Audit under PASSI qualification
Your audit services carried out by a PASSI ÉLEVÉ-qualified service provider for all scopes!
Secure your information systems in line with government and ANSSI requirements
A PASSI (Prestataire d’Audit de la Sécurité des Systèmes d’Information) qualified audit is an information system security assessment carried out by a cybersecurity service provider qualified by the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information).
It’s important to note that a PASSI audit is not an audit type in itself, but an option available for five security audit scopes. It is therefore possible to perform these audits with or without PASSI qualification.
Since 2021, we have been a PASSI-qualified service provider covering all the scopes defined by ANSSI, and PASSI-qualified to the LPM high level since October 2025.
Types of audits covered by PASSI qualification
The audits that can be carried out under PASSI qualification are:
- Architecture audit
- Configuration audit
- Source code audit
- Intrusion testing (pentesting)
- Organizational and physical audit
These audits are carried out according to a precise and strict set of standards published by the ANSSI (Agence nationale de la sécurité des systèmes d’information), and are designed to verify an information system’s compliance with various security requirements.
The current version of the PASSI reference standard is 2.2.
Meet your industry's safety requirements with a PASSI audit
An audit methodology certified at the highest State level
A high level of quality
Make sure that the audit methodology complies with ANSSI standards, as well as ISO 19011, both in terms of the work performed and the deliverables supplied.
A compliant organization
Different levels of audit under PASSI qualification
There are three levels of audit under PASSI qualification.
Substantial qualification is the first level of guarantee of a service provider’s competence. It testifies to the trust that can be placed in the service provider, as well as its ability to protect the information and media relating to the service.
A substantial level of service is recommended if the risks to your Information System are:
- An isolated threat;
- An activist threat;
- A systemic threat.
This type of threat is often directed against a single organization, individual or system, with no immediate risk of propagation or cascading effect.
Example of a threat:
- Hacker or opportunist group;
- Script kiddies;
- Internal threat.
The high qualification level is the second guarantee level. Compared with the substantial level, it offers a strong guarantee of competence, confidence and information protection.
A high-level service is recommended if the risk to your Information System is a strategic threat.
This type of threat aims to compromise or weaken the security, sovereignty or long-term interests of an organization, state or critical sector.
Example of a threat:
- State-funded APT group / State threat.
The PASSI-LPM qualification is the highest level of guarantee. It guarantees cutting-edge expertise and processes adapted to Operators of Vital Importance (OIV).
If your organization is designated as an OIV (opérateur d’importance vitale – operator of vital importance), you should consider a service at the high LPM level, in particular to carry out controls of systems of vital importance (SIIV) and audits of information systems concerning FR, EU and NATO classified information and media.
The threats concerned are the same as for the high level; the LPM level is compulsory if your organization is designated as an OIV.
Identify threats specific to your ecosystem
There are three main types of threat that can target your organization.
Hacktivist or isolated threat
The hacktivist or isolated threat is characterized by attacks such as denial of service or data leaks. The isolated threat often comes from individuals with unsophisticated tools or privileged access to an Information System. This type of threat is carried out by a lone individual or a hacktivist group.
Systemic threat
The systemic threat is a type of threat that can affect a large number of organizations. It includes the cybercriminal threat, which is often characterized by attacks for profit. Attackers use ransomware or fraud to achieve this.
This type of attack is used by organizations or states with relatively limited resources.
Strategic threat
The strategic threat is characterized by targeted, long-term attacks. It is orchestrated by a state and is characterized by the scale of the technical and organizational resources deployed, as well as by a strategy of discretion.
Motivations for these attacks include espionage and destabilization.
The PASSI audit process
[Process diagram; only partial step labels were recovered, in order: service, scoping, audit, opening (optional), daily (in high-level PASSI), with unit report(s) (in high-level PASSI), hot, audit, closing (optional).]
It’s important to note that the opening meeting, although optional, is recommended by our experts.
Hot debriefings with unitary reports are carried out in the event of the discovery of a critical vulnerability, whatever the audit level.
Who can carry out PASSI audits?
To carry out audits under PASSI qualification, the service provider performing the audit must have obtained PASSI qualification issued by ANSSI.
PASSI-qualified organizations are audited every 18 months by a qualification body appointed by ANSSI.
For high and high-LPM levels, auditors must pass a written and oral examination every 36 months on each of the 5 scopes, to confirm their skills.
Our tips for preparing a PASSI audit
To prepare for a PASSI audit, it’s important to anticipate your needs and choose between the three levels of PASSI qualification.
Depending on the qualification level and audit type chosen, the lead time before the engagement can start may vary, notably according to the number of meetings and obligations involved.