Published under Risk Management

Product identity card

General information
This attribute holds basic information to identify the product. The information provided here contains the name of the product, the company or cross-frontier organization that provides the product and the country of origin (in case the product originated from a company or national organization).

Method or tool name : MEHARI (MEthod for Harmonized Analysis of RIsk)
Originator name : CLUSIF (France) relayed by CLUSIQ (Canada)
Country of origin : France

Level of reference of the product

Details about the type of initiator of the product

Private sector organisation / association : CLUSIQ & CLUSIF
Initially (1998) developed for Clusif members, Open Source, free and public since 2007


Specify the phases this method supports and a short description

MEHARI is an RA and RM method that also includes, directly in its knowledge bases, many formulas for the direct assessment of risk and selection of the ways to reduce them.
Mehari is not a pdf only method, it comes also as user friendly tool. The knowledge bases are available as a workbook (for Excel or Open Office) capable to conduct the qualification and quantification of all the elements of risk. Associated user guides and documents are available in English plus multiple translations from:

in French from

R.A. Method phases supported

  • Context establishment : MEHARI allows covering either an entire organization or to select and zoom on particular parts (affiliate, business activity, type of asset or threat, …) using specific scope and boundaries
  • Stakes analysis and assets classification : based on business consideration of consequences of dysfunctions and allowing to give a “value” to information attached assets (primary and secondary, according to ISO/IEC 27005) The types of assets considered are: services, information data and effective compliance to regulations.
  • Risk identification : MEHARI gives indications for the business stakes identification and valuation, the resulting classification of assets (according to ISO 27005) for the Availability, Integrity and Confidentiality security criteria is performed. Also the likelihood of the various threats is identified and the evaluation of the security measures to reduce the risk may be collected from audit questionnaires. All the elements for risk evaluation are available for the next phases
  • Risk analysis : MEHARI knowledge bases provide comprehensive lists of risk scenarios associated with the assets and the various threats. The combination of stakes, threats and vulnerabilities included in the method allows analyzing the risks situations and preparing for the risk assessment.
  • Risk assessment : This is based on the quantification of these elements, and the seriousness for the organization is established on a scale with 4 levels. The most serious scenarios (level 4 and 3) will have to be managed

R.M. Method phases supported

  • Risk assessment: the critical risks may be displayed and analyzed under various other forms: by asset criterion, type of threat, actor, etc
  • Risk treatment : The Risk managers or auditors have the capacity to select the treatment option (reduce, accept, transfer/share, avoid) and, in the case of a decision of reduction, MEHARI provides the capability to select the additional security measures for the reduction of likelihood and/or impact and to integrate them in additional projects depending on the level of the resources and types of organization
  • Risk acceptance : the capacity to indicate individually the acceptance of scenarios is provided. Further indications in the case of risk sharing (e.g. with insurance) is collectable
  • Risk communication : All the stakeholders are associated since the beginning (stakes analysis) and the operational staff (either IT, communications, etc.) contributes to the analysis. Inputs to the building or revision of the Information security policies are provided as well as directions for security projects. Once filled during the risk management cycle, the knowledge base file constitutes a folder for further work and communication.

Compliance to standard : MEHARI Expert (2010) answers to ISO/IEC 27005:2011 guidelines, MEHARI assists and can be used to check the compliance of organizations for their ISMS process (e.g. ISO 27001 2013 revision).

Brief description of the product

  • MEHARI Expert (2010):
    - provides a complete risk management model compliant to ISO 27005 requirements,  * description of modular components and processes.
    - includes the classification of assets, the likelihood of the threats, measures the vulnerabilities through audit.
    - analyzes a list of generic risk situations and provides seriousness levels for each scenario
    - bases its analysis on built in assistance and parameters,
    - allows an optimal selection of corrective actions,
    - gives additional compliance scoring of the organization to ISO 27002:2013 controls and the ISMS process as well,
    - is considered as an RA/RM tool by the automatic use of formulas.

Date of the first edition, date and number of actual version

Date of first release : 1998
Date and identification of the last version : MEHARI Expert (2010) 2Q 2016 providing actualized links with ISO 27002:2013 control objectives and controls  (French and English)
The following variants based on the method are currently only available in French:
- Mehari Pro (since 2014) for small and medium size organizations
- Mehari Manager (since 2013) for new projects or activities out of the scope of a previous execution of the method.
- Mehari Standard (since 2017) for medium to large size organizations

Useful links
Link for further information

Official web site : (English) or (French)
Related user group web site : mehari .info
Main relevant web site (English) (French)

List the available languages that the tool supports

Availability in European languages : French and English (full set of documents and knowledge bases) "Overview" and other documents: Spanish, Italian, German, Polish, Romanian, Dutch, Portuguese (Brasil) Other languages: Chinese, Arabic, Farsi

Specify the price for the method

  • Free: the solution is delivered as Open Source (Creative Commons) and free of charge.

