PASSI qualification: Become a security audit provider

LSTI is the 1st historical certification body to assess companies for PASSI qualification. PASSI qualification is part of ANSSI's General Security Regulations (RGS). It is aimed at all types of companies carrying out technical audits on their own behalf or on behalf of their customers.

What is it?

PASSI (Prestataire d'Audit de la Sécurité des Systèmes d'Information) is a qualification established within the framework of ANSSI's Référentiel Général de Sécurité (RGS). Its aim is to guarantee the competence, impartiality and reliability of companies carrying out technical security audits. LSTI Certification is authorized to issue this qualification, after verifying that the service provider complies with strict requirements. These cover five audit areas (organization and physical, architecture, configuration, penetration testing, and code), auditor competence (validated by examinations), audit process security, and protection of sensitive information (up to Restricted Diffusion level). PASSI qualification is an essential indicator of confidence for public and private organizations, particularly those subject to stringent regulatory requirements.

What are the challenges of PASSI certification?

Using a PASSI-qualified service provider from LSTI Certification offers decisive advantages for the security of your IS:

Impartiality and confidence : The assurance of an audit conducted impartially and independently, meeting the highest ANSSI requirements.
Veteran expertise: Guarantee that auditors have the technical and methodological skills validated by rigorous examinations.
Audit Data Security: Commitment by the service provider to apply information protection measures (Restricted Diffusion level) for the sensitive data collected.
Quality of deliverables : Clear, usable audit reports, based on rigorous audit processes and recognized methods.
Full technical coverage: Choice of qualified service providers for the various types of audit required (penetration tests, code audits, etc.).
RGS compliance: Demonstration of security due diligence, essential for organizations subject to RGS or seeking a high level of cybersecurity.

How does PASSI certification work?

It is aimed at all types of companies carrying out technical audits on their own behalf or on behalf of their customers.

There are 5 types of technical audit:

Organization and physical audit
Architecture audit
Configuration audit
Intrusion testing
Code audit

The service provider can choose which activities to qualify.

Qualification attests to the service provider's compliance with :

contractual aspects, legislation and regulations, and impartiality
Protection of information (at the Restricted Distribution level)
Quality and security requirements for its audit processes
The competence of its auditors for qualified activities.

The first two requirements are verified during on-site audits, the third by passing written and oral exams.

Qualification is issued by LSTI for three years, subject to the completion of surveillance audits 18 months after initial qualification or renewal. Auditors must also pass written and oral examinations every 3 years.

Qualified service providers are listed on our search engine, as well as on theANSSI list.

Request a quote

Why choose LSTI?

Recognized expertise

With over twenty years' experience, LSTI supports more than 300 organizations in France and Europe as a leading certification body and assessment center, operating in the fields of cybersecurity, digital trust and information security.

Specialized auditors

Our teams of auditors are made up of experienced professionals who are fully conversant with ANSSI cybersecurity guidelines, information security management practices and European digital trust frameworks. Their approach guarantees assessments that are demanding, balanced and adapted to the operational contexts of each organization.

Independent third party and dedicated support

LSTI guarantees impartiality, transparency and consistency throughout the entire cycle: preparation, audits, surveillance and renewals. A dedicated contact ensures continuity and clarity throughout the certification process.