IT services outsourced: ISO certification as a vector of trust

Philippe Dann, Head of Risk and Business Advisory, EBRC
By A. Keilmann 02/03/2020

An interview with Philippe Dann and Jean-François Hugon, respectively Head of Risk and Business Advisory and Head of Marketing at EBRC. They discuss the importance of the certifications held by the company specialised in the management of sensitive information, as well as the advantages that the company derives from those certifications and from which customers benefit, including standardisation and a relationship of trust.

Certification striving for excellence

"EBRC’s ambition is to position itself as a centre of excellence in Europe in the management and protection of sensitive data area", explained Philippe Dann before going on to say: "To do this, we have set in motion several mechanisms, including a certification strategy in particular. From the creation of new services to integration, including the management of sensitive information, each of EBRC’s business lines is now covered by very specific certifications".

This increased certification process is also part of the strategy of constant and continuous improvement promoted by EBRC and its experts, based on the Deming Wheel principle, or the PDCA cycle – Plan, Do, Check, Act.

Regular audit of IT services: a guarantee of ISO certification and compliance with regulation

As these various standards and certifications are regularly audited, they represent a convincing guarantee for EBRC’s customers and prospects, formally demonstrating the quality and expertise of the services offered by the Luxembourg-based company. In addition, external audits carried out by certifying bodies represent a significant time saving for customers: this advanced certification approach reinforces trust in an increasingly digital and regulated environment, particularly with the GDPR. "The upcoming arrival of the NIS Directive will also have an impact: it will force companies to implement effective checks. With the current certifications, EBRC is already in a position to carry out such checks and to prove that it meets regulators’ expectations", said the Head of Risk and Business Advisory. These are therefore key aspects in EBRC’s international development and in its positioning as a "European centre of excellence".

The certifications, which act as a "business card" for the company, demonstrate its ability to meet these very specific standards. "We operate in fields such as finance or health with specific statutes, respectively PFS (Professional of the Financial Sector) in Luxembourg and HDS (Hébergeur de Données de Santé – Health Data Hosting) in France, requiring us to opt for certifications and standards inherent to the regulation of the sector.

ISO certification enabling access to a regulated market: eIDAS use case

The certification process has the added benefit of enabling us to access a regulated market and improves the quality of responses and services. The eIDAS Regulation, for example, mainly concerns public sector bodies and trusted service providers established in the European Union. It establishes a European framework for electronic identification and trusted services to facilitate the emergence of the digital single market. Its scope covers the subject of electronic signatures and repeals Directive 1999/93/EC. The ANSSI is one of the national bodies responsible for the implementation of this regulation (Source: ANSSI).

In short, they help to break down the barriers to entry that we may encounter and assure the customers and stakeholders of a given ecosystem that we speak the same language. These cascading certifications provide an additional guarantee insofar as they are regularly audited. Finally, they demonstrate the maturity of a know-how that we have built through a process. The audit phases facilitate the continuous improvement of our services, which is perfectly in line with our approach to delivering Trusted Services and actively contributes to cyber-resilience", added Jean-François Hugon. The Head of Marketing also emphasised the benefit of certifications for service providers such as EBRC, which are imposed both by future customers seeking a solution and by regulators at the international level.


ISO certification: a continuous quality improvement process

Finally, as the two experts point out, this certification strategy makes it possible, above all, to control the quality of services internally, each of them providing a very precise framework with obligations to be respected and ultimately improving the structure of services by optimising the working environment, thus enabling the various stakeholders to save time. "Standards require structure and improve internal communication. Each stakeholder’s role must be defined, and KPIs - Key Performance Indicators - but also KRIs - Key Risk Indicators - must be implemented. This can be tricky, but it remains crucial", added Philippe Dann. Moreover, the ISO 20000 certification, which EBRC has achieved, stresses this point. It specifies the requirements for the service provider to plan, establish, implement, execute, monitor, review, maintain and improve a Service Management System across the board, from its design to service improvement. "Today, knowing your processes better also means predicting and anticipating. Two key elements in a world in which uncertainty is almost constant", added the Head of Risk and Business Advisory.


ISO certifications are at the heart of EBRC’s strategy

"EBRC has currently over 70 international certifications and awards, which, combined, enable customers to evaluate our performance and services, and even our best practices and strategy", said Jean-François Hugon.

