MEHARI explained

MEHARI (MEthod for Harmonized Analysis of RIsk) is a free, open-source information risk analysis assessment and risk management method, for the use of information security professionals.

MEHARI enables business managers, information security/risk management professionals and other stakeholders to evaluate and manage the organization's risks relating to information, information systems and information processes (not just IT). It is designed to align with and support information security risk management according to ISO/IEC 27005, particularly in the context of an ISO/IEC 27001-compliant Information Security Management System (ISMS) or a similar overarching security management or governance framework.

History

MEHARI has steadily evolved since the mid-1990s to support standards such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005 and NIST's SP 800-30.The current version of MEHARI Expert (2010) includes links and support for ISO 27001/27002:2013 revision ISMS.

Description

MEHARI Expert (2010) combines a powerful and extendible knowledge base with a flexible suite of tools supporting the following information security risk analysis and management activities:

MEHARI Expert (2010)'s comprehensive knowledgebase, built using Excel, is available in both English and French as an interactive tool, or more accurately a suite of tools that can be used individually but are designed as a coherent suite. As the process proceeds, the knowledgebase automatically expands with the information obtained, providing inputs for subsequent steps. Consistent analysis of the risks and controls enables large, diverse organizations to compare and contrast operating units on an even footing.

Additional applications and tools, based on the same principles, may be developed under Creative Commons license.

See also

References

External links