Published under Risk Management

Product identity card

General information
Basic information to identify the product

Method or tool name : EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité)
Vendor name : DCSSI (Direction Centrale de la Sécurité des Systémes d'Information, Premier Ministre)
Country of origin : France

Level of reference of the product
Details about the type of initiator of the product

Private sector organisation / association & Public / government organisation : Club EBIOS, gathering about 60 enterprises, French ministries, and independent experts

Specify the phases this method supports and a short description

R.A. Method phases supported

  • Risk identification : Section 3, Step 3: study of threat sources, study of vulnerabilities, formalisation of threats, and justification for discarding threats. Section 3, Step 4, Activity 4.1: risk opportunity, and its consequences (security needs, and impacts)
  • Risk analysis : Section 3, Step 3, Activity 3.1: security criteria affected by attack methods, type of threat agent, cause of threat agent, assessment of attack potential. Section 3, Step 3, Activity 3.2: identification of vulnerabilities according to attack methods, assessment of vulnerability levels. Section 3, Step 3, Activity 3.3: explicit formulation of threat, assessment of threat opportunity.
  • Risk evaluation : Section 3, Step 3, Activity 3.3: threat opportunity Section 4, Step 4, Activity 4.1: risk formulation

R.M. Method phases supported

  • Risk assessment: Section 3, Step 1, Section 3, Step 2, Section 3, Step 3, Section 3, Step 4, Activity 4.1
  • Risk treatment : Section 3 Section 4, Steps 4.2, Section 4, Step 4.3, Section 5: The security objectives statement expresses the will to cover identified risks by security requirements. These requirements specify how to reach those objectives by security measures, e.g. by means of internal knowledge bases as well as of external ones such as IT-Grundschutz, or catalogues of best practices (ISO-17799, ISO-15408, etc..)
  • Risk acceptance : Section 2, Section 3 Step 4: Retained / non-retained risks, Security objectives statement, proof of retained risks coverage by objectives, highlighting of residual risks Section 3, Step 5: security requirements statement, proof of objectives coverage by requirements, highlighting of residual risks.
  • Risk communication : Section 1, Software that produces wide variety of deliverables in a standardized format Training

Brief description of the product

  • EBIOS is a comprehensive set of guides (plus a free open source software tool) dedicated to Information System risk managers. Originally developed by the French government, it is now supported by a club of experts of diverse origin. This club is a forum on Risk Management, active in maintaining EBIOS guides. It produces best practices as well as application documents targeted to end-users in various contexts. EBIOS is widely used in the public as well as in the private sector, both in France and abroad. It is compliant with major IT security standards.
    EBIOS gives risk managers a consistent and high-level approach to risks. It helps them acquire a global and coherent vision, useful for support decision-making by top managers on global projects (business continuity plan, security master plan, security policy), as well as on more specific systems (electronic messaging, nomadic networks or web sites for instance). EBIOS clarifies the dialogue between the project owner and project manager on security issues. In this way, it contributes to relevant communication with security stakeholders and spreads security awareness.
    EBIOS approach consists of a cycle of 5 phases:
    • Phase 1 deals with context analysis in terms of global business process dependency on the information system (contribution to global stakes, accurate perimeter definition, relevant decomposition into information flows and functions).
    • Both the security needs analysis and threat analysis are conducted in phases 2 and 3 in a strong dichotomy, yielding an objective vision of their conflicting nature.
    • In phases 4 and 5, this conflict, once arbitrated through a traceable reasoning, yields an objective diagnostic on risks. The necessary and sufficient security objectives (and further security requirements) are then stated, proof of coverage is furnished, and residual risks made explicit.
    EBIOS turns out to be a flexible tool. It may produce a wide range of deliverables (SSRS, security target, protection profile, action plan, etc). Local standard bases (e.g.: German IT Grundschutz) are easily added on to its internal knowledge bases (attack methods, entities, vulnerabilities) and catalogues of best practices (EBIOS best practices, ISO/IEC IS 17799).


Date of the first edition, date and number of actual version

Date of first release : Release 1 in 1995
Date and identification of the last version : Release 2 in June 2004

Useful links
Link for further information

Official web site : http://www.ssi.gouv.fr
User group web site : N/A
Relevant web site : http://ebios.cases-cc.org

List the available languages that the tool supports

Availability in European languages : French, English, German, Spanish

Specify the price for the method

  • Free


Page top


Target organisations
Defines the most appropriate type of organisations the product aims at

  • Government, agencies
  • Large companies
  • SME
  • Commercial CIEs
  • Non commercial CIEs

Specific sector : N/A

Geographical spread
Information concerning the spread of this tool

Used in EU member states : Many
Used in non-EU member states : Many

Level of detail
Specify the target kind of users

  • Management
  • Operational


License and certification scheme
Specify the licensing and certification schemes available for this method

Recognized licensing scheme : Yes
Existing certification scheme : No

Page top

Users viewpoint

Skills needed
Specify the level of skills needed to use and maintain the solution

  • To introduce : Standard
  • To use : Standard
  • To maintain : Standard


Consultancy support
Specify the kind of support available

Consultancy : If support is needed, a wide variety of private consultants is available (Open market)

Regulatory compliance
There is a given compliance of the product with international regulations

  • N/A


Compliance to IT standards
There is a compliance with a national or international standard


Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.

Availability : Product is free

Maturity level of the Information system
The product gives a means of measurement for the maturity of the information system security

It is possible to measure the I.S.S. maturity level : Yes, with compliance to ISO/IEC 21827. The document is available at this location.

Tools supporting the method
List of tools that support the product

Non commercial tools

Commercial tools

  • N/A


Technical integration of available tools
Particular supporting tools (see C-7) can be integrated with other tools

Tools can be integrated with other tools : No

Organisation processes integration
The method provides interfaces to existing processes within the organisation

Method provides interfaces to other organisational processes : Procurement

Flexible knowledge databases
It is possible to adapt a knowledge database specific to the activity domain of the company.

Method allows use of sector adapted databases : Yes, domain specific vulnerabilities bases

We use cookies to ensure we give you the best browsing experience on our website. Find out more on how we use cookies and how you can change your settings.

Ok, I understand No, tell me more