What can you tell me about the MEHARI risk management framework? Is it an ISO equivalent? How does it compare with or match up against other common enterprise risk management frameworks?
Ask the Expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
MEHARI (Method for Harmonized Analysis of Risk) is a risk management framework developed by a French association of information security professionals called CLUSIF. This framework has been in development since 1996 and is compliant with the ISO 27005 risk management standard. The license is open, but not under a standard open-source licensing model like BSD licenses or the GPL v3. However, the license only restricts the sale of the framework, while still allowing its integration into commercial products.
The framework is unique in that it is completely contained within a freely downloadable Excel spreadsheet. This makes MEHARI readily accessible for any information security manager looking to get a solid risk management framework in place, but lacking either knowledge of ISO 27000 or the budget for consulting engagements. In comparison, the NIST 800 and ISO 27000 series both provide documented frameworks, but lack the step-by-step guidance made available with MEHARI.
I wouldn't describe the MEHARI risk management framework as the equivalent of NIST 800 or ISO 27000, only because it currently lacks the industry recognition of those frameworks. Both the ISO and NIST series are produced by major organizations with solid reputations that develop standards across a wide range of technologies and processes, which lends them both credibility and name recognition. MEHARI is just not as popular and may not garner credibility with those outside of the information security profession. However, it should not be overlooked as an option where the cost and complexity of an implementation are key issues.
Dig Deeper on Risk assessments, metrics and frameworks
Related Q&A from Joseph Granneman
The consequences of phishing attacks could fall on the victims as enterprises start to punish employees who fall for this age-old scam. Expert Joseph... Continue Reading
CERT's ITPM certification is designed to help enterprises with their insider threat programs. Expert Joseph Granneman discusses the certification and... Continue Reading
Privileged users pose a growing threat to organizations. Expert Joseph Granneman looks at this insider threat and shares ways to mitigate it. Continue Reading