SecNumCloud Support

Support for the SecNumCloud qualification of the ANSSI

The SecNumCloud qualification aims to promote and enhance trusted service providers offering cloud services to public and private entities. It is part of the French strategy for a trusted cloud.
The associated SecNumCloud repository aims at a high level of security, to create trust above all on the Cloud service.

Benefits of qualifying your SaaS, PaaS, IaaS, CaaS offerings:
  • guarantee your customers a high level of security and compliance with good security practices, both technical and organizational;
  • guarantee that the data will be hosted on servers located in Europe, thus protecting against the American Cloud Act;
  • ensure compliance at the European level with the highest level of the Cybersecurity Act, adopted by the European Union in 2019;
  • access tenders from strategic players that require SecNumCloud qualification;
  • differentiate yourself from other unqualified cloud service providers and add value to your offering.

AlgoSecure offers to accompany companies towards SecNumCloud qualification.

The advantages of AlgoSecure's support for SecNumCloud qualification

  • Complete support with a proven methodology
  • Organizational and technical expertise
  • A mastery of the SecNumCloud repository


The SecNumCloud repository

The ANSSI has published a set of requirements for the SecNumCloud qualification. This repository is structured with the same chapters as the ISO 27002:2013 standard included in Annex A of the ISO 27001:2013 standard.

Some prerequisites apply; they mainly concern the location of the data.

  • The hosted service data and technical data must be hosted and processed within the European Union;
  • Administration, supervision and support operations must be carried out from the European Union, and with a dedicated infrastructure;
  • The registered office of the cloud service provider must be established in the European Union, and requirements on the company's share capital are also mentioned.

The SecNumCloud repository includes recommendations and best practices for security management, identity and access management... It also includes recommendations for the use of cloud services, depending on the classification levels of the processed data.

It is broken down into several security levels, ranging from basic for public data to very high for sensitive data and defense systems. The recommendations for each security level are adapted to the specificities of cloud services.

As soon as a large part of the measures specified in the SecNumCloud requirements repository is met, a request for qualification from the ANSSI can be initiated.

Qualification process steps

  • Step 1: Filing the application to find out if the service is eligible for qualification.
  • Step 2: Compliance with the SecNumCloud repository.
  • Step 3: Selection of the ANSSI-qualified "qualifying" organization and carrying out the audit (documentary and on-site audit).
  • Step 4: Auditor's report sent to ANSSI for verification.
  • Step 5: ANSSI gives its qualification agreement for a period of 3 years.

Assistance to obtain the SecNumCloud qualification

AlgoSecure offers to assist you in obtaining the SecNumCloud qualification with the following services:

  • Performing a SecNumCloud maturity audit: this SecNumCloud compliance assessment allows you to evaluate the gaps in your security level in relation to the standard and establish a project plan until qualification;
  • Security expertise for the remediation of the standard: implementation of security measures allowing you to comply with the requirements of the standard;
  • Technical and organizational audits required by the standard, as a PASSI qualified provider.

Example of support by AlgoSecure

AlgoSecure assisted a customer who wanted to qualify one of its SaaS services as SecNumCloud. For this, an audit of compliance with the SecNumCloud repository and a roadmap to qualify its SecNumCloud service were established, like the compliance audits that we conduct for ISO 27001 certification.

[Figure: SecNumCloud compliance status]

[Figure: SecNumCloud qualification project plan]


The qualification is valid for a period of 3 years, with follow-up through annual surveillance audits. At the end of the 3 years, the provider can ask for the renewal of the qualification.

Are you interested in SecNumCloud qualification and would you like to be assisted in setting up the SecNumCloud repository? Let's talk together.

FAQ

We observe an average time of 12 to 18 months to comply with the standard and obtain the qualification. This estimate takes into account the time dedicated to the qualification project and the human resources allocated. The timeframe will also vary depending on your current level of cybersecurity maturity. For example, having a cloud service already qualified to the ISO 27001 standard will be a good step forward to start the SecNumCloud qualification process.

As part of the France 2030 plan, grants are offered in priority to SMEs wishing to market a qualified SecNumCloud PaaS or SaaS offer within the next two years.

These aids are presented in the form of four modules:

| Module | Description of the module | Amount of assistance |
|---|---|---|
| Module 1: Initial audit | Evaluation of SecNumCloud qualification deviations, and measurement of the cyber level | 40 K€ |
| Module 2: Transformation formula | Implementation of concrete actions based on the ANSSI's hygiene guide, and allowing to prepare the qualification process | 60 K€ |
| Module 3: Compliance formula | For mature players or those exiting the "transformation" formula, to support compliance with the requirements of the standard | 40 K€ |
| Module 4: Qualification assistance | Qualification process, respect and application of the rules of reference | 40 K€ |

An application file must be submitted to ANSSI, presenting the project to qualify the offer. To obtain this aid, an application must be submitted via a one-stop shop accessible on the Bpifrance website before July 19, 2023.

This date corresponds to a second changeover and a budget of 3.5 M€ is allocated for this changeover. For the first changeover in February 2023, 21 projects were selected from about 40 applications.
