Ensuring Top Management AwarenessThe issues that need to be known at the management level for the Information Security Management System and the ISO 27001 standard and the senior management support requirements for the management system are conveyed to the senior management in detail. Presentation duration is approximately 2 hours. During the session with senior management, the necessary information is provided to determine the scope and prepare the policy.

Determination of ISMS ScopeThe scope of ISMS can be a certain part of the institution or the entire institution. However, in both cases, the organization must define the ISMS scope and boundaries completely and accurately. The scope of ISMS is determined by taking into account internal and external issues, the intention of the top management and the needs and expectations of the relevant parties. The ISO 27001 standard does not provide any specific guidance or enforcement on this matter. When determining the scope, it is necessary to take into account interactions with entities and other institutions excluded from ISO 27001 ISMS. The institution must be able to explain with solid justifications why those excluded from the scope were excluded. At the end of this step, a scope document should be published and approved by senior management.

ISMS PolicyThis policy provides a framework that sets out the objectives, directs and mobilizes the management, and determines the risk management scope and criteria for which risks will be evaluated. In order for the ISO 27001 ISMS policy to find its purpose, management must make employees feel its determination that the items in the policy will be implemented.

Asset Management Approach
A systematic approach should be put forward to determine the assets that need to be protected within the scope of ISO 27001 ISMS and to determine their value in terms of confidentiality, integrity and accessibility. Using this approach, information asset inventory and asset value for each information should be determined. Keeping the asset inventory up to date should be defined within the method. Your business's asset management approach will be tailored to your organization's needs.

Creating an Information Asset Inventory
Your business's information asset inventory should be created in accordance with the determined approach. BTYÖN will provide consultancy support at the points needed during the creation of the asset inventory.

Risk Management Approach
In accordance with the ISO 27001 ISMS standard, a systematic risk management approach should be determined based on the information security policy. The institution is free to choose an approach that suits itself. The chosen risk management approach must guarantee to produce comparable and repeatable results. In this step, acceptable risk levels should be determined and criteria should be developed for them. The risk management approach will include all rules regarding the identification, leveling, prioritization and treatment of risks.

Risk Identification
The risks posed by assets that need to be protected according to the ISO 27001 standard should be determined using the determined approach. The previously created information asset inventory constitutes input for this study. Within the scope of the risk identification study, the vulnerabilities of the information assets in the asset inventory and the threats that can harm the asset and therefore your business by using these vulnerabilities will be determined. Afterwards, risks will be revealed in accordance with the method determined in the risk management approach. While determining the vulnerabilities, the study of determining technical vulnerabilities should also be carried out. In order to support the risk identification study, necessary analysis activities should be carried out to identify technical vulnerabilities. Findings should be documented in accordance with the risk management approach. The risks posed by your business's information assets should be collected by interviewing the asset owners.

Risk Treatment Plan
As a requirement of ISO 27001, appropriate risk treatment methods should be determined based on the identified risks. Four different attitudes can be taken against a certain risk:   
1. Eliminating the risk or reducing it to an acceptable level by applying appropriate controls   
2. Avoiding risk by eliminating the factors that cause the risk to occur    
3. Transferring risk to parties outside the organization, such as insurance companies or suppliers    
4. Accepting the risk objectively and knowingly, provided that it complies with the corporate policies and risk acceptance criteria.
A risk treatment plan should be created for the risks identified as a result of this study. The risk remaining after the risk treatment process is called residual risk. These may be risks that are accepted or risks that cannot be completely eliminated. The organization's senior management must approve residual risks. At the end of this step, a risk approval document should now be created.

Declaration of Applicability
As required by the ISO 27001 standard, a Declaration of Applicability must be prepared containing the controls selected against risks. The Declaration of Applicability should explain what the selected controls are and the reasons why they were selected. The controls that are not selected from ISO 27001 ANNEX-A and the reasons for not selecting them should also be given in the Declaration of Applicability.

ISO27001 ISMS Process, Procedure, Plan Preparation and Commissioning
In the work to be done, the processes, procedures, forms and plans needed within the scope of the information security management system should be prepared. Documents for the controls selected in the applicability declaration and documents that meet all the requirements of the ISO 27001 standard must be prepared. Examples of topics that will be subject to possible policies and procedures are as follows.
• Human Resources Security  
• Physical and Environmental Security    
• Communication and Operational Security    
• Access Control    
• IT Gathering, Maintenance and Improving    
• Information Security Incident Management    
• Business Continuity Plan    
• Legal Compliance    
• Internal Audit    
• Review of Top Management    
• Document Control Procedure    
• Registration Control Procedure
• Continious Improvement    
• Kontrol Etkinliği Ölçme    
• Düzeltici ve Önleyici Faaliyetler

User training (or training the trainer)Information Security User Awareness Training must be provided to employees within the scope of the ISO 27001 information security management system to be established within your business. For this purpose, depending on the scope of the business, classroom training can be organized or e-learning methods can be used.

Internal AuditAs part of the implementation of the ISO 27001 Information security management system, an independent internal audit activity should be carried out. In this context, the internal audit procedure, internal audit program and plan, and internal audit checklist are prepared. Nonconformities are detected by performing an internal audit. Root cause analysis and corrective action planning studies are carried out for all nonconformities detected during the audit.

Management Review of ISMSIn accordance with ISO27001, senior management must periodically review the established Information Security Management System. The review activity is carried out in a meeting where the management is present. The inputs and possible outputs of the meeting are specified in the ISO27001 standard. As a requirement of the ISO 27001 standard, YGG outputs must be documented.

Support for the Certification Process
Following the management review, ISO 27001 certification audit can be initiated. If a non-conformity arises during the ISO 27001 certification audit, the necessary work to eliminate the non-conformity is carried out without delay and the ISO 27001 certificate is obtained.