What is ANSSI's PASSI framework?
PASSI (Prestataire d'Audit de la Sécurité des Systèmes d'Information) is a qualification established under ANSSI's General Security Framework (RGS). It aims to guarantee the competence, impartiality, and reliability of companies performing technical security audits. In this context, LSTI is authorized to assess provider compliance, after verifying that the provider meets strict requirements, and to proceed with the qualification based on version 2.0.
The framework's requirements are structured around 5 audit scopes:
- Organizational and physical,
- Architecture,
- Configuration,
- Penetration testing,
- Code.
They also cover auditor competence (validated by exams), security of audit processes, and the protection of sensitive information (up to the "Diffusion Restreinte" / Restricted classification level).
The PASSI qualification is an essential trust indicator for public and private organizations, especially those subject to strict regulatory requirements.
From PASSI 2.0 to PASSI 2.2: Evolution of audit scopes
The framework's evolution has profoundly changed how technical domains (called "scopes") and requirement levels are assessed:
- Scope management under the PASSI 2.0 framework: In this historical version, the framework standardized access to qualification around 5 immutable audit scopes (organizational and physical, architecture, configuration, penetration testing, and source code). Security requirements for the provider's information system and the validation of auditor competencies (via mandatory written and oral exams) were identical for everyone, regardless of the end-client type or the sensitivity of the targeted systems.
- The evolution of scopes under the PASSI 2.2 framework: Entering into force on August 1, 2024, version 2.2 introduces major flexibility by segmenting each audit scope according to two assurance levels: Substantial (Substantiel) or High (Élevé). A provider can now choose, for a given scope (e.g., penetration testing), the requirement level suited to their market. The Substantial level streamlines the process by validating competencies through a portfolio review of past assignments. Conversely, the High level maintains mandatory exams for auditors, requires direct on-site observation (in situ audit), and mandates an information system officially approved for Diffusion Restreinte [II_901] (Restricted level) to process all audit data.
Evolution of PASSI framework governance
The governance and delivery methods of this qualification vary depending on the applied framework version:
- Under the PASSI 2.0 framework (Historical): ANSSI formally delegated the final qualification decision to LSTI under the regulations in force. LSTI was thus directly authorized to issue the qualification after verifying the provider's compliance.
- Under the PASSI 2.2 framework (Current): Governance has changed. LSTI is authorized by ANSSI to conduct the assessment and issue a certificate of conformity. Subsequently, ANSSI alone makes the final qualification decision based on the conformity report submitted by LSTI.
What is at stake with the PASSI qualification?
Using a PASSI-qualified provider offers decisive advantages for the security of an organization's Information System (IS):
- Impartiality and trust: Assurance of an audit conducted with full impartiality and independence, meeting ANSSI's highest requirements.
- Veteran expertise: Guarantee that auditors possess technical and methodological skills validated by rigorous exams.
- Audit data security: The provider's commitment to apply information protection measures (Diffusion Restreinte level) for collected sensitive data.
- Quality of deliverables: Obtaining clear, actionable audit reports based on rigorous audit processes and recognized methods.
- Comprehensive technical coverage: The ability to choose qualified providers for various required audit types (penetration testing, code audit, etc.).
- RGS Compliance: Demonstration of due diligence in security, essential for organizations subject to the RGS or seeking a high level of cybersecurity.
A legal obligation for Operators of Vital Importance (OIV)
For Operators of Vital Importance (OIVs), using a PASSI-qualified provider is not just a good practice, but a major regulatory obligation dictated by the French Military Programming Law (LPM) and the Defense Code:
- Mandatory SIIV audits: Sectoral decrees of the LPM require OIVs to periodically audit their Vital Importance Information Systems (SIIV).
- Exclusivity of qualified providers: These compliance and security audits can only be commissioned from structures qualified as PASSI by ANSSI.
- Guarantee of sovereignty: This obligation guarantees the State and the OIV that vulnerabilities affecting the Nation's critical infrastructures are handled by trusted professionals and stored on highly protected information systems.
The pledge of state-level security for organizations
For structures that are not OIVs (private companies, SMEs, mid-caps, or local authorities), calling upon a PASSI-qualified provider constitutes the market's highest pledge of quality, rigor, and security. It is the assurance of benefiting from the same level of requirement, data protection, and technical excellence as that required for the State's critical infrastructures.
Who is the PASSI qualification for?
The PASSI qualification is aimed at all companies, consulting firms, IT services companies (ESNs), or public administrations that carry out security audit services.
It is structured around 5 distinct audit activities. The candidate provider can choose to be assessed on one, several, or all of these scopes:
- Organizational and physical audit: Analysis of security policies, governance, and physical premises security.
- Architecture audit: Analysis of network configuration, partitioning, and the IS's conceptual robustness.
- Configuration audit: Detailed verification of systems, servers, workstations, and security equipment.
- Source code audit: In-depth analysis of applications to detect development flaws.
- Penetration testing (Pentest): Simulation of real attacks to identify and exploit vulnerabilities within a given perimeter.
How does the LSTI assessment audit work?
The initial assessment audit conducted by LSTI is organized according to a regulated process comprising four main steps:
1. The assessment plan: Before operations, LSTI formalizes and sends a document to the provider and ANSSI (at least two weeks in advance) detailing the strategy and planned conduct of the audit (DT208).
2. The Headquarters Assessment: Structured in two phases:
-
Remote documentary study: In-depth analysis of documentation to understand the provider's organization and validate its preparation. The on-site audit must occur within a maximum of 6 months after this study.
