What can you tell me about the MEHARI risk management framework? Is it an ISO equivalent? How does it compare with or match up against other common enterprise risk management frameworks?
MEHARI (Method for Harmonized Analysis of Risk) is a risk management framework developed by a French association of information security professionals called CLUSIF. This framework has been in development since 1996 and is compliant with the ISO 27005 risk management standard. The license is open, but not under a standard open-source licensing model like BSD licenses or the GPL v3. However, the license only restricts the sale of the framework, while still allowing its integration into commercial products.
The framework is unique in that it is completely contained within a freely downloadable Excel spreadsheet. This makes MEHARI readily accessible for any information security manager looking to get a solid risk management framework in place, but lacking either knowledge of ISO 27000 or the budget for consulting engagements. In comparison, the NIST 800 and ISO 27000 series both provide documented frameworks, but lack the step-by-step guidance made available with MEHARI.
I wouldn't describe the MEHARI risk management framework as the equivalent of NIST 800 or ISO 27000, only because it currently lacks the industry recognition of those frameworks. Both the ISO and NIST series are produced by major organizations with solid reputations that develop standards across a wide range of technologies and processes, which lends them both credibility and name recognition. MEHARI is just not as popular and may not garner credibility with those outside of the information security profession. However, it should not be overlooked as an option where the cost and complexity of an implementation are key issues.