Information Security Management System (ISMS) Policy
for REM People
The scope of the TS EN ISO 27001:2022 Information Security Management System is to ensure the management of information security in REM People’s IT services, including human resources, infrastructure, software, hardware, customer data, corporate information, third-party data, and financial resources. It also aims to guarantee risk management, transform risks into opportunities, measure the performance of information security management processes, and regulate relationships with third parties concerning information security.
To effectively manage all risks related to our information security and assets, we are committed to:
• Protecting the information assets of REM Research Services Information Technology Industry and Trade Inc. against any threats that may arise internally or externally, whether intentional or accidental; ensuring access to information in line with business processes; complying with legal and regulatory requirements; and continuously improving our security measures.
• Ensuring the continuity of the three fundamental principles of the Information Security Management System in all our operations:
    • Confidentiality: Ensuring that information is accessible only to authorized individuals.
    • Integrity: Guaranteeing the accuracy of information and processing methods while preventing unauthorized modifications.
    • Availability: Ensuring that authorized users can quickly access information and related resources whenever necessary.
• Recognizing corporate information, employee records, and customer data (including financial and personal data) as valuable and critical assets and complying with legal obligations related to information security.
• Documenting our Information Security Management System in accordance with ISO/IEC 27001 standards and continuously improving it.
• Ensuring the security of all data, whether stored electronically, in printed format, or communicated verbally.
• Conducting training programs to enhance technical and behavioral competencies, increasing awareness of information security among all employees.
• Providing the necessary infrastructure and implementing security measures to ensure the uninterrupted operation of IT services and to restrict access to personal and confidential data only to authorized personnel.
• Conducting periodic evaluations to identify and manage existing risks related to information security.
• Reporting all actual or suspected security vulnerabilities to the ISMS Team and ensuring that they are investigated accordingly.
• Enforcing the principles of segregation of duties and need-to-know access, ensuring that individuals only have access to information within their authority.
• Reviewing and monitoring action plans based on security assessments.
• Complying with all relevant legal regulations and contractual obligations related to information security.
• Preventing any disputes or conflicts of interest that may arise from contracts.
• Ensuring that information accessibility and security systems meet all business requirements.
This Information Security Policy serves as the highest-level document outlining the principles to be followed in implementing the necessary security measures. It applies to all individuals within the scope of the policy and defines the fundamental rules they must adhere to.
BÜLENT PEKER
Chairman of the Board