Mehari

This article is about the risk analysis method. For the motor vehicle, see Citroën Méhari.

MEHARI (Method for Harmonized Analysis of Risk) is a free, open-source method for information risk analysis, assessment and management. It is developed, maintained and distributed by CLUSIF (Club de la Sécurité de l’Information Français), the French association of information security professionals.

MEHARI enables business managers, information security/risk management professionals and other stakeholders to evaluate and manage the organization's risks relating to information, information systems and information processes (not just IT). It is designed to align with and support information security risk management according to ISO/IEC 27005, particularly in the context of an ISO/IEC 27001-compliant Information Security Management System (ISMS) or a similar overarching security management or governance framework.

History

MEHARI has steadily evolved since the mid-1990s to support standards such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005 and NIST's SP 800-30.

Description

MEHARI 2010 combines a powerful and extendible knowledgebase with a flexible suite of tools supporting the following information security risk analysis and management activities:

MEHARI 2010's comprehensive knowledgebase, built using Excel, is available in both English and French as an interactive tool, or more accurately as a set of tools that can be used individually but are designed to work as a coherent suite. As the process proceeds, the knowledgebase automatically expands with the information obtained, providing inputs for subsequent steps. Consistent analysis of the risks and controls enables large, diverse organizations to compare and contrast operating units on an even footing.

Additional applications and tools, based on the same principles, are available as both free and commercial products.