ISO 9001 & 20000 certification: for quality management

ISO 9001 certification, which is linked to quality management systems, makes it possible to define standards that are part of the company's overall framework: it includes requirements for product design, development, production and after-sales service. "A certification that sets the milestones, that serves as a foundation", according to Philippe Dann. As for the ISO 20000 certification, as mentioned above, it focuses on the management and organisation of IT services, including processes, reports, customer relations, helpdesk and incidents.

ISO 22301 certification ensuring business continuity

Business continuity is ensured through ISO 22301 certification: it involves defining processes to ensure that the company will continue to be able to provide the services to its customers in the event of a technical or human disaster.

ISO 27001 certification: security & risk management

A strong focus on security and risk management is provided by the ISO 27001 standard: these aspects must be managed upstream, from the design or implementation of a new service or product.

ISO 27018: protection of personal data in the cloud

"It includes the “Trusted” concept, which is important to EBRC", added the experts. EBRC also has ISO 27018 certification, which relates to the protection of personal data in the cloud. Three sources must be checked in order to verify safety requirements: the legal, regulatory and contractual environments, risk assessment and internal references within the company.

Additional certifications for sensitive sectors

Active in the healthcare sector in France, EBRC is also HDS - Health Data Hosting – certified and can therefore offer its services to stakeholders in the management of sensitive and personal data. As the Head of Risk and Business Advisory explained, "this is a certification of our Data Centre services in our Tier IV data centres". In order to support its partners in the financial sector offering credit card payment services, EBRC also complies with the PCI DSS (Payment Card Industry - Data Security Standard) Level 2 standard.

Green IT services ensured by ISO standard

With its 5 Data Centres in Luxembourg, EBRC makes it a point of honour to work towards protecting the environment. This "Green IT" aspect is defined through the ISO 14001 standard, which includes the planning and implementation of actions aimed at complying with this environmental policy, as well as the ISO 50001 standard, which concerns energy performance and promotes efficient energy management. These certified Tier IV Data Centres were designed to ensure the highest standards of continuity. "Certification provides an availability rate of 99.995%, corresponding to less than 26 minutes of cumulative downtime per year. The Data Centre must therefore be autonomous, both in terms of its management and its ability to respond to incidents", said Philippe Dann.

Why outsource IT activities – and how?

According to EBRC’s Head of Risk and Business Advisory, "it is crucial to investigate internal processes before outsourcing. Secondly, the choice of supplier is just as important: it involves a study and must result in a relationship of trust. This is where certifications come into play". The Business Advisory and IT Transformation teams first map out customer needs before setting up a strategy, with an action plan, which will then be implemented.

Philippe Dann and Jean-François Hugon then shared their recommendations as regards selecting an IT service provider: "First of all, we recommend starting with an internal audit to measure the company's level of maturity with regard to outsourcing. Afterwards, workshops can be led by EBRC experts". They hold that companies can also consider certification and describe their processes using a known framework, which will facilitate the transformation and migration to outsourcing. "Drawing up the specifications and identifying KPIs will follow. The latter, which are professional and business indicators, must be aligned with senior management. Some must be technical, while others are centred on employees’ satisfaction with a focus on usability", they explained. The service provider, for its part, in a constant concern to improve customer relations, must ensure that it provides new and innovative solutions, anticipating and meeting future needs: once chosen, the service provider will be integrated into the customer's value chain.

Subsequently, companies must assess the possible financial, qualitative and business benefits of a potential migration to outsourcing. Obviously, this goes hand in hand with assessing the potential losses, especially as regards control. Thus, the notion of strategy takes on its full meaning: is it a strategic business or not? The answer will depend on the customers, their activity and their maturity", added the Head of Risk and Business Advisory.

EBRC’s extensive certification process does not preclude it from having the agility required to navigate today's digital and changing environment. While certifications impose a framework, they provide real, flexible and pragmatic added value based on the customer’s needs. To be effective, they must also be understandable to the people who apply them. According to Jean-François Hugon and Philippe Dann, "it is the combination of these aspects that makes standards evolve with the company". While the implementation of such standards can be difficult at first, they will subsequently bring significant gains to companies, while benefiting their end users.