PASSI certified audit

Carry out a PASSI certified audit by our experts

Ziwit Consultancy Service for your manual audits and pentests

A PASSI audit is an information systems security audit carried out by a service provider qualified by the National Information Systems Security Agency (ANSSI). This qualification attests to the competence and reliability of the service provider, as well as the quality of the audits it carries out.

Choose Ziwit to carry out your PASSI Audit

Ziwit is a French group specializing in cybersecurity. It has a team of qualified and experienced experts who carry out PASSI audits.

Ziwit’s expertise

Ziwit has recognized expertise in many areas of cybersecurity, including:

Security architecture

Security architecture is the set of elements that contribute to the security of information systems.

Ziwit can assess the consistency of an organization's security architecture, ensure it meets security requirements, and identify potential vulnerabilities.

For example, Ziwit can identify flaws in an organization's security architecture, such as insufficient network segmentation, inappropriate use of privileges, or lack of vulnerability management.

Security policies and procedures

Security policies and procedures are documents that define the security rules and good practices to be respected.

Ziwit can assess the effectiveness of an organization's security policies and procedures, ensure they are implemented consistently, and identify any gaps.

For example, Ziwit can identify gaps in an organization's security policies and procedures, such as a lack of a password policy, an inadequate backup policy, or a lack of a business continuity plan.

Security controls

Security controls are technical or organizational measures put in place to protect information systems.

Ziwit can assess the effectiveness of an organization's security controls, ensure they are implemented correctly, and identify any weaknesses.

For example, Ziwit can identify weaknesses in an organization's security controls, such as a lack of firewalls, inappropriate use of antivirus, or lack of access management.

Vulnerabilities of systems and applications

Vulnerabilities are flaws in systems or applications that can be exploited by attackers to compromise security.

Ziwit can identify potential vulnerabilities in an organization's systems and applications, and assess their severity.

For example, Ziwit can identify vulnerabilities in an organization's systems and applications, such as a software flaw, an operating system flaw, or a database flaw.

Compliance with PASSI qualification

Ziwit is PASSI qualified by ANSSI, which attests to its competence and reliability. The group is committed to:

  • Comply with ANSSI requirements when carrying out its audits.
  • Use an audit methodology that complies with ANSSI requirements.
  • Have a team of qualified and experienced experts.
  • Provide a complete and objective audit report.

Adaptation to the needs of organizations

The Ziwit group offers PASSI audits adapted to the needs of organizations, whatever their size or activity. It is committed to providing a quality audit, in accordance with the organization's requirements.

Ziwit can tailor the scope of the audit to the needs of the organization, and can provide organization-specific recommendations.

Commitment to providing a quality audit

Ziwit is committed to providing a quality audit, compliant with ANSSI requirements, relying on a proven methodology and a team of qualified and experienced experts.

The French group can provide a guarantee of the quality of its audit, and can offer monitoring of the audit after its completion.

The advantages of a PASSI Audit

An objective assessment of information systems security

PASSI audits are carried out by qualified and experienced professionals, who use proven methodologies. They allow organizations to have an objective assessment of their level of security, and to take the necessary corrective measures to improve it.

Identifying vulnerabilities and risks

PASSI audits make it possible to identify vulnerabilities and security risks in information systems. This information is valuable to organizations, which can then take steps to mitigate or eliminate them.

Implementation of corrective measures

PASSI audits result in an audit report which contains recommendations for corrective measures. These measures can be implemented by organizations to improve their information systems security.

Improved risk management

PASSI audits make it possible to identify the security risks to which organizations are exposed. By analyzing them, organizations can better manage them and implement effective mitigation measures.

Compliance with regulatory requirements

PASSI audits are mandatory for organizations covered by the ANSSI General Safety Regulations (RGS). This regulation applies to public bodies, private companies and associations whose activities are likely to harm national security.

By carrying out this type of audit, organizations can demonstrate that they comply with the requirements of the RGS.

Reduced risk of cyberattacks

PASSI audits help identify vulnerabilities and security risks. By correcting or mitigating them, organizations can reduce the risk of cyberattacks.

A cyberattack can have serious consequences for an organization, such as loss of data, business disruption, or damage costs.

Reduced security costs

By avoiding cyberattacks and their consequences, organizations can reduce security costs. A cyberattack can result in significant costs, such as damage repair costs, data loss costs, and the costs of communicating about the attack.

Improved customer and partner trust

PASSI audits can help improve customer and partner confidence, by demonstrating that the organization takes security seriously. Customers and partners may be more inclined to do business with an organization that has effective security measures in place.

How does a PASSI audit take place?

The conduct of a PASSI audit is defined by the ANSSI requirements framework. It consists of four main phases:

Phase 1: Initialization

Phase 1 of a PASSI audit is a crucial step that helps define the foundations of the audit and guarantee its success. It consists of four main activities:

Initialization meeting

This meeting allows representatives of the organization and the service provider to meet and discuss the objectives, scope and expectations of the audit.

During this meeting, the stakeholders:

  • Ensure that everyone has a common understanding of the audit objectives.
  • Discuss the scope of the audit, i.e. the information systems that will be audited.
  • Agree on the organization's audit expectations, such as schedule, budget and recommendations.

Gathering preliminary information

The audit provider collects preliminary information about the organization, such as its activities, structures, information systems and security policies.

This collection of information allows the audit service provider to:

  • Become familiar with the organization.
  • Better understand its context.
  • Identify potential risks and vulnerabilities that will be examined during the assessment phase.

