ADJUSTER
TR / EN
13.07.2026 Blog Post

Information and Communication Security Audit Guide

Information and Communication Security Audit Guide
Achieving and maintaining the benefits targeted in the Information and Communication Security Guide is only possible through effectively conducted auditing and monitoring activities.

Public institutions and organizations, as well as businesses providing critical infrastructure services, are expected to complete their compliance activities within the timeframe specified in the Information and Communication Security Guide, and to conduct audits at least once a year to determine the suitability of the activities carried out and the measures taken.

In this context, the Turkish Republic's Digital Transformation Office has prepared an Information and Communication Security Audit Guide to provide guidance to our institutions and organizations in conducting audit activities. During the preparation process, over 700 opinions and suggestions submitted by more than 90 institutions and organizations were evaluated, and the Audit Guide was finalized.

The Audit Guide provides institutions and organizations with the methodology to be followed in auditing information and communication security compliance activities; this includes planning the audit, implementing audit procedures, and reporting audit results.

In all institutions and organizations covered by this guide, it is essential that audit activities are primarily carried out by internal auditors assigned to internal audit units and tasked with conducting audits in the field of information technology. In cases where internal audit units do not exist, or where, despite the existence of an internal audit unit, there are no auditors with sufficient qualifications and competence to conduct the audit, audit activities must be carried out independently by other internal personnel or personnel assigned from other public institutions and organizations. If institutions and organizations cannot carry out audit activities using internal resources, they may conduct audits through outsourcing.

The " Information and Communication Security Guide Compliance Audit Service Provider Personnel and Company Certification Program ," which includes the criteria that companies and personnel receiving audit services must meet, as well as their training and certification requirements, has been implemented in cooperation with TSE and TÜBİTAK BİLGEM under the coordination of the Turkish Republic Digital Transformation Office.

Institutions, organizations, and especially managers, have significant responsibilities in conducting these audits. Ensuring that audits are carried out at the specified intervals and that the audit results are submitted to the Turkish Republic's Digital Transformation Office will greatly contribute to establishing an effective audit and oversight mechanism and bringing the national information and communication security maturity level to the targeted point.
← Back to Blog