Our company regards information as a valuable asset, and it is essential to protect the information, which is critical for the sustainability of our activities throughout its life cycle.

In SOCAR Türkiye, information security is defined as protecting information against dangers and threats to ensure business continuity and minimize the damages that may arise from financial losses and security breaches.

Information security provides the following for any corporate and personal data of value:

• Confidentiality to be known and accessed only by authorized personnel
• Integrity to ensure that the information is correct and complete and that the changes made are kept under control.
• Accessibility, so empowered people can use information whenever they need it.

In line with our company's vision and mission, information security is handled as a strategic issue and managed with a risk and process-oriented approach. The aims are as follows

1. Ensuring business continuity
2. Limiting and managing potential risks
3. Meeting legal obligations, compliance requirements, and other requirements
4. Ensuring data security in services offered to internal and external customers
5. Protecting our production facilities against cyber threats
6. Gaining competitive advantage
7. Protection of corporate prestige
8. Increasing information security awareness

Our company's information security is planned, implemented, monitored, and reviewed with a risk management approach in line with international standards and best practices. Information security risks are analyzed, and risk mitigation activities and periodic audits are carried out with independent auditors.

SOCAR Türkiye Senior Management commits to take the necessary security measures to protect the information stored, processed, or transmitted electronically or physically, to provide the required resources and support for continuous improvement within the Information Security Management System framework, and to comply with legal and other requirements.

Our company is obliged to ensure the security of information and information systems by the legal regulations in our country and especially the EMRA and KVKK regulations. All our employees, especially data and process owners, are responsible for ensuring information security. Therefore, anyone who uses, manages, and accesses company information systems and information assets must comply with the following responsibilities:

1. Protecting the confidentiality, integrity, and availability of information assets
2. Knowing and applying information security policies, standards, procedures, and instructions
3. Using IT resources under laws, policies, and business purposes
4. Adopting and enforcing a clean desk and screen policy
5. Ensuring the confidentiality and privacy of personal information
6. Sharing information only with authorized persons
7. Using hard-to-guess passwords and ensuring their privacy
8. Ensuring that information is adequately backed up and business continuity
9. Classifying information for owned data and taking necessary precautions
10. Reporting information security breach incidents and potential vulnerabilities