EBIOS Risk Manager – The method

EBIOS RM makes it possible to assess digital risks and identify the security measures to be taken in order to control them. It also makes it possible to validate the acceptable level of risk and to carry on in the longer term in a continuous improvement approach. Finally, this method makes it possible to bring about resources and arguments that are useful for communication and decision-making within the organisation and with regards to its partners.

The EBIOS RM method can be used for several purposes:

• setting up or reinforcing a management process of the digital risk within an organisation;
• assess and treat the risks relating to a digital project, in particular with the aim of a security accreditation;
• define the level of security to be achieved for a product or service according to its use cases and the risks to be countered, in the perspective of a certification or accreditation for example.

It applies to public as well as private organizations, regardless of their size, their sector of activity and whether their information systems are being developed or already exist.

An iterative approach

The EBIOS Risk Manager method adopts an approach to the management of the digital risk starting from the highest level (major missions of the studied object) to progressively reach the business and technical functions, by studying possible risk scenarios.
It aims to obtain a synthesis between « conformity » and « scenarios », by positioning these two complementary approaches where they provide the highest value added.

Going Further – Methodological sheets

In addition to the EBIOS Risk Manager guide, « method sheets » have been created to help users conduct each workshop described in the guide.

Designed as pedagogical support tools, these method sheets are regularly updated.