MEHARI has steadily evolved since the mid-1990s to support standards such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005 and NIST SP 800-30. The current version of MEHARI Expert includes cross-references to, and support for, the 2013 revision of the ISO/IEC 27001 and ISO/IEC 27002 ISMS standards.
Description
MEHARI Expert combines an extensive, extensible knowledge base with a flexible suite of tools supporting the following information security risk analysis and management activities:
Threat analysis: top business managers describe the organization's activities, list the potential issues or concerns that might adversely affect those activities, and assign values to the business impacts.
The business processes are analyzed further in order to identify and map out the associated organizational, human and technical assets.
The assets are classified according to the three classic security criteria (confidentiality, integrity and availability) plus the need for compliance with applicable laws and regulations.
The intrinsic likelihood of each representative threat event type is assessed, that is, its likelihood before any existing security measure is taken into account.
These elements are combined automatically to assess the intrinsic severity of each risk, highlighting the most critical and serious ones according to the projected business consequences.
Diagnostic questionnaires help users evaluate the ability of their existing information security measures/controls to mitigate risks.
Security measures are grouped into services for discussion with the relevant managers and professionals.
The current severity level of each risk scenario is then displayed, taking into account the effectiveness of the existing security measures. This gives a picture of the current information security risk landscape and suggests how remedial work should be prioritized.
Action plans and security projects can be selected to manage the risks, based on the expected effectiveness of additional security measures and the timescales for their implementation. The preceding analysis enables management to appreciate the business benefits of, and hence justify, appropriate investment in information security: the entire process is business-driven.
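The steps above can be read as a small computation: an asset's classification on the affected criterion gives an impact level, the threat's intrinsic likelihood gives a second level, a grid combines them into an intrinsic severity, the questionnaire-rated effectiveness of existing services lowers one or both levels to give the current (residual) severity, and candidate projects are compared by how much residual severity they remove. The following Python model is an added illustration of that workflow; it is not code from MEHARI or CLUSIF, and its 1-4 scales, the severity grid, the two control kinds and the "effectiveness // 2" reduction rule are assumptions chosen for the example, not MEHARI's actual tables. The sample scenarios are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# The four classification criteria named in the method: the three classic
# ones plus regulatory compliance.
CRITERIA = ("confidentiality", "integrity", "availability", "compliance")

# Assumed 4x4 grid, indexed [impact - 1][likelihood - 1] -> severity 1..4.
# Illustrative only; MEHARI's own grids live in its Excel knowledge base.
SEVERITY_GRID = (
    (1, 1, 2, 2),
    (1, 2, 3, 3),
    (2, 3, 3, 4),
    (2, 3, 4, 4),
)


def _check_level(value: int, lo: int, hi: int, name: str) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be between {lo} and {hi}, got {value}")


@dataclass(frozen=True)
class Control:
    """A security service as rated by a diagnostic questionnaire (assumed model)."""
    service: str
    kind: str           # "likelihood": stops the event; "impact": limits its consequences
    effectiveness: int  # 0 (absent) .. 4 (fully effective), assumed scale


@dataclass
class Scenario:
    """One risk scenario: a threat against one asset on one criterion."""
    asset: str
    threat: str
    criterion: str
    impact: int          # 1..4, the asset's classification on that criterion
    likelihood: int      # 1..4, intrinsic likelihood of the threat event type
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.criterion not in CRITERIA:
            raise ValueError(f"unknown criterion {self.criterion!r}")
        _check_level(self.impact, 1, 4, "impact")
        _check_level(self.likelihood, 1, 4, "likelihood")


def intrinsic_severity(impact: int, likelihood: int) -> int:
    """Severity before any existing control is taken into account."""
    _check_level(impact, 1, 4, "impact")
    _check_level(likelihood, 1, 4, "likelihood")
    return SEVERITY_GRID[impact - 1][likelihood - 1]


def _reduced_level(level: int, controls: List[Control], kind: str) -> int:
    # Only the strongest control of each kind counts: overlapping measures do
    # not add up linearly.  Assumed rule: effectiveness 4 removes two levels,
    # 2-3 remove one, 0-1 remove none; a level never drops below 1.
    best = max((c.effectiveness for c in controls if c.kind == kind), default=0)
    _check_level(best, 0, 4, "effectiveness")
    return max(1, level - best // 2)


def residual_severity(s: Scenario) -> int:
    """Current severity given the effectiveness of the existing controls."""
    return intrinsic_severity(
        _reduced_level(s.impact, s.controls, "impact"),
        _reduced_level(s.likelihood, s.controls, "likelihood"),
    )


def rank_scenarios(scenarios: List[Scenario]) -> List[Tuple[str, str, int, int]]:
    """Order scenarios for remediation: worst residual first, then worst intrinsic."""
    rows = [(s.asset, s.threat, intrinsic_severity(s.impact, s.likelihood),
             residual_severity(s)) for s in scenarios]
    return sorted(rows, key=lambda r: (r[3], r[2]), reverse=True)


def expected_gain(s: Scenario, proposed: Control) -> int:
    """Severity levels removed if one additional control were implemented."""
    with_control = Scenario(s.asset, s.threat, s.criterion, s.impact,
                            s.likelihood, s.controls + [proposed])
    return residual_severity(s) - residual_severity(with_control)


# Constructed sample scenarios, not taken from any real assessment.
SAMPLE = [
    Scenario("customer database", "data theft by outsider", "confidentiality", 4, 3,
             [Control("access control", "likelihood", 3),
              Control("encryption at rest", "impact", 1)]),
    Scenario("payroll system", "unauthorised modification", "integrity", 3, 3,
             [Control("change control", "likelihood", 4)]),
    Scenario("public web site", "denial of service", "availability", 3, 4,
             [Control("backup and failover", "impact", 4)]),
]

if __name__ == "__main__":
    for asset, threat, intrinsic, residual in rank_scenarios(SAMPLE):
        print(f"{asset:18} {threat:28} intrinsic={intrinsic} residual={residual}")
    proposal = Control("tokenisation of card data", "impact", 4)
    print("gain from", proposal.service, "=", expected_gain(SAMPLE[0], proposal))
```

Two design points carry over to any such model: intrinsic and residual severity are kept as separate functions so the ranking can show both (a risk that looks tame only because of one control deserves different attention from one that is tame by nature), and only the strongest control of each kind counts, so three weak overlapping services do not masquerade as one strong one.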
MEHARI Expert's comprehensive knowledge base, built in Excel, is available in English and French as an interactive tool, or more accurately as a suite of tools that can be used individually but are designed to work together. As the process proceeds, the knowledge base is automatically populated with the information obtained, providing the inputs for subsequent steps. Consistent analysis of risks and controls enables large, diverse organizations to compare operating units on an even footing. Additional applications and tools based on the same principles may be developed under the Creative Commons license.