The PASSI and PRIS qualifications are getting an update, on the one hand to align them with changes in European regulation, and on the other to make them more flexible in terms of the services provided and the context in which they are delivered.
ANSSI has just published new versions of its requirements frameworks for the qualification of Information Systems Security Audit Service Providers (PASSI, moving to version 2.3) and Security Incident Response Service Providers (PRIS, version 3.0). “The new frameworks ensure consistency with the work currently being carried out under the European regulation known as the ‘Cybersecurity Act’,” ANSSI writes in its press release.
The updated frameworks (PRIS and PASSI) are accompanied by transition notes intended for already-qualified providers (PRIS and PASSI). Note that “while these new versions now become the reference, evaluations currently underway under version 2.0 of the PASSI framework and the PRIS framework may nevertheless be continued and completed,” the agency warns.
Better adaptability to customer needs
The main change is the creation of two distinct qualification levels, “substantial” and “high”. The first provides “a first level of assurance, in particular on the competence of the service provider, the trust that can be placed in it, and its ability to protect the information and media relating to the service”. The “high” level, for its part, is aimed at entities for which cyber risks are “particularly high” or involve a “strategic threat”, and which require “reinforced assurance” regarding the quality of the service provider.
Another development common to both frameworks: ANSSI has reworked the requirements on the means to be deployed, adapting them on the one hand to the two levels, “substantial” and “high”, and on the other to the “operational constraints of the services”. Note that the regulator also introduces the concept of a “framework note” into its frameworks, defined as a “document drawn up and kept up to date by the service provider in consultation with the sponsor, specifying the terms of the service”, which removes some of the cumbersome aspects of the service agreements between qualified providers and their clients.
Finally, the PRIS framework drops the notion of scope (restricted or broad) and now covers incident response activities directly: search for indicators of compromise (REC), digital investigation (INV), malicious code analysis (CODE), and management and coordination of investigations (PCI).