Product identity card
This attribute holds the basic information needed to identify the product: the name of the product, the company or cross-border organization that provides it, and the country of origin (where the product originated from a company or national organization).
Method or tool name : MEHARI (MEthod for Harmonized Analysis of RIsk)
Originator name : CLUSIF (CLub for the Security of Information in France or CLub de la Sécurité de l'Information Français)
Country of origin : France
Level of reference of the product
Details about the type of initiator of the product
Private sector organisation / association : CLUSIF - Club de la Sécurité de l'Information Français
Specify the phases this method supports and a short description
MEHARI 2010 is an RA and RM method whose knowledge bases directly include the formulas for assessing the risks and selecting the ways to reduce them. The knowledge bases are available as a workbook (for Excel or Open Office) capable of performing the qualification and quantification of all the elements of risk. Associated documents are available from http://www.clusif.asso.fr/en/clusif/present/ and include http://www.clusif.asso.fr/fr/production/ouvrages/pdf/MEHARI-2010-Overview.pdf and http://www.clusif.asso.fr/fr/production/ouvrages/pdf/MEHARI-2010-Processing-Guide.pdf
R.A. Method phases supported
Context establishment : MEHARI can cover either an entire organization or selected parts of it, delimited by an explicit scope and boundaries
Stakes analysis and assets classification : based on the business consequences of dysfunctions, giving a "value" to the assets (primary and secondary, according to ISO/IEC 27005). The types of assets considered are: services, data and compliance with regulations.
Risk identification : MEHARI gives indications for identifying and valuing the business stakes; from these, the assets (according to ISO/IEC 27005, e.g. services, data and compliance with regulations) are classified for the Availability, Integrity and Confidentiality security criteria. The likelihood of the various threats is also identified, and the evaluation of the security measures that reduce the risks may be collected from audit questionnaires. All the elements for risk evaluation are then available for the next phases
Risk analysis : MEHARI provides a comprehensive list of risk scenarios associating the assets with the various threats. The combination of stakes, threats and vulnerabilities built into the method allows the risk situations to be analyzed and prepared for risk evaluation.
Risk evaluation : the evaluation of each scenario is based on the quantification of these elements, and its seriousness for the organization is placed on a 4-level scale. The most serious scenarios will have to be managed
R.M. Method phases supported
Risk assessment : the critical risks may be displayed and analyzed in various other forms: by asset criterion, type of threat, actor, etc.
Risk treatment : risk managers or auditors can select the treatment option (reduce, accept, transfer, avoid). When reduction is chosen, MEHARI supports selecting the additional security measures that reduce likelihood and/or impact and grouping them into projects, depending on the resources available and the type of organization
Risk acceptance : scenarios can be marked as accepted individually. Further indications, e.g. in the case of transfer to insurance, can be recorded
Risk communication : all the stakeholders are involved from the beginning (stakes analysis), and the operational staff (IT, communications, etc.) contribute to the analysis. The method provides inputs for building or revising the information security policies, as well as directions for security projects. Once filled in during the risk management cycle, the knowledge base file constitutes a record for further work and communication.
Compliance to standard : MEHARI 2010 follows the ISO/IEC 27005:2008 guidelines; MEHARI also assists organizations with, and can be used to check compliance of, their ISMS process (e.g. ISO/IEC 27001).
Brief description of the product
- provides a complete risk management model compliant with ISO/IEC 27005 requirements, with a description of modular components and processes,
- includes the classification of assets and the likelihood of the threats, and measures the vulnerabilities through audit,
- analyzes a generic list of risk situations and provides a seriousness level for each scenario,
- bases its analysis on formulas and parameters,
- allows an optimal selection of corrective actions,
- additionally scores the organization's compliance with the ISO/IEC 27001:2005 controls and with the ISMS process,
- can also be considered an RA/RM tool through the automatic use of its formulas.
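The risk identification, analysis, evaluation and treatment phases above, and the formula-driven model summarized in this list, describe one computation: classify each asset per Availability/Integrity/Confidentiality criterion, rate the intrinsic likelihood of each threat, take the audited effectiveness of existing measures into account to obtain residual likelihood and impact, read the scenario's seriousness off a 4-level scale, and then filter and regroup scenarios for treatment and reporting. The following Python is an added illustration of that shape and is not code from CLUSIF or the MEHARI workbook. Every number in it (asset classifications, threat likelihoods, audit scores, the audit-score-to-reduction mapping and the 4x4 seriousness grid) is a constructed placeholder; MEHARI's own tables and formulas are in its knowledge base.

```python
"""Risk-scenario evaluation in the shape this page describes for MEHARI.

Added illustration, not code from CLUSIF or the MEHARI workbook. All values
(classifications, likelihoods, audit scores, the reduction mapping and the
seriousness grid) are constructed placeholders for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

CRITERIA = ("A", "I", "C")  # Availability, Integrity, Confidentiality

# Constructed grid: SERIOUSNESS[likelihood - 1][impact - 1] -> 1 (lowest) .. 4 (highest).
SERIOUSNESS = (
    (1, 1, 2, 3),
    (1, 2, 3, 3),
    (2, 3, 3, 4),
    (2, 3, 4, 4),
)


def clamp(level: int) -> int:
    """Keep a level on the 1..4 scale used throughout."""
    return max(1, min(4, level))


def reduction(audit_score: int) -> int:
    """Levels a measure takes off likelihood or impact, from its audit score.

    Constructed scale: 0..4, where 0-1 means absent or ineffective (no
    reduction) and 4 means fully effective (three levels off)."""
    if not 0 <= audit_score <= 4:
        raise ValueError(f"audit score out of range: {audit_score}")
    return max(0, audit_score - 1)


@dataclass(frozen=True)
class Asset:
    name: str
    classification: dict  # criterion -> 1..4, from the stakes analysis


@dataclass(frozen=True)
class Threat:
    name: str
    actor: str
    likelihood: int  # intrinsic likelihood, 1..4


@dataclass(frozen=True)
class Scenario:
    asset: Asset
    criterion: str
    threat: Threat
    likelihood_controls: int  # audit score of measures that reduce likelihood
    impact_controls: int  # audit score of measures that reduce impact


@dataclass(frozen=True)
class Evaluation:
    scenario: Scenario
    likelihood: int
    impact: int
    seriousness: int


def evaluate(s: Scenario) -> Evaluation:
    """Residual likelihood and impact, then seriousness from the grid."""
    if s.criterion not in CRITERIA:
        raise ValueError(f"unknown criterion: {s.criterion}")
    impact = clamp(s.asset.classification[s.criterion] - reduction(s.impact_controls))
    likelihood = clamp(s.threat.likelihood - reduction(s.likelihood_controls))
    return Evaluation(s, likelihood, impact, SERIOUSNESS[likelihood - 1][impact - 1])


def must_be_managed(evals, threshold: int = 3):
    """Scenarios whose seriousness is too high to accept as-is."""
    return [e for e in evals if e.seriousness >= threshold]


def group_by(evals, key):
    """Regroup evaluations, e.g. by criterion, threat or actor, for display."""
    groups = defaultdict(list)
    for e in evals:
        groups[key(e)].append(e)
    return dict(groups)


def after_treatment(s: Scenario, **new_scores) -> Evaluation:
    """Re-evaluate a scenario once planned measures raise its audit scores."""
    return evaluate(replace(s, **new_scores))


def sample_scenarios():
    """Constructed sample input for the example."""
    db = Asset("customer database", {"A": 3, "I": 3, "C": 4})
    orders = Asset("order service", {"A": 4, "I": 2, "C": 2})
    theft = Threat("exfiltration of data", "external", 3)
    outage = Threat("accidental outage", "internal", 4)
    tamper = Threat("unauthorised modification", "internal", 2)
    return [
        Scenario(db, "C", theft, likelihood_controls=1, impact_controls=1),
        Scenario(orders, "A", outage, likelihood_controls=2, impact_controls=4),
        Scenario(db, "I", tamper, likelihood_controls=3, impact_controls=2),
    ]


if __name__ == "__main__":
    evals = [evaluate(s) for s in sample_scenarios()]
    for e in evals:
        print(f"{e.scenario.asset.name}/{e.scenario.criterion} vs {e.scenario.threat.name}: "
              f"L={e.likelihood} I={e.impact} seriousness={e.seriousness}")
    for actor, group in group_by(evals, lambda e: e.scenario.threat.actor).items():
        print(actor, [e.seriousness for e in group])
    worst = must_be_managed(evals)[0].scenario
    print("likelihood measures only:", after_treatment(worst, likelihood_controls=3).seriousness)
    print("likelihood and impact measures:",
          after_treatment(worst, likelihood_controls=3, impact_controls=3).seriousness)
```

The worst sample scenario (confidentiality of the customer database, seriousness 4) shows why the treatment phase lets the analyst act on likelihood and/or impact: raising only the likelihood-reducing measures leaves it at seriousness 3, still above the acceptance threshold, while adding impact-reducing measures brings it down to 1.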
Date of the first edition, date and number of actual version
Date of first release : 1998
Date and identification of the last version : MEHARI 2010 November 2010 (French and English)
Link for further information
Official web site : http://www.clusif.asso.fr/en/clusif/present/ (English) or http://www.clusif.asso.fr (French)
Related user group web site : http://www.mehari.info/forum/ plus 2 independent linkedin groups for Mehari
Main relevant web site : http://fr.wikipedia.org/wiki/Mehari
List the available languages that the tool supports
Availability in European languages : French and English (full set of documents and knowledge bases). "Overview" document: Spanish, Italian, German, Polish, Romanian, Dutch, Portuguese (Brazil). Other languages: Chinese, Arabic
Specify the price for the method
Free: the solution is delivered as Open Source, free of charge.
Defines the most appropriate type of organisations the product aims at
Medium to Large companies
Non-profit: NGOs, education, health sector, public services, etc.
Specific sector : Mehari applies to all sectors
Information concerning the spread of this tool
Used in EU member states : downloaded in all EU member states and by the European Commission.
Used in non-EU countries : probably worldwide (more than 150 countries), including the USA, Canada, Switzerland, South America, China, India, Morocco, Tunisia, Algeria and other African countries.
Level of detail
Specify the target kind of users
Management level : top management, business line managers, ...
Operational level: CISO, Risk managers, auditors, CIO, ...
Technical level: systems, networks, application managers, general services, development teams, end users
License and certification scheme
Specify the licensing and certification schemes available for this method
Recognized licensing scheme : there is a recognized scheme for consultants/firms attesting their mastery of the method.
Existing certification scheme : in France via CLUSIF. In progress for Canada (Quebec).
Specify the level of skills needed to use and maintain the solution
Risk assessment and management require in any case a good knowledge of the business internals and of risk handling. The method builds on these skills and facilitates the RA and RM processes.
To introduce : Standard level, CIO, CISO, RM, top management, business line managers
To use : Standard, auditors (internal or external), CISO, Risk Managers, simple use of Excel
To maintain : Standard, the documentation and the integrated tool are complete, first level of Excel knowledge
Specify the kind of support available
Training and consultancy support are provided by CLUSIF, with relays in Poland, North America (Quebec) and Africa.
Consultancy : training and consultancy are available in various countries in Europe, North America, Africa and elsewhere.
There is a given compliance of the product with international regulations
Compliance of the method with international regulations (e.g. Basel II, Sarbanes-Oxley Act) may be achieved when needed.
Compliance to IT standards
There is a compliance with a national or international standard
Originally built in accordance with ISO/IEC IS 13335-1
MEHARI has evolved to keep pace with changes in information and communication technologies and in working practices; MEHARI 2010 complies with ISO/IEC 27005:2008 requirements
MEHARI is applicable to ISO/IEC 27001 ISMS processing and certification, including Annex A (security controls)
Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.
Not needed: download and use are free (Open Source)
Availability : world wide
Maturity level of the Information system
The product gives maturity indications of the organization's capability to manage information security in all its forms, including information system security (e.g. through a reasoned best practice document).
It is possible to measure the I.S.S. maturity level : Yes, through several indicators (e.g. Efficiency, Resiliency, Continuity aspects)
Tools supporting the method
List of tools that support the product
Non commercial tools
A first level of tool is directly included in the knowledge base of the method, using Excel and Open Office formulas. A reference manual, also free, explains its use.
Several independent efforts to develop additional tools are known to CLUSIF, the most compliant and complete being RISICARE from BUC SA.
Technical integration of available tools
It is possible to integrate additional worksheets within the knowledge base.
Tools can be integrated with other tools : the classical links between Excel and other types of programs may be used
Organisation processes integration
The method provides interfaces to existing processes within the organization (e.g. project management, procurement, etc.), e.g. through additional worksheets.
Method provides interfaces to other organisational processes : e.g. ISO 27001 ISMS
Flexible knowledge databases
The knowledge database can easily be adapted to a specific activity domain, maturity level, scope and size of company.