BEDAŞ and Quality

Home / CORPORATE / BEDAŞ and Quality
BEDAŞ and Quality

As Boğaziçi Elektrik Dağıtım A.Ş., we undertake to

  • Continue to work in line with all the requirements of Quality Management within the framework of principles of sustainability, continuous improvement and contribution to all shareholders,
  • Comply with the customer’s conditions and the compulsory laws and regulations in realization of electricity distribution service unconditionally,
  • Use innovative methods to ensure high service quality in electrical power distribution and lead and set an example for the sector in this regard,
  • Supply electricity ceaselessly and under suitable conditions with our Customer Satisfaction Policy in provisions of our electrical distribution services.

As Boğaziçi Elektrik Dağıtım A.Ş, all the customer complaints and dissatisfactions are evaluated and followed up until it is solved and customer satisfaction is re-instituted in order to ensure that our customers become satisfied with all of our business operations. In this regard, your feedback is evaluated in terms of the following principles;

  • TRANSPARENCY: BEDAŞ has established and has been effectively managing the necessary channels of communication so that the customers can communicate their complaints, recommendations, requests and questions easily, whenever and wherever they want. The relevant persons can get detailed information from our institution whenever they want.
  • ACCESSIBILITY: BEDAŞ customers can communicate their complaints, recommendations, requests and questions for 24 hours a day and 7 days a week through our Call Center Alo 186 and our Social Media accounts besides our customer services units that are available in our establishments.
  • RESPONSIVENESS: BEDAŞ customers can get information about how the complaints, recommendations, requests and questions that they have communicated are being handled and the evaluation status of their requests for 24 hours a day and 7 days a week through our Call Center Alo 186 and our Social Media accounts.
  • OBJECTIVITY: BEDAŞ evaluates all types of complaints, recommendations, requests and questions of its customers in an honest, fair and unbiased way.
  • FREE SOLUTION: BEDAŞ evaluates and works to address all types of complaints, recommendations, requests and questions of its customers free of charge.
  • CONFIDENTIALITY: BEDAŞ evaluates all types of complaints, recommendations, requests and questions of its customers based on the principle of confidentiality and does not share and disclose them to third persons.
  • CUSTOMER-ORIENTED APPROACH: BEDAŞ addresses all types of complaints, recommendations, requests and questions of its customers by focusing on customer satisfaction and solutions are developed in line with requests and needs of our customers.
  • ACCOUNTABILITY: BEDAŞ takes all types of complaints, recommendations, requests and questions of its customers under record and is able to provide our customers and authorized persons with the records of evaluations, solutions and procedures together with their reasons and justifications upon their request.
  • CONTINUOUS IMPROVEMENT: The customer satisfaction improvement process of BEDAŞ is reviewed by our top management in terms of its performance and compliance with the objectives and it is constantly improved with the contributions of BEDAŞ staff.


A. Objective

This document has been drawn up for the purpose of defining the policy with regard to the topics of determining the works and processes that are related to objective, information and information assets of the Information Security Management System (ISMS), ensuring business continuity, preventing risk factors from damaging business processes and assets by evaluating security gaps, threats and establishing an information security management system that constantly develops and is updated.


B. Scope

This policy encompasses all the BEDAŞ employees, 3rd parties and their employees.


C. Policy Text


1. Responsibilities and Authorities have been defined as follows;

ISMS Management Representative is responsible for ensuring actuality and continuity of the Information Security Main Policy and all the other policies, procedures, instructions and relevant forms. The updates that shall be made on the Information Security Main Policy are determined in the Management Review meetings and documented by the ISMS Management Representative. The document is approved by the Top Management for each update.


2. Information Security Main Policy is the document which defines the top principles that shall be used in implementation of the controls that have been established to be able to ensure information security.


3. The Objectives and Purposes of Information Security; Information Security Main Policy is intended to protect physical and electronic information assets that affect the entire operation of the company for the purpose of guiding employees of BEDAŞ through acting in line with company’s security requirements, increasing their awareness and sense of responsibility and by doing so, minimizing the risks which may be encountered by the company, protecting the reliability and image of the company, ensuring the compliance that is bound by agreements with third parties, implementing technical safety controls and ensuring that the company’s main and supportive business operations are carried out without any interruption. The Objectives and Purposes of the ISMS is discussed in the Management Review Meeting, recorded in EYS.FORM.021 Meeting Minutes and also indicated and monitored in project programs.


