What can you tell me about the MEHARI risk management framework? Is it an ISO equivalent? How does it compare with or match up against other common enterprise risk management frameworks?
Ask the Expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
MEHARI (Method for Harmonized Analysis of Risk) is a risk management framework developed by a French association of information security professionals called CLUSIF. This framework has been in development since 1996 and is compliant with the ISO 27005 risk management standard. The license is open, but not under a standard open-source licensing model like BSD licenses or the GPL v3. However, the license only restricts the sale of the framework, while still allowing its integration into commercial products.
The framework is unique in that it is completely contained within a freely downloadable Excel spreadsheet. This makes MEHARI readily accessible for any information security manager looking to get a solid risk management framework in place, but lacking either knowledge of ISO 27000 or the budget for consulting engagements. In comparison, the NIST 800 and ISO 27000 series both provide documented frameworks, but lack the step-by-step guidance made available with MEHARI.
I wouldn't describe the MEHARI risk management framework as the equivalent of NIST 800 or ISO 27000, only because it currently lacks the industry recognition of those frameworks. Both the ISO and NIST series are produced by major organizations with solid reputations that develop standards across a wide range of technologies and processes, which lends them both credibility and name recognition. MEHARI is just not as popular and may not garner credibility with those outside of the information security profession. However, it should not be overlooked as an option where the cost and complexity of an implementation are key issues.
This was first published in January 2014