What is the MEHARI risk management framework and how can it be used?

What can you tell me about the MEHARI risk management framework? Is it an ISO equivalent? How does it compare with or match up against other common enterprise risk management frameworks?

Ask the Expert

MEHARI (Method for Harmonized Analysis of Risk) is a risk management framework developed by a French association of information security professionals called CLUSIF. This framework has been in development since 1996 and is compliant with the ISO 27005 risk management standard. The license is open, but not under a standard open-source licensing model like BSD licenses or the GPL v3. However, the license only restricts the sale of the framework, while still allowing its integration into commercial products.

The framework is unique in that it is completely contained within a freely downloadable Excel spreadsheet. This makes MEHARI readily accessible for any information security manager looking to get a solid risk management framework in place, but lacking either knowledge of ISO 27000 or the budget for consulting engagements. In comparison, the NIST 800 and ISO 27000 series both provide documented frameworks, but lack the step-by-step guidance made available with MEHARI.

I wouldn't describe the MEHARI risk management framework as the equivalent of NIST 800 or ISO 27000, only because it currently lacks the industry recognition of those frameworks. Both the ISO and NIST series are produced by major organizations with solid reputations that develop standards across a wide range of technologies and processes, which lends them both credibility and name recognition. MEHARI is just not as popular and may not garner credibility with those outside of the information security profession. However, it should not be overlooked as an option where the cost and complexity of an implementation are key issues.

This was first published in January 2014