4. Organization and Infrastructure Information Security; ISMS Management Representative is responsible for establishment and operation of Information Security Management System. Further details are available in the Letter of Assignment.


5. Risk Management Framework; The Company’s ISO 27001:2013 risk management framework encompasses definition, evaluation and processing of Information Security and Service Management risk. Risk Analysis and Risk Processing Plan defines how Information Security and Service Management risks are controlled. ISMS Team is responsible for the management and realization of Risk Processing Plan.


6. Risk Analysis and Management Strategy; Holder of each risk has been identified and risk holder has been notified. Risk holder is responsible for taking the necessary actions and following up the risk. Risk Management is carried out in line with BGYS.PRO.004 Risk Management Procedure.


7. General Principles

  • The details which are related to the information security requirements and rules the framework of which are established with this policy are regulated in line with ISMS procedures and policies. The employees of the institution and the 3rd parties are responsible for knowing these procedures and carrying out their works in line with such rules.
  • These policies and procedures constitute the basis for use of the entire information that is stored and processed as hard copy or soft copy in electronic environment and for use of all the information systems unless otherwise specified.
  • Information Security Management System is structured and operated based on ISO 27001:2013 Information Security Management System standards.
  • The works that are related to implementation, operation and improvement of ISMS are carried out respectively by ISMS Team, ISMS Management Representative, ISMS Project Manager and ISMS Manager through contribution of relevant parties. ISMS Representative and the entire ISMS Team is primarily responsible for updating ISMS documents as required. The relevant directors/managers are responsible for updating documents such as appendix, form and instructions.
  • The company/party is responsible for confidentiality, coherency and accessibility of information systems and infrastructure that are provided by BEDAŞ to employees or 3rd parties and all types of information that are produced by use of such systems.
  • Business continuity management is implemented in order to protect critical business processes from big disasters and operating mistakes.
  • Trainings that shall increase the awareness of employees with regard to information security and ensure that employees contribute to the operation of the system are regularly provided to current company employees and newly hired employees.
  • BGYS.PRO.007 Information Security Event Management Procedure and EYS.PRO.003 Procedure for Management of Corrective Activities are applicable in case of all the real or suspected violations of information security.


8. Fundamental ISMS Principles;

  • Agreements are entered into with employees and third parties as required in order to guarantee confidentiality requirements of the institution.
  • Security requirements which may arise in cases of outsourcing are analyzed and security terms and controls are expressed in specifications and agreements.
  • Inventory of information assets is created in line with information security management requirements and asset holders are assigned.
  • Corporate information is categorized and the security requirements and terms of use are determined for data in each category.
  • Information security controls that shall be implemented for recruitment, reassignment and leave of employment processes are determined and implemented.
  • Physical security controls are implemented in parallel with the requirements of assets that are kept in safe areas.
  • Controls and policies that are required to prevent and get protected from physical threats which may put information assets of BEDAŞ under risk inside and outside the company are developed and implemented.
  • Control record generation configurations are adjusted in line with security requirements of relevant systems for network equipments, operating systems, servers and applications. Control records are protected against unauthorized access.
  • Access rights are assigned as required. The most secure technology and techniques that are available today are used for access control.
  • The security requirements are determined for provision and development of the system or it is checked if security requirements are met or not in system acceptance or tests.
  • The necessary infrastructure is established for reporting of information security violation cases and weaknesses. Records of violation cases are kept, the necessary corrective and preventative actions are taken and trainings are provided to increase awareness so that learning takes place as a result of security cases.
  • Continuity plans are designed for critical infrastructure; they are maintained and practiced.
  • Necessary processes are designed for compliance with laws, domestic policy and procedures and technical security standards and compliance is ensured with periodical observation and control activities.


