Obstructions of Turkish Public Organizations Getting ISO/IEC 27001 Certified

In this paper, the articles of the ISO/IEC 27001 standard are compared with the articles of the Civil Servants Law No. 657, with which personnel employed in Turkish public institutions must comply. The articles that are consistent between the two are highlighted; for the articles of Law No. 657 that are not consistent with the ISO/IEC 27001 certification process, the points that public institutions intending to obtain the ISO/IEC 27001 certificate should pay attention to are set out; and solutions are proposed to bring those articles into line with the ISO/IEC 27001 certification process.

💡 Research Summary

The paper investigates the structural and procedural obstacles that Turkish public sector entities encounter when attempting to obtain ISO/IEC 27001 certification, the internationally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The authors begin by outlining the principal requirements of ISO/IEC 27001—scope definition, risk assessment and treatment, selection and operation of security controls, internal audit, management review, and continual improvement—and then systematically compare these requirements with the provisions of Turkey’s Civil Servants Law No. 657, which governs the conduct, confidentiality obligations, and disciplinary procedures of public employees.

Through a detailed clause‑by‑clause mapping, the study finds that roughly 70 % of the ISO/IEC 27001 controls have direct or complementary equivalents in Law 657, especially in areas concerning confidentiality, integrity, and the duty to protect state secrets. However, about 30 % of the standard’s clauses are in conflict with the civil‑servant legislation, creating tangible barriers to certification. The most significant points of divergence are:

  1. Risk Management vs. Pre‑Approval Requirement – ISO/IEC 27001 mandates rapid identification and treatment of information security risks, whereas Law 657 requires that any remedial action affecting official duties receive prior approval from a higher authority. This creates a procedural bottleneck that can delay critical security responses.

  2. Internal Audit vs. Disciplinary Authority Overlap – The standard calls for independent internal audits to verify control effectiveness, but the law simultaneously empowers disciplinary bodies to act on audit findings. The overlap blurs accountability, making it difficult to separate audit observations from punitive measures.

  3. Document Retention and Disposal Policies – ISO/IEC 27001 recommends that retention periods be risk‑based and that disposal be documented in a way that supports audit evidence. Law 657, by contrast, imposes fixed statutory retention periods for certain categories of documents, limiting flexibility and potentially obstructing the provision of required evidence during certification audits.

  4. Information Sharing with External Stakeholders – While the ISO standard allows controlled sharing of information with partners and suppliers under defined agreements, Law 657 imposes a blanket prohibition on disclosing any official information to non‑civil‑servants unless expressly authorized, complicating the implementation of collaborative security controls.

To address these conflicts, the authors propose a three‑tiered remediation strategy:

  • Legal Alignment – Amend Law 657 to incorporate a specific clause that acknowledges the existence of an ISMS and provides an exemption or streamlined approval process for urgent risk‑treatment actions. This would harmonize statutory requirements with the agile response mechanisms demanded by ISO/IEC 27001.

  • Operational Integration – Redesign standard operating procedures (SOPs) to clearly delineate responsibilities between the internal audit function and disciplinary committees. Establish a separate, independent audit team that reports directly to senior management, while disciplinary decisions are made by a distinct board to preserve audit independence.

  • Cultural and Educational Initiatives – Implement comprehensive training programs for civil servants that link ISO/IEC 27001 principles with the ethical and legal obligations of Law 657. By fostering a shared understanding, organizations can reduce inadvertent non‑compliance and encourage proactive security behavior.

The paper concludes that without legislative adjustments and coordinated organizational reforms, Turkish public institutions will continue to face significant hurdles in achieving ISO/IEC 27001 certification. Aligning the civil‑servant law with international information‑security standards not only facilitates certification but also strengthens the overall cyber‑resilience of the public sector, improves transparency, and enhances Turkey’s standing in the global digital economy.