What is the ANSSI PACS Standard?
The PACS (Prestataires d’Accompagnement et de Conseil en Sécurité des systèmes d’information) standard is a framework recognized in France, created by ANSSI. It establishes a structured set of organizational, security, and competence requirements. This scheme attests to the competence, ethics, and reliability of structures advising organizations on their cyberdefense strategy, while ensuring that the client always retains autonomy and responsibility for their security approach.
The PACS standard (version 2.0) introduces two distinct levels of requirements tailored to the security stakes of the clients:
- The Substantial Level: This level validates a baseline of geographical, methodological, and organizational maturity for supporting standard or intermediate structures and information systems.
- The High Level: Intended for the protection of the most critical information systems, this level requires the verification of reinforced logical security measures on the provider's own information system (such as encryption, segregation, or infrastructure hardening) to handle highly sensitive or restricted information.
The qualification can be obtained for all or part of the four domains (scopes):
- IS security risk management consulting (risk assessment and treatment plans).
- IS security accreditation consulting (file compilation and decision support; this scope cannot be applied for alone).
- IS architecture security consulting (structuring technical and organizational choices).
- Cyber-sourced crisis management preparation consulting (governance, reflex sheets, exercises, and PCA/PRA/PCI business continuity plans).
The challenges of PACS Qualification
This qualification is a guarantee of trust for clients—particularly OIVs (Operators of Vital Importance) and OSEs (Operators of Essential Services)—but also for any company concerned with protecting its sensitive information.
Engaging a PACS-qualified provider brings fundamental guarantees to clients' cybersecurity projects:
- Trusted Expertise: Assurance of working with consultants whose skills are officially recognized and validated by ANSSI.
- Security and Quality of Services: Guarantee of a high level of quality in deliverables and methods, framed by the PACS requirements standard.
- Risk Reduction: Better control over cyber risks thanks to expert guidance in IS security risk management.
- Regulatory Compliance: Valuable assistance for information systems security accreditation, making compliance easier to achieve.
- Architectural Reinforcement: Obtaining relevant advice to secure IS architectures against current threats.
- Crisis Preparedness: Improving the organization's ability to anticipate and effectively manage a cyber incident or crisis.
Who is the PACS Qualification For?
This evaluation pathway is intended for all professional structures—from independent consulting firms to large Digital Service Companies (ESNs)—that operate IS security consulting and support activities on behalf of third-party clients or public entities.
The qualification certifies that the provider complies with:
- Contractual, legislative, and information protection requirements.
- Minimum levels of theoretical knowledge and methodological skills of the consulting teams.
- IT security rules applicable to the consulting firm's own work and administration tools.
How Does the PACS Evaluation Work?
The provider initiates their request with LSTI (either before or after submitting their milestone J0 file to ANSSI). LSTI's auditors and technical experts are seasoned cybersecurity professionals. They possess an in-depth mastery of ANSSI standards, information security management practices, and digital trust frameworks.
In accordance with ANSSI's official evaluation framework, the compliance verification process is divided into several key phases, conducted by LSTI auditors bound by the strictest professional secrecy:
Provider Evaluation (Two Steps)
- Documentary Review (DOC): An in-depth analysis of documented information, legal structure, and the reproducibility of the provider's processes (PSSI/ISSP, template reports, risk analysis methodologies). A documentary review report is issued to validate preparation for the next stage of the audit. The maximum timeframe between this review and the on-site audit is 6 months.
- Process, Premises, and IS Audit (On-Site): Concrete field verification of compliance with internal policies, the applicability of measures, and the security of the firm's infrastructure (cryptographic tools, protection of mobile workstations). Conducted by an Evaluation Lead (RA) and an Architecture Technical Expert (ETA), this audit concludes with an oral presentation meeting of findings and any non-conformities (major or minor).
Consultant Skills Evaluation (High Level Only)
In parallel, as soon as milestone J1 is passed, each candidate for whom an individual competence certificate is requested must pass rigorous examinations organized by LSTI:
- Written Exam: Anonymous theoretical exams evaluating the Common Core of ISS Knowledge and, depending on profiles, specialty exams (Risk Management, Architecture, or Crisis).
