
Squad certified by ANSSI as a provider of information system security audits (PASSI)


April 2, 2020

Since the first quarter of 2020, Squad has been PASSI-qualified for all five audit scopes covered by the qualification:

  • Architecture audit
  • Configuration audit
  • Source code audit
  • Penetration testing
  • Organizational and physical audit

This qualification validates Squad's legitimacy in addressing the cybersecurity needs of OIVs (Operators of Vital Importance) and recognizes the high technical level of its teams.

For Bruno Billaud, DSSI & OCS Squad, "this PASSI certification is the result of the hard work of our experts and demonstrates our teams' mastery of audit methodologies. For several months, we have been working hard to meet these very high standards, which reflect our daily commitment to cybersecurity in the service of our customers."

https://vimeo.com/403322306

The PASSI qualification

With the growing exposure of the attack surface of all types of information systems (increased dependence on information technology, enhanced connectivity, IoT, etc.), the implementation of cybersecurity strategies has become essential to the smooth running of businesses, regardless of their size or function. While approaches, methodologies, and governance frameworks may vary (ISO 27001 ISMS, NIST framework, compliance with IT hygiene rules, security certification, etc.), they all have one thing in common: the performance of security audits.

In France, a qualification has been put in place to identify audit providers whose services have been assessed and approved by ANSSI (the French National Cybersecurity Agency). This qualification is known as PASSI. But what is it, and what does it offer companies and auditors? More generally, how does it meet companies' security needs? But first of all, what is a security audit?


1. What is a Security Audit?

As the term has become widely used over the past two decades, it is worth recalling the formal definition of an audit, as set out in ISO 19011 (Guidelines for auditing management systems):

An audit is a systematic, independent, and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.

In other words, a security audit aims to collect information and evidence against predefined control points (or a set of requirements), and to evaluate that evidence in order to formalize findings and identify vulnerabilities in the information system. As conclusions, recommendations may be proposed (in the form of corrective or improvement measures), together with an overall assessment of the security level. All of this must be done in a rigorous, methodical, documented, and traceable manner.

How do you conduct a security audit?

The diagram below provides an overview of the subject through a brief example:

Of course, aspects inherent to the audit engagement itself must also be taken into account (scoping, initiation, desired methodology, perimeter of the audit, format of the conclusions, communication channels, etc.).

Conducting a security audit is therefore a process that, although simple at first glance, is actually very complex if expectations are high.

What is it for?

The objectives of a Security Audit can vary:

  • Improve the security level
    • Risk reduction
    • Identification and mitigation of vulnerabilities
    • Implementation of additional security measures
  • Periodically evaluate a company's security level in order to highlight the work accomplished.
  • Certify compliance with a standard in order to obtain a certification or qualification (ISO 27001, II 901, GDPR, etc.).

As you can see, a Security Audit can meet several needs at once.


2. The necessity of security audits

Why conduct audits?

Regardless of the cybersecurity strategy implemented, the framework remains relatively similar:

  • Say what you are going to do, and why you are going to do it.
  • Do what you said.
  • Verify that what has been done is consistent with what was said.
  • Correct the discrepancies, then start again.

It is precisely the third point that interests us here, the CHECK part of the well-known PDCA (Plan – Do – Check – Act) cycle: assessing the security level of an information system at a given moment in time, and ensuring that reality is in line with expectations. This step, as complex as it is crucial, makes security audits an essential and unavoidable activity for anyone working in cybersecurity, and even a mandatory one for some organizations.

RGS, NIS, LPM, and Security Certification

While it is strongly recommended to carry out security audits on a regular basis, these may be mandatory depending on the context of the company. The obligation may be legal, regulatory, or contractual. For example, obtaining ISO 27001 or HDS (Health Data Host) certification for business or contextual needs requires a compliance audit to ensure that the requirements are being met.

In France, there are three main types of organizations that are (virtually) required to conduct security audits:

  • Administrative Authorities (AA), bound by the General Security Reference Framework (RGS)
  • Operators of Essential Services (OES, or OSE in French), bound by the European Network and Information Security (NIS) Directive
  • Operators of Vital Importance (OIV), bound by the Military Programming Law (LPM)

These organizations are required to carry out a security certification (homologation) of their information systems, a process that involves audits (among other things) during the initial certification and then during operational monitoring. The aim is to ensure over time that the level of security and the measures in place meet the security needs and objectives of the IS, and that no risk remains that has been neither addressed nor accepted by the designated Certification Authority.

