Information Security Policy

Purpose and scope

This Information Security Policy has been established by top management in order to sustain and protect confidentiality, availability and integrity of Statkraft Turkey’s and stakeholder’s corporate information, information systems and business processes.

This policy is in line with the group information security guidelines and it provides a framework for the management of information security throughout Statkraft Enerji A.Ş., Kargı Kızılırmak Enerji A.Ş., Çakıt Enerji A.Ş. organisations (hereafter referred to as “Statkraft Turkey”). It applies to:

  • All those with access to Statkraft Turkey information systems, including employees, visitors, contractors and consultants.
  • All information (data) processed by Statkraft Turkey information systems regardless of whether it is processed electronically or in paper (hard copy) form.

Information security policy

Statkraft Turkey acknowledges that the corporate information owned by Statkraft Turkey or its stakeholders is a valuable asset. The corporate information and its location are crucially important to our business activities and need to be protected. The Information Security Management System (ISMS) is to be implemented throughout the Statkraft Turkey organisation and aligned with regulations, physical security practices, IT security practices and business continuity planning.

Statkraft aims to protect the 3 common information asset characteristics:

  • Confidentiality: Protecting information from unauthorized parties.
  • Integrity: Protecting information from being modified by unauthorized users.
  • Availability: Making the information only available to authorized users.

Violation of any of these characteristics may cause disruption of business activities and irreversible impact on corporate reputation. In addition, the loss or unauthorised disclosure of information may result in financial loss. Information security risk assessments should be performed for all information systems on a regular basis in order to identify key information risks and determine the controls required to keep those risks within acceptable limits.

In order to meet these goals and conform to best practice, Statkraft is committed to implement an information security management system and the security controls as set out in the ISO/IEC 27001. Top management is also committed to provide the required resources for establishing, implementing, maintaining and continually improving an information security management system.

The Information Security Council is responsible for governing information security in Statkraft Turkey. Country Manager chairs the Information Security Council. Information Security Manager is responsible for the organisation of activities and resources ensuring that the requirements for confidentiality, integrity and availability are supported throughout the organisation. Department heads are responsible for information security within their departments. They must ensure that the department has a local information security policy to meet its own particular needs, consistent with the requirements of this overarching policy. All the employees, suppliers and consultants regardless of their mission and position should conform to this Information Security Policy and related security policy and procedures. Any unconformity to corporate security standards will be accepted as policy violation and processed according to disciplinary procedure.

This policy and all other supporting policy documents shall be communicated as necessary throughout the organization to meet the objectives and requirements.

Statkraft Turkey Country Manager