Awareness

  • Annual information security training is provided to all employees
  • Orientation training is mandatory for new hires
  • Phishing simulations and awareness tests are conducted
  • Role-based specialized security training is organized
  • Training records are documented

Responsibilities

Senior Management

  • Approves and supports this policy
  • Provides necessary resources
  • Participates in annual review meetings

Chief Information Security Officer (CISO)

  • Coordinates the implementation of the policy
  • Manages security incidents
  • Conducts risk assessments
  • Reports to management

Unit Managers

  • Ensures policy implementation in their units
  • Reports security vulnerabilities
  • Supports employee awareness

All Staff

  • Complies with information security policy
  • Reports security incidents
  • Participates in training
  • Reports suspicious situations

Sanctions

Any intentional or negligent act that jeopardizes the security of information belonging to EGEROBOT, its customers or suppliers is subject to:

  • Disciplinary action
  • Termination of employment
  • Legal proceedings (Law No. 5237 TCC - Cybercrimes)
  • Compensation claims

Continuous Improvement (PDCA Cycle)

EGEROBOT applies the Plan-Do-Check-Act (PDCA) cycle to continuously improve the information security management system:

Plan

  • Risk assessment and determination of security objectives
  • Creation of policies and procedures
  • Resource planning

Do

  • Implementation of controls
  • Delivery of training
  • Documentation

Check

  • Internal audits
  • Performance measurement
  • Incident analysis and trend evaluation

Act

  • Corrective actions
  • Preventive measures
  • Continuous improvement recommendations

Review

This policy:

  • Is reviewed at least once a year
  • Is revised for significant changes, security incidents or regulatory updates
  • Is evaluated at Management Review (MR) meetings

Contact

Contact us for your questions about information security or to report incidents.

This document is part of the EGEROBOT Information Security Management System.