SMSI Guide: What It Is and How to Implement It in 2026
2026-03-24
By Orbiq Team


SMSI (Système de Management de la Sécurité de l'Information) explained: the French term for ISMS, ISO 27001 requirements, step-by-step implementation, costs, and French market context.



SMSI (Système de Management de la Sécurité de l'Information) is the French abbreviation for ISMS (Information Security Management System). Whether you encounter this term in a French procurement questionnaire, an ANSSI recommendation, or a NIS2 compliance framework, it refers to the same internationally recognized structure: the systematic framework certified by ISO/IEC 27001.

This guide covers the SMSI from first principles: what it is, how it works, the 8 core components auditors check, how to implement it step by step, what it costs in the French market in 2026, and the hard truths that most SMSI guides omit.

In 2025, ANSSI processed 1,366 cybersecurity incidents — historically high, with 128 ransomware compromises and 196 data exfiltration incidents [¹]. Organizations that manage information security systematically through an SMSI recover faster, spend less on incidents, and win more enterprise deals.


Key Takeaways

  • SMSI is the French acronym for ISMS — the systematic framework for managing information security, built on three pillars: Confidentiality, Integrity, Availability (CIA triad).
  • ISO/IEC 27001:2022 is the international standard: 93 controls across 4 categories (reduced from 114 controls in the 2013 version).
  • ANSSI explicitly recommends ISO 27001 as the reference framework for demonstrating NIS2 compliance in France [²].
  • Costs in France: €50,000–€100,000 Year 1 for an SME with 50–200 employees, including COFRAC-accredited certification [³].
  • Timeline: 6–12 months for a well-scoped implementation.
  • NIS2, DORA, and RGPD all align to SMSI components — one certification satisfies multiple regulatory requirements simultaneously.

What Is an SMSI?

An SMSI (Système de Management de la Sécurité de l'Information) is a systematic framework of policies, processes, and controls that allows an organization to manage information security risks in a structured, measurable, and continuously improving way.

It is not software you install or a document you write once. It is a management system — the same kind of systematic approach as a quality management system (ISO 9001) or an environmental management system (ISO 14001). It is designed to operate continuously and improve over time.

The Three Pillars: CIA Triad

Every SMSI is built on three fundamental properties of information:

Pillar          | Definition                                               | Example threat
Confidentiality | Only authorized persons access information               | Data exfiltration by an external attacker
Integrity       | Data cannot be altered or deleted without authorization  | Fraudulent modification of financial records
Availability    | Information is accessible when the organization needs it | Ransomware rendering systems inaccessible

SMSI vs. ISO 27001: The Key Distinction

The most frequent source of confusion: treating SMSI and ISO 27001 as the same thing.

The SMSI is the system — the framework of policies, processes, risk assessments, and controls your organization implements.

ISO 27001 is the standard that certifies that system — it defines the minimum requirements an SMSI must meet to be certifiable.

You can have an SMSI without ISO 27001 certification. But you cannot be ISO 27001 certified without an SMSI. The certificate is external proof that your SMSI meets internationally recognized requirements.


How an SMSI Works: The PDCA Cycle

Every SMSI operates on the PDCA cycle (Plan-Do-Check-Act), the same continuous improvement principle used in ISO 9001 and ISO 14001.

Plan

  • Define the SMSI scope — which systems, processes, locations, and data types are included
  • Establish the information security policy approved by top management
  • Conduct a risk assessment — identify information assets, threats, vulnerabilities, and impacts
  • Select controls to treat identified risks
  • Create the Statement of Applicability (SoA / Déclaration d'Applicabilité in French) — the central SMSI document

Do

  • Implement selected controls — technical and organizational
  • Deploy policies and procedures
  • Train and raise awareness among staff
  • Establish incident management and business continuity processes
  • Begin systematic evidence collection

Check

  • Monitor control effectiveness against defined metrics and KPIs
  • Conduct internal audits
  • Hold management reviews
  • Track incidents, near-misses, and security metrics

Act

  • Address audit findings and non-conformities through corrective actions
  • Update risk assessments when the environment changes
  • Optimize underperforming controls
  • Feed lessons learned back into the Plan phase

This cycle never stops — the SMSI is never "finished." Each iteration produces a higher level of security maturity.


The 8 Core SMSI Components

1. Information Security Policy

The top-level governance document formalizing the organization's commitment to information security. It must:

  • Define security objectives aligned with business strategy
  • Assign roles and responsibilities for security
  • Specify the risk appetite and tolerance thresholds
  • Commit to continual improvement
  • Be approved by top management and communicated to all staff

Without a management-approved policy, auditors have no foundation on which to anchor control verification.

2. Risk Assessment and Treatment

The systematic process of identifying, analyzing, and treating information security risks. ISO 27001 does not mandate a specific methodology — the organization chooses its approach — but it must be consistent, repeatable, and documented.

The four risk treatment options:

Treatment | Definition                                        | When to apply
Reduce    | Implement controls to lower likelihood or impact  | High-risk items where residual risk becomes acceptable
Accept    | Formally accept the residual risk                 | Low-risk items where treatment cost exceeds benefit
Transfer  | Insurance, outsourcing, contractual liability     | Risks better managed by a third party
Avoid     | Eliminate the risk source entirely                | Risks where the activity itself is not worth the exposure

3. Statement of Applicability (SoA / Déclaration d'Applicabilité)

One of the most important SMSI documents. The SoA lists all 93 ISO 27001:2022 Annex A controls and states for each:

  • Whether it is implemented or excluded
  • The justification linking each included control to identified risks
  • The implementation status

The SoA is the document auditors use to verify that control coverage is logically connected to the risk assessment — not just a generic checklist.

4. Security Controls

ISO 27001:2022 organizes 93 controls into four categories:

Category       | Controls    | Examples
Organizational | 37 controls | Policies, roles, asset management, supplier security, incident management, threat intelligence
People         | 8 controls  | Background screening, security awareness training, disciplinary process, remote working
Physical       | 14 controls | Physical security perimeters, equipment protection, clean desk policy, storage media
Technological  | 34 controls | Access control, encryption, logging, network security, secure development, data leakage prevention, cloud security

The 2022 revision added 11 new controls covering modern threats: threat intelligence, cloud services security, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, web filtering, secure coding, and monitoring activities.

5. Documentation and Records

An SMSI requires documented evidence of its operation:

Mandatory documents (decisions made):

  • SMSI scope document
  • Information security policy
  • Risk assessment methodology
  • Risk register
  • Statement of Applicability
  • Risk treatment plan

Mandatory records (evidence of what was done):

  • Security training records
  • Monitoring results and measurements
  • Internal audit programs and results
  • Management review minutes
  • Corrective action records
  • Evidence of control operation

Poor documentation is the #1 reason organizations fail their Stage 1 audit.

6. Internal Audit

Regular assessment of SMSI conformance and effectiveness. Internal audits must cover all SMSI processes and controls over a defined cycle (typically annual), be conducted independently, produce documented findings, and feed into the management review.

7. Management Review

Periodic review by top management — minimum annually — to ensure the SMSI remains fit for purpose. Reviews must address: audit results, security KPIs, corrective action status, feedback from interested parties, and organizational changes.

8. Continual Improvement

The SMSI must demonstrate ongoing improvement through corrective actions, preventive measures, process optimization based on monitoring data, and updates reflecting changing threats, regulatory requirements, and business context.


SMSI vs. Other Frameworks

Framework | Nature                              | Certification                           | Best for                             | Relationship to SMSI
ISO 27001 | International SMSI standard         | Yes — COFRAC-accredited body (France)   | B2B companies, international sales   | IS the SMSI standard
SOC 2     | US audit report                     | Yes — CPA firm                          | SaaS companies targeting US market   | Maps to SMSI components
RGPD      | EU data protection regulation       | No — CNIL enforcement                   | Any EU data processor                | SMSI controls satisfy Art. 32 RGPD
NIS2      | EU network security directive       | No — ANSSI enforcement                  | Essential/important entities in EU   | Art. 21 NIS2 aligns with SMSI measures
DORA      | EU financial resilience regulation  | No — financial regulator                | EU financial sector                  | ICT risk management maps to SMSI

The key insight: a well-designed ISO 27001 SMSI simultaneously satisfies most requirements across NIS2 Article 21, DORA ICT risk management, and RGPD Article 32. The same access control policy satisfies ISO 27001 A.5.15, NIS2 Article 21(2)(i), and RGPD Article 32. Multi-framework compliance is one SMSI with multiple regulatory outputs.


Who Needs an SMSI?

Highest urgency

NIS2 essential and important entities: The NIS2 directive imposes risk management measures on thousands of French companies across 18 sectors. France's transposition bill (loi relative à la résilience des infrastructures critiques) was adopted by the Senate in March 2025 and is expected to be promulgated in 2026 [²]. ANSSI explicitly recommends ISO 27001 as the demonstration framework. Without a structured SMSI, demonstrating NIS2 compliance is practically impossible.

B2B SaaS and cloud providers: Enterprise buyers — French CAC 40 companies, ETIs, public administrations — now require ISO 27001 as a standard pre-condition for procurement and contract renewal.

Fintech and financial sector: DORA makes ICT risk management (functionally an SMSI) mandatory for EU financial entities.

Health sector: RGPD Article 32 requires "appropriate technical and organisational measures" — an ISO 27001-certified SMSI is the most defensible demonstration to the CNIL.

Growing urgency

  • Government contractors and public sector suppliers — EU procurement increasingly requires ISO 27001 as baseline
  • Manufacturing with IT/OT convergence — connected industrial environments creating new systematic risk management requirements
  • Law firms and consulting practices — enterprise clients increasingly reject suppliers without formal security frameworks

How to Implement an SMSI: 8-Step Guide

Step 1: Define Scope and Objectives (Weeks 1–2)

SMSI scope determines what is in and out of the certification boundary. Start with a focused scope — a specific product, service, or business unit. Define formally: which systems, processes, physical locations, and organizational units are included. Document the rationale — auditors will ask why you drew the boundaries where you did.

Step 2: Secure Management Commitment (Weeks 2–3)

Without executive sponsorship, SMSI projects stall. You need: a named executive sponsor (ideally CISO or CTO with board visibility), allocated budget, an approved information security policy, a defined risk appetite, and a security governance structure.

Step 3: Asset Inventory and Risk Assessment (Weeks 3–8)

Asset inventory: information assets, IT assets, people, physical assets.

Risk assessment: identify threats (ransomware, insider threat, accidental disclosure, supply chain attack), vulnerabilities, likelihood and impact.

Risk treatment: for each risk, decide to reduce, accept, transfer, or avoid. Document decisions and map mitigating controls to ISO 27001 Annex A.

Step 4: Create the Statement of Applicability (Weeks 8–10)

Review all 93 ISO 27001:2022 Annex A controls. Include controls justified by identified risks. Exclude controls genuinely not applicable (document the justification). The SoA is a living document.
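Steps 3 and 4 produce two artifacts that auditors read side by side: the risk register and the SoA. The check below is an added example written for this guide, not Orbiq's product code and not an official ISO 27001 artifact. It encodes the linkage rules described above (every "reduce" decision maps to an included control, every exclusion carries a justification, accepted risks stay within the stated appetite) plus the guide's later warning that excluding monitoring activities (A.8.16) is hard to justify when logging is in place. The record layout, the 1–3 likelihood/impact scale, the appetite threshold of 4 and the dependency rule are assumptions; the sample risks and SoA entries are constructed. Control titles are paraphrased from Annex A.

```python
# Added example: consistency check between a risk register and a Statement of
# Applicability. Illustrative code for this guide, not Orbiq's code nor an
# official ISO 27001 artifact. Scales, threshold, dependency rule and sample
# data are assumptions constructed for the demonstration.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int                                   # assumed scale 1 (rare) .. 3 (likely)
    impact: int                                       # assumed scale 1 (minor) .. 3 (severe)
    treatment: str                                    # reduce | accept | transfer | avoid
    controls: List[str] = field(default_factory=list)  # Annex A ids that treat it


@dataclass
class SoaEntry:
    control_id: str
    included: bool
    justification: str = ""    # why included beyond linked risks, or why excluded
    status: str = "planned"    # planned | in progress | implemented


# Assumed risk appetite: a score above this must not simply be accepted.
RISK_APPETITE = 4

# Assumed dependency rule taken from the guide's own example: excluding
# A.8.16 (monitoring activities) is hard to defend while A.8.15 (logging) is included.
EXCLUSION_CONFLICTS: Dict[str, List[str]] = {"A.8.16": ["A.8.15"]}


def risk_score(risk: Risk) -> int:
    """Simple likelihood x impact score on the assumed 1..3 scales."""
    return risk.likelihood * risk.impact


def check_consistency(risks: List[Risk], soa: List[SoaEntry]) -> List[str]:
    """Return audit-style findings; an empty list means register and SoA agree."""
    findings: List[str] = []
    by_id = {e.control_id: e for e in soa}
    referenced = set()

    for r in risks:
        score = risk_score(r)
        if r.treatment == "accept" and score > RISK_APPETITE:
            findings.append(f"{r.rid}: score {score} exceeds appetite {RISK_APPETITE} but is accepted")
        if r.treatment == "reduce":
            if not r.controls:
                findings.append(f"{r.rid}: treatment is 'reduce' but no control is mapped")
            for cid in r.controls:
                referenced.add(cid)
                entry = by_id.get(cid)
                if entry is None:
                    findings.append(f"{r.rid}: control {cid} is not listed in the SoA")
                elif not entry.included:
                    findings.append(f"{r.rid}: control {cid} is excluded in the SoA yet treats this risk")

    for e in soa:
        if e.included and e.control_id not in referenced and not e.justification:
            findings.append(f"{e.control_id}: included but linked to no risk and has no justification")
        if not e.included:
            if not e.justification:
                findings.append(f"{e.control_id}: excluded without a documented justification")
            for dep in EXCLUSION_CONFLICTS.get(e.control_id, []):
                if dep in by_id and by_id[dep].included:
                    findings.append(f"{e.control_id}: excluded although {dep} is included")
    return findings


def sample_findings() -> List[str]:
    """Run the check over a constructed register and SoA (sample data, not real)."""
    risks = [
        Risk("R1", "Ransomware encrypts production file servers", 2, 3, "reduce", ["A.8.13", "A.8.16"]),
        Risk("R2", "Password guessing against the admin portal", 3, 2, "reduce", ["A.8.5", "A.5.15"]),
        Risk("R3", "Accidental disclosure via mis-addressed e-mail", 2, 2, "accept"),
        Risk("R4", "Compromise of a software supplier", 2, 3, "accept"),
    ]
    soa = [
        SoaEntry("A.5.15", True, "Access control policy required by R2", "implemented"),
        SoaEntry("A.8.5", True, "MFA on all administrative access", "in progress"),
        SoaEntry("A.8.13", True, "Offline backups restore tested quarterly", "implemented"),
        SoaEntry("A.8.15", True),                                   # logging included, nothing links it
        SoaEntry("A.8.16", False, "No security monitoring team in scope"),
    ]
    return check_consistency(risks, soa)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

The sample deliberately reproduces the three failure patterns called out elsewhere in this guide: a risk treatment plan that points at an excluded control, an accepted risk outside the stated appetite, and an included control with no link back to the register. Running the check as part of each management review, after the register or the SoA changes, catches these before the Stage 1 auditor does.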

Step 5: Implement Controls (Weeks 8–24)

Quick wins (within 4 weeks): MFA across all critical systems, password policy, access review and off-boarding process, security awareness training, asset inventory.

Medium-term controls (4–12 weeks): vulnerability management, incident response plan and testing, business continuity plan, supplier security assessments, encryption.

Longer-term controls (12–24 weeks): secure development lifecycle, penetration testing programme, advanced threat detection, third-party risk management.

Step 6: Build the Documentation Framework (Weeks 12–18)

Create mandatory documents and records infrastructure: policies and procedures, templates, evidence collection processes, and a documentation management system.

Step 7: Internal Audit and Management Review (Weeks 20–24)

Conduct a full internal audit cycle before the certification audit. Plan scope, execute, document findings, agree corrective actions, hold a management review. This is your dress rehearsal for the certification audit.

Step 8: Certification Audit (Months 6–12)

In France, the certification body must be accredited by COFRAC (Comité français d'accréditation). Main bodies: AFNOR Certification, Bureau Veritas, SGS, Lloyd's Register, DNV.

Stage 1 Audit (documentation review, 1–2 days): reviews SMSI documentation, confirms scope, verifies SoA.

Stage 2 Audit (implementation verification, 2–5 days): tests that controls are implemented and working, interviews staff, examines evidence.

The ISO 27001 certificate is valid for three years, with annual surveillance audits and a full recertification audit in year three.


SMSI Costs in France: 2026 Pricing

Organization Size              | Implementation     | Certification Audit | Platform           | Year 1 Total
Micro (1–10 employees)         | €5,000–€15,000     | €6,000–€10,000      | €1,200–€4,000/yr   | €12,000–€30,000
SME (10–50 employees)          | €10,000–€25,000    | €8,000–€12,000      | €3,000–€10,000/yr  | €22,000–€50,000
Mid-market (50–250 employees)  | €20,000–€50,000    | €10,000–€20,000     | €10,000–€30,000/yr | €40,000–€100,000
Large enterprise (250+)        | €50,000–€150,000   | €15,000–€40,000     | €30,000+/yr        | €95,000–€200,000+

Key cost drivers in France 2026:

  • SMSI consultant day rates: €1,200–€1,800 HT/day for experienced ISO 27001 consultants [³]
  • Recurring costs represent approximately 20% of the initial investment per year after the first certification [³]
  • Compliance automation platforms reduce implementation effort by 40–60% vs. manual approaches [⁴]
  • Staff training: €25–€50 per person for e-learning modules, up to €10,000–€15,000 for instructor-led sessions

Annual Ongoing Costs

After Year 1, SMSI maintenance costs drop significantly:

  • Annual surveillance audit: €3,000–€8,000
  • Compliance platform subscription: €3,000–€30,000/year
  • Internal audit effort: 5–15 person-days
  • Management review and updates: 3–5 person-days
  • Recertification audit (year 3): similar to initial certification

What Most SMSI Guides Don't Tell You

Documentation gaps cause most Stage 1 failures

Missing documentation causes more Stage 1 audit failures than any technical control gap. The most commonly missing items: risk treatment plan not linked to the SoA, management review minutes not covering all required topics, and corrective action records with no root cause analysis [⁵].

Scope definition is a strategic decision

Your scope boundary determines which risks you are committing to manage. Too broad and you face an unmanageable implementation burden. Too narrow and customers ask why certain products aren't covered. The right scope is the smallest scope that satisfies your customer and regulatory requirements — expand deliberately as the SMSI matures.

Post-certification drift is very common

The most dangerous period is the 18 months after initial certification. Organizations relax, internal audit cadence drops, staff training becomes sporadic, and documentation falls out of date. Build SMSI maintenance into regular operational rhythms — monthly control checks, quarterly management touchpoints, annual full audit cycles [⁶].

The SoA is audited harder than most expect

Auditors test whether control exclusions are genuinely justified. If you exclude "monitoring activities" (A.8.16), auditors will probe whether you have any logging or anomaly detection. If you do, the exclusion is unjustifiable. The default position should be to include and implement, not exclude.


Common SMSI Audit Failures

  1. Risk assessment treated as a checkbox — conducted once, never updated when the organization changes [⁶]
  2. Policies say one thing, practice shows another — documented access control policy but actual access rights not reviewed
  3. Internal audit doesn't cover all controls — annual audit plan doesn't achieve full SMSI coverage
  4. Root cause analysis is superficial — corrective actions fix symptoms, same non-conformities recur
  5. Supplier security is nominal — policy exists but no actual supplier assessments conducted
  6. Management review minutes are incomplete — don't address all required inputs
  7. Evidence of awareness training is missing — training conducted but records not kept
  8. Business continuity hasn't been tested — documented BCP but no test records

How Orbiq Supports Your SMSI

Orbiq's compliance automation platform is purpose-built for SMSI management:

  • Continuous Monitoring — automated control checks run continuously, surfacing gaps before auditors find them
  • Evidence Management — automated evidence collection mapped simultaneously to ISO 27001, NIS2, and SOC 2 criteria
  • AI-Powered Questionnaires — when customers send security questionnaires, Orbiq answers from your SMSI evidence automatically
  • Trust Center — publish your SMSI certifications and control status as a self-service hub for enterprise buyers




Sources & References

  1. ANSSI — "Panorama de la cybermenace 2025", cyber.gouv.fr, March 2026. Data: 1,366 incidents processed, 128 ransomware compromises, 196 data exfiltrations.
  2. ANSSI — ISO 27001 recommendations for NIS2 compliance, cyber.gouv.fr. ANSSI explicitly recommends ISO 27001 as the reference framework for NIS2 Article 21 measures. France's NIS2 transposition: loi relative à la résilience des infrastructures critiques — adopted by Senate March 2025, promulgation expected 2026.
  3. Cost data France 2026: Fidens, "Combien coûte une certification ISO 27001?", fidens.fr; Donnees.net, "Certification ISO 27001: combien ça coûte pour une PME?", donnees.net.
  4. HightTable — "ISO 27001 Certification Cost: Full Breakdown (2026)", hightable.io/iso-27001-certification-cost/.
  5. GRC Solutions — "5 Reasons ISO 27001 Implementations Fail (and How to Avoid Them)", grcsolutions.io.
  6. Konfirmity — "ISO 27001 Common Audit Findings: A Practical Guide (2026)", konfirmity.com/blog/iso-27001-common-audit-findings.
  7. ISO.org — "ISO/IEC 27001:2022 — Information security management systems", iso.org/standard/27001.
  8. ShieldNet360 — "ISO 27001 audit guide: requirements & process for SMEs, 2026", shieldnet360.com.

This guide is maintained by the Orbiq team. Last updated: March 2026.
