Penetration Testing Contract and Legal Authorization: TCK 243-245, Scope and Rules of Engagement
An unauthorized penetration test is a crime in Turkey: a test done without written authorization can fall under TCK Articles 243, 244 and 245. This practical guide, with sources, explains the legal framework (TCK, CMK 134, KVKK Article 12), the indispensable clauses of a pentest contract and Rules of Engagement, the PTES Permission to Test document and the get-out-of-jail letter.
Quick answer: The only thing that makes a penetration test lawful is written authorization obtained from the owner of the target system. A test done without it can fall under Turkish Penal Code Article 243 (unlawful access to an information system), 244 (obstructing or damaging a system, destroying or altering data) and 245 (misuse of bank or credit cards); in other words, it is a crime. What removes the element "unlawfully" in TCK 243 is precisely the written permission. So every penetration test must begin with a contract, a clear scope, a signed Permission to Test document and Rules of Engagement (rules, time windows, emergency contacts, data handling). Tests touching personal data additionally trigger the KVKK Article 12 obligations and require a data-processing/confidentiality agreement.
As important as the technical side of a penetration test, but often neglected, is its legal face. A penetration test, by definition, mimics attempts at unauthorized access to someone else's system. The only thing that makes these attempts not a crime is the explicit, written authorization granted by the system owner. Without authorization, even with good intent, the act can be a crime. This article is a practical treatment of the legal basis and contractual framework of penetration testing in Turkey. For the process and pricing see the penetration testing process and when it is needed, and for choosing a firm see how to choose a penetration testing firm.
Legal basis: TCK 243, 244, 245
In Turkey, cyber crimes are regulated in the Turkish Penal Code No. 5237.
- Article 243 (Accessing an information system): Whoever unlawfully enters, or remains in, all or part of an information system is punished with imprisonment up to one year or a judicial fine. So unauthorized access itself is a crime. If data is destroyed or altered as a result, the penalty increases; unauthorized monitoring of data traffic between systems is punished under a separate paragraph.
- Article 244 (Obstructing, damaging a system, destroying or altering data): Obstructing or damaging the operation of an information system is punished with imprisonment, as is corrupting, destroying, altering or rendering data inaccessible. If committed against a bank or public-agency system, the penalty is increased by half.
- Article 245 (Misuse of bank or credit cards): Punishes acts against card systems.
The key point is this: the phrase "unlawfully" in Article 243 is what makes the act a crime. Written authorization makes the access lawful and removes it from being a crime. So the authorization document is the legal shield of a penetration test. (For the full article texts, see the official source on the Legislation Information System, given in the sources.)
Is there a single "pentest permission law" in Turkey?
No. There is no single special legal provision in Turkey that directly orders "written permission must be obtained before a penetration test." The written-authorization requirement follows by implication from TCK 243-245: unauthorized access is the crime, so authorization is the ground of lawfulness that removes that crime. In addition, KVKK obligations and contract law come into play. USOM has published an official document with criteria for personnel and firms providing penetration testing services; sectoral expectations are shaped in this frame.
CMK 134 and the forensic context
In the context of a criminal investigation, the search of computers, computer programs and logs, and the copying and seizure of their contents, are regulated by Code of Criminal Procedure Article 134: where there is strong suspicion based on concrete evidence and the evidence cannot be obtained otherwise, by a judge's decision (or a prosecutor's order where delay would be harmful). This is not a penetration testing authorization; it applies to forensic processes and is separate from the authorization logic of a penetration test. For the forensic process see the digital forensics process, KVKK and chain of custody.
KVKK Article 12: tests touching personal data
If a penetration test touches production systems and thus personal data, KVKK Article 12 applies: the data controller must take all technical and administrative measures to prevent unlawful processing of and access to personal data and to ensure its safekeeping; where the data is processed by another natural or legal person on the controller's behalf, the controller is jointly responsible with that person for these measures. In practice this means the testing firm is positioned like a data processor, so a lawful basis and a data-processing/confidentiality agreement are needed. KVKK's Personal Data Security Guide (Technical and Administrative Measures) lists regular security testing among these measures.
The indispensables of the contract and Rules of Engagement
PTES's Pre-engagement Interactions section defines what must be put in writing before a test begins and calls scope "arguably the most important yet most overlooked component of a penetration test." A solid penetration testing contract and Rules of Engagement should include:
- Clear scope. Which IP ranges, domains, applications and physical locations will be tested; the targets must be verified to actually belong to the customer. Everything out of scope must be written explicitly.
- Permission to Test document. Per PTES the most important document to obtain: it states scope, acknowledges awareness that system instability may occur and carries the customer's signature before testing begins. Third-party systems (for example a cloud provider) require separate permission.
- The authorizing authority. The person granting permission must be confirmed to have the authority to grant it (for example an information security manager or signatory).
- Time windows. Business hours, after hours or weekend; with clear start and end dates.
- Emergency contacts. Full name, title, two 24/7 contact methods and a secure data-transfer method.
- Sensitive data and social-engineering rules. How sensitive data is handled, approved social-engineering scenarios (in writing) and service-disruption/stress-test parameters.
- Data processing and confidentiality. A KVKK-compliant data-processing agreement, and storage, sharing and destruction of findings.
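The scope, exclusions and time-window clauses above are only useful if the testing team's tooling actually respects them. The following is an added example, not code from the original page or from DSET, of a pre-flight scope gate a tester can run before starting a scan: it blocks every target when the Permission to Test is not marked as signed, refuses to run outside the agreed window, and lets explicit exclusions win over in-scope ranges. The Rules of Engagement values, the TEST-NET addresses and the example.com hostnames are constructed assumptions for illustration. Verifying that the in-scope ranges really belong to the customer (for example through RDAP/WHOIS and the customer's own asset inventory) remains a separate manual step that the gate assumes has already been done.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Turkey time (UTC+3); time windows in the RoE are interpreted in this zone.
TRT = timezone(timedelta(hours=3))


@dataclass
class RulesOfEngagement:
    """Machine-readable extract of the signed RoE (assumed structure, not a standard)."""
    permission_signed: bool          # Permission to Test signed by an authorized signatory
    in_scope_cidrs: list[str]
    in_scope_domains: list[str]      # exact hosts, or wildcard suffixes like "*.example.com"
    excluded_cidrs: list[str] = field(default_factory=list)
    excluded_domains: list[str] = field(default_factory=list)
    window_start: datetime | None = None
    window_end: datetime | None = None


def _in_any(ip, cidrs) -> bool:
    """True if the address falls inside any of the given networks."""
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _domain_match(host: str, patterns) -> bool:
    """Exact match, or subdomain match for '*.' patterns (the apex itself is not covered)."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower().rstrip(".")
        if p.startswith("*."):
            if host.endswith(p[1:]):   # ".example.com" suffix
                return True
        elif host == p:
            return True
    return False


def check_target(roe: RulesOfEngagement, target: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason) for one target under the RoE at time `now`.

    Order matters: no signed permission blocks everything, the window is checked next,
    and exclusions are tested before inclusions so an excluded host inside an
    in-scope range is still blocked.
    """
    if not roe.permission_signed:
        return False, "Permission to Test not signed"
    if roe.window_start and roe.window_end and not (roe.window_start <= now < roe.window_end):
        return False, "outside time window"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        if _in_any(ip, roe.excluded_cidrs):
            return False, "IP explicitly excluded"
        if _in_any(ip, roe.in_scope_cidrs):
            return True, "IP in scope"
        return False, "IP not in scope"
    if _domain_match(target, roe.excluded_domains):
        return False, "domain explicitly excluded"
    if _domain_match(target, roe.in_scope_domains):
        return True, "domain in scope"
    return False, "domain not in scope"


def filter_targets(roe: RulesOfEngagement, targets, now: datetime):
    """Split a candidate target list into (allowed, blocked) lists of (target, reason)."""
    allowed, blocked = [], []
    for t in targets:
        ok, why = check_target(roe, t, now)
        (allowed if ok else blocked).append((t, why))
    return allowed, blocked


# Constructed sample RoE: TEST-NET range, one excluded host, an after-hours window.
SAMPLE_ROE = RulesOfEngagement(
    permission_signed=True,
    in_scope_cidrs=["203.0.113.0/24"],
    in_scope_domains=["example.com", "*.example.com"],
    excluded_cidrs=["203.0.113.10/32"],       # e.g. the customer's payment gateway
    excluded_domains=["mail.example.com"],
    window_start=datetime(2025, 3, 1, 22, 0, tzinfo=TRT),
    window_end=datetime(2025, 3, 2, 6, 0, tzinfo=TRT),
)
SAMPLE_NOW = datetime(2025, 3, 1, 23, 0, tzinfo=TRT)
SAMPLE_TARGETS = ["203.0.113.5", "203.0.113.10", "198.51.100.1",
                  "app.example.com", "mail.example.com", "example.com",
                  "example.com.attacker.test"]

if __name__ == "__main__":
    allowed, blocked = filter_targets(SAMPLE_ROE, SAMPLE_TARGETS, SAMPLE_NOW)
    for t, why in allowed:
        print(f"ALLOW  {t:28} {why}")
    for t, why in blocked:
        print(f"BLOCK  {t:28} {why}")
```

Feed the allowed list to the scanner and log the blocked list with its reasons; the log is itself evidence that the test stayed within the written scope if a dispute later arises.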
The get-out-of-jail letter
Especially in physical and social-engineering tests, the team is expected to carry a document proving they are authorized to be on-site or perform an action; in the industry this is called a get-out-of-jail letter. It contains who you are working with, what you are doing, which addresses and buildings it covers and the client point of contact. The underlying legal principle is universal: whether the access was authorized. If authorized, the act is lawful; if not, it is a crime.
How we work at DSET
At DSET we never begin a test without written authorization, a clear scope and a signed Permission to Test document. Every test runs with a contract and Rules of Engagement; for tests touching personal data a KVKK-compliant data-processing agreement is signed. Findings are reported with verified evidence; see verified vulnerabilities and false-positive-free testing. This legal discipline protects our company and our customer and ensures the test is defensible in court as well.
Frequently Asked Questions
Can I test my own system without permission? If the system is entirely yours and no third party (cloud provider, shared infrastructure) is affected, risk is low; however most cloud and hosting providers require their own permission process. In all cases written scope is recommended.
Is verbal permission enough? No. Verbal permission cannot be proven and will not protect you in a dispute. Signed written authorization is essential.
Who is responsible if the system crashes during the pentest? This is why Rules of Engagement put in writing that the risk of instability is accepted, plus time windows and emergency contacts; responsibility and limits are set by the contract.
Sources
- Turkish Penal Code (5237), Legislation Information System: https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=5237&MevzuatTur=1&MevzuatTertip=5
- Code of Criminal Procedure (5271), Article 134: https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=5271&MevzuatTur=1&MevzuatTertip=5
- KVKK (6698), official text: https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=6698&MevzuatTur=1&MevzuatTertip=5
- KVKK, Personal Data Security Guide (Technical and Administrative Measures): https://www.kvkk.gov.tr/yayinlar/veri_guvenligi_rehberi.pdf
- PTES, Pre-engagement Interactions (scope, Permission to Test, RoE): https://pentest-standard.readthedocs.io/en/latest/preengagement_interactions.html
- USOM, criteria for personnel and firms providing penetration testing services: https://www.usom.gov.tr/
To run your penetration test legally, authorized and under contract, contact DSET.