Mehari: Information risk analysis and management methodology

Since 1996, Mehari is being developed by the CLUSIF in order to assist the executives (operating managers, CISO, CIO, Risk Manager, auditor) in their efforts to manage the security of Information and IT resources and to reduce the associated risks.

To reduce the risks implies a preliminary knowledge of the major business stakes and processes in order to optimize the investments in the operation of the organizational and technical security measures.

This, in turn, allows to apply the appropriate practices, procedures and solutions to the level of the stakes and types of menaces bearing on the information and the multiple processes which create, handle and distribute it.

Mehari, compliant to ISO/IEC 27005 risk management standard, is suitable for the ISMS process described by ISO 27001, allowing to provide accurate indications for building security plans, based on a complete list of vulnerability control points and an accurate monitoring process in a continual improvement cycle.

Mehari is an efficient way to manage Information security for any type of organization., through the provision of a methodological framework, tools, modular components and knowledge, bases in order to:

• Analyze the major stakes,
• Analyze the vulnerabilities,
• Decrease and manage the risks,
• Monitor the security of information.

Mehari modules may be selected, based on corporate policies or strategic choices, to decide and build security action plans for information security