9. ISMS Rules That Have to Be Abided by

  • Acceptable Rules of Use That Have to Be Abided by define the rules that have to be abided by employees and 3rd parties with regard to storage, transmission and use of information in business processes and relevant works of BEDAŞ.
  • The below-mentioned behaviors are accepted as violation of information security unless otherwise is specified in form of a clear and absolute job description, instruction or procedure.

√  Information technologies systems and applications that are provided by BEDAŞ are used for business-related purposes. Personal use that does not interfere with business processes and does not violate ISMS policy and ISMS procedures are considered as acceptable.

√  Precautions must be taken in working areas in line with the principles of  “Clean Desk and Clean Screen” so that the information cannot be seen by others according to their category of confidentiality.

√  Documents must be removed from desks and stored in safe drawers and cabinets when they are not used in order to prevent other people from seeing them according to their category of confidentiality.

√  The documents which belong to BEDAŞ and which cannot be delivered to the person who is directly related to the documents, apart from general documents, should not be reviewed, modified, stored, copied, delete and shared.

√  Corporate information should not be shared with, sold to, transferred to, broadcast for and shared on internet with 3rd parties apart from the cases and methods that are explicitly stated by BEDAŞ.

√  Employees in a department should keep the desk and cabinet drawers in their workplace locked and should not share their keys with anyone other than authorized persons.

√  When computers are not used actively, screen savers that are protected with password must be activated.

√  Personal computers must be turned off outside the working hours.

√  Employees should not let unauthorized persons access to the user name and password that have been assigned to them by uttering, writing, recording and recording in electronic environment.

√  BEDAŞ’s information and communication systems and hardware (Internet, e-mail, telephone, pagers, fax, computers, mobile devices and cell phones etc.) must be used to carry out the works of the company. These systems should not be used for illegal purposes, in violation of company’s other policies, standard and guidelines or in a way to damage the company.

√  All the computers which will access to the sources on the information systems that belong to BEDAŞ must be used within the domain.

√  Computer sources should not be open to sharing unless it is absolutely necessary. Only the relevant persons must be authorized if sources are open to sharing.

√ Confidential and sensitive information must be secured with password before they are sent to receivers inside and especially outside the company in electronic environment.

√  Necessary physical precautions must be taken in order to protect documents, electronic mediums and information technology systems that contain confidential information.

√  Information technology systems, databases, files, network topologies, device configurations and similar sources should not be shared with 3rd persons unless it is explicitly authorized by the company.

√  BEDAŞ employees are responsible for protecting the information about the company in line with the principle of confidentiality as long as they work at BEDAŞ or when they leave BEDAŞ (retirement, resignation etc.)

√  Users of tangible systems are obliged to abide by the rules that are broadcast to ensure security of such systems.

√  All the possible systems, primarily users’ computers and servers must be protected against harmful software.

√It is a must to abide by the rules that are broadcast with regard to destruction of confidential information and mediums that contain confidential information.

√  Access to all the information systems must be secured with password except for systems which are open to everyone (e.g. general internet pages). Passwords must be used in line with defined rules.

√  The rules that are established to regulate the transmission of confidential information via mail, fax, telephone, e-mail and similar electronic methods must be abided by.

√  Information, other than the information that is open to everyone, should not be shared over internet, in news groups, e-mail lists and forums.

√  New information systems must be engaged in use and developed in line with the defined rules.

√ E-mail accounts that are assigned to employees and 3rd parties as required must be used in line with the rules.

√ Information technology systems which belong to BEDAŞ should not be deactivated, displaced and taken outside the company without authorization to do so.

√ The security software (e.g. antivirus, personal firewall etc.) that are indicated by the company in written format that are required to be used should not be removed or deactivated.

√ Programs for sharing file from client to client (P2P, torrent, FTP) should not be downloaded to company’s computers and should not be used on company’s computers.

√ The software that is forbidden by the company should not be downloaded to and operated on computers of BEDAŞ.

√ Software that is licensed by BEDAŞ should not be reproduced, opened to sharing and taken outside the company.

√ Data should not be transferred between systems which are not included in the domain and systems which are included in the domain.

