Our client
The business
- Major player in energy transition and digital transformation
- 85700 employees
- 1800 companies
Challenges
- Getting the ISO 27001 certification
- Completing the project in 12 months
- Getting the team and management on board
VINCI Energies Information Systems (VESI) is the IT department of the VINCI Energies group, which therefore delivers IT services to the 1,700 companies in the VINCI group. Authentication services, messaging, collaborative tools, ERP and core business applications are thus deployed throughout the group, with business specificities for each company.
Cybersecurity is obviously fundamental to all these activities, which is why VESI has chosen to obtain ISO 27001 certification. A major project, carried out hand in hand with the Advens team.
“Cybersecurity is mentioned more and more frequently in the calls for tenders to which our 1,700 companies respond. They look to us to meet the demands of their clients. Getting ISO 27001 certification adds another dimension to their proposals.”
Bertrand Leclerc • CISO at VINCI Energies Information Systems
ISO 27001 certification for a dual objective: increased competitiveness and increased skills
There were no regulatory constraints pushing VINCI Energies Information Systems to certify its security management. The idea was rather to allow:
- the group’s companies to differentiate themselves from their competitors
- the security team to continue its ramp-up
“It was an opportunity to find out where we were, by self-assessing against a recognised standard. Our security team was only formed in 2017, when we put together a cybersecurity roadmap.”
Bertrand Leclerc • CISO at VINCI Energies Information Systems
The cybersecurity roadmap was already based on a self-assessment of security activities with respect to the ISO 27001 standard. Initiating the certification process made it possible to look at its application objectively.
A project team rich in expertise
Certification means organisation. A ‘compliance’ project manager is hired to carry out this certification and act as guarantor of the Information Security Management System (ISMS). In addition to this recruit, the operational director of information systems (DOSI) chooses to approach a specialist in security audits and ISO 27001 support. The Advens teams are thus mobilised to guide VESI in its approach.
“We had already supported many customers in their ISO 27001 procedures. Some do so for regulatory reasons, others to build skills in cybersecurity or seek a real competitive differentiator, such as VINCI Energies. But it is also a framework, a solid structure for the future!”
Nicolas Pierre • Security Consultant at Advens, member of the VINCI Energies project team
The challenge: 12 months to obtain ISO 27001 certification!
The project has been launched. Bertrand Leclerc and Dominique Tessaro, CIO of VINCI Energies, establish a roadmap with a deadline: VESI has 12 months to obtain its certification! A tight schedule, in which Adven’s role is decisive.
“We needed support: the ISO 27001 standard represents a rich body of documentation and requires a good understanding of the requirements, as well as preparation for an audit, which was not in our DNA. We needed an expert outside perspective. The Advens team had extensive experience in this process, and we immediately had confidence in them.”
Bertrand Leclerc • CISO at VINCI Energies Information Systems
A strong need for project support
The team, made up of four Advens consultants, the VESI project manager and Bertrand Leclerc, was able to rely on the expertise of two confirmed ISO 27001 specialists. They conducted the internal audit, prior to the certification audit.
The most critical point, besides working on security procedures? It was undoubtedly to getting all VESI employees to join the project.
“It was a business project, made up of a group of 550 people! We had to explain the reasons for the approach and get everyone on board, knowing that, as in any business, there is turnover. So we had to integrate the newcomers. To do this, we organised ten or so events, with the help of our collaborative tools.”
Bertrand Leclerc • CISO at VINCI Energies Information Systems
The importance of management support
Bertrand Leclerc and the project team worked to explain the project and encourage commitment. But they had a strong ally: the active sponsorship of their CIO. And the result was more than satisfactory: VESI was awarded certification with flying colours, with no discrepancies reported by the auditor.
An extremely rare verdict.
“Of all the projects I have been involved in, this had the most active management participation, with a CIO who really got involved and who was able to get the right messages across to employees. He was present throughout the construction of the management system. The result reflected this level of dedication!”
Nicolas Pierre • Security consultant at Advens, member of the VINCI Energies project team
What’s next: beyond certification, a long-term innovation project
ISO 27001 certification is not just a straightjacket to which you have to submit. There was nothing tedious about the process, as there were thousands of ways to meet the requirements of the standard, which is broad and generic enough in its wording for cyber teams to be able to innovate, without necessarily questioning what could have been implemented so far within the VINCI group.
ISO 27001 certification: a unifying project to pursue
ISO 27001 certification is the culmination of the skill improvement of all the teams and professions involved, which is not always apparent to companies at the beginning of the process.
This type of certification process must be seen as a long-term project, which will allow the company to enter a cycle of continuous improvement of its security. The CIO of VINCI Energies Information Systems intends to maintain this momentum.
“The challenge now is not slowing down. In the short term, we must keep up the pace by planning the next committees, preparing for the next internal audit and updating the documentation. While the audit did not reveal any areas of non-compliance, even minor ones, it did highlight a few sensitive points. We must integrate these areas for improvement into our action plan to continue strengthening the group’s cybersecurity.”
Bertrand Leclerc • CISO at VINCI Energies Information Systems
