Kolay Gelsin
Information Security Transformation
To secure a delivery infrastructure that touches millions of people, Kolay Gelsin established an ISO 27001:2022 information security management system (ISMS) with consultancy from Nesil Teknoloji, raising its information security and operational sustainability to an enterprise level.
Project Team
- Nesil Teknoloji: Murat Kaya (Project Lead), Uygar Yasin Aydın (ISO 27001 Lead Auditor, Security Consultant)
- Kolay Gelsin: Özkan Yılmaz (Project Manager)
Programme Scale
Programme Footprint and Scale
Implementation Process
Project Phases
1) Scoping
The scope covered the head office, data centres (DCs), field operations and supplier interfaces.
2) Asset & Risk Analysis
250+ information assets were inventoried and assessed with an enterprise risk methodology.
3) Documentation
The ISMS was consolidated to enterprise standards with 40+ policies/procedures/forms.
4) Training & Awareness
3,000 employees were trained through a comprehensive awareness programme; participation and results were measured and reported.
5) Internal Audit & Management Review (MR)
Internal audit and Management Review meetings were successfully completed.
6) Certification
The accredited audit was passed successfully; the ISO 27001:2022 certificate was obtained.
Technical Details
Programme Pillars
Governance & GRC
- Enterprise risk management, RACI and committee structure
- Compliance calendar, internal audit and finding closure management
- GRC dashboards: trends, KPIs and risk appetite thresholds
Access & Identity
- SSO/MFA, privileged access (PAM) and segregation of duties
- Lifecycle: onboarding/offboarding/role change
- Application/integration-based authorisation matrices
Infrastructure & Cloud
- Network segmentation, WAF/CDN and secure internet egress
- Backup, encryption (in transit/at rest), key management
- MDM: field device management, mandatory policy sets
Application Security
- Secure SDLC, SAST/DAST/SCA and secrets scanning
- CI/CD protection, image security and SBOM
- API security and rate limiting
Operations & Observability
- Central logging, automated response with SOAR
- Incident response (IR) and root cause analysis
- Tabletop drills, communication/escalation plans
KVKK (Turkish Personal Data Protection Law No. 6698) & Privacy
- Data classification, retention/disposal plans
- KVKK privacy notices and data-subject application (request) processes
- Cookie/preference management and auditable records
Results
Project Gains
Enterprise Gains
- Risk-Based Management & integrated decision-making
- Information Asset Inventory & relationship maps
- Process Documentation & traceable procedures
- Business Continuity & Incident Response integrated management
Success Contribution Rate (chart; the percentages represent internal assessment findings)
Controls
ISO 27001:2022 Annex A Focus Areas
| Area | Example Control | Status | Note |
|---|---|---|---|
| Access Management | MFA, least privilege, periodic review | ✓ Implemented | Integrated with SSO/PAM |
| Cryptography | Encryption, key lifecycle | ✓ Implemented | KMS/HSM integration |
| Operations Security | Patch, vulnerability and log management | ✓ Implemented | Central audit trail and SOAR |
| Supplier Security | Contractual & audit clauses | ✓ Implemented | Third-party risk assessment |
| Business Continuity | BIA, DR, tests & drills | ✓ Implemented | RTO/RPO targets verified |
| Privacy/KVKK | DPIA, retention & masking | ✓ Implemented | Multi-channel privacy notices |
Supply Chain
Supplier and Supply Chain Security
- Reflecting risk-based assessment in contractual clauses
- Version management of SLA/OLA and security requirements
- Penetration tests and finding closure tracking
- Integration security: API keys, rate limiting, record keeping
- Third-party breach notification flows and communication protocols
- Periodic updating of compliance evidence sets
Detailed Information
Programme Details
- Secure coding standards; SAST/DAST/SCA pipeline integration
- Secrets management, image security and SBOM generation
- Pre-prod security gates and automated rollback policies
- Central log collection, correlation and alert hygiene targets
- Incident response playbooks; tabletop drills and reporting
- MTTR improvements and 24/7 monitoring processes
- Data maps and retention/disposal schedules
- Privacy notices, data-subject application and breach notification flows
- Cookie/preference management and auditable records
- BIA, critical process and dependency analyses
- DR scenarios, test plans and failover/failback rehearsals
- Periodic review and improvement decisions
Building Culture
Training and Awareness
- 3,000 employees: general and role-based modules
- Measurement: knowledge tests, phishing simulation
- Detailed reporting of participation and success rates
- Continuous awareness programme and up-to-date threat briefings
(Chart: the rates shown represent the corporate reporting approach.)
Project Success
Outcome and Impact
Let's Work Together on Your Enterprise ISMS Transformation
Let's build a risk-based, auditable and sustainable information security management system together. We are by your side on your ISO 27001 certification journey.
Note: Limited information has been provided within the scope of Project Confidentiality.