To print this article, all you need is to be registered or login on Mondaq.com.
- Introduction
The Regulation on the Authorization of
Participants within the Scope of Public IT Service Procurement
(“Regulation“) has been published on the
Official Gazette dated June 29, 2022 and numbered 31881. The
Regulation is prepared by the Turkish Ministry of Industry and
Technology (“Ministry“) and will enter
into force on September 29, 2022.
The Regulation covers the procurement of IT services to be made
by public administrations. These procurements correspond to the
procurement of consultancy services and services realized within
the scope of the Public Procurement Law and the procurement of
goods, services, consultancy, and construction works within the
scope of other legislation and public-private cooperation projects.
In this context, it is set forth that the subject of purchases is
all kinds of software development, software integration and
software maintenance services, IT system installation and
maintenance services, IT consultancy services and IT security
services.
- Authorization Certificates
There are three types of authorization certificates under the
Regulation: (i) Public IT Authorization
Certificate, (ii) Software Authorization
Certificate, (iii) Penetration Test Authorization
Certificate.
Accordingly, the parties that will provide IT services to public
administrations will be obliged to hold at least one of these
authorization certificates, depending on the nature and subject of
the procurement to be made.
A definite period is not stipulated for the duration of such
authorization certificates (the validity period of the submitted
documents will be taken into account) and the duration of the
authorization certificates can be extended by submitting the
renewed documents to the Ministry through a re-application no later
than one month before the expiration date of the document.
- Application Requirements
Within the scope of the Regulation, the application requirements
are expressed in a very limited way and internationally accepted
documents showing the necessary security and competence are
requested:
(i) For Public IT Authorization Certificate, TS EN
ISO/IEC 27001 certificate (Information Security Management
System Certificate issued by accredited organizations with ISO/IEC
17021-1 accreditation) for at least one of the IT service
procurements.
(ii) For Software Authorization Certificate, TS EN
ISO/IEC 27001 certificate covering software development, software
integration and software maintenance services and at least one of
the documents of TS ISO/IEC 15504 Level 2 (Information
Technology Process Assessment Certificate issued by accredited
organizations conducting audits in accordance with the Software
Process Improvement and Capability Determination (SPICE)
method) or CMMI (Capability Maturity Model
Integration) Level 3.
(iii) For Penetration Test Authorization Certificate, TS
EN ISO/IEC 27001 certificate covering penetration testing services
and Type A or B TSE Penetration Test Company Certificate (document
expressing the conditions for participants providing
penetration testing services within the scope of TS 13638
standard).
On the other hand, various additional information and documents
may be requested by the Ministry.
- Audit
The Ministry has the authority to audit the participants with
the authorization certificate on whether they act in accordance
with the authorization certificate or not.
In the event that a discrepancy is detected during these audits,
(i) a written warning shall be given, (ii) remedy period up to 6
months shall be granted, (iii) the authorization certificate shall
be suspended until the discrepancy is corrected. During the
suspension period, the participant in question will not be able to
obtain a new authorization certificate of the same type.
The authorization certificate will be canceled if the
discrepancy is not corrected within the given period. In case of
cancellation, the same type of authorization certificate will not
be issued for 1 year. In case of repetition of the cancellation of
the authorization certificate, the same type of authorization
certificate will not be issued for 3 years.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Government, Public Sector from Turkey