It is within this framework, and in order to ensure that the audits carried out are rigorous, methodical, and meet the security needs of the organizations being audited, that ANSSI (the French National Cybersecurity Agency) has gradually implemented the PASSI (Information Systems Security Audit Provider) qualification since 2013.

Backed by the LPM and the NIS Directive, the use of PASSI-qualified service providers has become mandatory for conducting security audits of Information Systems of Vital Importance (SIIV, belonging to OIVs) and Essential Information Systems (SIE, belonging to OES). Although the list of these operators remains confidential, France is known to have more than 200 OIVs and over a hundred OES. These requirements have therefore contributed significantly to the growth of the security audit market, at least for service providers capable of obtaining the PASSI qualification.


3. What is PASSI certification?

What is it about?

Through the PASSI qualification process, ANSSI ensures that security audits can be entrusted with confidence to companies and professionals who are competent in their field. The process is long and rigorous, and attests to a high level of know-how and expertise in auditing and cybersecurity. Obtaining the PASSI qualification is therefore not within the reach of just any company or candidate. At the time of writing, there are around fifty qualified companies, including Squad.

In addition to companies, auditors must also be qualified by passing oral and written exams (advanced skills and methodical organization are expected of them). Auditors must also demonstrate that they are constantly monitoring technological developments so that they are always up to date with the latest techniques and standards in cybersecurity. PASSI auditors are therefore experts, but also enthusiasts.

It should be noted, however, that since the spectrum of cybersecurity expertise is very broad, auditors must choose to specialize in specific areas, the scopes for which they will be qualified:

  • Organizational and physical audit
  • Architecture audit
  • Configuration audit
  • Code audit
  • Penetration testing
  • Audit Manager

This competency-based approach means that an auditor qualified (for example) in architecture and configuration audits will not be authorized to perform an organizational and physical audit. It greatly helps audited companies obtain the right skills for the right issues.

What is the benefit for audited companies?

For audited companies, a service provider's PASSI qualification is a guarantee of a trustworthy audit that meets the highest standards of quality and security. Using a PASSI provider means you can expect the most comprehensive results possible, as well as the assurance that the data collected will not be used for malicious purposes (whether intentionally or through negligence). In addition to a rigorous methodology and up-to-date skills, PASSI providers must implement internal protection measures for the information system that processes the data of audited companies (at the restricted distribution, "Diffusion Restreinte", level). This is an undeniable additional security guarantee: if an ordinary (non-PASSI) service provider collects and stores particularly sensitive information about the audited company, and that information is not properly handled or stored after the audit, the service provider itself can easily become an attack vector. It should be noted that ANSSI is particularly concerned about attacks targeting service providers.

What is the benefit for service providers (companies and auditors)?

Finally, for audit providers applying for PASSI qualification, although the qualification "only" attests to existing expertise rather than skills being acquired, the qualification process contributes to (significantly) raising their maturity in auditing: structuring the methodology, predefining generic control points, using common tools and methods, improving processes over time. Gone are the days of audits whose results vary from one auditor to another: the methodology is formal, rigorous, and requires a thorough mastery of the subject matter. This work of harmonizing expertise is therefore extremely beneficial and structuring, both for companies and for auditors.

Last but not least, for provider companies there is also a booming market. More than 300 sensitive operators are required to use qualified services, while there are only around 50 qualified providers. And that is not counting all the other organizations that rely on the qualification to select a trusted partner to whom they can entrust audit assignments... or not! This is perhaps one of the greatest strengths of the qualification, which has become a true benchmark in the field and is increasingly demanded of any company operating in cybersecurity, beyond audit assignments alone. It is therefore a powerful business driver, in addition to contributing significantly to raising the overall level of cybersecurity in the French-speaking world.


External links

ANSSI requirements for IS security audit providers (PASSI), on ssi.gouv.fr:

https://www.ssi.gouv.fr/administration/qualifications/prestataires-de-services-de-confiance-qualifies/referentiels-exigences/#referentiel-passi

https://www.ssi.gouv.fr/uploads/2014/12/PASSI_referentiel-exigences_v2.1.pdf

List of qualified IS security audit providers (PASSI), on ssi.gouv.fr:

https://www.ssi.gouv.fr/administration/qualifications/prestataires-de-services-de-confiance-qualifies/prestataires-daudit-de-la-securite-des-systemes-dinformation-passi-qualifies/

https://www.ssi.gouv.fr/liste-produits-et-services-qualifies