√ Parties should not connect to and should not be allowed to work on the company’s information technology systems and hardware unless they are accompanied by an employee of the authorized company and unless confidentiality agreement is signed with the parties.

√ Personal computer applications (e.g. e-mail programs, office applications, software development tools, network test tools etc.) should not be downloaded to and used on server systems.

√ Server services which are not required for business processes and which are not permitted to be used (e.g. HTTP, Telnet, SSH, etc.) should not be operated on information technology systems.

√ Corporate network which is provided by BEDAŞ should not be used to connect to internet or other networks by use of methods other than those the use-related purposes and forms of which are notified in written format (e.g. ADSL modem, 3G modem, GPRS, etc.)

√  Employees should not try to enter information systems inside and outside BEDAŞ without authorization.

√  Programs and tools which aim to break encoding and password mechanisms should not be downloaded to and operated on information technology systems of BEDAŞ.

√ Information systems of BEDAŞ should not be modified, upgraded or expanded without notification to and permission of the company.

√  The files which are not related to the business or which are protected with copyright (e.g. music, film, book files etc.) should not be downloaded to or stored in company’s computers and information systems, should not be stored, reproduced and opened to sharing.

√ BEDAŞ information technology systems should not be used for entertainment purposes (playing game etc.), they should be used for business purposes only.

√  Spam e-mails should not be used over BEDAŞ e-mail account.

√ Use of cryptographic controls should comply with all the laws, agreements and regulations.

For example; chosen key length and method law and agreements.

√  The security weaknesses, bugs or attacks that are detected in information technology systems or processes of BEDAŞ should not be communicated or disclosed to persons other than relevant persons or they should not be broadcast or these weaknesses should not be used to access unauthorized systems and information or to extend one’s own authorities.

√  The user names and passwords that are assigned to employees should be only used by such employees themselves.


10. Participation in ISMS Applications

  • All the employees must comply with the terms and conditions that are indicated in this policy. They must help Information Security Team to fulfill their responsibilities. Each employee is responsible for complying with the risk management works that are carried out to achieve the aims that are indicated in this policy issued by the management and the rules that are indicated in the information security guideline. Action will be taken for those who don’t comply with instructions and controls in line with the below-mentioned discipline process.
  • Each employee is responsible for control and confidentiality of the information assets that they control and supervise themselves. Each employee plays a role in execution of necessary analyses within the framework of risk management methodology of our company with regard to these assets and in implementation of controls.
  • They have to monitor the sufficiency and efficiency of the controls that are implemented and report the cases of security violations and threats and defects which may lead to security violations in line with the established rules without any delay.
  • Hardware-related, software-related and physical changes should not be made with regard to information assets unbeknown to the information security managers. ISMS Team must be definitely informed about required changes, record must be kept in line with the below-mentioned change management procedure for any change and record must be definitely kept with regard to the modification of asset features that are indicated in the configuration management procedure.

11. ISMS Team Meetings

ISMS Team must regularly come together to hold the ISMS Team meeting. Cases of information security violations, developments in risk analyses and changes in risk processing plan are addressed; chosen controls are discussed and effectiveness of implemented controls, latest risk estimations of assets and residual risk statuses are evaluated in such meetings.


12. SOA – Statement of Applicability

Risk processing choices can be selected from the list that is defined as 114 different controls from A.5 to A.18 that is presented in APPENDIX-A. The aim of the each control that is chosen, the content of control, the way how the control is implemented and the reason why it is not implemented is indicated in Statement of Applicability document. SOA is considered in confidential information category and is accessible only by ISMS Team.

Information security objectives and applications are detailed in SOA. Risk Processing Plan and SOA are parallel documents. While the names of controls that are chosen or control number, if they have been chosen from APPENDIX-A, are referred to in form of A.X.X in risk processing plan, control is detailed in SOA.

All the controls that have been or will be applied are recorded in SOA. This document ensures that not a single control is skipped through cross-control with risk processing plan.


13. Information security, policy, procedure and guidelines

ISMS Main Policy, many different policies, procedures, instructions and guideline that are broadcast on BEDAŞ are addressed within the framework of control and risk management purposes.


