Product identity card
Basic information to identify the product
Method or tool name : EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité)
Vendor name : DCSSI (Direction Centrale de la Sécurité des Systèmes d'Information, Premier Ministre)
Country of origin : France
Level of reference of the product
Details about the type of initiator of the product
Private sector organisation / association & Public / government organisation : Club EBIOS, gathering about 60 enterprises, French ministries, and independent experts
Specify the phases this method supports and a short description
R.A. Method phases supported
Risk identification : Section 3, Step 3: study of threat sources, study of vulnerabilities, formalisation of threats, and justification for discarding threats. Section 3, Step 4, Activity 4.1: risk opportunity, and its consequences (security needs, and impacts)
Risk analysis : Section 3, Step 3, Activity 3.1: security criteria affected by attack methods, type of threat agent, cause of threat agent, assessment of attack potential. Section 3, Step 3, Activity 3.2: identification of vulnerabilities according to attack methods, assessment of vulnerability levels. Section 3, Step 3, Activity 3.3: explicit formulation of threat, assessment of threat opportunity.
Risk evaluation : Section 3, Step 3, Activity 3.3: threat opportunity. Section 4, Step 4, Activity 4.1: risk formulation.
R.M. Method phases supported
Risk assessment : Section 3, Step 1; Section 3, Step 2; Section 3, Step 3; Section 3, Step 4, Activity 4.1
Risk treatment : Section 3 Section 4, Steps 4.2, Section 4, Step 4.3, Section 5: The security objectives statement expresses the will to cover identified risks by security requirements. These requirements specify how to reach those objectives by security measures, e.g. by means of internal knowledge bases as well as external ones such as IT-Grundschutz, or catalogues of best practices (ISO-17799, ISO-15408, etc.)
Risk acceptance : Section 2, Section 3 Step 4: retained / non-retained risks, security objectives statement, proof of retained risks coverage by objectives, highlighting of residual risks. Section 3, Step 5: security requirements statement, proof of objectives coverage by requirements, highlighting of residual risks.
Risk communication : Section 1; software that produces a wide variety of deliverables in a standardized format; training
Brief description of the product
EBIOS is a comprehensive set of guides (plus a free open source software tool) dedicated to Information System risk managers. Originally developed by the French government, it is now supported by a club of experts of diverse origin. This club is a forum on Risk Management, active in maintaining EBIOS guides. It produces best practices as well as application documents targeted to end-users in various contexts. EBIOS is widely used in the public as well as in the private sector, both in France and abroad. It is compliant with major IT security standards.
EBIOS gives risk managers a consistent and high-level approach to risks. It helps them acquire a global and coherent vision that supports decision-making by top managers on global projects (business continuity plan, security master plan, security policy), as well as on more specific systems (electronic messaging, nomadic networks or web sites, for instance). EBIOS clarifies the dialogue between the project owner and project manager on security issues. In this way, it contributes to relevant communication with security stakeholders and spreads security awareness.
The EBIOS approach consists of a cycle of 5 phases:
- Phase 1 deals with context analysis in terms of global business process dependency on the information system (contribution to global stakes, accurate perimeter definition, relevant decomposition into information flows and functions).
- Both the security needs analysis and threat analysis are conducted in phases 2 and 3 in a strong dichotomy, yielding an objective vision of their conflicting nature.
- In phases 4 and 5, this conflict, once arbitrated through traceable reasoning, yields an objective diagnosis of the risks. The necessary and sufficient security objectives (and further security requirements) are then stated, proof of coverage is furnished, and residual risks are made explicit.
Date of the first edition, date and number of actual version
Date of first release : Release 1 in 1995
Date and identification of the last version : Release 2 in June 2004
Link for further information
List the available languages that the tool supports
Availability in European languages : French, English, German, Spanish
Specify the price for the method
Defines the most appropriate type of organisations the product aims at
Non commercial CIEs
Specific sector : N/A
Information concerning the spread of this tool
Used in EU member states : Many
Used in non-EU member states : Many
Level of detail
Specify the target kind of users
License and certification scheme
Specify the licensing and certification schemes available for this method
Recognized licensing scheme : Yes
Existing certification scheme : No
Specify the level of skills needed to use and maintain the solution
To introduce : Standard
To use : Standard
To maintain : Standard
Specify the kind of support available
Consultancy : If support is needed, a wide variety of private consultants is available (Open market)
There is a given compliance of the product with international regulations
Compliance to IT standards
There is a compliance with a national or international standard
Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.
Availability : Product is free
Maturity level of the Information system
The product gives a means of measurement for the maturity of the information system security
It is possible to measure the I.S.S. maturity level : Yes, with compliance to ISO/IEC 21827. The document is available at this location.
Tools supporting the method
List of tools that support the product
Non commercial tools
Technical integration of available tools
Particular supporting tools (see C-7) can be integrated with other tools
Tools can be integrated with other tools : No
Organisation processes integration
The method provides interfaces to existing processes within the organisation
Method provides interfaces to other organisational processes : Procurement
Flexible knowledge databases
It is possible to adapt a knowledge database specific to the activity domain of the company.
Method allows use of sector adapted databases : Yes, domain specific vulnerabilities bases