PolicyForge
By Vyrhak SATH · Founder, NAGASHIELD SECURITY · 9 min read

ISO 27001 certification in France: 2022 transition, COFRAC bodies and the ANSSI ecosystem

Getting ISO 27001-certified in France in 2026: why every certificate is now ISO 27001:2022 (the 2013 edition expired on 31 October 2025), how COFRAC-accredited certification works, and how the standard connects to ANSSI’s ReCyF, HDS and SecNumCloud.

Every valid certificate is now ISO 27001:2022

The three-year transition from ISO 27001:2013 ended on 31 October 2025: since that date, 2013-edition certificates are invalid. Any organisation certifying today does so against ISO/IEC 27001:2022 and its 93 Annex A controls — including the 2022 additions such as threat intelligence, cloud security and data leakage prevention. If a supplier shows you a 2013 certificate in 2026, it has lapsed.

How certification works in France

Certification is delivered by accredited certification bodies — in France, accreditation comes from COFRAC (or an equivalent European accreditor). The process itself is the same everywhere: a Stage 1 audit (documentation review), a Stage 2 audit (on-site verification that the ISMS actually runs), then a certificate valid three years with annual surveillance audits and a recertification cycle. What auditors want first is the documentary core: scope, information security policy, risk assessment and treatment, Statement of Applicability, and the topic-specific policies your SoA declares.

Where ISO 27001 sits in the French ecosystem

France layers its own schemes on top of, or alongside, ISO 27001:

| Scheme | Relationship to ISO 27001 | Who needs it |
|---|---|---|
| ISO 27001 | The base management-system certification | Any organisation selling to enterprises, or building trust |
| HDS | Builds on ISO 27001 (plus ISO 20000-1 and health-specific rules) | Hosts of French personal health data |
| SecNumCloud | Separate ANSSI qualification with its own requirements | Cloud providers targeting the French public sector and OIV/OSE |
| ReCyF (NIS2) | ANSSI framework; an ISO 27001 ISMS covers most of its 20 objectives | Entities preparing for NIS2 |

Two practical consequences. First, ISO 27001 is the best common denominator: the same ISMS feeds HDS, NIS2/ReCyF preparation and enterprise due diligence. Second, ANSSI’s free publications (hygiene guide, ReCyF) make excellent French-language implementation references for Annex A controls.

A realistic path for a French SME

  1. Scope tightly — one product, one platform team; you can extend later.
  2. Run the risk assessment and derive your Statement of Applicability.
  3. Generate and tailor the documentary core — the compressible part of the project.
  4. Operate for a few weeks (access reviews, incident drill, internal audit, management review) to produce evidence.
  5. Pick a COFRAC-accredited body and schedule Stage 1/Stage 2.

How PolicyForge helps

PolicyForge generates the ISO 27001:2022-aligned documentary core — the top-level policy and the topic-specific policies your SoA declares — bilingual, versioned, with approval blocks.

Frequently asked questions

Is ISO 27001:2013 still valid in 2026?

No. The transition period ended on 31 October 2025; since then, certificates issued against the 2013 edition are invalid. All new and maintained certifications reference ISO/IEC 27001:2022 and its 93 Annex A controls.

Who delivers ISO 27001 certification in France?

Accredited certification bodies — in France, accredited by COFRAC or an equivalent European accreditor. The certificate follows a Stage 1 (documentation) and Stage 2 (on-site) audit, is valid three years, and is maintained through annual surveillance audits.

Does ISO 27001 cover NIS2 in France?

Largely. An ISO 27001 ISMS covers most of the measures expected by NIS2 Article 21 and by ANSSI’s ReCyF framework, which shares the same governance-risk-controls logic. Entities certified to ISO 27001 mainly need to add the NIS2-specific elements, such as the 24h/72h incident notification path and registration with ANSSI.

What is the difference between ISO 27001, HDS and SecNumCloud?

ISO 27001 is the international, certifiable ISMS standard. HDS is the French certification required to host personal health data, built on ISO 27001 plus ISO 20000-1 and health-specific requirements. SecNumCloud is ANSSI’s cloud qualification with its own, stricter requirements, aimed at providers serving the French public sector and critical operators.