This sums up my notes on the EBIOS Risk Manager methodology. I host both the original version and the official English version here:

EBIOS: Expression des besoins et identification des objectifs de sécurité (English: Expression of Needs and Identification of Security Objectives)

Big picture


5 main steps (workshops):

  1. Scope and Security Baseline
  2. Risk Origins
  3. Strategic Scenarios
  4. Operational Scenarios
  5. Risk Treatment

Recapitulative table for each workshop and use case:

Identifying cycles

Two main cycles can be distinguished during the whole assessment.

  1. Strategic Cycle: approaches the environment as a whole entity and ecosystem. It is closely linked to governance and aims at defining a security posture. The target audience is mainly management, non-technical business owners and the CISO.

  2. Operational Cycle: zooms in on the defined scope. This is about implementation and concrete security measures once the risks have been identified. It targets security engineers, project managers and IT architects.

The idea is to use the strategic cycle, with Workshops 1 and 2, to prepare the operational cycle. By assessing the context as a whole and pinpointing the risks, you can then focus on the different narrower scopes and elaborate the operational cycle.

Scope and Security Baseline


Risk Origins


Strategic Scenarios


Operational Scenarios


Risk Treatment