Establishment of an audit agreement

The audit agreement is a legal document that specifies the terms of the audit, such as the objectives, scope, timetable, budget and responsibilities of the parties.

The agreement is important to ensure that both parties agree on the terms of the audit. It also helps prevent conflicts or misunderstandings.

Audit planning

The service provider develops an audit plan detailing the specific activities to be carried out, the methods and tools to be used.

The plan is an important document that allows the audit service provider to prepare effectively for the audit. It also helps ensure that the audit is conducted effectively and efficiently.

Phase 2: Evaluation

Phase 2 of a PASSI audit is a crucial step which makes it possible to identify risks and security vulnerabilities in information systems. It consists of three main activities:

Document analysis

The audit provider analyzes the organization's documents, such as security policies, business continuity plans and contracts with service providers.

During this analysis, the service provider is interested in several aspects of security policies, in particular:

  • Compliance with current standards and regulations.
  • Suitability for the needs of the organization.
  • Consistency between the different policies.
  • Effective implementation of policies.

The provider may also identify potential vulnerabilities in security policies, for example policies that:

  • Do not comply with current standards and regulations.
  • Do not meet the needs of the organization.
  • Are contradictory or inconsistent.
  • Are not effectively implemented.

Interviews with employees

The audit service provider carries out interviews with the organization's employees to gather their perception of security.

During these interviews, the audit service provider focuses on several aspects of security, including:

  • Employee security awareness.
  • Employee behaviors regarding security.
  • The difficulties encountered by employees in terms of security.

The audit service provider can identify risks linked to employee behavior, for example:

  • Insufficient security awareness among employees.
  • Risky employee behaviors, such as connecting to unsecured public Wi-Fi networks or keeping sensitive data on personal devices.
  • Difficulties encountered by employees in applying security policies, for example due to a lack of training or tools.

Technical tests

The service provider may perform technical tests, such as penetration tests or vulnerability tests, to identify security vulnerabilities.

During these tests, the service provider attempts to simulate a computer attack to test the resistance of information systems to attacks. It can identify security vulnerabilities in information systems, for example:

  • Information system configuration flaws.
  • Software vulnerabilities.
  • Hardware vulnerabilities.

Phase 2 of a PASSI audit is an essential step which makes it possible to identify risks and security vulnerabilities in information systems.

Phase 3: Report

Phase 3 of a PASSI audit involves writing an audit report that presents the results of the assessment. This report contains recommendations to improve the security of the organization.

The audit report must be clear, concise and objective. It must contain the following information:

Introduction

The introduction presents the audit and its objectives. In particular, it must include the following information:

  • The audited organization.
  • The scope of the audit.
  • The objectives of the audit.
  • The methods and tools used.

Presentation of the results

This section presents the risks and security vulnerabilities identified during the assessment. In particular, it must include the following information:

  • The nature of risks and vulnerabilities.
  • The potential impacts of risks and vulnerabilities.
  • Evidence supporting risks and vulnerabilities.

Recommendations

This section presents recommendations to improve the security of the organization. In particular, it must include the following information:

  • Actions to take to correct risks and flaws.
  • The priorities of the actions to be carried out.
  • The resources necessary to carry out the actions.

Recommendations must be realistic and achievable. They must be adapted to the needs and priorities of the organization.

Recommendations may cover different aspects of security, including:

  • Security policies and procedures: Recommendations may relate to updating or creating new security policies and procedures. For example, a PASSI audit may recommend that an organization update its password policy to require longer and more complex passwords.
  • Raising employee security awareness: Recommendations may relate to the implementation of security training or awareness raising. For example, a PASSI audit may recommend that an organization implement training on phishing risks.
  • Configuration of information systems: Recommendations may relate to the implementation of security controls on information systems. For example, a PASSI audit may recommend that an organization disable unnecessary ports on its servers.
  • Software updating: Recommendations may relate to updating software to correct known vulnerabilities. For example, a PASSI audit may recommend that an organization update its firewall software to correct a known vulnerability.

Conclusion

The conclusion summarizes the main findings of the audit. In particular, it must include the following information:

  • The main risks and vulnerabilities identified.
  • The most important recommendations.

Phase 4: Monitoring

Phase 4 of an audit consists of:

  • Following up on the audit recommendations.
  • Evaluating their implementation.
  • Providing assistance to the organization to improve its security.

Follow-up on recommendations

Monitoring recommendations is an essential activity in phase 4. It ensures that recommendations are implemented correctly and on time.

The provider can follow up on the recommendations in different ways, including:

  • Meet those responsible for the actions to ensure that they are being implemented.
  • Request progress reports on the implementation of actions.
  • Perform compliance testing to verify that recommendations have been implemented.

Implementation evaluation

Evaluating the implementation of recommendations ensures that they have a positive impact on the security of the organization.

The audit provider can assess the implementation of the recommendations in different ways, including:

  • Measure the effectiveness of the security measures implemented.
  • Evaluate the level of residual risk.

Assistance to the organization

The audit service provider can provide assistance to the organization to improve its security, in particular by implementing security training for employees or helping to update information systems.

Additional tracking

Here are some additional examples of activities that the audit service provider can carry out during phase 4 of a PASSI audit:

  • Carry out follow-up audits to verify that recommendations are still implemented.
  • Provide advice to the organization to continuously improve its security.

Request a PASSI Audit

Carry out a PASSI Audit adapted to your problem and your needs thanks to our team of IT security experts.

Your satisfaction and security are our priorities. Contact us


+33 1 85 09 15 09