ISO 27001:2022 ISMS Programme Multi-Location Training & Awareness

Kolay Gelsin
Information Security Transformation

To secure a delivery infrastructure that touches millions of people, Kolay Gelsin established an ISO 27001:2022 information security management system (ISMS) with consultancy from Nesil Teknoloji, raising its information security and operational sustainability to enterprise level.

250+
Information Assets
40+
Policy/Procedure/Form
3,000
Training Participants
ISO 27001:2022 Certified

Project Team

  • Nesil Teknoloji: Murat Kaya (Project Lead), Uygar Yasin Aydın (Lead Auditor)
  • Kolay Gelsin: Özkan Yılmaz (Project Manager)
The scope was established to include the head office, distribution centres and field operations.

Project Team Profiles

  • Özkan Yılmaz: Project Manager, Kolay Gelsin
  • ISO 27001 Lead Auditor, Nesil Teknoloji
  • Uygar Yasin Aydın: Security Consultant, Nesil Teknoloji

Programme Scale

Programme Footprint and Scale

Multi-Location
Head office + DCs + field operations
Multi-Channel
Web · Mobile · Integration
Multi-System
ERP · WMS · TMS · MDM
360° GRC
Risk · Compliance · Audit

Implementation Process

Project Phases

1) Scoping

Head office, DCs, field operations and supplier interfaces were included.

2) Asset & Risk Analysis

250+ information assets were inventoried and assessed with an enterprise risk methodology.

3) Documentation

The ISMS was consolidated to enterprise standards with 40+ policies/procedures/forms.

4) Training & Awareness

3,000 employees were informed through a comprehensive training programme; measurement and reporting were carried out.

5) Internal Audit & MR

Internal audit and Management Review meetings were successfully completed.

6) Certification

The accredited audit was passed successfully; the ISO 27001:2022 certificate was obtained.

Technical Details

Programme Pillars

Governance & GRC

  • Enterprise risk management, RACI and committee structure
  • Compliance calendar, internal audit and finding closure management
  • GRC dashboards: trends, KPIs and risk appetite thresholds

Access & Identity

  • SSO/MFA, privileged access (PAM) and segregation of duties
  • Lifecycle: onboarding/offboarding/role change
  • Application/integration-based authorisation matrices
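The segregation-of-duties and authorisation-matrix items above are stated as programme pillars without showing how such a control is checked in practice. The following is an added example written for this page, not Kolay Gelsin's or Nesil Teknoloji's tooling: it takes a role-to-permission matrix and a list of conflicting permission pairs, and reports users whose combined role assignments grant both sides of a conflict, as well as roles that embed a conflict on their own (a matrix design flaw that should be fixed before assignment). All roles, permissions, users and conflict rules are constructed sample data.

```python
"""Segregation-of-duties (SoD) check over a role-based authorisation matrix.

Added illustrative example; not code from the project described on this page.
The roles, permissions, users and SoD rules below are constructed sample data
modelled on ERP/WMS/TMS-style applications, not real system identifiers.
"""
from collections import defaultdict

# Constructed authorisation matrix: role -> set of application permissions.
ROLE_PERMISSIONS = {
    "wms_operator": {"wms:pick", "wms:pack"},
    "wms_supervisor": {"wms:pick", "wms:pack", "wms:adjust_stock"},
    "erp_ap_clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "erp_ap_approver": {"erp:approve_payment"},
    "integration_admin": {"tms:rotate_api_key", "tms:view_audit_log"},
}

# Constructed SoD rules: permission pairs one person must never hold together.
SOD_CONFLICTS = [
    ({"erp:create_vendor", "erp:approve_payment"}, "vendor creation vs payment approval"),
    ({"erp:enter_invoice", "erp:approve_payment"}, "invoice entry vs payment approval"),
    ({"wms:adjust_stock", "wms:pick"}, "stock adjustment vs picking"),
]

# Constructed user -> role assignments, as exported from an SSO/IAM system.
SAMPLE_ASSIGNMENTS = {
    "ayse": ["erp_ap_clerk", "erp_ap_approver"],   # toxic combination across roles
    "mehmet": ["wms_operator"],                      # clean
    "deniz": ["wms_supervisor"],                     # conflict inherited from role design
    "integration_svc": ["integration_admin"],       # clean
}


def effective_permissions(user_roles, role_permissions=ROLE_PERMISSIONS):
    """Union of permissions across all of a user's roles.

    Unknown roles raise rather than being silently ignored: an assignment that
    references a role missing from the matrix is itself a review finding.
    """
    perms = set()
    for role in user_roles:
        if role not in role_permissions:
            raise KeyError(f"unknown role in assignment: {role}")
        perms |= role_permissions[role]
    return perms


def conflicting_roles(role_permissions=ROLE_PERMISSIONS, rules=SOD_CONFLICTS):
    """Roles whose own permission set already contains both sides of a rule.

    These cannot be fixed by changing assignments; the role must be split.
    Returns {role: [rule description, ...]} for offending roles only.
    """
    findings = defaultdict(list)
    for role, perms in role_permissions.items():
        for pair, description in rules:
            if pair <= perms:
                findings[role].append(description)
    return dict(findings)


def sod_violations(assignments, role_permissions=ROLE_PERMISSIONS, rules=SOD_CONFLICTS):
    """Users whose combined effective permissions violate any SoD rule.

    Returns {user: [rule description, ...]} in rule order; users with no
    violations are omitted so the report lists only actionable items.
    """
    findings = defaultdict(list)
    for user, roles in assignments.items():
        perms = effective_permissions(roles, role_permissions)
        for pair, description in rules:
            if pair <= perms:
                findings[user].append(description)
    return dict(findings)


if __name__ == "__main__":
    for role, issues in conflicting_roles().items():
        print(f"ROLE DESIGN: {role} embeds {', '.join(issues)}")
    for user, issues in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"USER: {user} holds {', '.join(issues)}")
```

Running the script on the sample data reports `wms_supervisor` as a role that embeds a conflict by design and `ayse` and `deniz` as users holding conflicting permissions; the same two functions can be re-run against a fresh IAM export at each periodic access review, with the output forming the evidence trail the review requires.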

Infrastructure & Cloud

  • Network segmentation, WAF/CDN and secure internet egress
  • Backup, encryption (in transit/at rest), key management
  • MDM: field device management, mandatory policy sets

Application Security

  • Secure SDLC, SAST/DAST/SCA and secrets scanning
  • CI/CD protection, image security and SBOM
  • API security and rate limiting

Operations & Observability

  • Central logging, automated response with SOAR
  • Incident response (IR) and root cause analysis
  • Tabletop drills, communication/escalation plans

KVKK & Privacy

  • Data classification, retention/disposal plans
  • KVKK privacy notice & application processes
  • Cookie/preference management and auditable records

Results

Project Gains

Enterprise Obligations

  • Risk-Based Management & integrated decision-making
  • Information Asset Inventory & relationship maps
  • Process Documentation & traceable procedures
  • Business Continuity & Incident Response integrated management

Success Contribution Rate

[Chart: contribution to project success by area, covering Privacy, Operational Security, Regulatory Compliance and Business Continuity. The percentages visualise internal assessment findings; the values are not included in this text version.]

Controls

ISO 27001:2022 Annex A Focus Areas

| Area | Example Control | Status | Note |
|---|---|---|---|
| Access Management | MFA, least privilege, periodic review | ✓ Implemented | Integrated with SSO/PAM |
| Cryptography | Encryption, key lifecycle | ✓ Implemented | KMS/HSM integration |
| Operations Security | Patch, vulnerability and log management | ✓ Implemented | Central trail and SOAR |
| Supplier Security | Contractual & audit clauses | ✓ Implemented | Third-party risk assessment |
| Business Continuity | BIA, DR, tests & drills | ✓ Implemented | RTO/RPO targets verified |
| Privacy/KVKK | DPIA, retention & masking | ✓ Implemented | Multi-channel privacy notices |

Supply Chain

Supplier and Supply Chain Security

  • Reflecting risk-based assessment in contractual clauses
  • Version management of SLA/OLA and security requirements
  • Penetration tests and finding closure tracking
  • Integration security: API keys, rate limiting, record keeping
  • Third-party breach notification flows and communication protocols
  • Periodic updating of compliance evidence sets

Detailed Information

Programme Details

  • Secure coding standards; SAST/DAST/SCA pipeline integration
  • Secrets management, image security and SBOM generation
  • Pre-prod security gates and automated rollback policies
  • Central log collection, correlation and alarm hygiene targets
  • Incident response playbooks; tabletop drills and reporting
  • MTTR improvements and 24/7 monitoring processes
  • Data maps and retention/disposal schedules
  • Privacy notice, application and breach notification flows
  • Cookie/preference management and auditable records
  • BIA, critical process and dependency analyses
  • DR scenarios, test plans and failover/failback rehearsals
  • Periodic review and improvement decisions

Building Culture

Training and Awareness

  • 3,000 employees: general and role-based modules
  • Measurement: knowledge tests, phishing simulation
  • Detailed reporting of participation and success rates
  • Continuous awareness programme and up-to-date threat briefings

[Chart: Training Coverage Rate, Success Rate and Phishing Resilience. The rates visualise the corporate reporting approach; the values are not included in this text version.]

Project Success

Outcome and Impact

Certification
ISO 27001:2022 — the accredited audit was completed successfully
Sustainability
Governance, risk and operations integrated end to end
Scalability
Architecture ready for new locations and systems

Let's Work Together on Your Enterprise ISMS Transformation

Let's build a risk-based, auditable and sustainable information security management system together. We are by your side on your ISO 27001 certification journey.

Note: Limited information has been provided within the scope of Project Confidentiality.