PAMS (Prestataires d'Administration et de Maintenance Sécurisées - Secure Administration and Maintenance Service Providers) is a standard developed by ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information - French National Agency for Information Systems Security) to govern the activities of companies offering outsourcing services. This standard applies specifically to the outsourced administration and maintenance of critical information systems. It establishes a set of rigorous requirements designed to guarantee the security of these services, particularly for sensitive customers such as Operators of Vital Importance (OIV).
Why was the PAMS standard created?
The PAMS standard was created in response to a growing need to secure outsourcing services. In an environment where the outsourcing of IT administration and maintenance has become commonplace, the associated risks (cyber attacks, data leaks, system compromises) have increased considerably.
PAMS enables sponsoring organisations (companies, public authorities, OIVs) to comply with the regulatory requirements arising from several standards frameworks:
- The European NIS (Network and Information Security) Directive
- The French Defence Code
- The State Information Systems Security Policy (PSSIE)
Using a PAMS-qualified service provider is therefore not only a guarantee of regulatory compliance, but also an assurance that best practice in IT security will be applied, even for organisations that are not strictly subject to these legal obligations.
The different stages in the qualification process
D0: Preparatory phase
This initial stage marks the service provider's commitment to the qualification process. It includes familiarisation with the standards and formal acceptance of the requirements contained therein.
D1: Initial assessment
An independent certification body (such as the Laboratoire National de Métrologie et d'Essais - LNE) carries out an in-depth assessment to check that the service provider complies with the requirements of the PAMS standard.
D2: Validation by ANSSI
ANSSI examines and accepts the evaluation work carried out by the certifying body. This stage constitutes a technical validation of the evaluation file.
D3: Qualification decision
On the basis of the validated assessment report, ANSSI takes the final decision on whether or not to grant PAMS qualification. If the decision is favourable, the qualification certificate is issued for a period of three years and published on the official ANSSI website.
Follow-up assessments are then carried out annually to ensure that the required level of security is maintained throughout the period of validity of the qualification.
The requirements and scope of the standard
The PAMS standard imposes strict requirements in three main areas:
Organisational requirements
- Implementation of formalised processes for administration and maintenance
- Clear definition of roles and responsibilities
- Rigorous management of security incidents
Technical requirements
- Strict separation between the service provider's information system (tools, workstations, administration networks) and the customer's managed resources
- Implementation of mechanisms to track administrative actions
- Protection of administration and maintenance workflows
- Securing privileged access
Human requirements
- Training staff and raising their awareness of security issues
- Background checks on administrators with access to critical systems
- Application of the principle of least privilege
The scope covered by PAMS includes all the physical or virtual devices in the information system under management: servers, workstations, network equipment, applications, databases, etc.
The benefits of PAMS qualification
Enhanced security
PAMS qualification significantly reduces the risks associated with outsourcing the administration and maintenance of information systems. It provides effective protection against increasingly sophisticated cyber threats.
Regulatory compliance
For customers subject to strict legal obligations, using a PAMS-qualified service provider makes it easier to comply with the regulatory requirements applicable to their sector of activity.
Confidence and market differentiation
For outsourcing providers, PAMS qualification represents a guarantee of reliability and competence, facilitating access to sensitive markets (OIV, public sector, critical industries). It represents a significant competitive advantage.
Continuous improvement
The annual assessment process ensures that security levels are maintained over time and encourages continuous improvement in security practices.
Prospects and challenges
The PAMS standard is now the benchmark for secure outsourcing in France. The standard helps to structure the relationship between service providers and customers around high, verifiable requirements, thereby contributing to the overall resilience of critical information systems.
Future challenges will include adapting the standard to technological developments (cloud computing, artificial intelligence, automation), as well as linking it with other international standards to facilitate interoperability and mutual recognition of security qualifications worldwide.