- Oral Exam: An interview before a jury of experts (RA/ETA) aimed at evaluating listening and communication skills [ISO 19011] and confirming the candidate's professional skills through the defense of a real, closed witness assignment.
At the end of these operations, LSTI produces the final evaluation report for ANSSI's decision-making. Maintaining the qualification requires a mandatory surveillance inspection or audit at 18 months.
Your Questions About the PACS Qualification
What are the differences in services between a Substantial PACS and a High PACS for the end client?
The choice between the Substantial and High levels depends on the sensitivity of the data and the criticality of the end client's information system.
- The Substantial level guarantees that consultants apply a rigorous consulting methodology and master the security of their own work tools, which is suitable for standard private companies and local authorities.
- The High level is required for critical or state structures (OIVs, ministries) because it guarantees that the consulting firm has a hardened and accredited information system, capable of securely exchanging and storing classified or restricted distribution data.
What is the concrete difference between the Substantial level and the High level during a consulting firm's PACS evaluation?
The major distinction between the Substantial and High levels lies in the technical and organizational relaxations defined by the ANSSI evaluation framework. By applying only for the Substantial level, a firm's evaluation path benefits from three key simplifications:
- The absence of individual theoretical exams for consultant competence certification.
- The absence of an obligation to possess a "Restricted Distribution" accredited infrastructure (SI DR).
- An evaluation of methodological expertise based exclusively on a "post-mortem" (retrospective) analysis of already archived consulting missions, without verifying an active project in the field.
As a consulting firm, is it possible to be evaluated and qualified solely on the "Cyber Crisis Management Preparation" scope?
It is entirely possible for a consulting firm to be evaluated and qualified under PACS solely for the "Preparation for cyber-sourced crisis management" scope. Crisis management thus constitutes an independent technical perimeter. A structure can therefore choose to have its organization, simulation methodologies, and team skills audited exclusively on this specialty to obtain a targeted PACS qualification.
What are the technical prerequisites regarding the information system of an applicant consulting firm?
The firm's information system is an integral part of the evaluation scope conducted by the Architecture Technical Expert (ETA).
For the Substantial level, the IS must comply with the best practices and requirements of the ANSSI IT Hygiene Guide (notably the reinforced GHY 13 rule introduced in framework v2.1 regarding the exclusive use of qualified trusted products and services).
For the High level, the infrastructure must be officially accredited for processing "Restricted Distribution" level information (SI DR), in strict compliance with the Interministerial Instruction II 901.
Regardless of the level, LSTI technical experts verify regulatory compliance related to rights and authorization management, data encryption mechanisms (at rest and in transit), the security of consultants' mobile workstations, as well as the application of infrastructure security rules.
What is the difference between a PACS provider and a cybersecurity consulting firm?
The major difference lies in the ANSSI Security Visa: a PACS-qualified provider has had its skills, methodologies, and logical security rigorously audited by an independent conformity assessment body (CAB). In contrast, a standard cybersecurity consulting firm's approach often relies on self-declarative assessments.
Furthermore, the PACS 2.0 framework imposes strict operational and sovereignty guarantees for handling highly strategic data. Choosing a PACS-qualified provider guarantees clients the highest assurance level (Substantial or High), which is essential for supporting and securing critical infrastructures.
Why choose LSTI?

Recognized expertise
With over twenty years' experience, LSTI supports more than 300 organizations in France and Europe as a leading certification body and assessment center, operating in the fields of cybersecurity, digital trust and information security.

Specialized auditors
Our teams of auditors are made up of experienced professionals who are fully conversant with ANSSI cybersecurity guidelines, information security management practices and European digital trust frameworks. Their approach guarantees assessments that are demanding, balanced and adapted to the operational contexts of each organization.

Independent third party and dedicated support
LSTI guarantees impartiality, transparency and consistency throughout the entire cycle: preparation, audits, surveillance and renewals. A dedicated contact ensures continuity and clarity throughout the certification process.




