Mehari

MEHARI (Méthode Harmonisée d'Analyse de Risques — Harmonised Risk Analysis Method) is a method for risk analysis and risk management developed and distributed by CLUSIF (French association of information security professionals).

History

Since 1995, MEHARI has provided information security personnel (ISO, RM, CIO, etc.) with the capability to evaluate and manage the risks attached to scenarios. MEHARI is derived from previous standards (ISO 13335) and has steadily evolved to comply with the newer ISO/IEC 27001, 27002 and 27005 standards.

Description

The general step of Mehari consists of analysing the security stakes and making a preliminary classification of the IS entities according to three basic security criteria (confidentiality, integrity, availability).

The typical Mehari process is the following:

MEHARI complies by design with ISO 13335 in order to manage risks. The method can thus serve as one stage of the information security management system (ISMS) model promoted by ISO 27001.
