SUPREME COURT

TURKISH REPUBLIC OF NORTHERN CYPRUS

SUPREME COURT INFORMATION SECURITY CONTEXT

The Supreme Court has adopted the ISO 27001 Information Security Management System (ISMS) in order to ensure the reliability and continuity of the judicial services it carries out within the framework of the Constitution of the TRNC and the relevant legislation.

Our institution analyses the following in alignment with the strategic objectives of the ISMS:

External Context: Changes in TRNC legislation, regulations of the Information Technologies and Communications Authority, regional cyber threats, and technological developments.

Internal Context: The institutional structure, judicial information and data assets, personnel competence, and IT infrastructure.

Our primary objective is to protect the confidentiality, integrity, and availability of information, in accordance with legal requirements, while delivering justice services throughout the TRNC.

NEEDS AND EXPECTATIONS OF INTERESTED PARTIES

The relevant parties within the scope of the Supreme Court ISMS and their legal expectations are defined below:

Citizens and Individuals Involved in Judicial Proceedings: Protection of the confidentiality of personal information and data relating to judicial processes, and uninterrupted access to systems such as the Lawyer Portal.

Employees: Protection of personal data in accordance with the Personal Data Protection Law No. 89/2007 and the provision of a secure working environment.

Supervisory Authorities and the Information Technologies and Communications Authority: Compliance with the TRNC Cybercrime Law, the Personal Data Protection Law, and ISO 27001 standards.

Suppliers: Compliance with contractual confidentiality requirements and local information security standards.

SENIOR MANAGEMENT ISMS DECLARATION

As the Senior Management of the Supreme Court, we declare the following in order to protect our institution’s information assets and to enhance the effectiveness of the ISMS:

We will allocate all necessary resources required for the operation of the ISMS.

We will integrate information security objectives with the principles of judicial independence and confidentiality.

We will ensure compliance with TRNC legislation, including the Personal Data Protection Law No. 89/2007, the Cybercrime Law, and ISO 27001 standards.

We will periodically review the performance of the system through "Management Review" processes.

We will promote cyber security awareness at all levels of personnel and protect the institutional reputation and judicial independence of the Supreme Court in the digital environment in accordance with TRNC laws.

INFORMATION SECURITY POLICY

1. PURPOSE

Our Information Security Policy aims to ensure that the information assets owned by our organisation are protected against all types of threats, whether arising internally or externally, intentionally or unintentionally. It also ensures the effective operation and continuous improvement of the Information Security Management System (ISMS), and that all personnel comply with the principles of this policy.

2. SCOPE

This policy covers all employees, information systems, network infrastructures, digital applications, and platforms within our organisation. It aims to ensure the security of not only electronically stored data but also all data held in written, printed, verbal, and similar formats.

3. RESPONSIBLE PARTIES

Information Security Manager / Officer: Responsible for coordinating information security processes, implementing policies, and reporting breaches.

Senior Management: Approves information security objectives, provides resources, and determines risk acceptance criteria.

Department Managers: Ensure the implementation of information security controls within their processes and employee compliance.

All Employees: Are obliged to comply with ISMS policies and procedures and to report any information security breaches immediately.

4. POLICY

4.1. Management Commitment

Senior Management undertakes to provide all necessary resources for establishing, implementing, and continuously improving the Information Security Management System in alignment with organisational strategic objectives. Our organisation adopts full compliance with all legislation of the TRNC, primarily the Personal Data Protection Law No. 89/2007, as well as contractual requirements. Management declares and commits, under the principles of leadership and accountability, to support the understanding of information security policies and objectives by all stakeholders, maintain effective communication with relevant authorities and professional bodies, and embed cyber security as an integral part of the Supreme Court's corporate culture.

4.2. Information Security Objectives and Principles

In all activities, it is essential to ensure the continuity of the three core components of the Information Security Management System.