Page top


Target organisations

Defines the most appropriate type of organisations the product aims at

  • Government, agencies
  • Small and Medium to Large companies or organisations
  • Commercial companies
  • Non-profit: NGOs, education, health sector, public services, etc.

Specific sector : Mehari applies to all sectors

Geographical spread
Information concerning the spread of this tool

Used in EU member states : downloaded to all EU states and to European Commission.
Used in non-EU countries : world wide (More than 175 countries), including USA, Canada, Switzerland, South America, China, India, Morocco, Tunisia, Algeria, African countries.

Level of detail
Specify the target kind of users

  • Management level : top management, business line managers, ...
  • Operational level: CISO, Risk managers, auditors, CIO, ...
  • Technical level: systems, networks, application managers, general services, development teams, end users

License and certification scheme
Specify the licensing and certification schemes available for this method

Recognized licensing scheme: Not needed
Existing certification scheme: there is a recognized training scheme for consultants/firms stating their mastering of the method (from PECB).

Page top

Users viewpoint

Skills needed
Specify the level of skills needed to use and maintain the solution

Risk Assessment and Management require in any case a good knowledge of the business internals and the handling of risk. The method exploits these skills and facilitates the processes for awareness, ISMS, RA and RM.

  • To introduce : Standard level, CIO, CISO, RM, top management, business line managers
  • To use : Standard level, auditors (internal or external), CISO, Risk Managers, simple use of Excel
  • To maintain : Standard level, the user guides, documentation and the integrated tools are complete, first level of Excel knowledge

Consultancy support
Specify the kind of support available

Training and consultancy support are provided by CLUSIF with relays in Poland, North America (Quebec) and Africa.

Consultancy : Training and consultancy are available in various countries in Europe, North America, Africa and other places.

Regulatory compliance
There is a given compliance of the product with international regulations

  • Compliance of the method with international regulations (e.g. Basel III, Sarbanes Oxley Act, PCI/DSS, GDPR) may be added when needed.

Compliance to IT standards
There is a compliance with a national or international standard

  • Originally built in accordance with ISO/IEC IS 13335-1, now complies with ISO/IEC 27005:2011 requirements
  • MEHARI is evolving to better deal with the evolutions of Information and Communication technologies, architectures and working changes (BYOD, BYOA, cloud, remote users, etc.)
  • MEHARI is applicable for ISO/IEC 27001 (revision 2013) ISMS processing and certification, including Annex A (security control objectives)
  • Integrates ISO 27002:2013 controls and allows to measure compliance for the organization analyzed.

Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.

Not needed, download and use are free (Creative Commons license)

Availability : world wide

Maturity level of the Information system
The product gives maturity indications on the capability of the organization to manage information security under all its forms including information system security (e.g. through a reasoned best practice document).

It is possible to measure the I.S.S. maturity level : Yes, through several indicators (e.g. Efficiency, Resiliency, Continuity and compliance aspects)

Tools supporting the method
List of tools that support the product

Non commercial tools

  • 4 Associated tools are currently available as knowledge bases of the method, using Excel and Open Office. Reference manuals explain their use, which is free.
    * Mehari Expert , for all types of medium to large organizations (linked to 27001:2013)
    * Mehari Pro for small entities (without links to 27001 ISMS)
    * Mehari Manager usable either for new projects, preparation for new activities, etc.
    * Mehari Standard, for medium to large entities (with links to 27001:2013 ISMS

Commercial tools

  • Several independent efforts to develop additional tools have been completed in several countries.

Technical integration of available tools
It is possible to integrate additional worksheets within the knowledge base.

Tools can be integrated with other tools : classical links between Excel and other types of programs may be used

Organisation processes integration
The method provides interfaces to existing processes within the organization (e.g. project management, procurement, etc.), e.g. through additional worksheets.

Method provides interfaces to other organisational processes : e.g. ISO 27001 ISMS

Flexible knowledge databases
It is easily possible to adapt the knowledge database to any specific activity domain, maturity level, scope and size of the company.

Browse the Topics

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies