Mehari Expert (2010) RM tool

Published under Risk Management

Tool Identity Card

General information
Basic information to identify the product

Tool name : MEHARI Expert (2010) – RA and RM tool
Originator name: CLUSIF and CLUSIQ
Country of origin : France - Canada

Level of reference of the tool
Details about the coverage or the « originators » of the solution

Coverage : Information Risk Management with ISO 27005:2011 and ISO 27001:2013 compliance
Supported by organization, club,... (e.g. as sponsor) : CLUSIQ and CLUSIF

Brief description of the product
Give a brief description of the product containing general information, overview of functions:

  • The tool is an excel based knowledge base already prepared by the originators, allowing a full vision of the required elements even for a small or medium size organization
  • Previously named only 2010 from the year of initial release, now prefixed « Expert » is the high end of the capabilities built on the principles of Mehari methodology (3 other tools, suffixed: Standard, Pro and Manager, are available but in French only)
  • The workpages of the method contain multiple preprocessed elements allowing to select and display, step by step, the results of the RA and RM activities and to select or propose risk reduction policy, plans & projects with additional controls where needed.

Supported functionality
Specify the functionality this tool provides.

R.A. Method phases supported

  • Risk preparation: Complete study about the use by the business and internal activities of the various ITC and supporting services and of the information itself including the business impact analysis (BIA) of dysfunctions and threats.
  • Risk identification : Based on assets, threats and vulnerabilities
  • Risk analysis : Through scenarios
  • Risk evaluation : Quantification of the risk elements: stakes level and likelihood of threats

Other phases

  • Asset inventory & evaluation :  The list of assets proposed includes services, information itself and regulations.

R.M. Method processes supported

  • Risk assessment : The seriousness level of risk scenarios is given based on impact and likelihood of multiple scenarios, either initial (intrinsic), current or planned at selected dates.
  • Risk treatment : The method proposes options (accept, reduce, share, avoid) and security measures for reducing risk seriousness level.
  • Influence of security measures: for likelihood (prevention, deterrence) and impact (confining, palliation) reduction over risk situations (scenarios) is easily visible.
  • Planning of risk: integrated formulas allow foreseeing future levels based on the achievement of security plans.
  • Risk communication: The workbook can be completed by communication elements,
    showing that risk management is a collective effort over time.

Other phases

  • ISMS per ISO 27001:2013: Assessment and control of the effectiveness of the possibly ISMS process in place

Other functionality

  • ISO 27002:2013 controls : may be selected within Mehari security measures to provide applicability of risk management into an ISMS.

Information processed

  • Business objectives and stakes, lists of contributive assets: Base for impact assessment
  • List of threats (accident, error, voluntary actions): Likelihood is estimated and variations may be easily anticipated
  • List of security controls and services: For risk reduction, current and future

Date of the first edition, date and number of actual version

Date of first release : 1998 (formulas were used but not available to public)
Date and identification of the last version : 2016 – Mehari Expert (ISO 27001:2013 links)

Useful links
Link for further information

Official web site: French and English
User group web site:
Useful information: ,éthode_harmonisée_d’analyse_des_risques

List the available languages that the tool supports

Languages available : English, French, Farsi + translations of documents in 13 languages

Pricing and licensing models
Specify the price for the product (as provided by the company on December 2005)

  • Open Source (Creative Commons license) and 100 % Free

Sectors with free availability or discounted price : N/A

Trial before purchase
Details regarding the evaluation period of the tool

CD or download available : Download from
Identification required : Not needed, only welcome for future exchanges
Trial period (days) : N/A

Tool architecture
Specify the technologies used in this tool

Page top


Target organizations
Defines the most appropriate type of communities for this tool

  • Government agencies
  • Large scale companies
  • Commercial CIEs
  • Non commercial CIEs

Specific sector : Applicable to all types of organizations and businesses

Information concerning the spread of this tool

General information : World-wide in many different organizations
Used inside EU countries : France, Germany, UK, Swiss, Belgium, Poland, Spain, Luxemburg
Used outside EU countries : Above 45 000 downloads to 175 countries

Level of detail
Specify the target kind of people for this tool based on its functionality

Management : Stakes (BIA) analysis with board members - Documented
Operational : Threat and questionnaires - Documented and available
Technical : The questionnaires are a superset of ISO 27002 lists of controls

Compliance to IT Standards
List the national or international standard this tool is compliant with

  • ISO 27005:2011 - Requirements and guidelines
  • ISO 27001:2013 Annex A
  • ISO 27002:2013 list of controls

Tool helps towards a certification
Specify whether the tool helps the company toward a certification according to a standard

Mehari Expert (2010) has been used for:

  • ISO 27001 ISMS certification  
  • Entry point for ISO 22301 certification

Information about possible training courses for this tool

Course: 3 to 5 days with personal Risk manager certification from PECB Inc.

Page top

Users viewpoint

Skills needed
Specify the skills needed to use and maintain the solution

  • To install : very easy - Install the worksheet and run Excel or Oo
  • To use : easy to expert level - Depending on the boundaries and scope
  • To maintain : simple

Tool Support
Specify the kind of support the company provides for this product

Support : Excel or Open Office file - Standard software. Support is also provided through (linkedin forum) and emails

Organization processes integration
Describe user roles this tool supports

Supported Roles

  • The use of the tool requires the mutual involvement of the management, the process owners, the risk owners, the Risk management, the CIO and CISO functions.
    Assistance by an external audit team is welcome
  • Awareness of the various parties is facilitated

Intergration in Organization activities

  • The tool allows all the related activities to contribute to the risk assessment (risk owners) and treatment decisions.

Interoperability with other tools
Specify available interfaces or other ways of integration with other tools

  • Open to input from BPM, Cobit, Itil and output to project management tools
  • Same types of assets, threats, vulnerabilities than other risk management tools plus scenarios, formulas
  • Applicable to multiple objectives like ISO 22301, ITIL, PCI/DSS, GDPR

Sector adapted knowledge databases supported
e-Security knowledge base : Specifically constructed to cover modern network based systems

  • Mehari Expert is also available in French and in Farsi
  • Other instances of the mehod are proposed, like
    Mehari Standard for medium to large organizations (French)
    Mehari Pro for SMEs (French)
  • Mehari Manager for a first handling of the method by a manager or for a new business activity (French)

Flexibility of tool's database
Can the database be customized and adapted to client requirements?

  • The data base is generic and applicable for any type of environment
  • Customization results from the flexibility in defining the scope and boundaries, e.g. at the beginning of the study.
Browse the Topics

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies