The Information Security Management System (ISMS) was established to protect the confidentiality, integrity and accessibility of information within ENKA by applying asset and risk management processes and to assure the interested parties of managing the risks properly. ISMS is a part of ENKA’s corporate processes and general management structure. Information security processes were taken into consideration in the design and controls of information systems and scaled in accordance with ENKA’s needs.

ENKA has implemented a comprehensive Information Security Management System (ISMS) based on the ISO/IEC 27001 ISMS standard to achieve its information security objectives.

The  processes,  information  and  employees  pertaining  to  the  activities  carried  out in  the headquarters of ENKA İnşaat ve Sanayi A.Ş. within the scope of; design and engineering, procurement and supply chain management, occupational health -safety and environmental management, quality management, machinery and equipment management, sustainability, corporate  communication,  human  resources  and  administration,  information  technologies, finance, accounting, export operations, financial control, investor relations, and legal affairs, operate  an  Information  Security  Management  System  in  accordance  with  ISO/IEC  27001 information security management system standard.

ENKA complies and was certified with ISO/IEC 27001 standards in the year 2020.

  • To increase security capabilities
  • To implement an information security awareness program
  • To have an ISO 27001 certificate
  • To implement an ISMS for sustainable security culture
  • To determine information security purposes
  • To inform employees about current information security threats and issues with security awareness trainings
  • To develop and maintain information security purposes
  • To establish an audit systems for information security
  • To implement early and accurate threat detection systems
  • To extend cybersecurity focus

ENKA is maintaining a robust information security program with the following key elements.


Information Security Policy and Principles have been established by the Senior Management.

Information security objectives determined in line with the ENKA corporate strategies,   the objectives are monitored, assessed and at least once a year, reviewed in Information Security Management Review activities conducted by the Senior Management.

Security governance structure that enables the effective management of potential risks and incorporates information security and privacy controls into our information systems and services has been established.

Information Security Procedures and Instructions have been developed and communicated to all employees.

The evaluation of  information  security  performance  and  the  effectiveness  of  the information  security  management  system  is  carried  out  under  the  monitoring  and measurement program.



The Corporate Information Security Policy refers to the requirements, definitions, rules, practices, responsibilities and workflows that are prepared according to the related laws and standards based on the business requirements compatible with and supports ENKA corporate business objectives.

In this regard, ENKA Senior Management, in all of its company operations that are carried out in the light of its vision to be one of the best and innovative companies among the engineering and construction companies serving worldwide, and in line with its mission to design, build and deliver safe, high-quality and cost-effective construction projects, has made a commitment to ensure the security of the information of ENKA and its stakeholders, to protect information assets, to meet information security requirements and expectations within the scope of applicable requirements and international standards, to improve information security performance by systematically managing risks, to ensure infrastructure and operational security, and to assure that all employees will operate within the framework of the company information security policies and procedures.


Protecting against attacks on the company network,
To ensure that critical information is available in case of outsourced software providers terminating service or having service interruption,
Providing secure access to the Company’s common network by the employees via VPN,
Ensuring that software development requests contain sufficient detail and evaluating the applicability of the requests,
Assessment of weaknesses that may arise from the access of non-company personnel to the company network and taking precautions,
To review the effects of the improvements in the software used on the existing business processes before the change,
To prevent security weaknesses that may be caused by remote access programs,
Ensuring the security of corporate information shared with third parties,
Investigating vulnerabilities that may arise in order to ensure critical and / or institutional information security on servers,
To limit access to offices to authorized persons to ensure information security,
Information security trainings and awareness programs are applied to employees in order to prevent leakage of information,
Protecting critical documents kept in physical archives against fire,
To prevent the exposure of confidential information by reducing the number of copies in order to prevent the disclosure of personal information,
Protecting critical documents kept in physical archives against the effects of floods, fires, etc.
Implementing a staff training program to assign competent staff in relevant positions,
In case of a possible disaster, to ensure the normalization of the systems that do not serve able to serve at the time accepted,
To ensure business continuity and prevent possible service interruptions.


  • To learn and comply with ENKA ISMS policy and procedure requirements
  • To ensure information is protected in line with its classification level
  • To report  information  security  incidents,  gaps  and  violations  to the Information Security Management System Administrator or ENKA Ethics Hotline (+90 212 376 1010)
  • To participate in information security awareness training programs
  • To make suggestions for improvements to the information security management system
  • To work in accordance with ENKA corporate policy and procedures.


  • Precautions are taken to secure the personal data of its employees and customers.
  • Information technologies environment, security measures, policies and cyber security awareness program support compliance with the privacy and data protection requirements.
  • Organizational measures in place and technical controls (including access controls and firewalls to providing security controls, spam, malware and antivirus software) are essential such as incident monitoring.


The suitability, adequacy, effectiveness of the Information Security Management System and ENKA’s Information Security activities are periodically reviewed, at least once a year, through the management review activity.

Risk analysis are repeated periodically. At least once every six months, and after significant changes to business processes, risks or assets, a risk analysis is held for processes affected by the change.

The risk levels identified during risk analysis work are compared to previous risk analysis to monitor changes to risk.

The status of the risk processing plan is taken up as an agenda item at periodic ISMS committee meetings and the risk processing status is updated.


Managing cyber risks to sensitive information assets and systems is a top priority for ENKA.

By taking into account the increasing trend in the scope, severity, and costs of cyber-attacks, where most of the attacks seek to damage data and systems or steal sensitive information such as trade secrets or personal data, we pay utmost attention to protect our information and assets.

Cyber risk is one of the major and rising risks around the globe. To address this challenge and mitigate risks, ENKA owns a robust information security program with the following key elements to secure its information assets:

  • To ensure that information security risks related to their affiliated unit(s) are identified, to evaluate risk processing results
  • In order to achieve information security management system objectives, to ensure that necessary monitoring and assessment activities within the company and affiliated units are conducted and to encourage their implementation
  • Every employee understands the Information Security Policy and is aware of their roles in preventing and mitigating cyber threats
  • Mandatory ISMS and Cybersecurity awareness programs for all employees.


ENKA’s Information Security Management Sytem is certified for compliance with the ISO/IEC 27001:2013.

ISO/IEC 27001:2013

Information Security Management System