Mehari Expert (2010) RM tool
Tool Identity Card
General information
Basic information to identify the product
Tool name : MEHARI Expert (2010) – RA and RM tool
Originator name: CLUSIF and CLUSIQ
Country of origin : France - Canada
Level of reference of the tool
Details about the coverage or the « originators » of the solution
Coverage : Information Risk Management with ISO 27005:2011 and ISO 27001:2013 compliance
Supported by organization, club,... (e.g. as sponsor) : CLUSIQ and CLUSIF
Brief description of the product
Give a brief description of the product containing general information, overview of functions:
- The tool is an Excel-based knowledge base already prepared by the originators, giving a full view of the required elements even for a small or medium-sized organization
- Previously named only « 2010 », after the year of initial release, it is now prefixed « Expert » and is the high end of the capabilities built on the principles of the Mehari methodology (3 other tools, suffixed Standard, Pro and Manager, are available but in French only)
- The workpages of the method contain multiple preprocessed elements allowing the user to select and display, step by step, the results of the RA and RM activities and to select or propose a risk reduction policy, plans and projects with additional controls where needed.
Supported functionality
Specify the functionality this tool provides.
R.A. Method phases supported
- Risk preparation : Complete study of how the business and internal activities use the various ICT and supporting services and the information itself, including the business impact analysis (BIA) of dysfunctions and threats.
- Risk identification : Based on assets, threats and vulnerabilities
- Risk analysis : Through scenarios
- Risk evaluation : Quantification of the risk elements: stakes level and likelihood of threats
Other phases
- Asset inventory & evaluation : The list of assets proposed includes services, information itself and regulations.
R.M. Method processes supported
- Risk assessment : The seriousness level of risk scenarios is given based on impact and likelihood of multiple scenarios, either initial (intrinsic), current or planned at selected dates.
- Risk treatment : The method proposes options (accept, reduce, share, avoid) and security measures for reducing risk seriousness level.
- Influence of security measures : the reduction of likelihood (prevention, deterrence) and of impact (confining, palliation) over risk situations (scenarios) is easily visible.
- Planning of risk : integrated formulas allow future risk levels to be forecast based on the achievement of security plans.
- Risk communication : The workbook can be completed by communication elements, showing that risk management is a collective effort over time.
Other phases
- ISMS per ISO 27001:2013 : Assessment and control of the effectiveness of any ISMS process in place
Other functionality
- ISO 27002:2013 controls : may be selected within the Mehari security measures so that the risk management results apply directly to an ISMS.
Information processed
- Business objectives and stakes, lists of contributive assets: Base for impact assessment
- List of threats (accident, error, voluntary actions): Likelihood is estimated and variations may be easily anticipated
- List of security controls and services: For risk reduction, current and future
Lifecycle
Date of the first edition, date and number of actual version
Date of first release : 1998 (formulas were used but not available to public)
Date and identification of the last version : 2016 – Mehari Expert (ISO 27001:2013 links)
Useful links
Link for further information
Official web site: http://www.meharipedia.org French and English
User group web site: mehari.info
Useful information: https://en.wikipedia.org/wiki/Mehari , https://fr.wikipedia.org/wiki/Méthode_harmonisée_d’analyse_des_risques
Languages
List the available languages that the tool supports
Languages available : English, French, Farsi + translations of documents in 13 languages
Pricing and licensing models
Specify the price for the product (as provided by the company on December 2005)
- Open Source (Creative Commons license) and 100 % free
Sectors with free availability or discounted price : N/A
Trial before purchase
Details regarding the evaluation period of the tool
CD or download available : Download from meharipedia.org
Identification required : Not needed, only welcome for future exchanges
Trial period (days) : N/A
Tool architecture
Specify the technologies used in this tool
- Database : Worksheet – for Excel or Open Office
- User guides and documents : http://meharipedia.org/download-mehari-2010/ and on-line guides and documents
Scope
Target organizations
Defines the most appropriate type of communities for this tool
- Government agencies
- Large scale companies
- Commercial CIEs
- Non commercial CIEs
Specific sector : Applicable to all types of organizations and businesses
Spread
Information concerning the spread of this tool
General information : World-wide in many different organizations
Used inside EU countries : France, Germany, UK, Switzerland, Belgium, Poland, Spain, Luxembourg
Used outside EU countries : More than 45 000 downloads in 175 countries
Level of detail
Specify the target kind of people for this tool based on its functionality
Management : Stakes (BIA) analysis with board members - Documented
Operational : Threats and questionnaires - Documented and available
Technical : The questionnaires are a superset of ISO 27002 lists of controls
Compliance to IT Standards
List the national or international standard this tool is compliant with
- ISO 27005:2011 - Requirements and guidelines
- ISO 27001:2013 Annex A
- ISO 27002:2013 list of controls
Tool helps towards a certification
Specify whether the tool helps the company toward a certification according to a standard
Mehari Expert (2010) has been used for:
- ISO 27001 ISMS certification
- Entry point for ISO 22301 certification
Training
Information about possible training courses for this tool
Course: 3 to 5 days with personal Risk manager certification from PECB Inc.
Users viewpoint
Skills needed
Specify the skills needed to use and maintain the solution
- To install : very easy - Install the worksheet and run Excel or Open Office
- To use : easy to expert level - Depending on the boundaries and scope
- To maintain : simple
Tool Support
Specify the kind of support the company provides for this product
Support : Excel or Open Office file - Standard software. Support is also provided through mehari.info (LinkedIn forum) and e-mail
Organization processes integration
Describe user roles this tool supports
Supported Roles
- The use of the tool requires the mutual involvement of the management, the process owners, the risk owners, and the risk management, CIO and CISO functions. Assistance by an external audit team is welcome - Awareness of the various parties is facilitated
Integration in Organization activities
- The tool allows all the related activities to contribute to the risk assessment (risk owners) and to the treatment decisions.
Interoperability with other tools
Specify available interfaces or other ways of integration with other tools
- Open to input from BPM, Cobit, Itil and output to project management tools
- Same types of assets, threats and vulnerabilities as other risk management tools, plus scenarios and formulas
- Applicable to multiple objectives like ISO 22301, ITIL, PCI/DSS, GDPR
Sector adapted knowledge databases supported
e-Security knowledge base : Specifically constructed to cover modern network based systems
- Mehari Expert is also available in French and in Farsi
- Other instances of the method are proposed, such as Mehari Standard for medium to large organizations (French), Mehari Pro for SMEs (French) and Mehari Manager for a first handling of the method by a manager or for a new business activity (French)
Flexibility of tool's database
Can the database be customized and adapted to client requirements?
- The database is generic and applicable to any type of environment
- Customization results from the flexibility in defining the scope and boundaries, e.g. at the beginning of the study.