What can you tell me about the MEHARI risk management framework? Is it an ISO equivalent? How does it compare with
or match up against other common enterprise risk management frameworks?
Ask the Expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
MEHARI (Method for Harmonized Analysis of Risk) is a risk management framework developed by a French association of information security professionals called CLUSIF. This framework has been in development since 1996 and is compliant with the ISO 27005 risk management standard. The license is open, but not under a standard open-source licensing model like BSD licenses or the GPL v3. However, the license only restricts the sale of the framework, while still allowing its integration into commercial products.
The framework is unique in that it is completely contained within a freely downloadable Excel spreadsheet. This makes MEHARI readily accessible for any information security manager looking to get a solid risk management framework in place, but lacking either knowledge of ISO 27000 or the budget for consulting engagements. In comparison, the NIST 800 and ISO 27000 series both provide documented frameworks, but lack the step-by-step guidance made available with MEHARI.
I wouldn't describe the MEHARI risk management framework as the equivalent of NIST 800 or ISO 27000, only because it currently lacks the industry recognition of those frameworks. Both the ISO and NIST series are produced by major organizations with solid reputations that develop standards across a wide range of technologies and processes, which lends them both credibility and name recognition. MEHARI is just not as popular and may not garner credibility with those outside of the information security profession. However, it should not be overlooked as an option where the cost and complexity of an implementation are key issues.
Dig deeper on Enterprise Risk Management: Metrics and Assessments
Related Q&A from Joseph Granneman, Security Management
Expert Joseph Granneman offers advice to enterprise security teams on using open source intelligence tools to learn about potential threats.continue reading
(ISC)2's HCISPP certification has many potential benefits for health information privacy and security. Expert Joseph Granneman examines them.continue reading
Expert Joseph Granneman explains important business skills information security pros need -- and how to acquire them -- as the discipline matures.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.