  • Confidentiality: Preventing unauthorised access to important information and protecting information assets from unauthorised access, disclosure, destruction, alteration, or damage.
  • Integrity: Ensuring the accuracy and integrity of information, and preventing unauthorised modification, damage, or alteration.
  • Availability: Ensuring that authorised individuals can access information when required and that accessibility is maintained in line with business processes.

4.3. Information Security Policy Framework

To ensure information security, our organisation has developed and implemented detailed policies in the following areas:

Area: Relevant Policies

Risk Management: Risk Management Policy

Asset and Data Management: Asset Management Policy, Information Classification and Labelling Policy, Data Retention Policy, Data Disposal Policy

Access and Identity Security: Access Control Policy, Password Management Policy

Operational Security: Backup Policy, Log Management Policy, Malware and Antivirus Policy, Network Security Policy, Endpoint Security Policy

Business Continuity: Business Continuity and Disaster Recovery Policy

Compliance: Personal Data Protection Policy

Additionally, other policies supporting the Information Security Management System include:

  • Change Management Policy
  • Clear Desk and Clear Screen Policy
  • Secure Software Development Policy
  • Physical and Environmental Security Policy
  • Testing Policy
  • Data Breach Policy
  • Performance Evaluation Policy

4.4. Project Management and Development Security

In all projects conducted within the organisation, such as software development, infrastructure changes, or service procurement, information security requirements are integrated from the initial planning stage. Periodic risk assessments are carried out throughout the project lifecycle, and the criteria of confidentiality, integrity, and availability are defined as fundamental requirements for all project outputs. Security controls are reviewed at critical milestones, and progression to the next phase is not permitted without the necessary security approvals.

Within this framework, development processes are conducted in accordance with the "Secure Software Development Policy" and "Testing Policy". Software development and testing activities are carried out in secure environments isolated from the production environment. Before deployment to the live environment, security testing and user acceptance testing are performed to verify system resilience and compliance with business requirements. All test data used within the project are masked or anonymised in accordance with personal data protection legislation.

4.5. ISMS Performance Evaluation and Improvement

The effectiveness of the system should be measured through defined key performance indicators (KPIs), the success of risk treatment plans, and the analysis of violation incidents. In this context, resource usage of information processing systems, network components, and physical environments is regularly monitored. By analysing current and anticipated capacity requirements, necessary capacity adjustments and resource planning are carried out in advance to prevent service interruptions and optimise system performance. All identified non-conformities, capacity insufficiencies, and improvement opportunities must be recorded and permanently resolved through root cause analysis in accordance with the "Corrective Action and Improvement Procedure".

4.6. Audit and Review

The implementation level of the organisation’s information security controls and compliance with all ISMS policies and standards should be reviewed at planned intervals by independent auditors. Audit results, incident reports, and system performance data are evaluated by Senior Management within the framework of the "Management Review Procedure" to ensure system continuity and the allocation of necessary resources.

4.7. Data Breach Notification and Incident Management

In the event that personal data or confidential information is obtained by unauthorised parties (data breach), the incident response plan must be activated immediately. Depending on the nature of the breach, notifications must be made to the relevant authorities and affected individuals within the timeframes stipulated by the legislation. All incidents must be recorded, and necessary corrective actions must be initiated to prevent recurrence.

4.8. Risk Management Approach

Our organisation adopts a risk-based approach. It is essential to identify existing risks through periodic assessments in Information Security and, based on these assessments, review and monitor action plans. Within the scope of the Risk Management Policy, risks are regularly evaluated and measures are taken until they are reduced to an acceptable level.

4.9. Legal and Regulatory Compliance

Our organisation undertakes to comply with all legal requirements of the Turkish Republic of Northern Cyprus (TRNC) in all activities. In this context:

  • Personal Data Protection Law No. 89/2007,
  • Cybercrime Law No. 32/2020,
  • Compliance with all legal obligations arising from sectoral regulations and contracts is mandatory.

4.10. Policy Review

This policy is reviewed at least once a year in line with technological changes, legal requirements, or security incidents, and updated when necessary.

© 2024. TRNC Supreme Court