14. Information Security Procedures and Plans

All the employees must act in line with all the procedures and plans that are defined by the management and that are issued.


15. Information Security Agreements

Users undertake that they will comply with the policies of BEDAŞ by signing the confidentiality agreements that have been defined and issued by our company.


16. Information Security Trainings

All the BEDAŞ employees receive Information Security Awareness trainings over e-learning system. All the employees are responsible for receiving training and taking an examination.


17. Information Security Internal Audits

All the employees are obliged to attend the internal audits that will be carried out regularly to identify compliance of the established information security management system with standards and defined policies and procedures.


18. Responsibility of the Management

In order to realize the objectives and policies that have been determined by BEDAŞ;

  • BEDAŞ Management undertakes that it shall comply with the Information Security Management System that has been defined, enforced and is being implemented and shall institute the resources that are required for effective operation of the system, improve its efficacy constantly and ensure that it is understood by all the employees. As a result of this undertaking, the company organizes information security awareness programs and maintains its investments in infrastructure.
  • The top management appoints an ISMS Management Representative to establish ISMS. When the ISMS Management Representative is replaced or leaves employment, a document is revised by the top management and a new ISMS Management Representative is appointed.
  • The managers in management positions help the personnel in sub-positions in terms of security, assigning responsibility and act as role models. The understanding of security must be primarily initiated and implemented by senior positions and then implemented by all positions including the personnel at the lowest positions.
  • Therefore, BEDAŞ managers help the personnel who are involved in security-related works to comply with safety procedures in both written and verbal format and to take part in security-related works.
  • The top management of the company sets the budget that is required for works within the scope of information security.


Segregation of Duties Principle: ISMS Manager must carry out the necessary controls so that the duties and responsibilities do not conflict with each other within the scope of ISMS. For example; none of the ISMS Internal Auditors can audit their own department. The employee who performs the violation cannot be included in the committee for evaluation of ISMS Violations.


19. Management Review

Management Review meetings are held in line with EYS.TLM.750 Management Review Instruction.


20. Third Persons’ Access to Information

If the 3rd persons who are not employees of BEDAŞ need to use the information systems (e.g. outsourced maintenance and repair personnel), ISMS Manager is responsible for ensuring that these people are informed about the information security policies of the company. Therefore; security contracts that are agreed and approved before temporary or permanent employment agreements are entered into must be signed. Time can be allocated for third party personnel to comply with the policy if required.


21. Outsourcing

When the information network and/or user computer mediums are outsourced, the information security requirements and conditions must be explicitly stated in an agreement signed by both parties.


22. Updating and Reviewing Information Security Policies

ISMS Manager is responsible for ensuring and reviewing continuity of policies. Information Security Policies are evaluated in terms of compliance with current conditions due to factors including organizational changes, working conditions, legal and technical regulations. All the documents that are within the scope of ISMS must be reviewed once a year.


D. Sanction

If the Information Security Main Policy is violated, action is taken within the framework of “PL.06 Information Security Sanctions Policy” and based on the rules and relevant articles that are indicated in “EYS.YON.005 Discipline Regulation” upon approval of  “Information Security Council” and immediate supervisor.

Overall Quality Management works were initiated in 2009 at Boğaziçi Elektrik Dağıtım A.Ş. (BEDAŞ). 76 process analysis meetings (227 hours) were held and all the business processes were analyzed in this regard.

The purpose of 'ISO 9001 Quality Management System’ and 'ISO 10002 Customer Satisfaction Management System' approaches that is implemented at BEDAŞ is to realize continuous improvement activities in all business processes and to increase customer satisfaction.

BEDAŞ initiated Environmental and Occupational Health Safety works in 2014 within the scope of standards of 'OHSAS 18001 Occupational Health and Safety’ and ‘ISO 14001 Environmental Management System’ and it is expected to be documented in early 2016.

Bedaş Alo 186

Bedaş Facebook Sayfası Bedaş Twitter Sayfası Bedaş Linkedin Sayfası
2020 Boğaziçi Elektrik Dağıtım A.Ş. Terms and Conditions | Privacy Policy 
node01 26.07.2021 05:25:55