
Permission Granted for the Appointment of the Information Security Officer Through Outsourcing


Under the Capital Markets Board’s (“Board”) Principle Decision numbered 67/2412 dated 25.12.2025 (“Principle Decision”), published in the bulletin dated 25.12.2025 and numbered 2025/66, it has been permitted, within the scope of the Communiqué on the Procedures and Principles Regarding Information Systems Management numbered VII-128.10 (“Communiqué”), for the information security officer to be appointed through outsourced services or under service agreements to be executed among group companies. 

A. Principles Regarding the Appointment of the Information Security Officer Through Outsourced Services

Pursuant to the Principle Decision, it has been permitted for the information security officer, whose appointment is mandatory under article 7, paragraph 5 of the Communiqué, to be appointed through outsourced services or under service agreements to be executed among group companies.

It has also been made possible for the duties relating to the information security officer to be performed under joint employment or part-time working models.

Within this scope, the obligation stipulated in the Communiqué that the appointed information security officer work “under the senior management” remains in force, and the relevant institution, organization, or partnership is responsible for ensuring compliance with this obligation.

In appointing the information security officer through outsourced services, the provisions of article 19 of the Communiqué, which sets out the principles and procedures regarding outsourcing, apply.

Moreover, the Principle Decision provides that the following are not deemed to constitute a violation of Article 29(2) of the Communiqué, which stipulates that internal audit activities may not be performed through outsourced services: the performance of internal audit activities under the Communiqué through joint employment or part-time working models within the framework of service agreements executed among group companies; and, for companies that are subsidiaries of a bank, the conduct of such activities by the information technology inspectors or internal auditors of the relevant bank, or the execution of such activities as a joint audit carried out at both the bank and the company.

B. Exemption Periods

Moreover, with the Principle Decision, the compliance period for the appointment of the information security officer, which had previously been set as 31.12.2025 under the Communiqué, has been postponed until 30 June 2026 for certain institutions and organizations.

Within this scope, the following entities are exempt from the obligation to appoint an information security officer until 30 June 2026:

(i) Portfolio management companies that, in terms of the minimum equity requirement, are subject to subparagraphs (a), (b), and (c) of the first paragraph of Article 28 of the Communiqué on Principles Regarding Portfolio Management Companies and Their Activities numbered III-55.1,
(ii) Limited authorized intermediary institutions, asset leasing companies, mortgage finance institutions, and asset finance funds,
(iii) Publicly held companies whose shares are traded on Borsa İstanbul A.Ş.’s Star Market, Main Market, and Submarket,
(iv) Publicly held companies other than the publicly held companies in the first group, based on the calculation made by taking into account, according to their systemic importance, the market values and the market values of their shares in free float of companies that have been transferred to the Pre-Market Trading Platform due to the ratio of their shares in free float falling below 5%.

For further information and support, please contact us.
January 5, 2026
