With the digital revolution, businesses are producing more data than ever before. This data is no more than a raw material, but an organization’s ability to transform it into useful information can unlock a world of opportunities. Thanks to cloud computing, organizations can have access to powerful IT capabilities – and with more flexibility than ever, they can externalize all or part of their information systems, workspaces, servers, applications and storage.
Although the cloud has been around for over a decade, the biggest objection still hindering its adoption is ongoing concern about data security and integrity. Systems integrators that can successfully offer cloud-hosted security and access control solutions will find themselves well-positioned for the future, with the ability to deliver a wide range of managed and remote services to customers while boosting the overall value of their company.
Orange Business Services is one such company. As the B2B branch of the Orange Group, which boasts 260 million customers across 28 countries and an annual sales revenue of EUR 41 billion, the global ICT provider aims to be a leading performer in the “data journey”. Supporting organizations through every step of their digital transformation, it offers customers expertise in the collection, transfer, security, storage, processing, analysis and sharing of data, and value creation. To deliver support on such a broad scale, Orange Business Services needs to operate seamless global processes managed under a corporate governance model that applies worldwide.
The implementation of ISO/IEC 20000-1, Information technology – Service management – Part 1: Service management system requirements, was thus a logical objective. Developed by ISO and the International Electrotechnical Commission (IEC), the flagship standard of the ISO/IEC 20000 family helps organizations embed a service life-cycle strategy, providing best practice on how to manage their portfolio of services so they remain current. The release in 2018 of a new and improved edition prompted us to ask Jean-Pierre Girardin, Customer Services & Operations at Orange Business Services, how this latest update will help the company in its commitment to maintain superior end-to-end services – wherever its customers do business.
ISOfocus: What are the reasons for the enthusiastic uptake of ISO/IEC 20000-1 by Orange Business Services?
Jean-Pierre Girardin: With over three thousand renowned multinational corporations at the international level and over two million professionals, companies and local communities in France, Orange Business Services relies strongly on information security standards and the company has been certified to ISO/IEC 20000-1 for ten years.
A conscious decision was made from the beginning to introduce the standard progressively and in an integrated manner. So we built on our initial corporate quality management systems based on ISO 9001 to enhance our service management processes in an integrated framework. This allowed us to align our service processes across our Orange Business Services operating sites all over the world.
As a B2B services-oriented company, getting certified to ISO/IEC 20000-1 was a golden opportunity. It enabled us to focus on improving our services and benefit from the virtuous combination of three management systems standards – ISO 9001 (quality), ISO/IEC 20000-1 (IT services) and ISO/IEC 27001¹⁾ (information security) – and the continuous improvement loops inherent in all three standards.
What are the major benefits that ISO/IEC 20000-1 has brought Orange Business Services?
The implementation of ISO/IEC 20000-1 has provided a number of key benefits, both internal and external. Our triple certification, which is renewed each year with regular new extensions of scope, identifies Orange Business Services as a trustworthy and reliable partner and recognizes the quality of our management system globally. We have since also added ISO 14001 for environmental management in three of our sites. All our indicators show that customer satisfaction has significantly increased as a result of these efforts. What’s more, the certification programme has proved an excellent way of reinforcing team cohesion among our staff, which has enabled us to keep up the momentum over the years.
The increasing uptake of ISO/IEC 20000-1 isn’t particularly surprising when you consider today’s security concerns. Could you please elaborate on the standard’s additional security-related benefits?
ISO/IEC 27001 for information security covers a defined scope of our activities and entities (operational, cloud services…), so we have ISO/IEC 20000-1, Paragraph 6.6 on information security management, to thank for securing the breadth of our processes and activities on three levels: requirements in our services, security controls in our operations, and a portfolio of managed security services.
For instance, we proactively monitor and respond to security incidents that could conceivably affect assets entrusted to us. To this end, we ensure that all changes are assessed before implementation to prevent any potential impacts on security protection. We have also introduced robust security controls in our processes and working procedures that have proved very effective. The additional security features of ISO/IEC 20000-1 also contribute to raising awareness of security as a full part of operational practice and auditors have acknowledged the exemplary behaviour of our staff when it comes to protecting the integrity of data.
How is ISO/IEC 20000-1 integrated at the process, operational and strategic levels within Orange Business Services?
ISO/IEC 20000-1 was fully integrated from the very beginning of the project in 2008 into a global coherent security management system. This was especially important as it coincided with the beginning of the ISO/IEC 27001 certification of our Egypt Major Services Center in Cairo, which was later followed by the India Major Services Center in Gurgaon near Delhi and, finally, our operations in France, Brazil and Mauritius. As a result, the ISO/IEC 20000-1 requirements have become part and parcel of all our processes and activities, whether it be in our relationships with customers, our activities with suppliers or throughout the services life cycle, from order to delivery.
At the strategic level, Orange Business Services conducts regular management reviews on a local, regional and global scale, where our certification results are carefully monitored. We anticipate customer expectations and adjust the scope as dictated by the business.
Being so successful in implementing ISO/IEC 20000-1 mainly by internal resources, could you share some tips with ISOfocus readers?
It is important to take a step-by-step approach when seeking certification. We began by forming a skilled, knowledgeable and dedicated team to manage the project. In this regard, proficiency in the ITIL framework, which helps align IT services with business needs, was considered a plus. We felt it was important to run a methodical gap analysis and feasibility study before introducing any new service for certification and reinforced our pool of internal auditors to help validate our progress through annual audits of all our processes and entities.
To create momentum among the staff, we also organized awareness sessions on ISO/IEC 20000-1 and all aspects related to certification and standards. Remaining pragmatic at all times, we aimed to convey the benefits of a certification journey to make sure everyone properly understood the purpose of implementing the standard. The trick is not to talk about the standards’ requirements, but rather to concentrate on showing the importance of applying them for the benefit of our customers, our services and our processes. The whole enterprise was of course endorsed by senior management, which was crucial to its success.
A new version of ISO/IEC 20000-1 has been recently published – any thoughts on the way forward? Future projects/plans?
The new version of ISO/IEC 20000-1 opens exciting perspectives for Orange Business Services. The standard is aligned to the new High-Level Structure used across all ISO management systems standards, including ISO 9001:2015, ISO/IEC 27001:2013 and ISO 14001:2015, so this version will be even easier to understand.
We are already looking at how to accommodate the changes within Orange Business Services and aim to be one of the first companies to successfully implement the new edition of the standard. This will be our challenge for 2019!
1) ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements, was developed jointly by ISO and the International Electrotechnical Commission (IEC).