Certificate to strengthen trust in telecommunications provider

TÜV NORD Polska is helping to strengthen confidence in Poland’s largest telecommunications provider, ORANGE. The company has now been successfully certified according to ISO 27018. This standard deals with the protection of personal data in data clouds. “What these certifications – ISO 27018 and ISO 27001 – show is that, with us, data are secure and are only used for the purpose for which they are intended,” says Slawomir Chmielewski, Head of Corporate Security at ORANGE Poland. He hopes that the successful certification will strengthen confidence in the company’s cloud services and that customers will make more use of them. This is one of the first ISO 27018 certificates ever awarded in Poland. But, according to Przemyslaw Szczurek, Product Manager for Information Security at TÜV NORD Polska, it will not be the last: “The market for certifications in the field of information security is growing faster in Poland than the global average. Awareness of data security, too, is growing.” More than ten years ago, ORANGE introduced an information security management system according to the ISO 27001 standard, initially for mobile services and later also for the fixed network. This was the cornerstone for the current certification. The special feature: Normally, an information security management system only affects a company’s own data; in the case of telecommunications providers however, it also includes customer data.

In ISO 27018 certification audit in ORANGE, Mariusz Koszeluk asked for documented information confirming compliance with the requirements of the standard. “But I also looked at the technical area”, explains the auditor, “I have checked the security in the data centre  physically and technically, i.e. the core where the personal data of ORANGE customers are processed.” Finally, the auditor also analysed the contracts with customers with regard to the concluded agreements on data protection. “Customers retain control of their data and they know what is happening to them,” explains Slawomir Chmielewski. “Customer data is only used for the purpose for which it was entrusted to us. This is now independently confirmed." ORANGE has already complied with the new General Data Protection Regulation, which will enter into force in the European Union in May. It harmonises the rules for the processing of personal data by companies and public institutions throughout Europe. This ordinance provides for a risk analysis for which a functioning information security management system is a good basis. “We have clear roles and responsibilities, rules, procedures and instructions,” explains Mr Chmielewski. Regular internal audits and training courses are designed to raise the awareness of the workforce and thus constantly improve the system. “Information security is a key element of our credibility, and customers trust it.”

TÜV NORD Polska won the contract to do the certification audit because the company was able to conduct an audit by local auditors.

Background

Orange is the largest French telecommunications company with over 170,000 employees worldwide and an annual turnover of over 43 billion euros. It emerged from the state postal and telecommunications authority, later France Télécom. Poland is a big market for the company in Europe, while outside Europe Orange is mainly active in Africa.

The ISO/IEC 27000 series of standards regulates standards for IT security. It comprises more than 20 individual standards, including ISO/IEC 27018 on the security of personal data in data clouds.

System certifications are a major pillar of TÜV NORD Polska. Approximately 30% of employees work in this area. Renowned customers include: Saint-Gobain, Winkelmann, Aflofarm, DB Cargo Polska, Laboratorium Kosmetyczne Dr Irena Eris, Oleofarm, AJINOMOTO Poland, Kimball Electronics, Kirchhoff Polska, Thyssenkrupp Materials Poland, LG Electronics Polska.