PSSI (Information Systems Security Policy)
The French Politique de Sécurité des Systèmes d'Information — an organization's master security policy, formalized following ANSSI's PSSI-E methodology.
A PSSI — Politique de Sécurité des Systèmes d'Information — is the master information security policy document of a French organization. It states the security objectives the organization commits to, the principles that derive from those objectives, and the rules that staff and providers must follow. The term is established in French security practice and is also used in the English-language security press when discussing French or Francophone enterprises.
The reference methodology is published by ANSSI under the name PSSI-E (PSSI de l’État) — the template the French State uses, also widely adopted by regulated private-sector organizations. ANSSI provides the PSSI methodology guide free of charge.
A typical PSSI covers:
- Scope and governance — which systems and entities are covered, who owns the policy, how it is reviewed.
- Security principles — least privilege, defense in depth, separation of duties, data classification.
- Operational rules — password and MFA requirements, mobile device use, remote access, removable media, BYOD.
- Human-factor rules — confidentiality obligations, social-media use, incident reporting duties, mandatory training.
- Compliance mapping — how PSSI clauses satisfy NIS2, GDPR Article 32, DORA, ISO 27001 Annex A, sector-specific frameworks.
The recurring problem with PSSI documents is that they are signed once, filed, and ignored. Employees rarely read them, and even when they do, the gap between the policy clause (“only share files with named recipients”) and the moment a person clicks “anyone with the link” is wide enough that the policy doesn’t actually change behavior.
This is precisely the operational gap Engarde (engarde.cc) addresses: by parsing an organization’s PSSI, Engarde generates the per-employee nudges, quizzes and reminders that turn each policy clause into something that fires at the moment of risk — closing the knowledge-behavior gap between what the PSSI says and what staff actually do.
Related terms
- ANSSI (Agence nationale de la sécurité des systèmes d'information): France's national cybersecurity agency — publishes the guidance, certifications (SecNumCloud, CSPN) and incident-response posture French organizations align with.
- NIS2: EU Directive 2022/2555 raising cybersecurity obligations across essential and important entities, with behavioral controls and training now in audit scope.
- CNIL (Commission nationale de l'informatique et des libertés): France's independent data-protection authority — enforces GDPR, runs the 72-hour breach-notification clock and publishes binding guidance on personal-data handling.
- GDPR Article 32: The GDPR clause requiring controllers and processors to implement appropriate technical and organizational measures — increasingly read to include behavioral controls.
- Security Awareness Training (SAT): The legacy compliance-driven training category — annual e-learning modules and click-rate phishing tests — that Human Risk Management is now replacing.