SecNumCloud qualification: what is it?

But what exactly is it, and who is it aimed at?

The SecNumCloud qualification is issued by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) on the basis of a documentary assessment followed by an on-site audit carried out by auditors authorized by the ANSSI and approved by LSTI.

The requirements repository used is an evolution of the Secure Cloud label published in 2016. It was modified in 2018 to comply with the RGPD.

So what are the differences with ISO/CEI 27001 certification?

This qualification is awarded by ANSSI after a documentary assessment and then an on-site audit. It is aimed at all types of companies providing cloud computing services on their own behalf or on behalf of their customers. It can be issued for IaaS (Infrastructure as a Service), SaaS (Service as a Service) and PaaS (Platform as a Service) services.

The assessment criteria, which are of a high level in terms of security requirements, include best security practices, personnel authorization rules, and security requirements for premises, processes and networks.

Qualification is granted for a maximum of three years, with annual surveillance audits. Last autumn, version 3.2.a of the standard was published on their website, for September 2021. These changes are seen as major, with the addition of CaaS (Container as a Service) companies, and the question of immunity to extra-EU laws.
The final version 3.2 was published on March 9, 2022 on the ANSSI website.

Find out more on our dedicated page and on the ANSSI website, or contact us with the subject "information certification d'entreprise", specifying SecNumCloud qualification in your message.