- On-site audit: Organized at the provider's premises, it begins with an opening meeting (introductions, access modalities, validation of sample services), continues with hardware and logical investigations (processes, premises, IS security) with daily updates, and ends with a closing meeting to validate conclusions and non-conformity reports.
3. Witness Observation Assessments: LSTI checks the provider's field practice according to the targeted assurance level:
- Substantial Level: "Post-mortem" documentary assessment conducted during the headquarters audit (analysis of plans and reports from past client cases), without traveling to client sites.
- High Level: Deployment of assessors to directly observe a real service at a client site (minimum duration of one day). One activity is observed for 1 or 2 applied scopes, and two activities for 3 or more scopes.
4. Processing and decision: The lead auditor submits their reports and non-conformity sheets to LSTI within one month. After an independent review of the entire file (including auditor exam results), LSTI's general management makes the final decision to grant or refuse the certificate of conformity and notifies ANSSI.
For the High level, obtaining compliance requires that at least one auditor or team leader has successfully passed the written and oral exams for each applied technical scope.
What is the validity period of the PASSI qualification?
The qualification is issued by LSTI for three years, subject to a surveillance audit 18 months following the initial qualification or renewal. For the high level, auditors must also pass the written and oral exams every 3 years. Qualified providers are listed on both the LSTI and ANSSI’s website.
-
What's new in version 2.2 of the PASSI framework?
Entering into force on August 1, 2024, version 2.2 of the PASSI framework introduces a major overhaul to align with current threats. Key changes include the creation of two distinct assurance levels (Substantial and High), a tightening of security requirements applicable to the audit provider's own information system (IS), and an update of the exam syllabi incorporating new European regulations (such as the NIS 2 directive).
-
What are the operational differences when a client entrusts their data to a "Substantial" level PASSI provider compared to a "High" level one?
From the audit sponsor's (the client's) perspective, choosing between a Substantial or High level PASSI provider changes how their sensitive information will be handled and secured:
- With a Substantial level PASSI: The provider processes audit information on an information system that complies with standard good security practices (Standard level of the ANSSI IT Hygiene Guide).This level is suitable for auditing standard, unclassified information systems.
- With a High level PASSI: The security level is maximal and calibrated for critical infrastructures (such as OIVs or public administrations). The provider is legally obligated to use an information system officially approved for Diffusion Restreinte (DR - Restricted) to execute its mission, regardless of the initial classification marking of the documents provided by the client. All audit data (reports, screenshots, mappings, discovered vulnerabilities) are thus protected by strict physical and software measures, compliant with the national instruction [II_901], preventing any information leak to unprotected networks.
-
Can a freelance auditor or an intern be qualified under the banner of a PASSI provider?
No, this is not authorized by the framework. Requirement V.4.a of the PASSI framework explicitly states that all auditors and team leaders participating in qualified missions must be tied to the provider by a direct employment contract (permanent or fixed-term). Intern profiles are not accepted, and the use of independent subcontractors (freelancers) cannot be used to validate the provider's competence for the requested qualification scope. -
What is the cost of the PASSI qualification?
The price of a PASSI qualification assessment is not a fixed flat rate but depends directly on the estimated workload in man-days by the LSTI assessment center. This cost varies depending on the chosen assurance level (Substantial or High), the number of technical scopes to be qualified (among the 5 possible activities), the number of geographical sites of the provider, as well as the complexity of its information system (technologies used, architecture). Each project undergoes a personalized study of the application file to accurately adjust the quote.
-
What are the official regulations to master to pass the PASSI exam (High level)?
The framework requires future qualified auditors to have an in-depth knowledge of the national and European security regulatory framework. The official exam syllabus covers:
- Protection of national defense secrets (IGI 1300) and sensitive structures (II 901).
- The Military Programming Law (LPM) and the security of Operators of Vital Importance (OIV).
- European directives on network and information security (NIS 1 / NIS 2).
- The General Security Framework (RGS) and the General Data Protection Regulation (GDPR).
- Protection of classified information of NATO (II 2100) and the European Union (II 2102).
-
What are the modalities of the written and oral exams for High-level PASSI auditors?
Taking exams is a requirement reserved exclusively for candidates at the High qualification level.
- The written exam validates general cyber and regulatory culture.
- The oral exam lasts a minimum of 15 minutes per applied technical activity and dedicates 80% of its time to evaluating concrete skills derived from Annex 2 of the framework. In case of success, the assessment center issues an Individual Certificate of Competence (Attestation Individuelle de Compétence) valid for a maximum of 3 years.
Find out more
Why Choose LSTI?

Recognized expertise
With over twenty years of experience, LSTI supports more than 300 organisations in France and Europe as a benchmark certification body and evaluation centre, operating in the fields of cybersecurity, digital trust, and information security.

Specialized Auditors
Our auditing teams consist of seasoned professionals with deep expertise in ANSSI cybersecurity frameworks, information security management practices, and European digital trust frameworks. Their approach ensures rigorous, balanced evaluations adapted to each organisation's operational context.

Independent Third Party and Dedicated Support
Accredited by ANSSI, LSTI guarantees impartiality, transparency, and consistency throughout the entire cycle: preparation, audits, surveillance, and renewals. A dedicated point of contact ensures continuity and clarity throughout the certification journey.
Discover ou other
news




